TL;DR: Easier access request configuration, full visibility into child assignment status for reviewers, and Docker-based Cloud Application Gateway deployment are among the additions in Omada Identity Cloud’s April 2026 release, according to Omada Identity. These changes tighten governance workflows, but they do not remove the need for disciplined lifecycle controls and review design.
NHIMG editorial — what this means for NHI practitioners
Questions worth separating out
Q: How should IAM teams improve access request governance without adding friction?
A: Start by simplifying the request model, not by adding more approval layers.
Q: Why does child assignment visibility matter in access reviews?
A: Because reviewers need to see the access that actually exists, not only the top-level role or group that produced it.
Q: What should teams check before using Docker-based deployment for identity infrastructure?
A: Teams should confirm who owns packaging, versioning, configuration review, and rollback procedures.
Practitioner guidance
- Tighten request template design Map each access request template to a single entitlement family, named approver path, and explicit approval condition so users cannot drift into broad or ambiguous requests.
- Audit nested assignment visibility Confirm reviewers can see child assignments, inherited entitlements, and downstream role effects before you rely on certifications as audit evidence.
- Govern gateway deployment as a service Assign ownership for packaging, version control, configuration review, and rollback handling for the Cloud Application Gateway so deployment changes do not bypass identity governance.
What's in the full announcement
Omada Identity’s full release note covers the operational detail this post intentionally leaves for the source:
- Configuration specifics for access request setup and sharing options
- The reviewer experience for child assignment status and related visibility states
- Docker-based deployment details for the Cloud Application Gateway
- Operational changes that support centralised management across environments
👉 Read Omada Identity’s April 2026 release notes on access governance updates →
Access requests and reviewer visibility: what Omada’s April release changes?
Explore further
Reviewer visibility is only meaningful when it includes downstream assignment state. Access certification breaks when reviewers can approve a parent entitlement without seeing what that approval actually propagates into. Omada’s focus on child assignment visibility points to a broader governance truth: attestation quality depends on the completeness of the privilege picture, not the volume of review activity. Practitioners should treat nested and inherited access as first-class review data, not secondary context.
A few things that frame the scale:
- 4.6% of all public GitHub repositories contain at least one hardcoded secret, according to The State of Secrets Sprawl 2025.
- 15% of commit authors have leaked at least one secret in their contribution history, according to The State of Secrets Sprawl 2025.
A question worth separating out:
Q: How do organisations know whether access removal workflows are actually working?
A: They should verify that removal requests revoke both direct and downstream access, and then confirm that reports and certifications show the final revoked state. If the workflow ends but child assignments remain visible, the process has not actually removed privilege, only modified one part of it.
👉 Read our full editorial: Omada Identity Cloud April 2026 release sharpens access governance