TL;DR: Josys’ April 2026 release adds automated app classification, targeted access reviews, Google Workspace user filtering, API-driven attribute sync, and workflow retry controls to reduce manual governance overhead for SaaS-heavy environments. The core issue is not automation itself, but whether identity governance can keep pace with discovery, review, and cleanup across human, NHI, and delegated access patterns.
NHIMG editorial — what this means for NHI practitioners
Questions worth separating out
Q: How should teams automate access reviews without losing governance quality?
A: Automate the scheduling and routing, but keep the review design risk-based.
Q: When does app discovery automation become a governance control instead of a reporting tool?
A: It becomes a governance control when discovery is tied to explicit action.
Q: What do security teams get wrong about user attribute sync in identity platforms?
A: They often assume every field should be synchronised from the same source.
Practitioner guidance
- Define policy thresholds for new app enforcement: Set explicit criteria for when newly discovered apps are auto-approved, reviewed, warned, or blocked, and document the exception path for business-critical tools.
- Scope access reviews by entitlement risk: Build recurring reviews around role criticality, departmental ownership, and sensitive access rather than reviewing every account with the same cadence.
- Separate source-owned and local attributes: Create a field-by-field ownership map for directory sync so local governance data is preserved where upstream systems should not overwrite it.
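The field-by-field ownership map from the last item, sketched as an added example (not Josys code and not part of the original editorial). The field names, the `Owner` enum, `apply_sync` and the sample records are hypothetical and constructed for illustration; fields missing from the map are treated as unowned and never written.

```python
from enum import Enum


class Owner(Enum):
    SOURCE = "source"  # upstream directory is authoritative for this field
    LOCAL = "local"    # governance platform is authoritative for this field


# Hypothetical ownership map; a real one lists every synced attribute.
OWNERSHIP = {
    "email": Owner.SOURCE,
    "department": Owner.SOURCE,
    "cost_center": Owner.LOCAL,
    "access_review_owner": Owner.LOCAL,
}

# Constructed sample records (not real data).
SAMPLE_LOCAL = {"email": "a.old@example.com", "department": "Sales",
                "cost_center": "CC-114", "access_review_owner": "it-governance"}
SAMPLE_UPSTREAM = {"email": "a.new@example.com", "department": "Sales",
                   "cost_center": "", "access_review_owner": None,
                   "is_admin": True}


def apply_sync(local, upstream, ownership=OWNERSHIP):
    """Merge an upstream record into the local one, field by field.

    Returns (merged, report). The report lists fields updated from upstream,
    locally owned fields whose upstream value was ignored, and fields with
    no declared owner.
    """
    merged = dict(local)  # never mutate the caller's record
    report = {"applied": [], "preserved": [], "unmapped": []}
    for field, value in upstream.items():
        owner = ownership.get(field)
        if owner is None:
            # Fail closed: no declared owner means no write, only a finding.
            report["unmapped"].append(field)
        elif owner is Owner.SOURCE:
            if merged.get(field) != value:
                merged[field] = value
                report["applied"].append(field)
        elif merged.get(field) != value:
            # Locally owned: keep the local value, record the divergence.
            report["preserved"].append(field)
    return merged, report
```

The `unmapped` list is the useful review signal: a new upstream attribute such as the constructed `is_admin` shows up as a finding instead of silently entering the local record.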
What's in the full announcement
Josys' full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step configuration examples for automated app discovery and policy actions.
- Practical setup details for recurring access reviews, including scheduling and reminder handling.
- API-level attribute management details for teams integrating identity sync into existing workflows.
- Workflow retry behaviour and execution history handling for failed automation runs.
👉 Read Josys' April 2026 product release on access review and app control updates →
Access reviews and shadow IT automation: what changed in Josys?
Explore further
Automation only helps when governance rules still describe the right identity boundary. Josys’ release shows the industry moving toward more continuous access administration, but the real test is whether policy, review, and sync logic still reflect who or what actually owns access. That matters because SaaS environments increasingly mix human users, delegated admin roles, and machine-driven workflows. The practitioner conclusion is that governance precision matters more than workflow volume.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means access governance still starts from partial inventory data rather than complete control.
A question worth separating out:
Q: Who is accountable when automated workflows retry a failed access action?
A: Accountability stays with the identity or platform owner, not the retry button. Teams should define which failures are safe to rerun, what state must be checked before retrying, and which actions require human confirmation before the workflow is allowed to execute again.
👉 Read our full editorial: Josys April release tightens access governance and app control