TL;DR: Manual spot-checking no longer scales for data governance, AI safety, or regulatory compliance, according to Collibra’s analysis of Control Tower. The shift to continuous, exception-based enforcement matters because static metadata and periodic review leave blind spots where failures persist unnoticed.
NHIMG editorial — what this means for NHI practitioners
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities , 46% confirmed, 26% suspected.
Questions worth separating out
Q: How should teams implement continuous control validation in data governance?
A: Start by converting policies into executable controls with explicit conditions, scope, and owners.
Q: When does manual governance review create more risk than it reduces?
A: Manual review becomes risky when the asset population, policy set, or change rate is too large for periodic checks to detect failures before they matter.
Q: What breaks when governance controls cannot explain why an asset failed?
A: Teams lose the ability to triage quickly, assign ownership, and prove remediation.
Practitioner guidance
- Define controls as executable rules Express each policy as a testable condition with clear scope, pass or fail logic, and an owner who can act when the control breaks.
- Prioritise exception-based workflows Route teams only to failing assets and require each failure to carry a reason code, a responsible steward, and a tracked resolution state.
- Preserve evidence for every control run Keep a complete history of checks, failures, and remediation actions so audit teams can verify what was tested and when it was resolved.
What's in the full announcement
Collibra's full post covers the operational detail this post intentionally leaves for the source:
- The exact no-code query builder flow for defining validation logic across metadata fields.
- The scheduled control execution model, including how pass and fail states are displayed over time.
- The alerting workflow that routes failures into email, Slack, or Microsoft Teams.
- The product team's examples for BCBS 239, data freshness, and AI policy validation.
👉 Read Collibra's post on automating trust with Control Tower controls →
Control Tower controls: what they mean for data governance teams?
Explore further
Control enforcement is becoming the real governance layer. Static policy documents and manual spot checks do not provide assurance when data assets, AI inputs, or control conditions change continuously. The post reflects a broader shift in governance: organisations are moving from describing policy to executing it. For practitioners, the question is no longer whether a rule exists, but whether it is continuously validated against real assets.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable when automated governance controls fail?
A: Accountability should sit with the control owner and the asset steward, not with the automation layer. Automated enforcement can detect, route, and document failures, but human ownership is still required for policy decisions, remediation approval, and audit response.
👉 Read our full editorial: Automating trust in data governance with Control Tower controls