TL;DR: Saviynt says its Terraform Provider has earned HashiCorp Partner Premier status, and frames that as evidence that IGA can address Day 2 issues such as credential shadowing, bridging infrastructure and governance, and continuous identity posture sync. The real shift is that identity governance is moving from provisioning checks to ongoing control of infrastructure-driven access states.
NHIMG editorial — what this means for NHI practitioners
Questions worth separating out
Q: How should security teams govern Terraform-managed identities in IGA programs?
A: Security teams should treat Terraform-managed access as part of the identity lifecycle, not as a deployment by-product.
Q: Why do Terraform workflows create governance gaps for identity teams?
A: Terraform workflows create governance gaps because infrastructure can change faster than identity review cycles.
Q: What do security teams get wrong about connector credentials in infrastructure automation?
A: Teams often treat connector credentials as technical plumbing instead of governed identities.
Practitioner guidance
- Map Terraform-managed access to identity owners: catalog every Terraform provider, module, and privileged connector as an identity-bearing object with an owner, purpose, and revocation path.
- Separate Day 0 provisioning from Day 2 review: use deployment events to create access, then use change events and periodic attestations to validate whether that access still matches policy.
- Track credential shadowing as a lifecycle issue: identify secrets and connector credentials that continue to function outside approved review and rotation processes.
What's in the full announcement
Saviynt's full blog post covers the operational detail this post intentionally leaves for the source:
- A closer look at the Terraform Provider architecture and how it maps infrastructure workflows to governance controls.
- The specific Day 2 operational problems the vendor says the provider addresses, including credential shadowing and posture sync.
- Details on the broader onboarding strategy that combines Terraform, agentic AI-based onboarding, and legacy integrations.
- The vendor's own explanation of what Partner Premier status means in the Terraform Registry ecosystem.
👉 Read Saviynt's post on Terraform governance for IGA and Day 2 control →
Terraform governance and IGA: what Day 2 control changes?
Terraform has become an identity control surface, not just a deployment mechanism. Once infrastructure state drives access state, governance can no longer stop at initial provisioning. The identity question moves into Day 2: who can still act, what connector still works, and which privileges have drifted beyond the approval record. Practitioners should treat infrastructure code as part of the identity programme, not adjacent to it.
A few things that frame the scale:
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage, which shows why lifecycle discipline matters beyond initial provisioning.
A question worth separating out:
Q: How can organisations tell whether identity posture sync is actually working?
A: Identity posture sync is working when current infrastructure state and current access state match without manual reconciliation. Teams should look for timely updates after Terraform changes, clear ownership of privileged connectors, and audit evidence that reflects live access rather than historical snapshots. If reviews lag the environment, the control is only reporting, not governing.
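As an added illustration (not code from Saviynt or the NHIMG post) of the posture-sync test above and of the practitioner guidance on owners and credential shadowing: a reconciliation that compares the access keys Terraform declares against a live inventory and reports the Day 2 findings a review should surface. The state fragment, the live inventory, the review date and the owner/purpose/revocation_path tag convention are all constructed assumptions.

```python
from datetime import date

# Constructed fragment shaped like `terraform show -json` output (simplified);
# the owner/purpose/revocation_path tags are a hypothetical governance convention.
TF_STATE = {"values": {"root_module": {"resources": [
    {"address": "aws_iam_access_key.ci", "type": "aws_iam_access_key",
     "values": {"id": "AKIA_CI_0001", "user": "ci-deployer",
                "tags": {"owner": "platform-team", "purpose": "ci",
                         "revocation_path": "runbook/ci-key"}}},
    {"address": "aws_iam_access_key.etl", "type": "aws_iam_access_key",
     "values": {"id": "AKIA_ETL_0002", "user": "etl-connector", "tags": {}}},
    {"address": "aws_iam_access_key.old", "type": "aws_iam_access_key",
     "values": {"id": "AKIA_OLD_0003", "user": "legacy-sync",
                "tags": {"owner": "data-team", "revocation_path": "runbook/legacy"}}},
]}}}

# Constructed live inventory: what the cloud API reports as still functioning.
LIVE_KEYS = [
    {"id": "AKIA_CI_0001", "user": "ci-deployer", "created": date(2024, 11, 1)},
    {"id": "AKIA_ETL_0002", "user": "etl-connector", "created": date(2023, 1, 15)},
    {"id": "AKIA_SHADOW_9", "user": "etl-connector", "created": date(2024, 6, 2)},
]
REQUIRED_TAGS = ("owner", "purpose", "revocation_path")
REVIEW_DATE = date(2025, 1, 10)  # constructed "today" for the review run

def declared_keys(state):
    """Index Terraform-managed access keys by id, keeping their governance tags."""
    resources = state["values"]["root_module"]["resources"]
    return {r["values"]["id"]: r["values"].get("tags", {})
            for r in resources if r["type"] == "aws_iam_access_key"}

def reconcile(state, live, today, max_age_days=90):
    """Return the Day 2 findings a posture-sync review should surface."""
    declared = declared_keys(state)
    declared_ids, live_ids = set(declared), {k["id"] for k in live}
    return {
        # Works today but never went through the approved (Terraform) path.
        "shadow": sorted(live_ids - declared_ids),
        # Declared but no longer present: state lags the environment.
        "stale": sorted(declared_ids - live_ids),
        # Declared without owner, purpose and revocation path: nobody can attest or revoke.
        "unowned": sorted(k for k, tags in declared.items()
                          if any(t not in tags for t in REQUIRED_TAGS)),
        # Still functioning past the rotation window.
        "rotation_overdue": sorted(k["id"] for k in live
                                   if (today - k["created"]).days > max_age_days),
    }

if __name__ == "__main__":
    print(reconcile(TF_STATE, LIVE_KEYS, REVIEW_DATE))
```

An empty result on every category is what "infrastructure state and access state match without manual reconciliation" looks like; anything in `shadow` or `stale` means the review is reporting on a snapshot rather than governing live access.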
👉 Read our full editorial: Terraform governance for IGA now extends into Day 2 control