TL;DR: Quarterly access reviews often cover only a curated slice of enterprise systems while long-tail on-prem, custom, database, legacy, and non-human identities stay outside governance, according to Hydden. The control problem is not reviews themselves but partial visibility plus periodic, manual execution that leaves real risk untouched.
NHIMG editorial — based on content published by Hydden: access governance is still corporate theatre in most enterprises
Questions worth separating out
A: Security teams should treat scope as the first control, not the last.
Q: Why do periodic access reviews fail to reduce identity risk in real environments?
A: Periodic reviews fail when access changes faster than the review cycle and when the organisation relies on manual evidence collection.
Q: What do organisations get wrong about non-human identity governance?
A: They often treat service accounts and other machine identities as secondary to human access, which leaves ownership and lifecycle control unclear.
Practitioner guidance
- Quantify governed coverage, not just campaign completion. Measure what percentage of applications, databases, legacy systems, and service identities are actually in scope for access review.
- Build ownership for the ungoverned universe. Map every account to a human owner or system owner, including service accounts, bots, and custom integrations.
- Shift from periodic campaigns to event-driven control. Trigger entitlement changes, recertification, and removal workflows from authoritative lifecycle events and risk signals rather than waiting for the next quarterly cycle.
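The three guidance points above (governed coverage as a metric, an owner for every account, and event-driven recertification) can be made concrete in a small script. The following is an added example, not code from Hydden or NHIMG: it runs over a constructed identity inventory whose field names and event schema are assumptions, computes review-scope coverage per system type and per identity type, lists accounts with no accountable owner, and derives removal or recertification actions from lifecycle events rather than from a calendar.

```python
"""Added example (not Hydden's or NHIMG's code): governed-coverage metrics,
ownership gaps, and event-driven recertification over a constructed
identity inventory. Field names and event types are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    account_id: str
    system: str
    system_type: str       # "saas", "on_prem", "database", "legacy", "custom"
    identity_type: str     # "human" or "non_human"
    owner: Optional[str]   # None means nobody is accountable for this account
    in_review_scope: bool  # True if an access-review campaign covers this account


# Constructed inventory: the SaaS slice is reviewed, the long tail is not.
INVENTORY = [
    Account("u.alice", "sso-portal", "saas", "human", "alice", True),
    Account("u.bob", "sso-portal", "saas", "human", "bob", True),
    Account("svc_backup", "prod-postgres", "database", "non_human", None, False),
    Account("db_admin", "prod-postgres", "database", "human", "dba-team", False),
    Account("svc_erp_sync", "legacy-erp", "legacy", "non_human", None, False),
    Account("u.carol", "legacy-erp", "legacy", "human", "carol", False),
    Account("bot_deploy", "ci-runner", "custom", "non_human", "dave", False),
    Account("u.dave", "fileserver01", "on_prem", "human", "dave", True),
]


def coverage(accounts, key):
    """Fraction of accounts in review scope, grouped by attribute `key`
    ("system_type" or "identity_type"). Campaign completion says nothing
    about this number; it is the scope metric the guidance asks for."""
    in_scope, total = defaultdict(int), defaultdict(int)
    for a in accounts:
        group = getattr(a, key)
        total[group] += 1
        if a.in_review_scope:
            in_scope[group] += 1
    return {g: in_scope[g] / total[g] for g in total}


def overall_coverage(accounts):
    """Share of the whole inventory that any review actually touches."""
    return sum(1 for a in accounts if a.in_review_scope) / len(accounts)


def unowned(accounts):
    """Accounts nobody is accountable for; each is part of the ungoverned
    universe until a human or system owner is assigned."""
    return sorted(a.account_id for a in accounts if a.owner is None)


def actions_for_event(event, accounts):
    """Map an authoritative lifecycle event (constructed schema) to actions.
    Returns a sorted list of (account_id, action) pairs."""
    actions = []
    kind = event["type"]
    for a in accounts:
        if kind == "owner_left" and a.owner == event["owner"]:
            # A departing human loses their own accounts; machine identities
            # they owned must get a new owner instead of silently orphaning.
            action = "remove" if a.identity_type == "human" else "reassign_owner"
            actions.append((a.account_id, action))
        elif kind == "system_decommissioned" and a.system == event["system"]:
            actions.append((a.account_id, "remove"))
        elif kind == "credential_age_exceeded" and a.account_id == event["account_id"]:
            actions.append((a.account_id, "rotate_and_recertify"))
    return sorted(actions)


if __name__ == "__main__":
    print("coverage by system type:", coverage(INVENTORY, "system_type"))
    print("coverage by identity type:", coverage(INVENTORY, "identity_type"))
    print("overall coverage: %.3f" % overall_coverage(INVENTORY))
    print("unowned accounts:", unowned(INVENTORY))
    for ev in ({"type": "owner_left", "owner": "dave"},
               {"type": "system_decommissioned", "system": "legacy-erp"},
               {"type": "credential_age_exceeded", "account_id": "svc_backup"}):
        print(ev["type"], "->", actions_for_event(ev, INVENTORY))
```

Run as-is and the constructed inventory reports 100% coverage for SaaS but 0% for database, legacy and custom systems, and 0% for non-human identities, which is exactly the gap a campaign-completion metric hides. Feeding real lifecycle events (HR leaver, system decommission, credential age) into `actions_for_event` is the event-driven replacement for waiting on the next quarterly cycle.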
What's in the full article
Hydden's full analysis covers the operational detail this post intentionally leaves for the source:
- The playbill-style breakdown of how quarterly access campaigns actually unfold inside large enterprises.
- The specific cost and effort model for onboarding applications to traditional IGA at scale.
- The practical sequence for moving from periodic certification to continuous identity control.
- The examples of how audit evidence changes when reviews become event-driven rather than calendar-driven.
Read Hydden's analysis of why access governance still feels like corporate theatre.
Access governance theatre: what IAM teams need to fix now?