TL;DR: Access management is presented as the control layer that authenticates, authorises, and monitors both human users and non-human identities across SaaS, cloud, and on-premises systems, but the real problem is access gaps, excessive permissions, and orphaned accounts, according to Zluri. The governance lesson is that visibility and lifecycle discipline now matter more than static role assignment.
NHIMG editorial — based on content published by Zluri: Access Management: A Comprehensive Guide
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
Questions worth separating out
Q: How should security teams reduce access gaps in SaaS and cloud environments?
A: Start by mapping who and what can access each application, then separate active business need from inherited or stale entitlements.
Q: Why do excessive permissions keep showing up in IAM programmes?
A: Because access often accumulates through role reuse, exceptions, and incomplete offboarding, not through a single bad decision.
Q: What is the difference between access management and identity management?
A: Identity management establishes and maintains the identity record, while access management decides what that identity can reach and continuously controls those permissions.
Practitioner guidance
- Inventory every access path, not just every user: build a complete map of human accounts, service accounts, API tokens, OAuth grants, and SaaS connectors so ownership and revocation responsibility are explicit.
- Review dormant and orphaned access first: prioritise accounts with no active business owner, no recent use, or no documented offboarding path, then revoke or reassign them before broader recertification cycles.
- Treat delegated tokens as governed identities: scope OAuth and OIDC grants tightly, define expiry and reauthorisation rules, and monitor for tokens that outlive the business purpose they were issued for.
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanations of authentication, authorisation, and access control workflows in enterprise environments
- Detailed comparisons of RBAC, ABAC, PBAC, SSO, OAuth, OIDC, LDAP, SAML, and WebAuthn in practice
- Implementation-oriented best practices such as MFA, orphaned account cleanup, and access review workflows
- Product-specific access management capabilities and workflow automation details that are outside this post's scope
👉 Read Zluri's full guide to access management and least privilege →
Access management gaps: are your controls keeping up?
Explore further
Access management is now a lifecycle problem, not a login problem. The article correctly frames access as authentication, authorisation, and control, but the governing issue is whether access can be removed, narrowed, and audited at the same speed it is granted. That is why identity programmes that stop at sign-in controls still leave the most dangerous permissions untouched. Practitioners should treat access management as continuous entitlement governance, not as front-door security.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: How do organisations know if access reviews are actually working?
A: They should measure whether reviews lead to real entitlement changes, especially removals of dormant, excessive, or ownerless access. If review output does not produce revocation evidence, reduced scope, or tighter expiry controls, the process is cosmetic. Effective reviews change the attack surface, not just the spreadsheet.
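The triage order from the practitioner guidance above (orphaned, dormant, excessive, unbounded delegated tokens) and the "revocation evidence" test in this answer, as an added example that is not Zluri's or NHIMG's code; the inventory, principal names and entitlement labels are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class AccessPath:
    principal: str               # account, key or grant identifier
    kind: str                    # "human", "service", "api_key" or "oauth"
    owner: Optional[str]         # accountable owner; None = ownerless
    last_used: Optional[date]    # None = never used
    expires: Optional[date]      # None = no expiry configured
    granted: FrozenSet[str]      # entitlements actually held
    needed: FrozenSet[str]       # entitlements justified by a business need

def triage(paths, today, dormant_days=90):
    """Map each principal to its findings, in the review order the guidance gives."""
    report = {}
    for p in paths:
        f = []
        if p.owner is None:
            f.append("orphaned")       # nobody can attest to or revoke it
        if p.last_used is None or (today - p.last_used).days > dormant_days:
            f.append("dormant")
        if p.granted - p.needed:
            f.append("excessive")      # holds more than its justified need
        if p.kind in ("api_key", "oauth") and p.expires is None:
            f.append("no_expiry")      # delegated token that never ages out
        if f:
            report[p.principal] = f
    return report

def review_effectiveness(before, after):
    """Entitlements actually removed by a review; 0 means the review was cosmetic."""
    held = lambda ps: {(p.principal, s) for p in ps for s in p.granted}
    return len(held(before) - held(after))

# Constructed inventory (not real data): one SaaS tenant after an offboarding.
TODAY = date(2024, 6, 1)
R, W, A, D = "read", "write", "admin", "deploy"
INVENTORY = [
    AccessPath("alice@corp", "human", "alice@corp", TODAY - timedelta(days=2), None, frozenset({R}), frozenset({R})),
    AccessPath("svc-backup", "service", None, TODAY - timedelta(days=200), None, frozenset({R, A}), frozenset({R})),
    AccessPath("ak-ci-deploy", "api_key", "bob@corp", TODAY - timedelta(days=1), None, frozenset({D}), frozenset({D})),
    AccessPath("oauth-crm-sync", "oauth", "carol@corp", None, TODAY + timedelta(days=30), frozenset({R, W}), frozenset({R})),
]
# The same tenant after a review that deleted the orphaned account and narrowed the grant.
AFTER_REVIEW = [INVENTORY[0], INVENTORY[2],
                AccessPath("oauth-crm-sync", "oauth", "carol@corp", None, TODAY + timedelta(days=30), frozenset({R}), frozenset({R}))]
```

Running `triage` before and after a review, and `review_effectiveness` across the two snapshots, gives the entitlement-change evidence the answer asks for rather than a count of attestations.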
👉 Read our full editorial: Access management gaps expose why least privilege still fails