TL;DR: Access management is presented as the control layer that authenticates, authorises, and monitors both human users and non-human identities across SaaS, cloud, and on-premises systems, but the real problem is access gaps, excessive permissions, and orphaned accounts, according to Zluri. The governance lesson is that visibility and lifecycle discipline now matter more than static role assignment.
NHIMG editorial — based on content published by Zluri: Access Management: A Comprehensive Guide
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
Questions worth separating out
Q: How should security teams reduce access gaps in SaaS and cloud environments?
A: Start by mapping who and what can access each application, then separate active business need from inherited or stale entitlements.
Q: Why do excessive permissions keep showing up in IAM programmes?
A: Because access often accumulates through role reuse, exceptions, and incomplete offboarding, not through a single bad decision.
Q: What is the difference between access management and identity management?
A: Identity management establishes and maintains the identity record, while access management decides what that identity can reach and continuously controls those permissions.
Practitioner guidance
- Inventory every access path, not just every user. Build a complete map of human accounts, service accounts, API tokens, OAuth grants, and SaaS connectors so ownership and revocation responsibility are explicit.
- Review dormant and orphaned access first. Prioritise accounts with no active business owner, no recent use, or no documented offboarding path, then revoke or reassign them before broader recertification cycles.
- Treat delegated tokens as governed identities. Scope OAuth and OIDC grants tightly, define expiry and reauthorisation rules, and monitor for tokens that outlive the business purpose they were issued for.
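The Q&A above ("map who and what can access each application, then separate active business need from inherited or stale entitlements") and the three guidance points describe one triage procedure: build a single inventory of human and non-human access paths, then flag orphaned, dormant, over-privileged and purpose-expired entries and order them for review. The following is an added example of that procedure as code; it is not from Zluri's article or product. The `AccessPath` record, the 90-day dormancy window, the priority weights and the four inventory rows are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# One row per access path: humans and non-human identities in the same
# inventory, so ownership and revocation responsibility are explicit.
@dataclass
class AccessPath:
    identity: str
    kind: str                          # "user", "service_account", "api_key", "oauth_grant"
    app: str
    owner: Optional[str]               # accountable business owner; None means orphaned
    last_used: Optional[datetime]      # None means never observed in use
    permissions: set                   # entitlements actually granted
    needed: set                        # entitlements backed by a documented business need
    expires: Optional[datetime] = None         # token/grant expiry, if any
    purpose_ended: Optional[datetime] = None   # when the issuing purpose was closed

# Fixed "now" so the example is deterministic (assumed reference time).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=90)   # assumed dormancy threshold

# Review priority weights (assumed): ownerless access first, then stale, then excess.
WEIGHTS = {"orphaned": 4, "dormant": 2, "outlives_purpose": 2,
           "excessive": 1, "no_expiry": 1}

def classify(path: AccessPath, now: datetime = NOW) -> list:
    """Return the governance findings for a single access path."""
    findings = []
    if path.owner is None:
        findings.append("orphaned")
    if path.last_used is None or now - path.last_used > DORMANT_AFTER:
        findings.append("dormant")
    excess = path.permissions - path.needed
    if excess:
        findings.append("excessive:" + ",".join(sorted(excess)))
    # Delegated credentials are governed identities: they need an expiry
    # and must not outlive the purpose they were issued for.
    if path.kind in ("api_key", "oauth_grant"):
        if path.expires is None:
            findings.append("no_expiry")
        if path.purpose_ended is not None and (
            path.expires is None or path.expires > path.purpose_ended
        ):
            findings.append("outlives_purpose")
    return findings

def triage(inventory: list, now: datetime = NOW) -> list:
    """Order the review queue: highest combined risk weight first, then by name."""
    queue = []
    for path in inventory:
        findings = classify(path, now)
        if not findings:
            continue   # clean entries do not enter the recertification queue
        score = sum(WEIGHTS[f.split(":", 1)[0]] for f in findings)
        queue.append((score, path.identity, findings))
    queue.sort(key=lambda q: (-q[0], q[1]))
    return [(identity, findings) for _, identity, findings in queue]

# Constructed sample inventory (not real accounts or applications).
INVENTORY = [
    AccessPath("alice", "user", "crm", "alice", NOW - timedelta(days=5),
               {"read", "write"}, {"read", "write"}),
    AccessPath("svc-billing", "service_account", "erp", None, NOW - timedelta(days=200),
               {"read", "write", "admin"}, {"read"}),
    AccessPath("ci-deploy-key", "api_key", "ci", "platform-team", NOW - timedelta(days=1),
               {"deploy"}, {"deploy"}, expires=None),
    AccessPath("slack-connector", "oauth_grant", "slack", "marketing", NOW - timedelta(days=10),
               {"channels:read", "users:read"}, {"channels:read"},
               expires=NOW + timedelta(days=300), purpose_ended=NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    for identity, findings in triage(INVENTORY):
        print(f"{identity}: {', '.join(findings)}")
```

Running the block prints the review queue with the ownerless, stale and over-privileged service account at the top, the OAuth grant that outlived its campaign next, and the never-expiring CI key last; the fully justified human account does not appear at all. The point of the weights is only to make the ordering explicit and reviewable; an organisation would set its own.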
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanations of authentication, authorisation, and access control workflows in enterprise environments
- Detailed comparisons of RBAC, ABAC, PBAC, SSO, OAuth, OIDC, LDAP, SAML, and WebAuthn in practice
- Implementation-oriented best practices such as MFA, orphaned account cleanup, and access review workflows
- Product-specific access management capabilities and workflow automation details that are outside this post's scope