TL;DR: According to Josys, access policies define which users can reach which resources, under what conditions, and with which actions, so that organisations can combine authentication, authorisation, least privilege, conditional access, and monitoring into one consistent control layer. The real governance issue is that policy logic only works when identity, context, and lifecycle controls stay aligned across both human and non-human access paths.
NHIMG editorial — based on content published by Josys: What is an Access Policy?
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: How should security teams implement access policies across cloud and SaaS apps?
A: Start with a shared policy model that defines who can request access, which conditions must be satisfied, and which approvals are required.
Q: Why do access policies fail when organisations have many exceptions?
A: Policies fail when exceptions become the operating model instead of the edge case.
Q: What signals show that an access policy is no longer working?
A: Look for broad role assignments, repeated manual approvals, stale entitlements, and access that no longer matches job function or business need.
Practitioner guidance
- Centralise policy decision logic: define who can approve access, which attributes are required, and which conditions must be met before a resource is exposed.
- Convert standing access into conditional access: replace permanent permissions with time-bound or context-bound rules wherever the task does not require continuous access.
- Tie policy review to actual access usage: compare approved entitlements against observed access patterns and flag policies that no longer reflect how teams work.
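One way to operationalise the last two points is a periodic reconciliation that compares approved entitlements against observed access and flags grants that have expired, were never exercised, or have gone stale. The following is an added example written for this post, not code from Josys or NHIMG; the entitlement records, access events, resource names and the 90-day staleness window are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data, not taken from the article: approved entitlements
# and the access events actually observed in logs for the same principals.
ENTITLEMENTS = [
    # principal, resource, identity type, expiry (None = standing access)
    {"principal": "alice",      "resource": "billing-db", "type": "human",   "expires": None},
    {"principal": "bob",        "resource": "prod-k8s",   "type": "human",   "expires": date(2024, 3, 1)},
    {"principal": "svc-etl",    "resource": "billing-db", "type": "service", "expires": None},
    {"principal": "svc-legacy", "resource": "hr-api",     "type": "service", "expires": None},
    {"principal": "carol",      "resource": "hr-api",     "type": "human",   "expires": None},
]
ACCESS_EVENTS = [
    # (date of observed use, principal, resource)
    (date(2024, 3, 10), "alice",      "billing-db"),
    (date(2024, 3, 12), "svc-etl",    "billing-db"),
    (date(2023, 10, 1), "svc-legacy", "hr-api"),
    (date(2024, 3, 5),  "bob",        "prod-k8s"),
]
AS_OF = date(2024, 3, 15)  # assumed review date

def last_use(events):
    """Map (principal, resource) to the most recent observed access date."""
    seen = {}
    for when, principal, resource in events:
        key = (principal, resource)
        if key not in seen or when > seen[key]:
            seen[key] = when
    return seen

def review_entitlements(entitlements, events, as_of, stale_days=90):
    """Flag entitlements that have expired or no longer match observed usage.

    Human and service identities go through the same logic; the result is a
    sorted list of (principal, resource, reason) findings for the reviewer.
    """
    usage = last_use(events)
    cutoff = as_of - timedelta(days=stale_days)
    findings = []
    for e in entitlements:
        key = (e["principal"], e["resource"])
        if e["expires"] is not None and e["expires"] < as_of:
            findings.append(key + ("expired",))     # time-bound grant outlived its window
        elif key not in usage:
            findings.append(key + ("never-used",))  # approved, but no observed access at all
        elif usage[key] < cutoff:
            findings.append(key + ("stale",))       # standing access nobody has exercised
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_entitlements(ENTITLEMENTS, ACCESS_EVENTS, AS_OF):
        print(finding)
```

Each finding maps to a policy action: expired grants are revoked, never-used grants are questioned at the next approval, and stale standing access is converted to a time-bound rule.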
What's in the full article
Josys's full article covers the operational detail this post intentionally leaves for the source:
- Centralised policy dashboard workflows for managing access across applications and devices
- Role-based templates for onboarding, role changes, and offboarding in one operational flow
- Reporting and audit trail detail that supports compliance evidence and policy review
- How the platform frames AI-assisted policy suggestions for IT operations teams
👉 Read Josys's article on access policy and identity governance →
Access policies and IAM controls: what governance teams should check
Access policy is the control plane where identity governance becomes enforceable. Without a policy layer, authentication and authorisation remain isolated events instead of repeatable security decisions. That matters because access in modern enterprises spans humans, service accounts, and workflow identities, all of which need consistent decision logic. The practitioner conclusion is straightforward: if policy is fragmented, governance is fragmented too.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
A question worth separating out:
Q: How do access policies support identity lifecycle governance?
A: They create a direct link between lifecycle events and access decisions. When someone joins, changes role, or leaves, the policy should update or revoke access without waiting for a separate manual cleanup step. That same discipline applies to service accounts and workload identities that also need timely offboarding.
👉 Read our full editorial: Access policies define the control layer IAM teams need to govern access