TL;DR: Access governance is rising from an administrative control to a strategic risk function as leaders prioritise sensitive data protection, AI enablement, and broader non-human identity oversight, according to SafePaaS and Altum Strategy Group’s Cybersecurity Leadership Survey 2026. The shift is forcing IAM programmes to move beyond static RBAC and audit-centric GRC toward attribute-based, continuously monitored controls that can govern human and machine access at enterprise speed.
NHIMG editorial — based on content published by SafePaaS: access governance, AI adoption, and the changing NHI risk landscape
By the numbers:
- 78% of organizations report that DevSecOps is fully integrated into their development lifecycle.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Questions worth separating out
Q: How should security teams govern access for AI systems and machine identities?
A: Security teams should govern AI systems and machine identities as distinct access subjects with named ownership, scoped purpose, and data-specific policy.
Q: Why do RBAC models struggle in cloud and AI-driven environments?
A: RBAC struggles because it ties access to static job functions, while cloud and AI environments change by context, data sensitivity, and execution path.
Q: How can organisations tell whether access governance is actually working?
A: Organisations should look for reduced privilege drift, fewer standing exceptions, and faster detection of dormant or anomalous access.
Practitioner guidance
- Rebuild sensitive-data access rules around attributes: Replace broad role assignments with contextual policy for systems that hold customer data, IP, pricing, or trade secrets.
- Inventory non-human identities as governed assets: Create a separate catalogue for service accounts, APIs, bots, and AI agents.
- Link governance reviews to operational telemetry: Use MDR and identity logs to validate whether permissions are still appropriate in production.
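The guidance above, sketched as an added example (not code from SafePaaS or the original post): a catalogue of non-human identities is compared with identity-log events to flag missing ownership, dormant identities, unused permissions, and identities seen in logs but absent from the catalogue. All identity names, permission strings, field names and the 90-day dormancy threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class NHI:
    name: str
    kind: str               # service_account, api_key, bot, ai_agent
    owner: "str | None"     # named business owner who can justify it
    purpose: "str | None"   # scoped purpose recorded at creation
    granted: frozenset      # permissions currently assigned

def d(day):  # helper for constructed timestamps: days after 2026-01-01
    return datetime(2026, 1, 1, tzinfo=timezone.utc) + timedelta(days=day)

# Constructed catalogue and identity-log events (identity, permission, time).
INVENTORY = [
    NHI("billing-sync", "service_account", "finance-apps", "nightly invoice export",
        frozenset({"invoices:read", "pricing:read"})),
    NHI("support-bot", "ai_agent", None, None, frozenset({"tickets:read"})),
    NHI("legacy-etl", "api_key", "data-eng", "warehouse load",
        frozenset({"customers:read"})),
]
EVENTS = [
    ("billing-sync", "invoices:read", d(119)),
    ("support-bot", "tickets:read", d(119)),
    ("legacy-etl", "customers:read", d(3)),
    ("report-gen", "pricing:read", d(117)),   # not in the catalogue
]

def review(inventory, events, now, dormant_after=timedelta(days=90)):
    """Return {identity: [findings]} by comparing grants with observed use."""
    used, last_seen = {}, {}
    for ident, perm, ts in events:
        used.setdefault(ident, set()).add(perm)
        last_seen[ident] = max(ts, last_seen.get(ident, ts))
    findings = {}
    for nhi in inventory:
        issues = []
        if not nhi.owner or not nhi.purpose:
            issues.append("no-owner-or-purpose")
        seen = last_seen.get(nhi.name)
        if seen is None or now - seen > dormant_after:
            issues.append("dormant")
        else:  # active: report grants never exercised (privilege drift)
            issues += ["unused:" + p for p in sorted(nhi.granted - used[nhi.name])]
        findings[nhi.name] = issues
    known = {n.name for n in inventory}
    findings.update({i: ["uninventoried"] for i in set(used) - known})
    return findings
```

Calling `review(INVENTORY, EVENTS, now=d(120))` returns an empty list for any identity with no findings, so tracking the total number of findings over time gives a rough measure of privilege drift and standing exceptions.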
What's in the full article
SafePaaS's full article covers the operational detail this post intentionally leaves for the source:
- Survey discussion on how security leaders ranked data protection, AI enablement, MDR, and GRC investment priorities
- Examples of how ABAC decisions can be applied to regional, business-unit, and data-sensitivity scenarios
- Board-level metric themes that the panel says executives are asking for in 2026
- The article's framing of governance as a speed enabler rather than a blocker
AI-driven access governance: what IAM teams need to change now?
Explore further
Access governance is becoming the control plane for enterprise AI risk. The article is right to shift the conversation away from governance as paperwork and toward governance as operational decisioning. When AI systems, cloud services, and data platforms converge, the question is no longer whether access is approved once, but whether it remains justified as data, context, and business use change. Practitioners should treat access governance as a live risk function, not an after-the-fact audit artifact.
A few things that frame the scale:
- 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
A question worth separating out:
Q: Who should own non-human identity risk in an IAM programme?
A: Non-human identity risk should be owned jointly by IAM, application owners, and security operations, with clear accountability for each identity’s purpose and lifecycle. If no one owns the identity, over-privilege and hidden access tend to persist. Shared governance works only when the business owner can answer why the identity exists and who reviews it.