TL;DR: As AI adoption expands machine identities, orphaned entitlements, and shadow IT, traditional IGA tools built around static HR directories can no longer answer who has access to what, according to Zluri. Static certification and rigid access models are giving way to visibility-led governance that is driven by actual usage rather than assumptions.
NHIMG editorial — based on content published by Zluri: All Manifesto for a New Era: Identity Governance for an AI-First World
By the numbers:
- 60% of IT resources in a typical organization now exist as either unmanaged or shadow IT.
Questions worth separating out
Q: How should security teams govern access when identity inventories are incomplete?
A: They should treat discovery as the prerequisite control.
Q: Why do static access reviews fail in fast-changing cloud environments?
A: Static reviews fail because they certify a snapshot rather than the live entitlement state.
Q: What do IAM teams get wrong about shadow IT and entitlement sprawl?
A: They often treat shadow IT as a separate inventory issue instead of a governance problem.
Practitioner guidance
- Inventory unmanaged identities and applications first: start with discovery across SaaS, shadow IT, and machine identities so access governance is based on actual environment coverage rather than directory assumptions.
- Feed activity telemetry into recertification: use last access, frequency, and peer usage data to help reviewers distinguish active entitlements from dormant access before approvals are rubber-stamped.
- Separate dormant access from active business need: create a workflow that flags unused entitlements for removal while preserving genuinely active privileges with documented business ownership.
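The three steps above, as an added example (not Zluri's or NHIMG's code): it first lists identities seen in application telemetry but absent from the HR directory, then triages each entitlement from last access, 90-day frequency and peer usage. The 90-day dormancy window, the 10%-of-peer-median threshold and the sample data are assumptions, not figures from the article.

```python
"""Activity-based recertification triage (illustrative example, not Zluri's code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Optional

DORMANT_AFTER = timedelta(days=90)   # assumed dormancy window
PEER_RATIO = 0.1                      # assumed "well below peers" cut-off


@dataclass
class Entitlement:
    identity: str
    app: str
    role: str
    last_access: Optional[date]   # None: never seen in activity telemetry
    uses_90d: int                 # access events in the last 90 days
    owner: Optional[str]          # documented business owner, if any


def discovery_gaps(directory: set[str], observed: set[str]) -> set[str]:
    """Identities seen in telemetry but missing from the HR directory: the
    unmanaged, shadow or machine identities to inventory before any review."""
    return observed - directory


def peer_median(ents: list[Entitlement], app: str, role: str) -> float:
    """Median 90-day usage of everyone holding the same app/role pair."""
    peers = [e.uses_90d for e in ents if e.app == app and e.role == role]
    return median(peers) if peers else 0.0


def triage(e: Entitlement, ents: list[Entitlement], today: date) -> str:
    """Return 'revoke', 'review', 'assign-owner' or 'keep' for one entitlement."""
    if e.last_access is None or today - e.last_access > DORMANT_AFTER:
        return "revoke"          # dormant: flag for removal
    if e.uses_90d < PEER_RATIO * peer_median(ents, e.app, e.role):
        return "review"          # active, but far below peers in the same role
    return "keep" if e.owner else "assign-owner"   # active: preserve, with an owner


def recert_campaign(ents: list[Entitlement], today: date) -> dict:
    return {(e.identity, e.app): triage(e, ents, today) for e in ents}


# Constructed sample data: one app, one role, four holders
TODAY = date(2025, 6, 30)
SAMPLE = [
    Entitlement("alice",   "crm", "admin", date(2025, 6, 28), 40, "sales-ops"),
    Entitlement("bob",     "crm", "admin", date(2025, 2, 1),   0, "sales-ops"),
    Entitlement("svc-etl", "crm", "admin", date(2025, 6, 29),  1, None),
    Entitlement("carol",   "crm", "admin", date(2025, 6, 20), 35, None),
]
```

Running `recert_campaign(SAMPLE, TODAY)` flags bob for removal, sends the low-usage service identity to review, and keeps alice while asking for an owner on carol's entitlement.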
What's in the full article
Zluri's full post covers the operational detail this post intentionally leaves for the source:
- Detailed examples of activity-based access modelling across SaaS and legacy applications
- How intelligent groups are used to translate usage data into role definitions
- Workflow examples for auto-revoking dormant access and prioritising certification campaigns
- Implementation details on discovery coverage and telemetry integration for IGA teams