TL;DR: Audit frameworks generally require defensible oversight, separation of duties, and evidence that access decisions are reviewed consistently, but they do not prescribe quarterly certifications or fixed governance cycles, according to OpenIAM. The real test is whether identity governance reduces exposure, not just whether it produces audit-ready documentation.
NHIMG editorial — based on content published by OpenIAM: What Audit Frameworks Actually Require from Identity Governance
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 68% of organisations do not know how to fully address NHI risks.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
A: Start with the controls the framework actually expects: oversight, accountability, and traceable access decisions.
Q: Why do access review campaigns often fail to reduce real identity risk?
A: Because they are usually measured by completion, not by the number of privileges removed or accounts retired.
Q: What do teams get wrong about audit requirements for identity governance?
A: They often assume that a framework's expectation for oversight also implies a fixed operating cadence, such as quarterly certifications.
Practitioner guidance
- Separate audit evidence from control outcomes Track review completion, but also measure how many entitlements were revoked, re-scoped, or retired after each cycle.
- Rework certification scope around risk, not volume Prioritise high-risk systems, privileged roles, third-party access, and non-human identities that change faster than human review cycles.
- Align governance metrics to exposure reduction Add metrics for privilege creep, dormant access, exception age, and service account visibility.
What's in the full article
OpenIAM's full article covers the operational detail this post intentionally leaves for the source:
- Examples of how regulated organisations structure certification workflows for audit evidence.
- The specific governance artefacts auditors expect to see when reviewing access decisions.
- How documentation retention supports examination readiness in practice.
- The article's own framing of compliance versus exposure reduction for identity programmes.
👉 Read OpenIAM's analysis of what audit frameworks require from identity governance →
Audit frameworks and identity governance: what do they really require?
Explore further
Audit frameworks require defensible oversight, not a specific certification ritual. The article gets the core distinction right: frameworks care about whether access is monitored, segregation of duties is enforced, and evidence can be produced consistently. They do not generally dictate quarterly reviews or universal entitlement certification as the only acceptable model. Practitioners should therefore treat cadence as a design choice, not a regulatory command.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs , Key Challenges and Risks.
- Only 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
A question worth separating out:
Q: Who is accountable when governance passes audit but access exposure stays high?
A: Accountability sits with the identity, security, and compliance owners who defined success as documentation rather than exposure reduction. Frameworks usually require defensible oversight, but they do not prevent a team from optimising for evidence volume instead of privilege removal.
👉 Read our full editorial: Audit frameworks require oversight, not rigid identity governance cycles