TL;DR: Identity stacks manage policy and intent well, but they still miss the authority pathways created by inheritance, delegated access, and cross-system relationships, according to Gathid. The structural gap is now the real identity risk, because review tools cannot see what authority has accumulated across the environment.
NHIMG editorial — based on content published by Gathid: authority pathways and the limits of the identity stack
Questions worth separating out
Q: What is the difference between approved access and effective authority in IAM?
A: Approved access is what policy says an identity should have.
Q: Why do access reviews miss hidden privilege paths?
A: Access reviews usually examine entitlements one system at a time, which means they can miss how separate permissions combine into control across platforms.
Q: How should security teams govern non-human identities that have persistent access?
A: Security teams should treat every non-human identity as a managed asset with an owner, an explicit purpose, a scoped privilege set, and a defined offboarding path.
Practitioner guidance
- Map authority paths across systems Build an identity graph that traces groups, roles, credentials, trusts, and delegated permissions across cloud and SaaS platforms.
- Review non-human identities alongside human accounts Put service accounts, automation accounts, and delegated tokens into the same governance process as user access so lifecycle gaps do not hide persistent control.
- Validate effective control, not just approved access Test whether a role can actually modify, impersonate, or escalate in downstream systems after inheritance and cross-account trust are applied.
What's in the full article
Gathid's full article covers the operational detail this post intentionally leaves for the source:
- How authority pathways can be reconstructed from directory, cloud, PAM, and SaaS relationships.
- The specific examples of inherited roles, nested groups, and cross-account trust that create hidden control.
- Why traditional access reviews miss accumulated authority across multiple systems.
- The argument for a daily, deterministic model of enterprise authority that can be recomputed from source state.
👉 Read Gathid's analysis of authority pathways and identity stack blind spots →
Authority pathways and IAM blind spots: what teams are missing?
Explore further
Authority visibility, not policy completeness, is the missing layer in modern identity security. The article is right to separate intended access from actual authority. IAM, IGA, and PAM tools can confirm policy, but they cannot reliably expose the control that emerges when roles, groups, credentials, and trust relationships combine across systems. Practitioners should treat authority mapping as a distinct governance problem, not a feature request inside existing identity tooling.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: What should teams do when identity tools do not show the full control path?
A: Assume the blind spot is structural, not a dashboard problem. Add an authority model that spans directory, cloud, SaaS, PAM, and non-human identities, then use it to identify where access accumulates across systems. If the path is invisible, the governance decision is incomplete.
👉 Read our full editorial: Authority pathways are exposing the limits of modern IAM stacks