Business continuity and identity security at Nationwide Building Society


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Nationwide Building Society says identity security is part of its wider business continuity strategy, with a focus on seamless authentication, automated manual controls, and stronger governance for critical applications, according to SailPoint. The practical lesson is that resilience programmes fail when identity controls remain manual, fragmented, or outside the continuity plan.

NHIMG editorial — based on content published by SailPoint: Identity Security and Business Continuity at Nationwide Building Society

Questions worth separating out

Q: How should security teams include identity in business continuity planning?

A: They should treat identity as a recovery dependency, not just an administration task.

Q: Why do manual identity processes create resilience risk?

A: Manual processes slow down access decisions, create inconsistency, and are the first thing to weaken when teams are under pressure.

Q: When should organisations automate identity governance for critical systems?

A: They should automate it wherever a delay, error, or exception in access control would affect service continuity or compliance.

Practitioner guidance

  • Align identity controls to business continuity tiers: Identify which applications and access paths must remain governable during disruption, then assign stronger approval, recovery, and oversight rules to those tiers.
  • Replace manual access steps in critical workflows: Map the approval, provisioning, and exception steps that still depend on human handoffs, and remove the ones that create delay or inconsistency for essential systems.
  • Test authentication for disruption scenarios: Verify that access workflows still support essential users and administrators during outage conditions, failover events, and recovery operations.

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

  • Sarah Harber’s account of how Nationwide structured its access management priorities around critical business services.
  • The specific way automated end-to-end controls were used to reduce manual intervention across identity workflows.
  • The video discussion of how the organisation linked compliance, control, and business continuity in one programme.
  • The customer story framing that shows how a financial services environment maps identity to resilience priorities.

👉 Read SailPoint’s customer story on identity security and business continuity at Nationwide Building Society →




   
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

Identity security becomes a continuity control when business change is the constant. This article shows a familiar maturity shift: access management is no longer justified only by compliance or convenience, but by the need to keep critical services governable as the organisation changes. That is the right framing for modern IAM programmes, because brittle access processes become operational risk the moment business continuity is tested. The practitioner lesson is to treat identity governance as part of resilience design, not a separate administrative layer.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: What is the difference between authentication resilience and identity governance?

A: Authentication resilience is about whether people can still sign in and reach essential systems during disruption. Identity governance is about whether the access granted is still appropriate, controlled, and reviewable. Mature programmes need both. A system can be easy to use and still be poorly governed, or tightly governed and still fail under operational stress.

👉 Read our full editorial: Identity security and business continuity at Nationwide Building Society



   