CIEM governance and NHI support: what changes for IAM teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: KuppingerCole named SailPoint’s Cloud Infrastructure Entitlement Management solution an overall leader in its latest Leadership Compass after evaluating 14 vendors, according to SailPoint. The governance signal is clear: CIEM is moving from a point capability to a broader identity control plane, and NHI support will raise the bar further, while noting SIEM support across 10 mainstream third-party applications and tighter integration into the SailPoint platform.

NHIMG editorial — based on content published by SailPoint: SailPoint named a leader in Cloud Infrastructure Entitlement Management

By the numbers:

Questions worth separating out

Q: How should security teams govern cloud entitlements alongside IAM and IGA?

A: They should treat cloud entitlements as part of the same identity governance lifecycle, not as a separate cloud-only review stream.

Q: Why do non-human identities complicate CIEM programmes?

A: Non-human identities complicate CIEM because service accounts, tokens, and workload identities do not follow human review patterns.

Q: What breaks when CIEM does not cover machine identities?

A: The governance model breaks at the point where cloud access reviews assume all access belongs to a person.

Practitioner guidance

  • Map CIEM into the broader identity control plane. Define where entitlement review, access certification, and privileged access workflows intersect so CIEM findings do not sit outside IAM and IGA decision-making.
  • Validate NHI coverage before treating CIEM as complete. Check whether the platform can represent service accounts, API keys, tokens, and workload identities with the same review logic used for human access.
  • Correlate entitlement findings with detection data. Use SIEM integration to test whether risky permissions are dormant, actively used, or associated with unusual cloud activity.

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

  • The analyst report language quoted by SailPoint, including the exact criteria behind the leader designation.
  • The product-side context for how CIEM sits inside the SailPoint dashboard and platform workflow.
  • The roadmap note about non-human identities, which matters if you need to understand future scope rather than current capability.
  • The source article's own framing of cloud access management and entitlement governance in one place.

👉 Read SailPoint’s blog on its CIEM leader recognition and NHI roadmap →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

CIEM is becoming an identity governance control plane, not a cloud add-on. The market is moving past narrow entitlement visibility and toward platforms that sit closer to review, risk, and access control decisions. That shift matters because cloud permissions are now part of the same governance problem as IAM, PAM, and NHI oversight. Practitioners should read this as a signal to align CIEM with the broader identity programme, not bolt it on as a separate cloud tool.

A few things that frame the scale:

  • 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
  • A second finding from the same survey shows that only 13% of organisations feel extremely prepared for the reality of agentic AI, which helps explain why entitlement governance is lagging behind deployment.

A question worth separating out:

Q: When should organisations expand CIEM beyond cloud permissions alone?

A: They should expand it when entitlement risk is already being managed across multiple identity types and security teams need one decision path for review and response. If cloud access, PAM, and NHI governance are already overlapping in practice, a narrow CIEM scope will create duplicated control logic and inconsistent accountability.

👉 Read our full editorial: CIEM becomes a platform issue as SailPoint adds NHI support



   