
Compliance gaps in identity governance: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: Compliance failures are not just policy problems; they become breach, audit, and remediation problems when data quality, change control, audit logging, and access control are weak, according to Cerbos. The governing lesson is that compliance has to be built into identity and authorization design from the start, because late controls cannot fix broken assumptions.

NHIMG editorial — based on content published by Cerbos: compliance, data quality, change management, and audit logs

By the numbers:

  • British Airways faced a fine of £183 million after a 2018 data breach for failing to safeguard customer data.
  • Capital One was ordered to pay an $80 million penalty after a breach that exposed 106 million customer records.

Questions worth separating out

Q: What breaks when identity data is stale in a compliance programme?

A: When identity data is stale, access control, reporting, and audit evidence all start reflecting an outdated reality.

Q: Why do audit logs matter so much for regulatory compliance?

A: Audit logs matter because they are the evidence trail regulators use to verify that access controls, approvals, and changes actually happened as claimed.

Q: What do security teams get wrong about change management and access control?

A: They often treat access-affecting changes as routine engineering work instead of control events with compliance consequences.

Practitioner guidance

  • Validate identity source data before policy enforcement: reconcile HR, directory, and application records so access rules evaluate against current role, status, and entitlement data.
  • Treat access-affecting changes as controlled compliance events: require review, testing, and rollback planning for policy edits, permission exceptions, vendor access changes, and deployment updates that can alter authorization outcomes.
  • Centralise audit logs and prove they are reviewed: send authorization, admin, and data-access events to tamper-resistant storage, retain them for the applicable regulatory window, and assign a routine review process that can surface misuse before it becomes a reportable incident.

What's in the full article

Cerbos' full guide covers the operational detail this post intentionally leaves for the source:

  • A deeper walkthrough of how Cerbos positions centralized authorization for compliance-heavy application environments
  • The article’s full comparison of data quality pillars and why each one affects regulatory evidence differently
  • More detail on audit logging, testable authorization, and how the vendor frames policy review for compliance teams
  • The implementation context behind build-versus-buy decisions for teams evaluating externalized authorization

👉 Read Cerbos' guide on compliance, audit logs, and authorization control →

Compliance gaps in identity governance: what IAM teams are missing?
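The first practitioner point above, reconciling HR, directory, and application records before policy enforcement, is the kind of check that is easy to describe and rarely written down. The following is an added example, not code from the post, from Cerbos, or from any product: it reconciles three constructed sources (an HR feed, a directory export that also lists service accounts with their human owners, and an application entitlement dump) and emits findings for the gaps auditors ask about: accounts whose HR subject is no longer active, workload identities with no active owner, entitlements that exceed the role mapping, and entitlements held by accounts the directory does not know. All identifiers, role mappings, and records are constructed for the example.

```python
"""Reconcile identity sources before policy enforcement (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date

# --- constructed sample data: not from any real HR, directory or application ---
HR_RECORDS = {
    # employee_id: (status, role, end_date)
    "e100": ("active", "analyst", None),
    "e101": ("terminated", "analyst", date(2024, 1, 31)),
    "e102": ("active", "engineer", None),
}
DIRECTORY_ACCOUNTS = {
    # account: (kind, subject)  subject = employee_id for humans, owner employee_id for NHIs
    "alice": ("human", "e100"),
    "bob": ("human", "e101"),           # HR says terminated, account still enabled
    "carol": ("human", "e102"),
    "svc-billing": ("service", "e100"),
    "svc-legacy": ("service", "e101"),  # owner has left: orphaned workload identity
    "svc-unknown": ("service", None),   # no owner on record at all
}
APP_ENTITLEMENTS = {
    # account: entitlements held in the application
    "alice": {"reports:read"},
    "bob": {"reports:read"},
    "carol": {"reports:read", "admin:write"},  # exceeds the engineer role mapping
    "svc-billing": {"invoices:write"},
    "dave": {"reports:read"},                  # no directory account behind it
}
# Constructed policy: what each role (or a service account) may hold.
ROLE_ALLOWED = {"analyst": {"reports:read"}, "engineer": {"reports:read"}}
SERVICE_ALLOWED = {"invoices:write"}


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str
    detail: str


def reconcile(hr, directory, entitlements, today=date(2024, 6, 1)):
    """Compare directory and application state against the HR system of record."""
    findings = []
    for account, (kind, subject) in directory.items():
        if kind == "human":
            rec = hr.get(subject)
            if rec is None:
                findings.append(Finding(account, "no_hr_record", f"{subject!r} missing from HR"))
                continue
            status, _role, end = rec
            if status != "active" or (end is not None and end <= today):
                findings.append(Finding(account, "stale_account", f"HR status={status}, end={end}"))
        else:  # service account / workload identity: must have an active human owner
            if subject is None:
                findings.append(Finding(account, "unowned_nhi", "no owner recorded"))
            elif hr.get(subject, ("missing", None, None))[0] != "active":
                findings.append(Finding(account, "orphaned_nhi", f"owner {subject} not active in HR"))
    for account, ents in entitlements.items():
        if account not in directory:
            findings.append(Finding(account, "orphaned_entitlement",
                                    f"{sorted(ents)} held with no directory account"))
            continue
        kind, subject = directory[account]
        if kind == "human":
            rec = hr.get(subject)
            allowed = ROLE_ALLOWED.get(rec[1], set()) if rec else set()
        else:
            allowed = SERVICE_ALLOWED
        excess = ents - allowed
        if excess:
            findings.append(Finding(account, "excess_entitlement",
                                    f"{sorted(excess)} not permitted for this subject"))
    return sorted(findings, key=lambda f: (f.account, f.issue))


def safe_to_enforce(findings):
    """Policy evaluation should not run on source data with unresolved reconciliation gaps."""
    return len(findings) == 0


if __name__ == "__main__":
    for f in reconcile(HR_RECORDS, DIRECTORY_ACCOUNTS, APP_ENTITLEMENTS):
        print(f"{f.account:12} {f.issue:22} {f.detail}")
```

The output is a review queue, not a remediation script: each finding names the source that disagrees with HR so the owning team can correct the record, and `safe_to_enforce` is the gate a pipeline would check before pushing reconciled data into the authorization layer.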

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 4271
 

Compliance fails first as an identity problem, not a policy problem. The article’s examples show that fines and settlements follow when identity records, approval flows, and access evidence no longer reflect reality. Data quality and auditability are the control plane beneath regulatory readiness, because compliance cannot be demonstrated from broken source data. Practitioners should treat identity accuracy as a compliance dependency, not an administrative cleanup task.

A few things that frame the scale:

A question worth separating out:

Q: How should organisations prove compliance across human and machine identities?

A: They should use one governance model that can show who or what has access, why it was granted, when it changed, and whether it was reviewed. That means accurate source data, controlled change, and durable logs across employees, service accounts, and workloads. Separate tooling for each identity type usually creates gaps auditors can see.

👉 Read our full editorial: Compliance needs identity governance, not later-stage clean-up
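The reply's answer asks for evidence of who or what has access, why it was granted, when it changed, and whether it was reviewed, held in durable logs. As an added illustration (not code from the post, the editorial, or any vendor), the block below keeps access-change and review events in a hash-chained, append-only evidence log: each entry commits to the previous one with SHA-256, so editing or deleting an earlier record is detectable at verification time, and a query lists changes that no review event has yet covered. The events, subjects and timestamps are constructed for the example.

```python
"""Tamper-evident evidence log for access changes and their review (added example)."""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    seq: int
    event: dict
    prev_hash: str
    entry_hash: str


def _digest(seq, event, prev_hash):
    # Canonical JSON so the same event always hashes the same way.
    payload = json.dumps({"seq": seq, "event": event, "prev": prev_hash},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class EvidenceLog:
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, event):
        """Append an event, chaining it to the previous entry's hash."""
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        seq = len(self.entries)
        entry = Entry(seq, dict(event), prev, _digest(seq, event, prev))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, first_bad_seq); any edited or reordered entry breaks the chain."""
        prev = self.GENESIS
        for e in self.entries:
            if e.prev_hash != prev or _digest(e.seq, e.event, e.prev_hash) != e.entry_hash:
                return False, e.seq
            prev = e.entry_hash
        return True, None

    def unreviewed_changes(self):
        """Sequence numbers of access changes that no review event references."""
        reviewed = {e.event.get("reviews") for e in self.entries if e.event.get("type") == "review"}
        return [e.seq for e in self.entries
                if e.event.get("type") == "access_change" and e.seq not in reviewed]


def build_sample_log():
    """Constructed events: one grant for a service account, one for a person, one review."""
    log = EvidenceLog()
    log.append({"type": "access_change", "subject": "svc-billing", "action": "grant",
                "entitlement": "invoices:write", "approver": "e100", "ts": "2024-06-01T09:00:00Z"})
    log.append({"type": "access_change", "subject": "carol", "action": "grant",
                "entitlement": "admin:write", "approver": None, "ts": "2024-06-02T10:00:00Z"})
    log.append({"type": "review", "reviews": 0, "reviewer": "e102", "outcome": "approved",
                "ts": "2024-06-30T12:00:00Z"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print("changes awaiting review:", log.unreviewed_changes())
```

The point of the chain is not secrecy but detectability: if someone later fills in a missing approver on entry 1, `verify()` reports the first sequence number whose stored hash no longer matches, which is the evidence an auditor needs to distrust everything after it. Shipping the entries to storage the writers cannot modify is still required; the hash chain only proves whether what is stored is what was written.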



   