Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Continuous identity management: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Identity security still relies on quarterly or yearly access reviews even though over-provisioning and privilege drift create exposure between audits, according to Opal Security. Continuous monitoring and time-bound access are becoming the practical baseline for identity programmes that need to keep pace with modern threat movement.

NHIMG editorial — based on content published by Opal Security: If It’s Not Continuous, It’s Not Secure: Reimagining Identity Management

Questions worth separating out

Q: How should security teams move from access reviews to continuous identity governance?

A: Start by treating review results as evidence, not as the control itself.

Q: When does just-in-time access reduce risk instead of adding process overhead?

A: JIT reduces risk when the resource is sensitive, the task is time-bounded, and expiry is enforced automatically.

Q: What do organisations get wrong about over-provisioned access?

A: They often treat it as an inventory problem instead of an exposure problem.

Practitioner guidance

  • Replace calendar-based reviews with continuous entitlement monitoring Track privileged access changes between UAR cycles and alert when access remains unused, excessive, or newly risky.
  • Validate access against actual system usage Compare granted entitlements with observed activity to identify birthright access and permissions that exist only because of role assumptions.
  • Time-box high-risk access with enforced expiry Use just-in-time access for sensitive resources so privileges are issued for a specific task and revoked automatically when the task ends.

What's in the full article

Opal Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • How Opal frames continuous identity monitoring across existing IAM and governance workflows
  • The practical distinction between point-in-time access reviews and continuous mitigation in day-to-day operations
  • Examples of how over-provisioning shows up in real identity programmes and where remediation usually stalls
  • The vendor's own implementation-oriented explanation of JIT and time-bound access for privileged resources

👉 Read Opal Security's analysis of continuous identity management and access review gaps →

Continuous identity management: what IAM teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Continuous identity governance is now a security requirement, not a compliance convenience. The article is right to separate identity management from audit cadence because point-in-time review was designed for evidence collection, not active defence. That assumption fails when privilege can be abused between reviews, especially in environments where identities, entitlements, and workloads change daily. The implication is that identity programmes must be judged by exposure window, not audit completion.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.

A question worth separating out:

Q: How can IAM teams tell whether access governance is actually working?

A: Look for declining unused privilege, fewer exceptions carried across review cycles, and faster removal of access that no longer matches actual work. If the organisation can only prove access is reviewed, but cannot show that excess access is shrinking, the programme is not yet effective.

👉 Read our full editorial: Continuous identity management is the missing control plane



   
ReplyQuote
Share: