TL;DR: CFOs are increasingly using identity and access data to improve governance, reduce risk, and target controls where exposure is highest, according to Gathid. The broader lesson is that access intelligence is becoming a finance and compliance input, not just an IAM report.
NHIMG editorial — based on content published by Gathid: Data-driven governance and the strategic role of the CFO
By the numbers:
- The average cost of a data breach continues to rise, with IBM reporting a global average of $4.88 million in 2024.
Questions worth separating out
Q: How should finance teams use access data in governance decisions?
A: Finance teams should use access data to identify where control risk concentrates, which systems affect reporting integrity, and where manual oversight is most needed.
Q: Why does access drift matter to financial governance?
A: Access drift matters because permissions can change faster than governance processes can review them.
Q: What do organisations get wrong about automated access reviews?
A: The main mistake is assuming automation fixes poor identity data.
Practitioner guidance
- Build a finance-facing access inventory: Map every financial application, reporting platform, and data repository to its owning identities, owners, and review cadence so governance teams can see where control gaps sit.
- Use access evidence in audit planning: Prioritise audit and compliance effort around high-risk access paths rather than spreading review time evenly across departments.
- Remediate ownership gaps first: Assign clear ownership for critical applications and identity domains before deploying automated review or policy scoring.
What's in the full article
Gathid's full article covers the operational detail this post intentionally leaves for the source:
- How the vendor frames data-driven governance workflows for finance and compliance teams
- Examples of access intelligence use cases across reporting, risk allocation, and control oversight
- The article's own commentary on stakeholder alignment, integration complexity, and change management
- How Gathid positions identity and access platforms in relation to CFO decision-making
Data-driven governance for CFOs: what IAM teams need to know?
Explore further
Data-driven governance is becoming a control discipline, not just a reporting discipline. The article is right to frame identity and access information as something finance leaders can use to assess control health, not merely budget performance. When access governs who can affect financial data, governance starts to look like a core control layer. Practitioners should treat identity telemetry as evidence for control decisions, not just operational insight.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how weak the underlying identity inventory still is.
A question worth separating out:
Q: Who should own identity governance when finance data is involved?
A: Ownership should be shared, but accountability must be explicit. Finance understands the business criticality of the data, IT understands the systems, and IAM or IGA teams understand the control mechanics. Effective governance depends on one accountable owner per application or domain, with clear review and remediation responsibilities.