TL;DR: GDPR pressure, infrastructure as code, and API-driven access controls can support rapid growth without stalling delivery, according to Commvault and monday.com, while highlighting the limits of manual permission management and static governance. Security becomes scalable when access, auditing, and infrastructure are designed to move with the business.
NHIMG editorial — based on content published by Commvault: operationalizing data security at scale in a STRIVE episode with monday.com
Questions worth separating out
Q: How should teams scale data access controls without creating permission sprawl?
A: Use role-based access as a starting point, then tighten access through automation, logging, and recurring entitlement reviews.
Q: Why do infrastructure as code and IAM need to work together?
A: Because infrastructure changes and access changes usually happen together.
Q: How do organisations know whether data access governance is actually working?
A: Look for evidence that permissions are current, logs are complete, and access reviews lead to real removals rather than paperwork.
Practitioner guidance
- Codify permissions as infrastructure Represent roles, access policies, and environment setup in version-controlled configuration so changes can be reviewed, tested, and rolled back consistently.
- Tie access changes to identity workflows Connect provisioning and revocation to API-driven identity processes rather than relying on tickets, spreadsheets, or manual approvals for routine changes.
- Reduce broad roles in analytics environments Review shared access patterns across data teams and replace catch-all permissions with tighter role definitions that reflect actual job functions.
What's in the full article
Commvault's full discussion covers the operational detail this post intentionally leaves at the governance level:
- How monday.com structured its European data warehouse and access model in practice
- The implementation lessons behind standing up a compliant environment in under two weeks
- Specific ways automation and API-driven controls replaced manual permission handling
- The operational tradeoffs between analytics velocity, visibility, and auditability
👉 Read Commvault's discussion of operationalizing data security at scale →
Data security at scale: what IAM teams need to do differently?
Explore further
Security at scale is an identity governance problem disguised as an infrastructure problem. When organisations grow fast, access to data, analytics, and tooling expands faster than manual review cycles can absorb. That makes permission governance the control plane for compliance, not a back-office task. The implication is that IAM and IGA teams need to treat data platform access as a lifecycle discipline, not a one-time setup.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months.
A question worth separating out:
Q: What should compliance and security leaders do when growth outpaces manual controls?
A: Prioritise controls that scale automatically, especially policy-driven access, infrastructure as code, and continuous visibility. Manual control paths tend to collapse under growth because they depend on individual follow-up. Leaders should shift attention from isolated approvals to the repeatable identity and governance processes that keep access aligned with business change.
👉 Read our full editorial: Operationalizing data security at scale without slowing growth