TL;DR: Identity governance for Entra works well inside Microsoft’s ecosystem, but it leaves applications, IAM systems, and access paths outside that scope inconsistent or invisible, according to OpenIAM. The real issue is not Entra coverage, but the structural failure of platform-bounded governance in multi-system enterprise estates.
NHIMG editorial — based on content published by OpenIAM: Identity Governance for Entra: Why Entra-Centric Governance Creates Fragmented Control Across Enterprise Systems
Questions worth separating out
Q: How should security teams govern identity access across Entra and other platforms?
A: Use Entra as one control source, but evaluate identity governance at the enterprise layer.
Q: Why do Entra-centric governance models create blind spots in large enterprises?
A: They create blind spots because many applications, vendors, and local access paths sit outside Entra’s native governance scope.
Q: How do teams know whether identity governance is actually working across systems?
A: Look for consistent certification coverage, revocation timing, and policy enforcement across all identity systems, not just the primary directory.
Practitioner guidance
- Inventory every identity system that affects access decisions Build a complete map of Entra, other IAM platforms, SaaS-native directories, legacy systems, partner access, and business-managed applications.
- Separate visibility from governance authority Use Entra for its native controls, but do not assume its dashboards equal enterprise coverage.
- Reconcile access across systems before certification When running access reviews, correlate entitlements from Entra with external applications and downstream identity systems so reviewers see the full access picture.
What's in the full article
OpenIAM's full article covers the operational detail this post intentionally leaves for the source:
- The full Entra governance breakdown across applications, legacy systems, and decentralised provisioning paths
- The specific ways access reviews and entitlement management differ when identity systems do not share a common governance layer
- The enterprise control model OpenIAM proposes for moving governance above individual platforms
- The article’s FAQ examples on fragmented governance, inconsistent enforcement, and multi-system oversight
👉 Read OpenIAM’s analysis of identity governance for Entra and enterprise fragmentation →
Entra-centric governance: where does enterprise control break down?
Explore further
Identity governance cannot be centralized if the identity estate is not centralized. Entra-centric governance creates the impression that one control plane can govern every identity path, but enterprise environments are multi-system by design. Applications, vendor access, legacy platforms, and decentralised provisioning all break that assumption. The implication is not to add more reviews inside Entra, but to stop treating one platform boundary as an enterprise governance boundary.
A few things that frame the scale:
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, including 46% confirmed and 26% suspected.
A question worth separating out:
Q: Who is accountable when access remains unmanaged outside Entra?
A: Accountability should sit with the enterprise identity governance function, not the directory owner alone. When access is provisioned or reviewed outside the primary platform, the organisation still owns the risk, and governance teams must define how those systems are brought under one policy model.
👉 Read our full editorial: Identity governance for Entra creates fragmentation beyond one platform