TL;DR: Large enterprises are seeing SOX findings, access delays, and shadow workarounds because governance remains centralized while the business has become federated, according to SafePaaS. The practical lesson is that access risk must be owned where it originates, with central guardrails and local decision-making tied to evidence.
NHIMG editorial — based on content published by SafePaaS: federated governance for enterprise access risk
Questions worth separating out
Q: How should security teams structure access governance in a federated enterprise?
A: Security teams should separate policy ownership from decision ownership.
Q: Why do centralized IAM approval queues create governance problems?
A: Centralized queues create delays and weaken decision quality because approvers often lack the process context needed to judge risk.
Q: What do organisations get wrong about segregation of duties in federated environments?
A: They treat SoD as a static ruleset instead of a control that must reflect how work is actually done.
Practitioner guidance
- Define ownership by risk domain: Assign access decision ownership to finance, operations, HR, or platform leaders where the process risk actually exists, while keeping policy definition centralized in one control model.
- Instrument approvals with process context: Require approvers to see segregation of duties impact, critical access flags, and the business process affected before they can sign off on a request.
- Create an independent evidence layer: Capture who approved what, when, against which policy, and with what risk context so audit evidence is consistent across ERP, SaaS, cloud, and AI systems.
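As an added illustration of the three points above (example code, not SafePaaS's or NHIMG's), the Python below evaluates an access request against a constructed central control model, routes sign-off to the owner of the risk domain, and writes an evidence record capturing who decided what, when, against which policy and with what SoD and critical-access context. The role names, conflict pairs, owners and policy identifier are all assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed central control model (policy is defined once, centrally): SoD
# conflict pairs with the business process they protect, roles flagged as
# critical access, and the risk domain that owns decisions for each role.
SOD_CONFLICTS = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}): "invoice-to-pay",
    frozenset({"VENDOR_MASTER_EDIT", "AP_PAYMENT_RELEASE"}): "vendor-setup-to-pay",
}
CRITICAL_ROLES = {"AP_PAYMENT_RELEASE", "PROD_DB_ADMIN"}
ROLE_DOMAIN = {"AP_INVOICE_ENTRY": "finance", "AP_PAYMENT_RELEASE": "finance",
               "VENDOR_MASTER_EDIT": "finance", "PROD_DB_ADMIN": "platform"}
DOMAIN_OWNER = {"finance": "finance.controller", "platform": "platform.lead"}
EVIDENCE_LOG = []  # stands in for the independent, append-only evidence store


def evaluate(requester, role, existing_roles, policy_id="control-model-v1"):
    """Build the process context an approver must see before signing off."""
    conflicts = sorted(process for pair, process in SOD_CONFLICTS.items()
                       if role in pair and (pair - {role}) & set(existing_roles))
    domain = ROLE_DOMAIN[role]
    return {"requester": requester, "role": role,
            "existing_roles": sorted(existing_roles),
            "sod_conflicts": conflicts, "critical": role in CRITICAL_ROLES,
            "domain": domain, "owner": DOMAIN_OWNER[domain], "policy_id": policy_id}


def record_decision(context, approver, approved, justification="", decided_at=None):
    """Local sign-off under central guardrails, persisted as an evidence record."""
    if approver != context["owner"]:
        raise PermissionError(f"{approver} does not own risk domain {context['domain']}")
    if approved and (context["sod_conflicts"] or context["critical"]) and not justification:
        raise ValueError("approving SoD-conflicting or critical access needs a justification")
    record = dict(context, approver=approver, approved=approved,
                  justification=justification,
                  decided_at=decided_at or datetime.now(timezone.utc).isoformat())
    # Content hash ties the record to exactly this context, policy and decision.
    record["evidence_id"] = hashlib.sha256(
        json.dumps(record, sort_keys=True).encode()).hexdigest()[:16]
    EVIDENCE_LOG.append(record)
    return record


if __name__ == "__main__":
    ctx = evaluate("jdoe", "AP_PAYMENT_RELEASE", ["AP_INVOICE_ENTRY"])
    print(json.dumps(ctx, indent=2))  # approver sees SoD impact and critical flag
    rec = record_decision(ctx, "finance.controller", False,
                          "conflicts with existing invoice entry access")
    print(rec["evidence_id"], rec["approved"])
```

A real deployment would replace the in-memory log with an immutable store that the ERP, SaaS and cloud platforms all write to, so auditors trace every decision through one record format.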
Teams that still route all decisions through a single central queue will struggle to sustain both delivery and evidence quality.
👉 Read SafePaaS's analysis of federated governance for enterprise IAM →
Explore further
Federated enterprises need federated governance, not just delegated administration. Central IAM teams can define policy, but they cannot safely own every access decision across plants, regions, and platforms. The operating model has to place decision authority with the people who understand the business process, while preserving central guardrails and evidence. Practitioners should treat governance alignment as a control design issue, not an organizational preference.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- 46% confirmed and 26% suspected a breach of non-human identities, which shows that visibility gaps are still shaping incident response and governance confidence.
A question worth separating out:
Q: How do teams know if federated governance is actually working?
A: Look for fewer access-related delays, fewer repeated audit findings, and fewer manual reconstructions during reviews. If approvals still require central escalation for routine decisions, or if auditors cannot trace who owned the risk, the model is not truly federated. Evidence quality is the best test.
👉 Read our full editorial: Federated governance is now the control gap in enterprise IAM