GRC in cybersecurity: what identity teams still need to fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: GRC in cybersecurity works best when governance, risk, and compliance are tied to identity controls, because fragmented tools, manual evidence collection, and point-in-time reviews leave access risk unmanaged across cloud and SaaS environments, according to SecurEnds. The governance gap is no longer abstract: identity is the control plane that determines whether GRC is continuous or merely reactive.

NHIMG editorial — based on content published by SecurEnds: GRC in cybersecurity and identity governance

Questions worth separating out

Q: How should security teams make GRC more effective in cloud environments?

A: Security teams should make GRC identity-aware.

Q: Why do access reviews often fail to reduce real cyber risk?

A: Access reviews often fail because they are point-in-time checks against a moving environment.

Q: What breaks when cybersecurity GRC is managed with spreadsheets and emails?

A: Manual workflows break the link between actual access state and compliance evidence.

Practitioner guidance

  • Connect GRC controls to identity events: treat access grants, role changes, approvals, and removals as the source of truth for governance evidence so the control state is visible as it changes.
  • Automate audit evidence from the identity layer: pull entitlement history, approval logs, and review outcomes directly from IAM and PAM systems instead of reconstructing them from spreadsheets and emails.
  • Rebuild access reviews around privilege risk: prioritise privileged roles, third-party access, and orphaned accounts first, then shorten review cycles where the business impact of drift is highest.

What's in the full article

SecurEnds' full article covers the operational detail this post intentionally leaves for the source:

  • The full GRC workflow breakdown that connects governance, risk scoring, and compliance evidence across control owners.
  • Specific identity integration patterns for tracking user access, vendor permissions, and cloud entitlement changes.
  • Examples of automated compliance monitoring and real-time reporting for ISO 27001, SOC 2, and NIST-aligned programmes.
  • The article's software-centric view of centralized risk management and audit readiness, which is useful once teams move from policy to implementation.

👉 Read SecurEnds' analysis of GRC in cybersecurity and identity governance →

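The practitioner guidance in the post above (identity events as the source of truth, evidence pulled from the identity layer, reviews prioritised by privilege risk) can be shown concretely with a small event-replay script. The example below is added here as an illustration and is not code from SecurEnds or NHIMG. The event schema, the role names, the `vendor-` naming convention used to flag third-party principals, the scoring weights and the review snapshot are all constructed assumptions for the demo, not a real IAM export format. It replays a log of grants, role changes, approvals, revocations and offboarding into the current access state, compares that state with a point-in-time review certification, and ranks what drifted: orphaned entitlements of offboarded users first, then unapproved and privileged changes.

```python
"""Event-driven access-state reconstruction and drift ranking.

Added illustrative example, not SecurEnds or NHIMG code. Event schema,
role names, naming conventions and scores are assumptions for the demo.
"""
from dataclasses import dataclass

PRIVILEGED = {"admin", "owner"}        # assumption: roles that count as privileged
THIRD_PARTY_PREFIX = "vendor-"         # assumption: naming convention for third-party principals

# Constructed sample identity events, in chronological order.
# kind: grant | role_change | revoke | approve | offboard
EVENTS = [
    {"ts": "2024-05-01T09:00", "kind": "grant", "principal": "alice", "system": "billing-db",
     "role": "reader", "approval": "REQ-101"},
    {"ts": "2024-05-01T09:05", "kind": "approve", "approval": "REQ-101", "approver": "cto"},
    {"ts": "2024-05-02T10:00", "kind": "grant", "principal": "vendor-svc", "system": "k8s-prod",
     "role": "admin", "approval": None},
    {"ts": "2024-05-03T11:00", "kind": "grant", "principal": "bob", "system": "billing-db",
     "role": "admin", "approval": "REQ-102"},
    {"ts": "2024-05-03T11:10", "kind": "approve", "approval": "REQ-102", "approver": "cto"},
    # --- quarterly access review certified the snapshot below at this point ---
    {"ts": "2024-06-01T08:00", "kind": "role_change", "principal": "alice", "system": "billing-db",
     "role": "admin", "approval": None},
    {"ts": "2024-06-10T12:00", "kind": "offboard", "principal": "bob"},
    {"ts": "2024-06-15T13:00", "kind": "revoke", "principal": "vendor-svc", "system": "k8s-prod"},
]

# Constructed point-in-time review result: (principal, system) -> certified role.
REVIEW_SNAPSHOT = {
    ("alice", "billing-db"): "reader",
    ("vendor-svc", "k8s-prod"): "admin",
    ("bob", "billing-db"): "admin",
}


@dataclass(frozen=True)
class Finding:
    principal: str
    system: str
    role: str
    reason: str   # '+'-joined tags, e.g. "orphaned+privileged"
    score: int    # higher = look at it first


def replay(events):
    """Fold the event log into current access state.

    Returns (state, offboarded). state maps (principal, system) to a dict with
    the live role, the approval reference, when it was set, and whether an
    approve event for that reference exists anywhere in the log.
    """
    state, approved, offboarded = {}, set(), set()
    for ev in events:
        kind = ev["kind"]
        if kind == "approve":
            approved.add(ev["approval"])
        elif kind in ("grant", "role_change"):
            state[(ev["principal"], ev["system"])] = {
                "role": ev["role"], "approval": ev.get("approval"), "since": ev["ts"]}
        elif kind == "revoke":
            state.pop((ev["principal"], ev["system"]), None)
        elif kind == "offboard":
            offboarded.add(ev["principal"])
    for entry in state.values():
        entry["approved"] = entry["approval"] in approved   # None is never approved
    return state, offboarded


def assess(state, offboarded, review_snapshot):
    """Compare live state with the certified snapshot and rank the gaps."""
    findings = []
    for (principal, system), entry in state.items():
        role, reasons, score = entry["role"], [], 0
        if principal in offboarded:                       # owner left, access remains
            reasons.append("orphaned"); score += 100
        if not entry["approved"]:                         # no approval trail for the live role
            reasons.append("unapproved"); score += 40
        if review_snapshot.get((principal, system)) != role:   # changed since the review
            reasons.append("drift-since-review"); score += 30
        if role in PRIVILEGED:
            reasons.append("privileged"); score += 20
        if principal.startswith(THIRD_PARTY_PREFIX):
            reasons.append("third-party"); score += 10
        if reasons:
            findings.append(Finding(principal, system, role, "+".join(reasons), score))
    return sorted(findings, key=lambda f: -f.score)


if __name__ == "__main__":
    live, gone = replay(EVENTS)
    for f in assess(live, gone, REVIEW_SNAPSHOT):
        print(f"{f.score:4d} {f.principal:12s} {f.system:12s} {f.role:8s} {f.reason}")
```

Run as-is and the offboarded user's surviving admin role ranks first, ahead of the unapproved privilege escalation that the June review never saw; the vendor account produces no finding because its revocation is itself in the log. The point the post makes is visible in the data: the snapshot alone still certifies all three entries, and only the replayed events show which of them are now wrong.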
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Identity governance is the real enforcement layer inside cybersecurity GRC. Governance, risk, and compliance sound broad, but the control model fails or succeeds where identity is decided, approved, and revoked. If access is not continuously governed, the organisation can satisfy reporting requirements while leaving the actual attack surface untouched. Practitioners should treat identity events as the primary evidence of whether GRC is functioning.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • 46% confirmed and 26% suspected that they had experienced an NHI breach, which means the governance problem is already widespread rather than emerging.

A question worth separating out:

Q: Who is accountable when identity-related GRC controls are weak?

A: Accountability sits with the teams that own governance, access administration, and risk oversight together. Security, IAM, and compliance cannot split responsibility and still expect continuous control. When identity drift is not addressed, the organisation has a governance failure, not just a tooling problem.

👉 Read our full editorial: GRC in cybersecurity: identity governance gaps teams still miss
