
How should teams treat identity security as a business enabler?


(@sailpoint)
Estimable Member
Joined: 1 year ago
Posts: 78
Topic starter  

TL;DR: Identity security is shifting from an IT control to a business enabler because attackers now target identities, third-party access, and privileged pathways, while more than half of CEOs fear their current business model will not survive the next decade without transformation, according to PwC. That makes integrated identity governance, PAM, and access management a core resilience requirement, not a hygiene task.

NHIMG editorial — based on content published by SailPoint: A conversation with PwC on identity security as a business enabler

By the numbers:

Questions worth separating out

Q: How should organisations govern third-party identity access more tightly?

A: Treat third-party access as a lifecycle problem, not a procurement checkbox.

Q: When does identity security become a business risk rather than a technical issue?

A: Identity security becomes a business risk when a compromise can interrupt revenue, expose regulated data, or block transformation work.

Q: What is the difference between IAM and PAM in identity governance?

A: IAM governs authentication and ordinary access across the estate, while PAM constrains elevated privileges and high-risk sessions.

Practitioner guidance

  • Map identity blast radius for every privileged account: Inventory which systems each privileged human and non-human identity can reach, then remove access that is not required for the current task or workload.
  • Extend governance to partner and vendor identities: Put external users, API integrations, automation accounts, and support identities into the same joiner-mover-leaver and access certification process as employees.
  • Tie PAM to identity lifecycle controls: Do not let privileged access exist outside lifecycle oversight.

That means linking access policy, privilege boundaries, and revocation speed to business-critical systems, while aligning with the NIST Cybersecurity Framework 2.0 and Top 10 NHI Issues.

👉 Read SailPoint's conversation on identity security as a business enabler →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

A few things worth adding from our research at NHI Mgmt Group.

Identity security is now a business continuity issue, not just a control function. The article is right to frame identity as the point where cyber risk and transformation risk meet. When authentication, authorization, and lifecycle management fail together, the business cannot safely scale digital change. Practitioners should treat identity resilience as an executive-level continuity requirement.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which explains why identity sprawl so often outpaces governance.

A question worth separating out:

Q: Why do non-human identities make identity security harder to manage?

A: Non-human identities are harder to manage because they are numerous, often overprivileged, and frequently long-lived. They may be embedded in code, CI/CD pipelines, cloud services, or vendor integrations, which makes ownership and rotation unclear. Without dedicated governance, they become durable trust paths for attackers.

👉 Read our full editorial: Identity security is becoming the control plane for business risk



   