IAM compliance and access transfer gaps: what teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: IAM compliance obligations across SOX, HIPAA, PCI DSS, GDPR, and ISO 27001 all depend on access control, reviews, offboarding, and audit evidence, according to Zluri. The real governance gap is not policy absence but incomplete lifecycle reporting, especially around access transfer, where many programmes still fail to prove control consistency.

NHIMG editorial — based on content published by Zluri: Access Management IAM Compliance and Regulatory Obligations

Questions worth separating out

Q: What breaks when access transfer is not tracked separately in IAM compliance programmes?

A: Organisations lose the ability to prove that entitlement changes were approved, justified, and limited to the new business context. A transfer adds the new role's access while the old role's access tends to linger, so an untracked move is where entitlements accumulate and where an auditor cannot tell approved retention from oversight.

Q: Why does IAM compliance get harder when service accounts and human accounts are governed differently?

A: Because auditors need a consistent story about who or what had access, why it had it, and when that access changed.

Q: How do organisations know whether access reviews are actually supporting compliance?

A: They know it is working only when reviews produce complete evidence, identify real entitlements that no longer fit the role, and trigger remediations that are recorded for audit.

Practitioner guidance

  • Separate access transfer from onboarding and offboarding: define transfer as its own lifecycle event in JML workflows, with explicit approval, entitlement comparison, and evidence capture before and after the move.
  • Document policy choice by use case: map RBAC, ABAC, least privilege, segregation of duties, and JIT to the compliance scenario each serves, then record why each control was selected.
  • Require audit-ready evidence for every access change: store who approved the change, what entitlements were added or removed, when the review happened, and which exceptions were accepted.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • The article walks through the specific compliance obligations associated with SOX, HIPAA, PCI DSS, GDPR, and ISO 27001.
  • It explains how access provisioning, modification, and deprovisioning workflows are automated in the product context.
  • It shows how access review automation produces reports and auto-remediation outputs for audit use.
  • It describes how access control policies can be configured using rule-based conditions for common role scenarios.

👉 Read Zluri's analysis of IAM compliance, access control, and audit obligations →
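The transfer workflow from the practitioner guidance above, as an added example written for this post rather than code from Zluri's product or the article: it treats a transfer as its own lifecycle event, diffs the mover's current entitlements against the new role's baseline, keeps an old-role entitlement only when an exception with a justification is recorded, refuses any exception that would create a segregation-of-duties conflict in the new context, and emits an evidence record with approver, timestamp, and before/after entitlement sets. The role names, entitlement identifiers, SoD pairs, and the sample request are constructed assumptions for illustration; the same function is used whether the subject is a human or a service account.

```python
"""Access transfer as its own JML event: entitlement diff, exception handling,
segregation-of-duties check, and an audit evidence record.

Added example for illustration; roles, entitlement identifiers, SoD pairs and
the sample request below are constructed and not taken from the article.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import hashlib
import json

# Constructed role baselines (hypothetical roles and entitlement identifiers).
ROLE_BASELINES = {
    "finance-analyst":    {"erp:gl:read", "erp:ap:submit", "sso:finance-group"},
    "finance-controller": {"erp:gl:read", "erp:gl:post", "erp:ap:approve", "sso:finance-group"},
    "platform-engineer":  {"github:org:member", "aws:dev:readonly", "sso:eng-group"},
}

# Constructed segregation-of-duties rules: no single identity may hold both.
SOD_CONFLICTS = {
    frozenset({"erp:ap:submit", "erp:ap:approve"}),
    frozenset({"erp:gl:post", "erp:gl:approve"}),
}


@dataclass
class TransferRequest:
    subject: str                 # human user or service account name
    subject_type: str            # "human" or "service-account": same workflow for both
    old_role: str
    new_role: str
    current_entitlements: set    # what the identity actually holds today
    requested_exceptions: dict   # entitlement -> business justification for keeping it
    approver: str


def diff_entitlements(current: set, new_role: str):
    """Compare what the mover holds against the new role's baseline.
    Returns (to_add, to_remove)."""
    target = ROLE_BASELINES[new_role]
    return target - current, current - target


def sod_violations(entitlements: set) -> set:
    """Return the conflicting SoD pairs present in an entitlement set."""
    return {pair for pair in SOD_CONFLICTS if pair <= entitlements}


def plan_transfer(req: TransferRequest, now: Optional[datetime] = None) -> dict:
    """Build the post-transfer entitlement set and an audit-ready evidence record.

    An entitlement from the old role survives only through a recorded exception,
    and an exception is refused if it would create an SoD conflict with the
    access the new role grants.
    """
    now = now or datetime.now(timezone.utc)
    to_add, to_remove = diff_entitlements(req.current_entitlements, req.new_role)
    kept_baseline = req.current_entitlements - to_remove

    accepted, refused = {}, {}
    for ent, reason in req.requested_exceptions.items():
        if ent not in to_remove:
            refused[ent] = "not at risk of removal; exception not needed"
            continue
        candidate = kept_baseline | to_add | set(accepted) | {ent}
        conflicts = sod_violations(candidate)
        if conflicts:
            others = sorted(e for pair in conflicts for e in pair if e != ent)
            refused[ent] = "SoD conflict with " + ", ".join(others)
        else:
            accepted[ent] = reason

    final = kept_baseline | to_add | set(accepted)
    evidence = {
        "event": "access-transfer",
        "subject": req.subject,
        "subject_type": req.subject_type,
        "from_role": req.old_role,
        "to_role": req.new_role,
        "approved_by": req.approver,
        "approved_at": now.isoformat(),
        "before": sorted(req.current_entitlements),
        "added": sorted(to_add),
        "removed": sorted(to_remove - set(accepted)),
        "exceptions_accepted": accepted,
        "exceptions_refused": refused,
        "after": sorted(final),
        "sod_violations_after": [sorted(p) for p in sod_violations(final)],
    }
    # Hash of the record; stored separately it gives a tamper-evidence check at review time.
    evidence["record_sha256"] = hashlib.sha256(
        json.dumps(evidence, sort_keys=True).encode()).hexdigest()
    return evidence


# Constructed sample: an analyst promoted to controller who has also accumulated
# a Jira entitlement outside either baseline and asks to keep two old entitlements.
SAMPLE_REQUEST = TransferRequest(
    subject="alice", subject_type="human",
    old_role="finance-analyst", new_role="finance-controller",
    current_entitlements={"erp:gl:read", "erp:ap:submit", "sso:finance-group", "jira:project:lead"},
    requested_exceptions={
        "erp:ap:submit": "covers month-end submissions until a successor is hired",
        "jira:project:lead": "remains lead of the finance Jira project",
    },
    approver="cfo@example.test",
)

if __name__ == "__main__":
    print(json.dumps(plan_transfer(SAMPLE_REQUEST), indent=2))
```

In the sample, the request to keep "erp:ap:submit" is refused because the controller role grants "erp:ap:approve" and the two form an SoD pair, while the Jira entitlement is retained as a recorded exception; both outcomes land in the evidence record, which is the artefact an auditor will ask for when checking that the transfer was approved, justified, and limited to the new context.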
