TL;DR: IAM access models degrade as roles, exceptions, and entitlement data drift over time, turning reviews into compliance work instead of risk reduction, according to Nexis. The core problem is that authorization quality depends on sustained data governance, not a one-time design effort.
NHIMG editorial — based on content published by Nexis: IAM Data Quality in Identity and Access Management: From Research to Practice
Questions worth separating out
Q: How should organisations stop IAM roles from drifting out of date?
A: Organisations should treat role drift as a governance issue, not a periodic clean-up task: roles fall out of date whenever attributes, entitlements, and exceptions change without the role definition changing with them, so the fix is named ownership and recurring measurement rather than an occasional purge.
Q: Why do access reviews often fail to reduce real risk?
A: Access reviews fail when reviewers lack enough context to judge whether access is still appropriate.
Q: What is the best signal that IAM controls are degrading?
A: The strongest signals are rising exceptions, repeated conflicts, growing redundancy, and increasing effort spent explaining access rather than governing it.
Practitioner guidance
- Establish data owners for identity and entitlement records: assign explicit ownership for role, attribute, and entitlement data so that stale records have a clear remediation path.
- Measure policy drift with structural quality indicators: track redundancy, conflicts, complexity, and excessive access as recurring quality signals rather than one-off clean-up tasks.
- Use transaction logs to validate access state: compare provisioning, movement, and removal events against the current authorization model to find mismatches that static review alone will miss.
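The following Python is an added worked example, not code from Nexis or NHIMG. It does two things the second and third items describe: it replays a transaction log of grant, move and revoke events to derive the access state the log says each identity should have, diffs that against a snapshot of what the IAM system actually holds, and then computes three of the structural drift indicators (redundant entitlements granted by more than one role, separation-of-duties conflicts, and roles per identity) over the same snapshot. The role model, the single SoD rule, the event tuple format, the identity names (including the service account) and the rule that a "move" drops every previous role are all assumptions constructed for the example; real movers usually keep old access for a grace period, which is exactly the window this check is meant to close.

```python
"""Reconcile an IAM transaction log against the current authorization model.

Added example, not Nexis's or NHIMG's code. Every role, entitlement, identity
and event below is constructed sample data; the event format is hypothetical.
"""
from collections import defaultdict

# Constructed role model: role -> entitlements the role grants.
ROLE_MODEL = {
    "ap_clerk": {"erp:invoice:create", "erp:invoice:read"},
    "ap_approver": {"erp:invoice:approve", "erp:invoice:read"},
    "finance_reader": {"erp:invoice:read", "erp:ledger:read"},
    "payments_batch": {"erp:payment:release", "erp:invoice:read"},  # machine identity role
}

# Constructed separation-of-duties rules: entitlement pairs one identity must never hold together.
SOD_CONFLICTS = [("erp:invoice:create", "erp:invoice:approve")]

# Constructed transaction log: (sequence, identity, action, role). Hypothetical format.
EVENTS = [
    (1, "alice", "grant", "ap_clerk"),
    (2, "bob", "grant", "ap_approver"),
    (3, "svc-payments", "grant", "payments_batch"),
    (4, "alice", "move", "ap_approver"),    # transfer: prior roles should be removed
    (5, "bob", "revoke", "ap_approver"),
    (6, "carol", "grant", "finance_reader"),
    (7, "dave", "grant", "finance_reader"),
]

# Constructed snapshot of what the IAM system holds right now: identity -> roles.
CURRENT_STATE = {
    "alice": {"ap_clerk", "ap_approver"},    # old role never removed after the move
    "bob": {"ap_approver"},                   # revoke event never took effect
    "svc-payments": {"payments_batch"},
    "carol": {"finance_reader", "ap_clerk"},  # ap_clerk was granted outside the log
    # dave is missing entirely: provisioning never completed
}


def replay_events(events):
    """Derive the expected identity -> roles map from the log.

    Assumption for this example: a 'move' replaces all existing roles with the new one.
    Identities whose roles replay to an empty set are dropped (fully deprovisioned).
    """
    expected = defaultdict(set)
    for _, identity, action, role in sorted(events):
        if action == "grant":
            expected[identity].add(role)
        elif action == "revoke":
            expected[identity].discard(role)
        elif action == "move":
            expected[identity] = {role}
        else:
            raise ValueError(f"unknown action {action!r}")
    return {i: roles for i, roles in expected.items() if roles}


def reconcile(expected, current):
    """Per-identity mismatches between log-derived state and the live snapshot.

    'unexplained_role' = held now but no surviving event accounts for it.
    'missing_role'     = the log says it should exist but the system lacks it.
    """
    findings = []
    for identity in sorted(set(expected) | set(current)):
        exp = expected.get(identity, set())
        cur = current.get(identity, set())
        findings += [(identity, "unexplained_role", r) for r in sorted(cur - exp)]
        findings += [(identity, "missing_role", r) for r in sorted(exp - cur)]
    return findings


def structural_indicators(current, role_model, sod_conflicts):
    """Drift indicators over the live snapshot: redundancy, SoD conflicts, complexity."""
    redundancy = {}   # identity -> entitlements reached through more than one role
    conflicts = []    # (identity, entitlement_a, entitlement_b)
    for identity, roles in sorted(current.items()):
        hits = defaultdict(int)
        for role in roles:
            for ent in role_model.get(role, set()):
                hits[ent] += 1
        duplicated = sorted(e for e, n in hits.items() if n > 1)
        if duplicated:
            redundancy[identity] = duplicated
        for a, b in sod_conflicts:
            if a in hits and b in hits:
                conflicts.append((identity, a, b))
    roles_per_identity = sum(len(r) for r in current.values()) / max(len(current), 1)
    return {"redundancy": redundancy, "sod_conflicts": conflicts,
            "roles_per_identity": roles_per_identity}


if __name__ == "__main__":
    for finding in reconcile(replay_events(EVENTS), CURRENT_STATE):
        print("reconcile:", *finding)
    for key, value in structural_indicators(CURRENT_STATE, ROLE_MODEL, SOD_CONFLICTS).items():
        print(f"indicator: {key} = {value}")
```

Run as a script it lists alice's stale `ap_clerk`, bob's un-revoked `ap_approver`, carol's out-of-band `ap_clerk`, dave's missing `finance_reader`, and flags alice's create/approve SoD conflict; a static review of the snapshot alone would show alice holding two plausible finance roles and nothing more. Tracking the indicator values across runs, rather than the single snapshot, is what turns them into the drift signal the bullet above asks for.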
What's in the full report
Nexis's full article covers the research detail this post intentionally leaves for the source:
- The doctoral research design and how the IAM data quality model was built from assessment, improvement, and review perspectives.
- The empirical examples behind policy complexity reduction and access review quality monitoring.
- The transaction-log approach used to identify inconsistent authorizations at scale.
- The academic publications and practical validation work carried out with Nexis.
👉 Read Nexis's analysis of IAM data quality and long-term access governance → IAM data quality in practice: are your controls degrading over time?
Explore further
IAM data quality is the hidden control surface of identity governance. The article is right to separate IAM effectiveness from tooling maturity, because access control outcomes depend on the freshness, consistency, and completeness of the underlying identity data, not on which platform enforces it. When role, entitlement, and policy data decay, the programme does not merely become harder to run; it becomes less trustworthy, because every review and every enforcement decision is made against records that no longer describe reality. For practitioners, that means governance has to treat data quality as an operational control, not an implementation detail.
A few things that frame the scale:
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
- Our research also shows that the average estimated time to remediate a leaked secret is 27 days, even though 75% of organisations express strong confidence in their secrets management capabilities.
A question worth separating out:
Q: How should teams govern NHI access data alongside human IAM?
A: Teams should use the same data-quality discipline across humans and non-human identities, but with tighter lifecycle controls for machine identities. Service accounts, tokens, and workload identities need ownership, expiry tracking, and entitlement validation because their sprawl can outpace manual review. The NHI Lifecycle Management Guide is the right reference point for that work.
👉 Read our full editorial: IAM data quality is becoming the real access control problem