TL;DR: IAM maturity models still assume identities are comparatively stable and reviewable, but the article shows access governance, lifecycle management, and control consistency remain uneven across many programmes. That matters because AI systems and NHIs expose those gaps more sharply than human-centric IAM ever did.
NHIMG editorial — based on content published by Zluri: Access Management Identity & Access Management Maturity Model - A Guide For 2026
By the numbers:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems.
Questions worth separating out
Q: How should teams assess IAM maturity when NHIs and AI systems are in scope?
A: They should assess maturity by actor type, because human IAM, service accounts, and AI-driven identities fail in different ways.
Q: Why do IAM maturity models break down in environments with lots of service accounts?
A: They break down when maturity is measured by policy presence instead of entitlement closure.
Q: What do security teams get wrong about access management maturity?
A: They often confuse structured process with effective control.
Practitioner guidance
- Map maturity levels to actor type: separate human IAM, service account governance, and AI-driven identity control into different maturity baselines so you do not measure them with the same operational assumptions.
- Test lifecycle closure against real events: run joiner, mover, and leaver checks against live provisioning and deprovisioning records, including API keys, service accounts, and delegated admin access.
- Prove least privilege with revocation evidence: require evidence that access can be reduced, scoped, or revoked quickly for each identity class.
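A lifecycle-closure check of the kind the three points above describe, as an added example (not code from Zluri's guide or this editorial): it scores leaver events per actor type and treats an identity as closed only when a revocation timestamp exists. The record layout, owner names and the one-day grace window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed leaver events: when a human owner left, or a service was
# decommissioned. All field names here are assumptions for this example.
LEAVER_EVENTS = {"alice": datetime(2026, 1, 5), "svc-billing": datetime(2026, 1, 10)}

# Constructed identity inventory spanning the actor types the guidance separates.
IDENTITIES = [
    {"id": "alice@corp", "actor": "human", "owner": "alice", "revoked_at": datetime(2026, 1, 5)},
    {"id": "apikey-7f3", "actor": "api_key", "owner": "alice", "revoked_at": None},
    {"id": "svc-billing-sa", "actor": "service_account", "owner": "svc-billing", "revoked_at": None},
    {"id": "agent-ops-1", "actor": "ai_agent", "owner": "bob", "revoked_at": None},
]
NOW = datetime(2026, 1, 20)


def stale_after_leaver(identities, leaver_events, now, grace=timedelta(days=1)):
    """Identities whose owner left but whose access was not revoked within `grace`.
    Closure needs a revocation timestamp inside the window, not just a policy."""
    findings = []
    for ident in identities:
        left = leaver_events.get(ident["owner"])
        if left is None:
            continue  # owner still active; not a leaver case
        revoked = ident["revoked_at"]
        if revoked is None or revoked > left + grace:
            days_open = ((revoked or now) - left).days
            findings.append({"id": ident["id"], "actor": ident["actor"], "days_open": days_open})
    return findings


def closure_by_actor(identities, leaver_events, now, grace=timedelta(days=1)):
    """(closed, total) per actor type, so each identity class gets its own baseline."""
    stale = {f["id"] for f in stale_after_leaver(identities, leaver_events, now, grace)}
    summary = {}
    for ident in identities:
        if ident["owner"] not in leaver_events:
            continue
        closed, total = summary.get(ident["actor"], (0, 0))
        summary[ident["actor"]] = (closed + (ident["id"] not in stale), total + 1)
    return summary


if __name__ == "__main__":
    for f in stale_after_leaver(IDENTITIES, LEAVER_EVENTS, NOW):
        print(f"OPEN {f['actor']:16} {f['id']:16} {f['days_open']:>3} days after leaver event")
    print(closure_by_actor(IDENTITIES, LEAVER_EVENTS, NOW))
```

With the constructed records the human account closes on time while the API key and service account stay open, which is exactly the gap a blended maturity score hides.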
What's in the full article
Zluri's full guide covers the operational detail this post intentionally leaves for the source:
- Step-by-step maturity progression examples for each IAM level and component.
- Specific ILM, access management, and governance capability breakdowns that can help teams map their current state.
- Operational descriptions of provisioning, modification, and removal workflows across the maturity model.
- Concrete product-oriented examples of how Zluri positions access management automation and reporting.
👉 Read Zluri's guide to IAM maturity models for 2026 →
IAM maturity models and AI agents: where current controls break?
Explore further
IAM maturity models are useful, but they often overstate control readiness when lifecycle execution remains manual. The article’s four-level framing shows the familiar path from ad hoc to optimized, yet most organisations still struggle to make provisioning, modification, and removal work consistently across all identity types. That means maturity scoring can look better than actual operational control. Practitioners should treat lifecycle execution, not policy presence, as the real maturity test.
A few things that frame the scale:
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to the 2026 Infrastructure Identity Survey.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, according to the Ultimate Guide to NHIs, which shows how slowly identity remediation still moves in practice.
A question worth separating out:
Q: What is the difference between defined IAM processes and managed IAM processes?
A: Defined IAM processes are documented and repeatable, but still largely reactive. Managed IAM processes anticipate risk, enforce controls more consistently, and use monitoring or analytics to detect drift before it becomes a breach or compliance issue. The difference is not just process maturity, but whether the programme can prevent identity problems instead of responding after the fact.
👉 Read our full editorial: IAM maturity models miss the identity shift AI agents create