TL;DR: Legacy IAM approaches built around static roles, periodic certifications, and manual ticketing no longer match SaaS-heavy environments, where access spans employees, contractors, vendors, bots, and service accounts, according to Zluri. The real shift is from point-in-time administration to continuous governance that can see, review, and revoke access before audits force the issue.
NHIMG editorial — based on content published by Zluri: Access Management IAM Modernization: Move From Manual Chaos to Governance
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
Questions worth separating out
Q: How should security teams modernise IAM without replacing everything at once?
A: Start with one high-friction workflow, usually offboarding or contractor access, and make that flow lifecycle-driven and measurable.
Q: Why do SaaS environments expose weaknesses in legacy IAM models?
A: SaaS environments multiply the number of systems where access can exist, while legacy IAM often only governs the core directory and a few standard apps.
Q: What breaks when service accounts are treated like low-priority identities?
A: Service accounts become unmanaged access paths when they lack clear ownership, expiry, and review.
Practitioner guidance
- Map the real identity estate: Inventory employees, contractors, vendors, bots, service accounts, and the SaaS apps they actually touch.
- Automate joiner-mover-leaver flows: Prioritise provisioning and deprovisioning for the identities that change most often, then remove manual ticket handoffs where they delay revocation.
- Redesign access reviews around usage: Limit certifications to risky, dormant, or business-critical access and require reviewers to see last-use context before approving.
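As an added illustration of the three guidance points above (this is example code written for this post, not Zluri's or NHIMG's), the Python below models a usage-driven review queue over a constructed inventory: every grant carries owner, expiry and last-use fields, only grants that are dormant, privileged, business-critical, ownerless, open-ended (for service accounts and bots) or expired reach a reviewer, each with last-use context attached, and expired grants bypass the ticket queue entirely. The field names, the 90-day dormancy threshold and the sample grants are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Grant:
    """One access grant in the identity inventory. Field names are assumptions for this example."""
    identity: str
    identity_type: str           # employee | contractor | vendor | bot | service_account
    app: str                     # the SaaS app or system the grant applies to
    privilege: str               # "admin" or "user"
    owner: Optional[str]         # accountable person or team; None if nobody is on record
    expires: Optional[date]      # hard end date of the grant; None if open-ended
    last_used: Optional[date]    # last authenticated use; None if never observed
    business_critical: bool = False


DORMANT_AFTER = timedelta(days=90)   # assumed dormancy threshold


def review_reasons(g: Grant, today: date, dormant_after: timedelta = DORMANT_AFTER) -> List[str]:
    """Return why this grant needs a certification decision; an empty list means skip it."""
    reasons = []
    if g.last_used is None or today - g.last_used > dormant_after:
        reasons.append("dormant")
    if g.privilege == "admin":
        reasons.append("privileged")
    if g.business_critical:
        reasons.append("business-critical")
    if g.identity_type in ("service_account", "bot"):
        # Non-human identities without an owner or an expiry are unmanaged access paths
        if g.owner is None:
            reasons.append("no-owner")
        if g.expires is None:
            reasons.append("no-expiry")
    if g.expires is not None and g.expires < today:
        reasons.append("expired")
    return reasons


def build_review_queue(grants: List[Grant], today: date) -> List[Tuple[Grant, List[str], str]]:
    """Keep only grants with at least one reason, paired with the last-use context a reviewer must see."""
    queue = []
    for g in grants:
        reasons = review_reasons(g, today)
        if reasons:
            context = ("never used" if g.last_used is None
                       else f"last used {(today - g.last_used).days} days ago")
            queue.append((g, reasons, context))
    return queue


def auto_revoke(queue: List[Tuple[Grant, List[str], str]]) -> List[str]:
    """Expired grants need no human decision: return their identities for immediate revocation."""
    return [g.identity for g, reasons, _ in queue if "expired" in reasons]


# Constructed sample data, not taken from any real environment
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_GRANTS = [
    Grant("alice", "employee", "crm", "user", "hr", None, date(2024, 5, 28)),
    Grant("bob", "contractor", "github", "admin", "eng-lead", date(2024, 5, 15), date(2024, 5, 20)),
    Grant("svc-backup", "service_account", "object-store", "admin", None, None, date(2024, 1, 10)),
    Grant("bot-ci", "bot", "github", "user", "platform", date(2024, 12, 31), date(2024, 5, 30)),
    Grant("carol", "employee", "payroll", "user", "finance", None, date(2024, 2, 1), business_critical=True),
]


def run_sample():
    """Run the sample inventory; returns {identity: reasons} for the queue and the auto-revoke list."""
    queue = build_review_queue(SAMPLE_GRANTS, SAMPLE_TODAY)
    return {g.identity: reasons for g, reasons, _ in queue}, auto_revoke(queue)


if __name__ == "__main__":
    for g, reasons, context in build_review_queue(SAMPLE_GRANTS, SAMPLE_TODAY):
        print(f"{g.identity:12} {g.app:13} {', '.join(reasons):40} {context}")
    print("auto-revoke:", auto_revoke(build_review_queue(SAMPLE_GRANTS, SAMPLE_TODAY)))
```

Two of the five sample grants never reach a reviewer at all, which is the point of limiting certifications to risky, dormant or business-critical access; the contractor's expired admin grant is revoked without a ticket, and the ownerless, never-expiring service account surfaces with the full set of reasons a reviewer needs to decide.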
What's in the full article
Zluri's full guide covers the operational detail this post intentionally leaves for the source:
- Step-by-step IAM modernisation sequence for teams moving from manual tickets to governed lifecycle workflows
- Practical access-review patterns for SaaS, contractors, and service accounts that need implementation detail
- Guidance on choosing an IAM platform that can support JML, usage visibility, and non-human identities
- Measurement ideas for showing whether modernisation is reducing access friction and audit effort
Read Zluri's guide on IAM modernisation and access governance.