TL;DR: Fragmented identity tooling creates blind spots, weak audit evidence, and delayed incident response because access data, approvals, and logs live in separate systems, according to Cerbos’s discussion with 1Kosmos advisor Giao Nguyen. Continuous governance matters because IAM maturity is no longer about how many tools you have, but whether you can prove and enforce access decisions in real time.
NHIMG editorial — based on content published by Cerbos: Continuous governance for fragmented IAM and visibility blind spots
By the numbers:
- 84% of companies suffered an identity-related breach in 2021.
Questions worth separating out
Q: How should security teams reduce IAM sprawl without disrupting operations?
A: Start by inventorying every system that stores identity data, approvals, or entitlements, then identify which source is authoritative for each decision.
Q: Why do fragmented identity systems create audit and security risk?
A: Fragmented systems break the chain between access, approval, and evidence.
Q: What do organisations get wrong about access reviews?
A: They often treat access reviews as proof of control maturity, when they are really only snapshots.
Practitioner guidance
- Inventory every identity system and approval source: map where identity data lives, which system is authoritative for each attribute, and where approvals are recorded.
- Create a single traceable record for access changes: tie every privileged change to an approval, ticket, policy reference, and timestamp so auditors and responders can reconstruct who changed what and why without manual spreadsheet work.
- Shift high-risk access into continuous monitoring: start with production systems, finance data, and privileged admin roles, then add automated alerts for dormant accounts, unusual role grants, and policy violations across those domains.
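The three guidance points above describe one workflow: join the access-change log with the approval source, keep a single record per change, and run continuous checks over it. The following is an added illustration of that workflow, not code from Cerbos, 1Kosmos or the NHIMG post; the event fields (`ticket`, `approver`, `policy`), the role names and all sample data are constructed for the example, and a real deployment would read them from the IdP, PAM and ticketing exports instead.

```python
"""Reconcile privileged access changes against approval records and flag
dormant accounts. Added example; field names and sample data are constructed."""
from datetime import datetime, timedelta

# Constructed sample: access-change events as an IdP or PAM tool might export them.
ACCESS_CHANGES = [
    {"id": "chg-1", "actor": "alice", "target": "svc-deploy", "role": "prod-admin",
     "ticket": "CHG-1042", "ts": "2024-05-01T09:00:00"},
    # Granted with no ticket reference at all: the approval chain is broken.
    {"id": "chg-2", "actor": "bob", "target": "bob", "role": "finance-read",
     "ticket": None, "ts": "2024-05-02T14:30:00"},
    # Ticket exists, but the approver is the person receiving the role.
    {"id": "chg-3", "actor": "carol", "target": "dave", "role": "prod-admin",
     "ticket": "CHG-1050", "ts": "2024-05-03T08:15:00"},
]

# Constructed sample: approvals living in a separate ticketing system.
APPROVALS = {
    "CHG-1042": {"approver": "secops-lead", "policy": "POL-PROD-ADMIN",
                 "ts": "2024-04-30T16:00:00"},
    "CHG-1050": {"approver": "dave", "policy": "POL-PROD-ADMIN",
                 "ts": "2024-05-03T08:10:00"},
}

# Constructed sample: last successful sign-in per account, from the IdP.
LAST_LOGIN = {
    "svc-deploy": "2024-01-15T00:00:00",
    "bob": "2024-05-02T14:00:00",
    "dave": "2024-05-03T09:00:00",
}

# Roles the guidance treats as high-risk and moves into continuous monitoring first.
HIGH_RISK_ROLES = {"prod-admin", "finance-read"}


def parse(ts):
    return datetime.fromisoformat(ts)


def reconcile(changes, approvals):
    """Build one traceable record per change (who, what, why, when, approved by
    whom under which policy) and return the list of chain-of-evidence gaps."""
    records, findings = [], []
    for change in changes:
        approval = approvals.get(change["ticket"]) if change["ticket"] else None
        record = dict(change)
        record["high_risk"] = change["role"] in HIGH_RISK_ROLES
        record["approver"] = approval["approver"] if approval else None
        record["policy"] = approval["policy"] if approval else None
        record["approved_at"] = approval["ts"] if approval else None
        records.append(record)

        if approval is None:
            findings.append((change["id"], "no approval record"))
            continue
        # Approval recorded after the grant means the change preceded its authorization.
        if parse(approval["ts"]) > parse(change["ts"]):
            findings.append((change["id"], "approval postdates change"))
        # The grantee approving their own access defeats separation of duties.
        if approval["approver"] == change["target"]:
            findings.append((change["id"], "self-approval"))
    return records, findings


def dormant_accounts(last_login, now, days=90):
    """Accounts with no sign-in inside the dormancy window, sorted for stable output."""
    cutoff = now - timedelta(days=days)
    return sorted(acct for acct, ts in last_login.items() if parse(ts) < cutoff)


if __name__ == "__main__":
    recs, gaps = reconcile(ACCESS_CHANGES, APPROVALS)
    for rec in recs:
        print(rec)
    print("gaps:", gaps)
    print("dormant:", dormant_accounts(LAST_LOGIN, parse("2024-05-04T00:00:00")))
```

Each record in `recs` is the single traceable entry the guidance asks for; the `findings` list is what a continuous check would raise as alerts rather than wait for a quarterly review to notice.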
What's in the full article
Cerbos's full blog covers the operational detail this post intentionally leaves for the source:
- The specific continuous governance workflow discussed by Cerbos and 1Kosmos advisor Giao Nguyen for turning audits into routine operations.
- The policy-as-code and unified authorization pattern Cerbos describes for enforcing access decisions consistently across environments.
- The practical examples of traceability, logging, and review automation that support an always audit-ready operating model.
- The continuation of the series, including how privilege creep builds on the governance gaps described here.
Read Cerbos's blog on continuous governance for fragmented IAM.
IAM sprawl and visibility gaps: what continuous governance fixes?