Identity correlation across accounts: what IAM teams need to fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Organizations with employees spread across Azure AD, AWS IAM, Jenkins, Artifactory, and HR systems lose consistent access control when accounts cannot be reliably tied back to one person, according to Axiad. The governance problem is identity correlation, not account count, because mismatched records break visibility, lifecycle control, and entitlement decisions.

NHIMG editorial — based on content published by Axiad: Correlating identities and their users

By the numbers:

Questions worth separating out

Q: How should IAM teams handle employees who have multiple accounts across systems?

A: They should create a canonical identity record that links every account to one governed subject.

Q: Why does account federation not solve identity governance on its own?

A: Federation simplifies sign-in, but it does not eliminate local, legacy, or service accounts, and it does not guarantee that all records point to the same subject.

Q: What breaks when identity correlation is missing?

A: Access reviews become fragmented, offboarding becomes incomplete, and entitlement analysis can miss duplicate or excessive access.

Practitioner guidance

  • Map every account type to a governed subject record: create a canonical identity record that links HR, directory, cloud, build, and SaaS accounts for each employee.
  • Treat correlation exceptions as governance defects: route unmatched or low-confidence account links to identity operations for remediation before they enter certification cycles.
  • Rebuild recertification around the subject, not the application: run access review campaigns against the consolidated identity graph so reviewers can see aggregate access across platforms.

What's in the full article

Axiad's full blog post covers the operational detail this post intentionally leaves for the source:

  • The identity correlation workflow used to match avatars and account attributes across systems.
  • The method for scoring similarity between accounts when no single identifier is universal.
  • The example of Waiter Norton showing how multiple principals can map to one person.
  • The product framing around Axiad Mesh and its account-linking infrastructure.

👉 Read Axiad's analysis of identity correlation across siloed accounts →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Identity correlation is an access-governance control, not a data-quality nicety. The article’s core insight is that IAM collapses when the same employee exists as disconnected principals across cloud and enterprise systems. That creates blind spots in certification, offboarding, and privilege analysis because no control plane can govern what it cannot reliably identify. Practitioners should treat correlation as a prerequisite for enforceable identity governance.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

A question worth separating out:

Q: How do organisations know whether identity correlation is working?

A: They should test whether every active account can be linked back to one subject with high confidence and whether exceptions are quickly resolved. Good correlation shows up in cleaner certification results, fewer orphaned accounts, and more complete revocation during offboarding.

👉 Read our full editorial: Identity correlation across siloed accounts is the real IAM gap

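A toy correlation pass that puts the opening post's guidance (canonical subject record, exceptions routed for remediation, subject-centric review) and the reply's "is it working" check (every active account linked with high confidence, orphaned accounts and incomplete revocation surfaced) into runnable form. This is an added example, not Axiad's or NHIMG's code; the HR records, accounts, attribute weights and 0.5 threshold are constructed assumptions.

```python
"""Toy identity-correlation pass (added example, not Axiad's or NHIMG's code).
Links siloed accounts to one HR subject, scores link confidence, parks
low-confidence links as governance exceptions, and reviews access by subject.
Records, weights and threshold below are constructed assumptions."""
from collections import defaultdict

# Constructed: HR is the authoritative list of governed subjects.
HR = [
    {"id": "E1001", "email": "a.ng@example.com", "name": "Alice Ng", "active": True},
    {"id": "E1002", "email": "b.osei@example.com", "name": "Ben Osei", "active": False},
]
# Constructed: accounts from siloed systems; no one identifier is universal.
ACCOUNTS = [
    {"system": "azure_ad", "account": "a.ng@example.com", "email": "a.ng@example.com",
     "name": "Alice Ng", "entitlements": ["Global Reader"]},
    {"system": "aws_iam", "account": "ang", "email": None, "name": "Alice Ng",
     "entitlements": ["AdministratorAccess"]},
    {"system": "jenkins", "account": "bosei", "email": "b.osei@example.com",
     "name": "B Osei", "entitlements": ["job-admin"]},
    {"system": "artifactory", "account": "deploy-bot", "email": None, "name": None,
     "entitlements": ["repo-write"]},
]
WEIGHTS = {"email": 0.75, "name": 0.25}  # assumption: mail is the strong signal
THRESHOLD = 0.5                           # assumption: minimum link confidence

def score(account, person):
    """Weighted attribute agreement between one account and one HR subject."""
    return sum(w for k, w in WEIGHTS.items()
               if account[k] and account[k].lower() == person[k].lower())

def correlate(accounts=ACCOUNTS, hr=HR, threshold=THRESHOLD):
    """Return (graph, exceptions): graph maps HR id -> linked accounts;
    exceptions are accounts whose best candidate scores below threshold."""
    graph, exceptions = defaultdict(list), []
    for acct in accounts:
        best = max(hr, key=lambda p: score(acct, p))
        conf = score(acct, best)
        target = graph[best["id"]] if conf >= threshold else exceptions
        target.append({**acct, "confidence": conf})
    return dict(graph), exceptions

def review(graph, hr=HR):
    """Subject-centric review: aggregate entitlements per subject, plus
    accounts still linked to inactive subjects (incomplete offboarding)."""
    active = {p["id"]: p["active"] for p in hr}
    aggregate = {pid: sorted(e for a in accts for e in a["entitlements"])
                 for pid, accts in graph.items()}
    stale = [f'{a["system"]}:{a["account"]}' for pid, accts in graph.items()
             if not active[pid] for a in accts]
    return aggregate, stale
```

The AWS account matches on display name only and lands in the exception queue rather than being silently linked, while the Jenkins account stays linked to an offboarded subject and shows up as a revocation gap.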