TL;DR: Organisations often cannot reliably tie Azure AD, AWS, Jenkins, and other accounts back to one employee, which creates access-control gaps and operational blind spots when accounts drift out of sync, according to Axiad. Identity correlation becomes a governance problem, not just a directory problem.
NHIMG editorial — based on content published by Axiad: Risk correlating identities and their users
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
Questions worth separating out
Q: How should IAM teams correlate employee identities across multiple systems?
A: Start with a common identity model that maps each employee to all known account records. Record each platform's own stable principal ID as the key for that account (it is stable within the platform but says nothing about ownership), then compare cross-system attributes such as email addresses and platform-specific usernames to infer which employee the account belongs to.
Q: Why do federated login and single sign-on not eliminate identity sprawl?
A: Federation simplifies authentication, but it does not remove local accounts, service-specific identities, or downstream application records.
Q: What breaks when employee accounts are not linked across platforms?
A: Access reviews, offboarding, and privilege cleanup all become partial because teams cannot tell which accounts belong to the same person.
Practitioner guidance
- Inventory all account-bearing systems: Build a list of every platform that issues user accounts, including cloud consoles, CI/CD tools, ticketing systems, and internal apps.
- Link correlation outputs to JML workflows: Feed matched identities into joiner-mover-leaver processes so that onboarding, role change, and leaver actions update every related account record, not only the primary directory entry.
- Require reviewer validation for high-risk matches: Set a human verification step for accounts with overlapping attributes but ambiguous ownership, especially where privileged access or finance-adjacent systems are involved.
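The matching and review-routing logic described in the Q&A above and in the guidance list, as an added example. This is not Axiad's Identity Correlation Service or its data model; it is a small correlation pass written for this post. The HR list, the Azure AD, AWS and Jenkins records, and the `first.last@` email convention used to derive username variants are all constructed assumptions; real inputs would come from each platform's directory export or API.

```python
"""Correlate account records from several platforms back to HR employee
records and route uncertain matches to a reviewer. Added example with
constructed data; not Axiad's code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    system: str              # platform that issued the account, e.g. "azuread"
    principal_id: str        # that platform's own stable identifier
    username: str            # platform-specific login name
    email: Optional[str]     # often missing on service accounts
    privileged: bool = False


@dataclass
class Link:
    account: Account
    employee_id: Optional[str]   # None when no owner could be inferred
    confidence: str              # "high", "medium", "ambiguous" or "none"
    needs_review: bool = False


def norm_email(email: Optional[str]) -> Optional[str]:
    return email.strip().lower() if email else None


def norm_user(username: str) -> str:
    # "JDoe@corp.example" and "jdoe" normalise to the same key
    return username.strip().lower().split("@")[0]


def username_variants(email: str) -> Set[str]:
    """Login names commonly derived from a first.last@ corporate address
    (assumed convention; adjust to the organisation's real naming rules)."""
    local = norm_user(email)
    variants = {local, local.replace(".", "")}
    if "." in local:
        first, last = local.split(".", 1)
        variants.add(first[0] + last)   # jdoe
        variants.add(first + last[0])   # janed
    return variants


def correlate(employees: Dict[str, str], accounts: List[Account]) -> List[Link]:
    """employees maps employee_id -> corporate email; HR is authoritative."""
    by_email = {norm_email(e): eid for eid, e in employees.items()}
    by_username: Dict[str, Set[str]] = defaultdict(set)
    for eid, email in employees.items():
        for variant in username_variants(email):
            by_username[variant].add(eid)

    links = []
    for acct in accounts:
        owner = by_email.get(norm_email(acct.email))
        if owner:
            # exact email match: strong evidence, no review needed
            links.append(Link(acct, owner, "high"))
            continue
        candidates = by_username.get(norm_user(acct.username), set())
        if len(candidates) == 1:
            # inferred from naming convention only; review if privileged
            links.append(Link(acct, next(iter(candidates)), "medium",
                              needs_review=acct.privileged))
        elif candidates:
            # same username could belong to several people
            links.append(Link(acct, None, "ambiguous", needs_review=True))
        else:
            # orphan: no employee found; privileged orphans go to review
            links.append(Link(acct, None, "none", needs_review=acct.privileged))
    return links


def accounts_for(links: List[Link], employee_id: str) -> List[Tuple[str, str]]:
    return sorted((l.account.system, l.account.principal_id)
                  for l in links if l.employee_id == employee_id)


def review_queue(links: List[Link]) -> List[Tuple[str, str, str]]:
    return [(l.account.system, l.account.principal_id, l.confidence)
            for l in links if l.needs_review]


# Constructed sample data: two employees share a local part across domains.
EMPLOYEES = {
    "E1001": "Jane.Doe@corp.example",
    "E1002": "sam.lee@corp.example",
    "E1003": "sam.lee@contractor.example",
}
ACCOUNTS = [
    Account("azuread", "8f1c0a2e-0000-4000-8000-000000000001",
            "jane.doe@corp.example", "jane.doe@corp.example"),
    Account("aws", "AIDAEXAMPLE01", "jdoe", None, privileged=True),
    Account("jenkins", "jenkins:jdoe", "jdoe", "Jane.Doe@corp.example"),
    Account("aws", "AIDAEXAMPLE02", "slee", None, privileged=True),
    Account("aws", "AIDAEXAMPLE03", "ci-deploy-bot", None, privileged=True),
]

if __name__ == "__main__":
    result = correlate(EMPLOYEES, ACCOUNTS)
    print("E1001 accounts:", accounts_for(result, "E1001"))
    print("review queue:", review_queue(result))
```

Three accounts resolve to E1001 through two different signals (email on Azure AD and Jenkins, username convention on AWS); the AWS `slee` login matches two employees and is held for a reviewer rather than guessed, and the `ci-deploy-bot` user surfaces as a privileged orphan. Feeding `accounts_for()` into the leaver step is what closes the gap the article describes: a leaver action that only touches the directory entry would leave the AWS and Jenkins records untouched.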
What's in the full article
Axiad's full blog covers the operational detail this post intentionally leaves for the source:
- How the Identity Correlation Service compares avatar attributes to infer likely account ownership.
- The example showing three different accounts tied to the same employee identity.
- The product framing around centralized analysis of employee accounts across multiple platforms.
👉 Read Axiad's analysis of correlating employee identities across account silos →
Identity correlation across silos: what IAM teams need to know
Explore further
Identity correlation is a governance prerequisite, not a data enrichment exercise. The article describes a common enterprise condition where one employee is represented by several account records across cloud, CI/CD, and application platforms. That fragmentation is more than an inconvenience: it breaks the organisation's ability to assert ownership over access. When the authoritative identity is missing, every downstream governance process starts from an incomplete state. The implication is that identity programmes must treat correlation as foundational control plumbing, not as a reporting feature.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who is accountable when an employee retains access in one system after leaving another?
A: Accountability sits with the identity governance process, not with a single platform owner, because the organisation failed to maintain a unified view of account ownership. HR, IAM, and application teams all need a shared source of truth for identity state. Without it, leaver actions can complete in one system while access persists elsewhere.
👉 Read our full editorial: Correlating employee identities across account silos reduces IAM risk