TL;DR: Identity governance and administration tools often handle requests and deprovisioning, but audit still finds spreadsheet exports, weak evidence trails, and rubber-stamped reviews because control decisions are not anchored in business risk, according to SafePaaS. The gap is not provisioning volume but whether IGA behaves as an independent control layer for compliance.
NHIMG editorial — based on content published by SafePaaS: Internal Audit and CISOs rarely complain about a lack of systems
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
Questions worth separating out
Q: How should security teams make IGA evidence audit-ready?
A: Security teams should make evidence audit-ready by ensuring every approval, review, exception, and compensating control is stored in the governance layer with time stamps and policy context.
Q: Why do access reviews often fail to reduce audit findings?
A: Access reviews fail when they certify large entitlement lists without risk context.
Q: What breaks when non-human identities are left out of governance?
A: When non-human identities are left out, ownership becomes unclear, credentials stay active too long, and audit cannot verify who approved the access or why it still exists.
Practitioner guidance
- Implement process-based access policies: map high-risk entitlements to business processes such as record-to-report, procure-to-pay, and production changes so approvers can see SoD and impact context before granting access.
- Centralise audit evidence in the governance layer: require approvals, policy context, exceptions, and compensating controls to be stored and retrievable from the governance system rather than reconstructed from ERP exports and email chains.
- Segment reviews by risk and identity type: separate routine access from high-impact roles, and give service accounts, bots, and AI agents their own review criteria, owners, and expiry rules.
For audit, that means designing in retrievability, ownership, and policy traceability from the start rather than retrofitting them once the audit has begun.
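The three guidance points above amount to a set of checks an auditor can run over the governance layer's own records. The following is an added illustration, not code from SafePaaS or NHIMG: it takes constructed access grants, flags any grant whose approval evidence (approver, time stamp, policy reference, owner) is incomplete, flags non-human identities whose credentials have not been rotated within an assumed 90-day window, and flags SoD conflicts using an assumed, illustrative list of conflicting entitlements within a business process.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Illustrative SoD conflict pairs within one business process (an assumption
# for this example, not a list taken from the page or from SafePaaS).
SOD_CONFLICTS = [
    ("procure-to-pay:create-vendor", "procure-to-pay:approve-payment"),
    ("record-to-report:post-journal", "record-to-report:approve-journal"),
]
# Evidence every grant must carry in the governance layer to be audit-ready.
EVIDENCE_FIELDS = ("approved_by", "approved_at", "policy_ref", "owner")

@dataclass
class AccessGrant:
    identity: str
    identity_type: str                      # "human", "service-account", "bot" or "ai-agent"
    entitlement: str                        # "<business-process>:<action>"
    approved_by: Optional[str] = None
    approved_at: Optional[datetime] = None
    policy_ref: Optional[str] = None        # policy context captured at approval time
    owner: Optional[str] = None
    last_rotated: Optional[datetime] = None # credential rotation, non-human identities only

def audit_findings(grants, now, rotation_max=timedelta(days=90)):
    """Return sorted (identity, entitlement, finding) tuples an auditor would raise."""
    findings, held = [], {}
    for g in grants:
        missing = [f for f in EVIDENCE_FIELDS if getattr(g, f) is None]
        if missing:   # approval cannot be reconstructed from the governance layer alone
            findings.append((g.identity, g.entitlement, "missing-evidence:" + ",".join(missing)))
        stale = g.last_rotated is None or now - g.last_rotated > rotation_max
        if g.identity_type != "human" and stale:
            findings.append((g.identity, g.entitlement, "credential-not-rotated"))
        held.setdefault(g.identity, set()).add(g.entitlement)
    for identity, ents in held.items():   # SoD: one identity holding both sides of a conflict
        for a, b in SOD_CONFLICTS:
            if a in ents and b in ents:
                findings.append((identity, f"{a} + {b}", "sod-conflict"))
    return sorted(findings)

# Constructed sample data: one SoD conflict, one stale bot credential, one AI agent with no evidence.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
OK = dict(approved_by="bob", approved_at=NOW - timedelta(days=10), policy_ref="POL-17", owner="finance-lead")
SAMPLE_GRANTS = [
    AccessGrant("alice", "human", "procure-to-pay:create-vendor", **OK),
    AccessGrant("alice", "human", "procure-to-pay:approve-payment", **OK),
    AccessGrant("erp-sync-bot", "service-account", "record-to-report:post-journal", **OK,
                last_rotated=NOW - timedelta(days=200)),
    AccessGrant("report-agent", "ai-agent", "record-to-report:read-ledger"),
]
```

Running `audit_findings(SAMPLE_GRANTS, NOW)` yields four findings: alice's SoD conflict, the bot's unrotated credential, and two for the AI agent (no rotation record and no approval evidence at all).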
Explore further
IGA has become an operational layer in many enterprises, but audit needs a control layer. The distinction matters because workflow completion is not the same as governance effectiveness. If approvals, reviews, and deprovisioning do not produce independent evidence with policy context, the organisation is still reconstructing control after the fact. Practitioners should treat that as a design flaw, not an audit inconvenience.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- A separate finding in the same research shows that only 20% of organisations have formal processes for offboarding and revoking API keys, which explains why lifecycle gaps persist.
A question worth separating out:
Q: What should organisations do when IGA controls are strong but audits still fail?
A: Organisations should test whether their IGA platform is only moving work or actually controlling risk. If evidence is scattered, risk context is missing, and lifecycle ownership is informal, then the control layer is too thin. The right response is to strengthen governance, not just add more workflow steps.
Read the full editorial: Identity governance and administration still falls short for audit