TL;DR: Identity governance fails when organisations rely on ad hoc processes, spreadsheets, and partial automation that cannot keep pace with access changes, according to Axiad. Manual remediation, weak provisioning oversight, and poor cross-system coordination leave users over-privileged and make compliance harder to sustain.
NHIMG editorial — based on content published by Axiad: 5 Current Challenges of Identity Governance and Administration
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: What breaks when identity governance relies on spreadsheets and email approvals?
A: Access decisions lose traceability, version control, and reliable ownership.
Q: Why do inherited permissions create so much identity risk?
A: They transfer trust from one identity to another without proving that the new subject needs the same access, so a cloned account or reused role template carries forward grants that nobody re-approved for the new role.
Q: How can security teams tell whether identity governance is working?
A: Look for evidence that approvals, recertifications, and removals are happening through a single authoritative process with clear owners and timestamps.
Practitioner guidance
- Replace ad hoc tracking with system-owned governance workflows: move access approvals, recertifications, and removals into authoritative identity workflows so the source of truth is the same place decisions are made and evidenced.
- Review privilege inheritance at onboarding: audit clone-based account creation, role templates, and delegated approvals to find where excess permissions are being passed forward by default.
- Tighten offboarding and account closure checks: verify that leaver, contractor-end, and role-change processes actually disable access, revoke linked permissions, and close dormant accounts across connected systems.
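The three checks above, and the "single authoritative process with clear owners and timestamps" test from the Q&A, reduce to one reconciliation pass: join the HR system of record against each connected system's account inventory and emit a finding for every account that a recertification would have to act on. The script below is an added example written for this post, not code from Axiad or NHIMG; the HR roster, role templates, account list, one-day leaver grace period and 90-day dormancy threshold are all constructed assumptions.

```python
"""Offboarding and inheritance reconciliation over constructed sample data.

Joins an HR roster against per-system account inventories and emits the
findings a recertification would need to act on: leavers whose accounts are
still enabled, dormant accounts, accounts carrying permissions beyond their
role template (the usual signature of clone-based provisioning), and
accounts with no HR owner at all (typically non-human identities).
"""
from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2024, 7, 1)  # fixed so the run is reproducible

# Constructed sample data (assumption); not taken from the article.
# user_id -> (hr_status, role, end_date)
HR_ROSTER = {
    "u001": ("active", "engineer", None),
    "u002": ("terminated", "engineer", date(2024, 5, 10)),
    "u003": ("active", "finance_analyst", None),
    "u004": ("contractor_ended", "contractor", date(2024, 6, 1)),
}

# Role templates are treated as the only sanctioned source of permissions.
ROLE_TEMPLATES = {
    "engineer": {"git:read", "git:write", "ci:run"},
    "finance_analyst": {"erp:read", "erp:post_journal"},
    "contractor": {"git:read"},
}

# (system, user_id, enabled, last_login, granted permissions)
ACCOUNTS = [
    # u001 was cloned from a senior engineer's account and kept ci:admin
    ("github", "u001", True, date(2024, 6, 20), {"git:read", "git:write", "ci:run", "ci:admin"}),
    # u002 left on 2024-05-10 but the GitHub account is still enabled
    ("github", "u002", True, date(2024, 5, 9), {"git:read", "git:write", "ci:run"}),
    # u003 is active in HR but has not used the ERP in six months
    ("erp", "u003", True, date(2024, 1, 3), {"erp:read", "erp:post_journal"}),
    # u004's GitHub access was disabled correctly at contract end...
    ("github", "u004", False, date(2024, 5, 30), {"git:read"}),
    # ...but the ERP account was never closed
    ("erp", "u004", True, date(2024, 5, 28), {"erp:read"}),
    # service account with no HR owner record
    ("ci", "svc-deploy", True, date(2024, 6, 30), {"ci:run", "ci:admin"}),
]


@dataclass(frozen=True)
class Finding:
    kind: str      # leaver_active | dormant | excess_permission | orphan
    system: str
    user_id: str
    detail: str


def reconcile(roster, templates, accounts, today, leaver_grace_days=1, dormant_days=90):
    """Return the list of findings for one reconciliation pass."""
    grace = timedelta(days=leaver_grace_days)
    dormant = timedelta(days=dormant_days)
    findings = []
    for system, uid, enabled, last_login, perms in accounts:
        hr = roster.get(uid)
        if hr is None:
            # No owner in the system of record: nobody can recertify this account.
            findings.append(Finding("orphan", system, uid, "no HR owner record"))
            continue
        status, role, end_date = hr
        if status != "active":
            # Leaver: the only acceptable state is disabled. Dormancy and excess
            # checks are skipped because closure is the remediation either way.
            overdue = end_date is None or today - end_date > grace
            if enabled and overdue:
                findings.append(Finding("leaver_active", system, uid,
                                        f"hr_status={status} end_date={end_date}"))
            continue
        if enabled and today - last_login > dormant:
            findings.append(Finding("dormant", system, uid, f"last_login={last_login}"))
        excess = perms - templates.get(role, set())
        if excess:
            # Grants the role template never made: inherited, not approved.
            findings.append(Finding("excess_permission", system, uid,
                                    f"role={role} excess={sorted(excess)}"))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. for a recertification dashboard."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def run_sample():
    return reconcile(HR_ROSTER, ROLE_TEMPLATES, ACCOUNTS, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:18} {f.system:8} {f.user_id:10} {f.detail}")
    print(summarize(run_sample()))
```

On the sample data the pass flags two leaver accounts still enabled (u002 on GitHub, u004 in the ERP even though u004's GitHub account was closed correctly), one dormant ERP account, the ci:admin grant u001 inherited from a cloned account, and the svc-deploy service account that has no owner in HR. The design choice worth copying is that every finding names the system, the subject and the evidence, so each one can be routed to a concrete identity or application owner rather than to a spreadsheet.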
What's in the full article
Axiad's full blog covers the operational detail this post intentionally leaves for the source:
- How the vendor maps specific identity governance failure modes to practical remediation steps across access review and provisioning.
- Examples of how organisations can centralise governance without relying on ad hoc spreadsheets and manual reconciliation.
- The article's own recommended approach for improving coordination between business units, approvals, and identity data.
- The vendor's framing of adaptive governance as a response to changing access conditions across environments.
👉 Read Axiad's blog on current identity governance and administration challenges →
Identity governance and administration: where are teams still stuck?
Manual identity governance is a control failure, not just an efficiency problem. When access decisions move into spreadsheets and email chains, accountability becomes fragmented and revocation becomes uncertain. That is not a tooling inconvenience; it is a governance collapse that weakens evidence, ownership, and auditability across the identity lifecycle. Practitioners should treat manual governance as an exposed control plane, not an acceptable fallback.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable when access is left active after a role change or departure?
A: Accountability should sit with the identity owner, the application owner, and the business approver chain that failed to remove or revalidate access. Governance frameworks such as NIST Cybersecurity Framework 2.0 and internal access review processes assume responsibility is explicit. If it is not, risk persists after the person leaves.
👉 Read our full editorial: Identity governance still breaks down under manual access control