TL;DR: Identity governance and administration still breaks down where organisations rely on ad hoc processes, spreadsheets, partial automation, and weak provisioning oversight, leaving access reviews, revocation, and compliance tracking inconsistent, according to Axiad. Manual governance assumes identities stay visible and stable long enough to manage, but that assumption fails in modern enterprise environments.
NHIMG editorial — based on content published by Axiad: 5 Current Challenges of Identity Governance and Administration
Questions worth separating out
Q: What breaks when identity governance still relies on spreadsheets?
A: The review process stops being authoritative.
Q: Why do inherited access approvals create governance risk?
A: Because copied access often carries hidden excess privilege into the new account.
Q: How can security teams tell whether IGA automation is working?
A: Look for a closed loop from discovery to decision to revocation.
Practitioner guidance
- Replace spreadsheet-based governance workflows: consolidate access reviews, remediation tracking, and evidence capture into one governed workflow so reviewers act on current entitlement data rather than emailed exports.
- Validate source entitlements before copying access: block role cloning unless the source identity has already been reviewed for excess privilege and the copied set is approved against the new job function.
- Tie revocation to lifecycle events: make access removal automatic when employment, contract, or role status changes, and use stale-account reporting to catch anything the workflow misses.
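The three guidance points above (reviewing against current entitlement data, gating role cloning on a reviewed source, and driving revocation from lifecycle status with a stale-account backstop) can be modelled as one closed loop from discovery to decision to revocation. The following is an added illustration, not code from Axiad or NHIMG; the identities, job functions and approved entitlement sets are constructed, and "discovery" is represented by the inventory list passed in.

```python
from dataclasses import dataclass

@dataclass
class Identity:
    name: str
    status: str            # "active", "terminated" or "role_changed"
    job_function: str
    entitlements: set
    reviewed: bool = False  # True once an access review has been completed

# Constructed approved entitlement sets per job function (assumption).
APPROVED = {
    "analyst": {"ticketing:read", "siem:read"},
    "engineer": {"ticketing:read", "repo:write", "ci:deploy"},
}

def excess_entitlements(identity):
    """Entitlements not approved for the identity's current job function."""
    return identity.entitlements - APPROVED.get(identity.job_function, set())

def clone_decision(source, new_job_function):
    """Gate copying a source identity's access onto a new account: block if
    the source is unreviewed or the copy exceeds the new function's set."""
    if not source.reviewed:
        return ("blocked", "source identity has not been reviewed")
    excess = source.entitlements - APPROVED.get(new_job_function, set())
    if excess:
        return ("blocked", "copy would carry excess: " + ", ".join(sorted(excess)))
    return ("approved", "")

def revocation_plan(identities):
    """Lifecycle-driven decisions: terminated identities lose everything,
    role changes lose anything outside the new function's approved set."""
    plan = {}
    for ident in identities:
        if ident.status == "terminated":
            plan[ident.name] = set(ident.entitlements)
        elif ident.status == "role_changed":
            excess = excess_entitlements(ident)
            if excess:
                plan[ident.name] = excess
    return plan

def stale_accounts(plan, revoked):
    """Stale-account report: names with planned revocations that were never
    executed (revoked maps name -> entitlements actually removed)."""
    return sorted(n for n, ents in plan.items() if ents - revoked.get(n, set()))
```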
What's in the full article
Axiad's full blog covers the operational detail this post intentionally leaves for the source:
- The article's full breakdown of ad hoc, spreadsheet, and semi-automated governance patterns that create review bottlenecks
- A closer look at the provisioning oversights that let excess access propagate from one identity to another
- A practical discussion of how to build a more adaptive governance system for changing user and application access
- The vendor's framing of identity governance maturity across compliance, access visibility, and remediation
👉 Read Axiad's analysis of the current challenges in identity governance and administration →
Identity governance and administration: where the controls still fail?
Explore further
Identity governance fails first as a coordination problem, not a tooling problem. Axiad's article shows that fragmented ownership, inconsistent data, and manual handoffs are what keep IGA from becoming reliable at scale. The governance model breaks when no one system can answer who has access, why it exists, and whether it should still be there. Practitioners should treat cross-system coordination as the primary control gap, not a reporting inconvenience.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly one identity failure can cascade into repeated exposure.
A question worth separating out:
Q: Who is accountable when stale accounts remain active after role changes?
A: Accountability sits with the identity governance owner, the business approver, and the system owner that failed to enforce lifecycle offboarding. In practice, frameworks expect shared responsibility, but the control failure is usually the absence of a clear revocation owner.
👉 Read our full editorial: Identity governance still breaks on manual access decisions