TL;DR: Modern identity governance failures are less about missing visibility than about poor data, fragmented context, and slow action across identity systems, according to RSA Security. The implication is that governance programmes now need cleaner entitlement data, faster decisioning, and tighter lifecycle control to stay effective.
NHIMG editorial — based on content published by RSA Security: You Don’t Have an IGA Problem. You Have a Data Problem
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 5.7% of organisations have full visibility into their service accounts.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: How should security teams fix identity governance when the data is unreliable?
A: Start with the inventory layer, not the review layer.
Q: Why do access reviews often fail to reduce real risk?
A: Access reviews fail when they produce evidence but do not drive closure.
Q: What do teams get wrong about non-human identity lifecycle management?
A: They often apply human lifecycle thinking to machine credentials.
Practitioner guidance
- Rebuild the entitlement inventory from authoritative sources Map each application, cloud platform, and directory source to a single entitlement record with owner, business purpose, and system-of-record status.
- Track review-to-remediation latency as a control metric Measure how long it takes to turn a recertification decision into revocation, restriction, or re-approval.
- Assign explicit ownership to every non-human identity Require a named owner for service accounts, API keys, tokens, and certificates, plus an expiry or rotation path.
What's in the full article
RSA Security's full post covers the operational detail this post intentionally leaves for the source:
- The article's own breakdown of why identity governance fails when data quality, ownership, and actionability are weak.
- The specific RSA framing of how modern IGA programmes break across visibility, certification, and lifecycle execution.
- The product and governance context behind RSA's current IGA narrative, which is useful if you need the vendor's exact positioning.
- Additional related posts on lifecycle reviews, cloud repatriation, and governance collapse that expand the same theme.
👉 Read RSA Security's analysis of why identity governance breaks in modern environments →
Identity governance and data quality: what teams are missing?
Explore further
Identity governance is becoming a data integrity problem before it is a workflow problem. RSA Security’s framing reflects a wider shift in enterprise identity: if the entitlement graph is wrong, no amount of review cadence can restore control. Clean source data is now the prerequisite for meaningful governance, because bad ownership, stale entitlements, and missing context make every downstream decision weaker. Practitioners should treat identity data quality as a control surface, not an operational afterthought.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- A related finding shows that only 5.7% of organisations have full visibility into their service accounts, which means most governance teams are operating with an incomplete identity picture.
A question worth separating out:
Q: Who should own the cleanup after a risky entitlement is found?
A: The business or technical owner accountable for the application, workload, or data path should own cleanup. Identity teams can orchestrate the process, but they cannot substitute for accountable ownership. Without a named owner, risky access tends to remain open because nobody has authority to approve removal.
👉 Read our full editorial: Identity governance is collapsing into data quality and action