Identity governance and data quality: what teams are missing


(@nhi-mgmt-group)

TL;DR: Modern identity governance failures are less about missing visibility than about poor data, fragmented context, and slow action across identity systems, according to RSA Security. The implication is that governance programmes now need cleaner entitlement data, faster decisioning, and tighter lifecycle control to stay effective.

NHIMG editorial — based on content published by RSA Security: You Don’t Have an IGA Problem. You Have a Data Problem

By the numbers:

Questions worth separating out

Q: How should security teams fix identity governance when the data is unreliable?

A: Start with the inventory layer, not the review layer.

Q: Why do access reviews often fail to reduce real risk?

A: Access reviews fail when they produce evidence but do not drive closure.

Q: What do teams get wrong about non-human identity lifecycle management?

A: They often apply human lifecycle thinking to machine credentials.

Practitioner guidance

  • Rebuild the entitlement inventory from authoritative sources. Map each application, cloud platform, and directory source to a single entitlement record with owner, business purpose, and system-of-record status.
  • Track review-to-remediation latency as a control metric. Measure how long it takes to turn a recertification decision into revocation, restriction, or re-approval.
  • Assign explicit ownership to every non-human identity. Require a named owner for service accounts, API keys, tokens, and certificates, plus an expiry or rotation path.

What's in the full article

RSA Security's full post covers the operational detail this post intentionally leaves for the source:

  • The article's own breakdown of why identity governance fails when data quality, ownership, and actionability are weak.
  • The specific RSA framing of how modern IGA programmes break across visibility, certification, and lifecycle execution.
  • The product and governance context behind RSA's current IGA narrative, which is useful if you need the vendor's exact positioning.
  • Additional related posts on lifecycle reviews, cloud repatriation, and governance collapse that expand the same theme.

👉 Read RSA Security's analysis of why identity governance breaks in modern environments →
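The practitioner guidance above, sketched as an added example that is not part of the original post or of RSA Security's article: it flags non-human identities with no owner or expiry and measures review-to-remediation latency. The record fields, sample data, and 7-day SLA are assumptions constructed for illustration, not any IGA product's schema.

```python
from datetime import date
from statistics import median

# Constructed sample inventory; field names are assumptions.
ENTITLEMENTS = [
    {"id": "svc-backup", "type": "service_account", "owner": "alice", "expires": "2025-09-01"},
    {"id": "key-ci", "type": "api_key", "owner": None, "expires": None},
    {"id": "cert-gw", "type": "certificate", "owner": "bob", "expires": None},
    {"id": "jdoe-admin", "type": "human", "owner": "jdoe", "expires": None},
]
# Constructed review outcomes: when the decision was made vs. when it was enforced.
REVIEWS = [
    {"id": "svc-backup", "decision": "revoke", "decided": "2025-03-01", "enforced": "2025-03-03"},
    {"id": "key-ci", "decision": "revoke", "decided": "2025-03-01", "enforced": None},
    {"id": "jdoe-admin", "decision": "restrict", "decided": "2025-03-02", "enforced": "2025-03-20"},
]
NHI_TYPES = {"service_account", "api_key", "token", "certificate"}

def nhi_gaps(entitlements):
    """Map each non-human identity to the governance fields it is missing."""
    gaps = {}
    for e in entitlements:
        if e["type"] not in NHI_TYPES:
            continue  # human accounts follow a different lifecycle
        missing = [f for f in ("owner", "expires") if not e.get(f)]
        if missing:
            gaps[e["id"]] = missing
    return gaps

def remediation_latency(reviews, as_of, sla_days=7):
    """Days from decision to enforcement; open decisions age against as_of."""
    today = date.fromisoformat(as_of)
    closed, breaches = [], []
    for r in reviews:
        decided = date.fromisoformat(r["decided"])
        end = date.fromisoformat(r["enforced"]) if r["enforced"] else today
        days = (end - decided).days
        if r["enforced"]:
            closed.append(days)
        if days > sla_days:  # evidence produced, but closure late or still missing
            breaches.append((r["id"], days, "closed" if r["enforced"] else "open"))
    return {"median_closed_days": median(closed) if closed else None,
            "breaches": breaches}

if __name__ == "__main__":
    print(nhi_gaps(ENTITLEMENTS))
    print(remediation_latency(REVIEWS, as_of="2025-03-15"))
```

Open decisions are counted against the SLA rather than skipped, so a revocation that was approved but never enforced shows up as a breach instead of disappearing from the metric.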
