TL;DR: Identity governance is most exposed where permissions, roles, and identities change faster than review cycles can keep up, and Soffid’s analysis argues automation and standardisation are needed to maintain compliance, reduce over-privilege, and prevent unauthorised access across hybrid estates. The governance problem is not missing controls but stale controls that cannot track thousands of moving identities.
NHIMG editorial — based on content published by Soffid: Identity Governance (IGA): real risks and how to manage them easily and automatically
Questions worth separating out
Q: How should security teams govern access changes across hybrid identity environments?
A: They should treat provisioning, review, and revocation as one lifecycle control loop rather than separate tasks.
Q: Why do access reviews fail when identities change frequently?
A: Access reviews fail when the review cycle is slower than the rate of role and entitlement change.
Q: What breaks when identity governance is handled manually at scale?
A: Manual governance breaks because account creation, modification, and revocation cannot keep pace with thousands of identities across multiple environments.
Practitioner guidance
- Map access to lifecycle ownership Assign a named owner for every account, role, and entitlement so provisioning, review, and revocation have a single accountable control point across on-premise and cloud systems.
- Automate joiner-mover-leaver workflows Use standard workflows to create, modify, and delete identities and permissions so access changes happen with business events instead of ad hoc tickets.
- Align recertification with entitlement drift Shorten review cycles for high-risk roles and ensure re-provisioning, removal, and approval evidence are captured in the same governance record.
What's in the full article
Soffid's full post covers the operational detail this post intentionally leaves for the source:
- Automation logic for account creation, modification, and deletion across identity estates.
- How role-based access policy is mapped to tasks and functions inside the platform.
- The article’s own view of lifecycle maturity and operational efficiency gains.
- Examples of how the vendor positions identity governance in relation to compliance requirements.
👉 Read Soffid's analysis of identity governance risks and lifecycle automation →
Identity governance and dynamic access change: are controls keeping up?
Explore further
Identity governance breaks first at the point where review cycles lag identity change. The problem in modern IAM is rarely an absence of policy, but a mismatch between how fast entitlements change and how slowly they are certified. That mismatch is what creates stale access, audit noise, and hidden privilege paths. Practitioners should treat review cadence as a control boundary, not a compliance routine.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, including 46% confirmed and 26% suspected.
A question worth separating out:
Q: Who is accountable when access remains active after a role or relationship ends?
A: Accountability sits with the business owner and the identity governance process that failed to revoke access on time. In practice, auditors will look for evidence that lifecycle ownership, approval, and deprovisioning were defined and executed. If they were not, the organisation inherits the risk and the compliance finding.
👉 Read our full editorial: Identity governance is failing where dynamic access changes fastest