TL;DR: Legacy IGA models were built to prove that access was reviewed, not to determine whether it still makes sense in real time; as estates exceed 100 applications and service accounts outnumber humans, continuous access intelligence becomes the meaningful control, according to Abnormal AI. The old evidence-first model no longer matches how lateral movers, permission drift, and blended governance-posture programmes actually create risk.
NHIMG editorial — based on content published by Abnormal AI: Identity governance is shifting from audit evidence to live control
Questions worth separating out
Q: How should security teams move from access reviews to continuous identity governance?
A: Start by measuring effective permissions rather than only confirmed approvals.
Q: Why do movers create more identity governance risk than joiners and leavers?
A: Movers accumulate permissions across roles, teams, and inherited groups, while joiners and leavers usually follow clearer lifecycle checkpoints.
Q: What breaks when access reviews are not tied to remediation?
A: They become evidence for auditors rather than a control that reduces risk.
Practitioner guidance
- Map governance to effective access, not just approved access Track whether permissions are actually in use, how they compare to peer cohorts, and whether they changed since the last review.
- Prioritise movers in lifecycle control design Trigger re-evaluation when role, team, application ownership, or group membership changes.
- Extend governance coverage to service accounts and other non-human identities Assign ownership, review cadence, and remediation paths for machine identities that sit outside traditional HR-driven lifecycle workflows.
What's in the full article
Abnormal AI's full analysis covers the operational detail this post intentionally leaves for the source:
- How the vendor frames the shift from quarterly certification to continuous access intelligence in practice
- Examples of the specific access signals it associates with movers, drift, and over-privileged accounts
- The operational context behind its view of identity governance and posture as one continuous programme
- Additional commentary on why the market now treats identity governance as a live control problem
👉 Read Abnormal AI's analysis of identity governance shifting to continuous access intelligence →
Identity governance and posture convergence: what teams need to change?
Explore further
Evidence-first IGA was designed for audit proof, not control fidelity. The old model could answer whether a review happened, but it was never designed to answer whether the access was still justified. That assumption held in smaller estates with clearer role boundaries, but it collapses once permission drift becomes the dominant risk signal. The implication is that governance programmes built only around attestations are structurally incomplete.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, according to the same Astrix Security & CSA report.
A question worth separating out:
Q: Who should own identity posture when human and machine identities are both in scope?
A: Ownership should sit with the programme that can see and act on the effective access state across both classes of identity. Human IAM, NHI governance, and security operations need a shared remediation model, otherwise machine identities stay outside the review cycle and risk persists.
👉 Read our full editorial: Identity governance is shifting from audit evidence to live control