
Identity governance and privacy compliance: are your controls enough?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Identity governance is presented as the control layer that keeps access aligned with privacy obligations such as GDPR and CCPA, especially when manual reviews, role drift, and offboarding gaps make spreadsheets and ad hoc checks unreliable, according to SecurEnds. The real issue is not login control but proving and sustaining least-privilege decisions across changing roles, sensitive data, and audit expectations.

NHIMG editorial — based on content published by SecurEnds: Identity Governance and Privacy Compliance

Questions worth separating out

Q: How should security teams implement identity governance for privacy compliance?

A: Start by linking access decisions to business purpose, sensitivity of the data, and lifecycle events such as role change or termination.

Q: Why do manual access reviews often fail privacy and compliance audits?

A: Manual reviews fail because they are slow, inconsistent, and easy to document after the fact without proving timely revocation.

Q: What breaks when access is not removed after role changes or offboarding?

A: Stale entitlements remain active, which means a former employee, contractor, or moved worker can still reach data they no longer need.

Practitioner guidance

  • Separate authentication from governance evidence. Document which controls prove that access to personal data is still justified after login.
  • Tighten roles around data minimisation. Audit broad job-based roles for unnecessary access to personal or regulated data.
  • Automate lifecycle revocation for leavers and movers. Link joiner-mover-leaver workflows to entitlement removal so access changes happen when employment status or job function changes.

What's in the full article

SecurEnds' full article covers the operational detail this post intentionally leaves for the source:

  • Practical examples of how its IGA workflows automate DSAR handling and access removal.
  • Details on role-based access configuration across cloud and on-prem environments.
  • Examples of how policy changes are applied when employees move, leave, or change responsibilities.

👉 Read SecurEnds' analysis of identity governance and privacy compliance →




   
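The practitioner guidance in the post above (governance evidence separate from login, roles tightened to the data a job needs, revocation tied to joiner-mover-leaver events) can be turned into concrete checks. The Python below is an added example written for this thread; it is not code from the NHIMG post or from SecurEnds. It reconciles an HR roster against an entitlement inventory and emits findings a reviewer could hand to an auditor: leavers with live access, movers holding grants outside their new role's baseline, revocations that missed the SLA, grants with no recent certification, and grants with no HR record at all. The roster, entitlements, role baselines, one-day revocation SLA and 90-day review interval are all constructed assumptions.

```python
"""Joiner-mover-leaver entitlement reconciliation (added example).

Compares each entitlement with the HR record of its holder and records why
it is no longer justified. All data and thresholds below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed role baselines: the entitlements each role is expected to hold.
ROLE_BASELINE: Dict[str, set] = {
    "support-agent": {"crm-read"},
    "billing-analyst": {"crm-read", "billing-db-read"},
    "hr-partner": {"hris-read", "hris-pii-export"},
}
REVOCATION_SLA_DAYS = 1    # assumed: revoke within one day of the lifecycle event
REVIEW_INTERVAL_DAYS = 90  # assumed: every entitlement re-certified quarterly

@dataclass
class Worker:
    worker_id: str
    status: str       # "active" or "terminated"
    role: str         # current role after any move
    event_date: date  # date of the latest lifecycle event (hire, move or termination)

@dataclass
class Entitlement:
    worker_id: str
    name: str
    approved_by: str               # who approved the grant (audit evidence)
    last_reviewed: Optional[date]  # when the grant was last certified
    revoked_on: Optional[date] = None
    revoked_by: Optional[str] = None

@dataclass
class Finding:
    worker_id: str
    entitlement: str
    kind: str    # orphan | late-revocation | leaver-active | mover-excess | review-overdue
    detail: str

def reconcile(workers: List[Worker], entitlements: List[Entitlement], as_of: date) -> List[Finding]:
    """Check every entitlement against the holder's HR status, role and review history."""
    by_id = {w.worker_id: w for w in workers}
    findings: List[Finding] = []
    for e in entitlements:
        w = by_id.get(e.worker_id)
        if w is None:
            findings.append(Finding(e.worker_id, e.name, "orphan", "no matching HR record"))
            continue
        if e.revoked_on is not None:
            # Timely revocation is provable only from the gap between the event and the removal.
            lag = (e.revoked_on - w.event_date).days
            if lag > REVOCATION_SLA_DAYS:
                findings.append(Finding(e.worker_id, e.name, "late-revocation",
                                        f"revoked {lag} days after {w.event_date} by {e.revoked_by}"))
            continue
        if w.status == "terminated":
            findings.append(Finding(e.worker_id, e.name, "leaver-active",
                                    f"terminated {w.event_date}, still active, approved by {e.approved_by}"))
            continue
        # Mover check: anything outside the current role's baseline needs fresh justification.
        if e.name not in ROLE_BASELINE.get(w.role, set()):
            findings.append(Finding(e.worker_id, e.name, "mover-excess",
                                    f"not in baseline for role {w.role}, approved by {e.approved_by}"))
        # Review check: a grant with no recent certification proves nothing to an auditor.
        if e.last_reviewed is None or (as_of - e.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append(Finding(e.worker_id, e.name, "review-overdue",
                                    f"last reviewed {e.last_reviewed}"))
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, the headline figure for a review report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts

def demo() -> List[Finding]:
    """Run the reconciliation over a constructed roster and inventory."""
    as_of = date(2024, 6, 30)
    workers = [
        Worker("w1", "active", "support-agent", date(2024, 1, 15)),
        Worker("w2", "active", "billing-analyst", date(2024, 5, 1)),   # moved from hr-partner
        Worker("w3", "terminated", "support-agent", date(2024, 6, 10)),
    ]
    entitlements = [
        Entitlement("w1", "crm-read", "mgr-a", date(2024, 5, 20)),
        Entitlement("w2", "crm-read", "mgr-b", date(2024, 5, 2)),
        Entitlement("w2", "billing-db-read", "mgr-b", date(2024, 5, 2)),
        Entitlement("w2", "hris-pii-export", "mgr-c", date(2024, 1, 10)),  # left over from old role
        Entitlement("w3", "crm-read", "mgr-a", date(2024, 4, 1), date(2024, 6, 11), "iga-bot"),
        Entitlement("w3", "mailbox", "mgr-a", date(2024, 4, 1), date(2024, 6, 20), "helpdesk"),
        Entitlement("w3", "vpn-access", "mgr-a", date(2024, 4, 1)),
        Entitlement("w9", "crm-read", "mgr-x", date(2024, 4, 1)),  # no HR record at all
    ]
    return reconcile(workers, entitlements, as_of)

if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:15} {f.worker_id:4} {f.entitlement:16} {f.detail}")
```

Each finding carries the approver and, for removals, the revoker and the lag in days, which is the "who approved, who reviewed, who removed" trail a privacy audit asks for. Note that a revocation inside the SLA produces no finding at all: the absence of a finding, backed by the recorded dates, is the evidence of timely removal that a spreadsheet ticked after the fact cannot provide.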
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 7990
 

IGA is the compliance control that turns access from a login event into an auditable decision. The article correctly separates authentication from governance, which is where many privacy programmes fail. A valid sign-in does not answer whether a person should still hold access to personal or financial data after a role change, move, or departure. Practitioners should treat governance evidence as the compliance primitive, not user authentication alone.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

A question worth separating out:

Q: Who is accountable when excessive access leads to a privacy violation?

A: Accountability sits with the teams that own access governance, data protection, and system administration together, because privacy violations often come from control gaps between those functions. The organisation must be able to show who approved the access, who reviewed it, and who removed it when it became excessive.

👉 Read our full editorial: Identity governance and privacy compliance: where IAM falls short



   