TL;DR: The pandemic exposed a common gap in digital transformation: many organisations are providing access without governing who should have it, how it should be used, or how to prove it later, according to SailPoint. That makes identity a business-essential control, not an IT convenience.
NHIMG editorial — based on content published by SailPoint: Identity as ‘business essential’
By the numbers:
- Non-human identities (NHIs) outnumber human identities by 25x to 50x in modern enterprises.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How do security teams move from access provisioning to real identity governance?
A: By separating entitlement approval, provisioning, review, and revocation into distinct controls with clear ownership.
Q: Why does hybrid work expose weaknesses in identity governance?
A: Hybrid work increases the number of systems, exceptions, and approval paths involved in daily access decisions.
Q: What do security teams get wrong when they think access management is enough?
A: They confuse the ability to grant access with the ability to govern it.
Practitioner guidance
- Separate access provisioning from governance decisions: Document who approves access, who certifies it, and who revokes it.
- Build a complete entitlement inventory: Create a single view of users, roles, systems, and effective permissions so access reviews are based on current evidence rather than local spreadsheets or assumptions.
- Standardise hybrid-work access workflows: Apply the same approval, recertification, and offboarding logic across remote and office-based users so exceptions do not become the default model.
What's in the full article
SailPoint's full blog covers the operational detail this post intentionally leaves for the source:
- The article’s framing of how pandemic-driven remote work changed identity expectations across organisations.
- The author’s CIO, CISO, and auditor questions that illustrate why governance must be measurable.
- The business-essential identity argument as presented by SailPoint in its own words.
- The broader blog series context and author perspective that sit behind this short commentary.
Identity governance and the access-only gap teams still miss
Explore further
Access-only identity programmes create an accountability deficit, not just a visibility gap. The article is strongest when it shows that handing out access does not answer the CIO’s or CISO’s actual questions about who is entitled to what and why. That is the governance failure state: organisations can move work to the cloud and support remote users, yet still lack a defensible record of entitlement decisions. The implication is that identity must be managed as a control system, not a distribution mechanism.
A few things that frame the scale:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- Only 5.7% of organisations have full visibility into their service accounts, showing how quickly entitlement blind spots become a governance problem.
A question worth separating out:
Q: How should organisations apply identity governance across human and non-human accounts?
A: They should use the same lifecycle logic for both, but tailor the control evidence to the identity type. Human accounts need role, joiner-mover-leaver, and access review discipline. Non-human identities need ownership, rotation, offboarding, and validation that their permissions still match the service they support.