Identity governance and zero trust: what is changing for teams?


(@nhi-mgmt-group)

TL;DR: Identity governance is framed as the control plane that keeps zero trust practical, with the article citing $10.5T in predicted global cybercrime costs in 2025 and warning that manual reviews, permission creep, and delayed offboarding leave access excessive and unverified. The governance problem is no longer whether to add more controls, but whether identity processes can keep pace with business and attack speed.

NHIMG editorial — based on content published by Omada Identity: IGA Cybersecurity Explained: Why Identity Governance Matters Now

Questions worth separating out

Q: How should security teams modernize access reviews in zero trust programmes?

A: They should move from broad, calendar-based approvals to evidence-based reviews that focus on actual usage, role fit, and exception handling.

Q: Why does permission creep increase breach impact?

A: Permission creep increases breach impact because compromised identities often retain access from previous roles or projects, giving attackers more paths than the current job actually requires.

Q: What do organisations get wrong about AI-assisted identity governance?

A: The common mistake is assuming AI can replace accountable decision-making.

Practitioner guidance

  • Replace snapshot reviews with evidence-based certification: Prioritize entitlements by actual use, peer comparison, and role relevance so managers review meaningful exceptions instead of bulk approval queues.
  • Automate entitlement removal at role change and offboarding: Connect HR, IAM, and IGA workflows so access is reduced or revoked as soon as job responsibility changes, rather than after a later reconciliation cycle.
  • Right-size permissions to reduce breach blast radius: Map high-value accounts and remove inherited privileges that are not required for current work, especially where access spans cloud, SaaS, and privileged functions.

What's in the full article

Omada Identity's full post covers the operational detail this post intentionally leaves for the source:

  • How Omada frames manual IGA weaknesses across onboarding, offboarding, and access certification workflows
  • The article's full discussion of AI-assisted review recommendations and how they are positioned inside zero trust programmes
  • Omada's detailed examples of entitlement drift, blast-radius reduction, and business productivity impacts
  • The supporting podcast and related resources referenced at the end of the article

👉 Read Omada Identity's analysis of why modern IGA matters for zero trust →
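
One way to implement the evidence-based certification described under Practitioner guidance, as an added example that is not code from NHIMG or Omada Identity: it scores each grant by actual use and peer comparison and queues only the exceptions for review. The grant records, role and entitlement names, the 90-day staleness window and the 50% peer threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

TODAY = date(2025, 6, 10)  # constructed review date

# Constructed sample grants: (user, role, entitlement, last_used or None)
GRANTS = [
    ("alice", "finance-analyst", "erp:read", date(2025, 5, 28)),
    ("bob", "finance-analyst", "erp:read", date(2025, 6, 1)),
    ("carol", "finance-analyst", "erp:read", date(2025, 5, 30)),
    ("alice", "finance-analyst", "bi:dashboards", date(2025, 6, 2)),
    ("bob", "finance-analyst", "bi:dashboards", date(2025, 1, 10)),
    ("bob", "finance-analyst", "sftp:upload", None),
    ("carol", "finance-analyst", "payroll:admin", date(2024, 11, 2)),
]

def review_queue(grants, today, stale_days=90, peer_threshold=0.5):
    """Return only the grants a manager should look at, each with its reasons."""
    role_members = defaultdict(set)   # role -> users in it
    holders = defaultdict(set)        # (role, entitlement) -> users holding it
    for user, role, ent, _ in grants:
        role_members[role].add(user)
        holders[(role, ent)].add(user)

    queue = []
    for user, role, ent, last_used in grants:
        reasons = []
        # Evidence 1: actual use.
        if last_used is None:
            reasons.append("never used")
        elif (today - last_used).days > stale_days:
            reasons.append(f"unused for {(today - last_used).days} days")
        # Evidence 2: peer comparison within the same role.
        peers = role_members[role] - {user}
        if peers:
            share = len(holders[(role, ent)] - {user}) / len(peers)
            if share < peer_threshold:
                reasons.append(f"held by {share:.0%} of role peers")
        if reasons:
            queue.append((user, ent, reasons))
    return queue

if __name__ == "__main__":
    for user, ent, reasons in review_queue(GRANTS, TODAY):
        print(f"{user:6} {ent:14} {'; '.join(reasons)}")
```

Three of the seven constructed grants reach the reviewer; the stale, peer-outlier `payroll:admin` grant is the pattern the post calls permission creep.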
