Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Identity governance and zero trust: what is changing for teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Identity governance is framed as the control plane that keeps zero trust practical, with the article citing $10.5T in predicted global cybercrime costs in 2025 and warning that manual reviews, permission creep, and delayed offboarding leave access excessive and unverified. The governance problem is no longer whether to add more controls, but whether identity processes can keep pace with business and attack speed.

NHIMG editorial — based on content published by Omada Identity: IGA Cybersecurity Explained: Why Identity Governance Matters Now

By the numbers:

Questions worth separating out

Q: How should security teams modernize access reviews in zero trust programmes?

A: They should move from broad, calendar-based approvals to evidence-based reviews that focus on actual usage, role fit, and exception handling.

Q: Why does permission creep increase breach impact?

A: Permission creep increases breach impact because compromised identities often retain access from previous roles or projects, giving attackers more paths than the current job actually requires.

Q: What do organisations get wrong about AI-assisted identity governance?

A: The common mistake is assuming AI can replace accountable decision-making.

Practitioner guidance

  • Replace snapshot reviews with evidence-based certification Prioritize entitlements by actual use, peer comparison, and role relevance so managers review meaningful exceptions instead of bulk approval queues.
  • Automate entitlement removal at role change and offboarding Connect HR, IAM, and IGA workflows so access is reduced or revoked as soon as job responsibility changes, rather than after a later reconciliation cycle.
  • Right-size permissions to reduce breach blast radius Map high-value accounts and remove inherited privileges that are not required for current work, especially where access spans cloud, SaaS, and privileged functions.

What's in the full article

Omada Identity's full post covers the operational detail this post intentionally leaves for the source:

  • How Omada frames manual IGA weaknesses across onboarding, offboarding, and access certification workflows
  • The article's full discussion of AI-assisted review recommendations and how they are positioned inside zero trust programmes
  • Omada's detailed examples of entitlement drift, blast-radius reduction, and business productivity impacts
  • The supporting podcast and related resources referenced at the end of the article

👉 Read Omada Identity's analysis of why modern IGA matters for zero trust →

Identity governance and zero trust: what is changing for teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Modern identity governance is the operational layer that makes zero trust real. Zero trust depends on explicit verification and minimum necessary access, but those principles collapse if entitlements stay stale after role changes or offboarding. The article is right to frame IGA as the control plane because access governance is where policy becomes enforceable across human, non-human, and automated identities. Practitioners should treat lifecycle enforcement as the mechanism that turns zero trust from architecture into practice.

A few things that frame the scale:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which shows how weak lifecycle governance remains in many environments.

A question worth separating out:

Q: Who is accountable when stale access causes a security incident?

A: Accountability sits with the business owner, access approver, and governance team that allowed outdated entitlements to persist. Zero trust does not remove responsibility. It makes ownership more visible by requiring continuous verification and explicit justification for access. Organisations should be able to trace who approved, who reviewed, and who failed to revoke the access in time.

👉 Read our full editorial: Identity governance is now the control plane for zero trust



   
ReplyQuote
Share: