TL;DR: Identity governance now has to be translated into the language of security, finance, compliance, and the business, because IT leaders are managing SaaS sprawl, access sprawl, AI adoption, and lifecycle gaps that each stakeholder sees differently, according to Zluri. The underlying issue is not technical complexity alone but organizational alignment across human, NHI, and AI-driven access patterns.
NHIMG editorial — based on content published by Zluri: Career From IT Director to Strategic Diplomat, on getting budget, buy-in, and a seat at the table
Questions worth separating out
Q: How should security teams build a business case for identity governance?
A: Start with the stakeholder problem, not the platform.
Q: Why do identity programmes get stuck even when the technical controls are sound?
A: They usually fail on organisational alignment.
Q: What breaks when service accounts and SaaS access are not part of governance reviews?
A: The programme loses visibility into a large part of the real risk surface.
Practitioner guidance
- Define one governance problem, then translate it five ways Build a single identity governance narrative that can be re-expressed for security, finance, compliance, business leaders, and the executive team without changing the underlying evidence.
- Inventory the identities that sit outside human IAM Document service accounts, OAuth integrations, SaaS app accounts, and AI agent access alongside human users so the programme reflects the actual control surface.
- Tie lifecycle events to financial and security outcomes Make joiner, mover, and leaver workflows produce both access changes and measurable business results, such as license recovery, entitlement removal, and evidence of closure.
What's in the full article
Zluri's full article covers the stakeholder-specific messaging and operational examples this post intentionally leaves at the strategic level:
- Practical talking points for security, finance, compliance, and business leaders in separate budget conversations
- Examples of how to translate one governance initiative into multiple stakeholder narratives without changing the underlying data
- Operational scenarios for using discovery, onboarding, and offboarding evidence to support approval decisions
- Illustrative wording for presenting identity governance as a business outcome rather than an IT project
👉 Read Zluri's analysis of how IT leaders win budget, buy-in, and influence →
Identity governance as a business case: how do teams win buy-in?
Explore further
Identity governance now succeeds or fails as an alignment discipline, not a tooling discipline. The article is right that the technical problem is only half the story. Security, finance, compliance, and business leaders all evaluate identity risk through different metrics, so the same control can look like protection, overhead, or delay depending on the audience. Practitioners should treat budget approval as part of the governance model itself.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who should own identity governance when access spans IT, finance, and the business?
A: Ownership should sit with the team that can coordinate policy, evidence, and lifecycle execution across functions, not with IT alone. Identity governance is now a cross-functional operating model, so the accountable owner needs authority to align security, finance, compliance, and business stakeholders around the same control outcomes.
👉 Read our full editorial: Strategic identity governance needs budget, buy-in, and a seat