
Identity governance as risk reduction: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Identity governance is being reframed as a risk-reduction discipline because orphaned accounts, excessive entitlements, and toxic role combinations continue to drive exposure in cloud, hybrid, and remote environments, according to RSA Security. The governance model now has to be dynamic and context-aware, or it will remain a compliance layer that arrives after the risk has already spread.

NHIMG editorial — based on content published by RSA Security: The Case for Identity-Centric Risk Reduction

By the numbers:

Questions worth separating out

Q: How should security teams reduce identity risk when access changes faster than review cycles?

A: They should move from periodic certification to continuous entitlement governance.

Q: Why do orphaned accounts and excessive entitlements keep creating security exposure?

A: Because they preserve access after the original justification has disappeared.

Q: What breaks when identity governance is limited to compliance checklists?

A: It arrives too late. A checklist or quarterly certification records access at a point in time, so an orphaned account or a toxic role combination can persist for the whole review interval before anyone is asked to look at it.

Practitioner guidance

  • Map entitlement drift to business events: link joiner, mover, and leaver events to access changes so that a role change immediately triggers entitlement checks, exception reviews, or revocation where required.
  • Replace periodic review with continuous risk signals: use policy violations, toxic role combinations, and unusual access patterns as triggers for action rather than waiting for quarterly certification to surface the problem.
  • Separate ownership from inheritance: verify that every high-risk entitlement has a current owner, a business justification, and a defined review path before it can survive a role change or offboarding event.
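The three points above describe one procedure: re-check entitlements when a joiner, mover or leaver event happens, instead of waiting for a certification cycle. The script below is an added worked example in Python; it is not RSA Security's or NHIMG's code, and the policy it enforces (the toxic role pairs, the high-risk entitlement list, the rule names) and every identity, entitlement and event in it are assumptions made up for illustration. It runs a baseline sweep, which is what a periodic review would surface, and then applies a mover and a leaver event, re-checking only the identities each event touches, so a departure that orphans an entitlement held by someone else is caught at the moment it happens.

```python
# Added example (not RSA Security's or NHIMG's code): event-driven entitlement
# checks over a constructed directory. Policy, rule names and identities are invented.
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed policy: separation-of-duties pairs that must never sit on one identity.
TOXIC_PAIRS = [frozenset({"vendor-create", "payment-approve"}),
               frozenset({"prod-deploy", "prod-audit-log-admin"})]
# Constructed policy: entitlements that need a current, active owner and a justification.
HIGH_RISK = {"payment-approve", "prod-deploy", "prod-audit-log-admin", "iam-admin"}

@dataclass
class Grant:
    owner: str          # identity accountable for this entitlement
    justification: str  # business reason recorded when it was granted
    department: str     # department the holder was in at grant time

@dataclass
class Identity:
    id: str
    active: bool
    department: str
    grants: Dict[str, Grant] = field(default_factory=dict)  # entitlement -> Grant

@dataclass(frozen=True)
class Finding:
    identity: str
    rule: str
    detail: str

def check_identity(ident: Identity, directory: Dict[str, Identity]) -> List[Finding]:
    """Evaluate one identity against the policy and return its findings."""
    out: List[Finding] = []
    ents: Set[str] = set(ident.grants)
    if not ident.active and ents:  # leaver who still holds access
        out.append(Finding(ident.id, "orphaned-account",
                           "inactive but still holds " + ",".join(sorted(ents))))
    for pair in TOXIC_PAIRS:
        if pair <= ents:
            out.append(Finding(ident.id, "toxic-combination", "+".join(sorted(pair))))
    for ent in sorted(ents):
        g = ident.grants[ent]
        if g.department != ident.department:  # access that outlived the move
            out.append(Finding(ident.id, "stale-after-move",
                               f"{ent} granted for {g.department}, holder now in {ident.department}"))
        if ent in HIGH_RISK:
            owner = directory.get(g.owner)
            if owner is None or not owner.active:
                out.append(Finding(ident.id, "ownerless-entitlement",
                                   f"{ent}: owner {g.owner!r} missing or inactive"))
            elif not g.justification.strip():
                out.append(Finding(ident.id, "unjustified-entitlement", ent))
    return out

def run_checks(directory: Dict[str, Identity]) -> List[Finding]:
    """Full sweep: what a periodic certification would surface, all at once."""
    return [f for ident in directory.values() for f in check_identity(ident, directory)]

def apply_event(directory: Dict[str, Identity], event: dict) -> List[Finding]:
    """Apply a joiner/mover/leaver event, then re-check only the identities it touches:
    the subject plus anyone whose grant names the subject as owner."""
    if event["type"] == "joiner":
        directory.setdefault(event["identity"],
                             Identity(event["identity"], True, event["department"]))
    subject = directory[event["identity"]]
    if event["type"] == "leaver":
        subject.active = False
    elif event["type"] == "mover":
        subject.department = event["to"]
    affected = {subject.id} | {o.id for o in directory.values()
                               if any(g.owner == subject.id for g in o.grants.values())}
    return [f for iid in sorted(affected) for f in check_identity(directory[iid], directory)]

def sample_directory() -> Dict[str, Identity]:
    """Constructed sample data; every identity and entitlement is fictional."""
    return {
        "alice": Identity("alice", True, "finance", {
            "vendor-create": Grant("bob", "AP onboarding", "finance"),
            "payment-approve": Grant("bob", "AP approver backup", "finance")}),
        "bob": Identity("bob", True, "finance",
                        {"payment-approve": Grant("carol", "AP lead", "finance")}),
        "carol": Identity("carol", True, "finance-leadership"),
        "dave": Identity("dave", True, "platform",
                         {"prod-deploy": Grant("erin", "", "platform")}),  # no justification
        "erin": Identity("erin", True, "platform",
                         {"iam-admin": Grant("carol", "platform lead", "platform")}),
    }

if __name__ == "__main__":
    d = sample_directory()
    for f in run_checks(d):
        print("baseline", f)
    for ev in ({"type": "mover", "identity": "dave", "to": "data-science"},
               {"type": "leaver", "identity": "erin"}):
        for f in apply_event(d, ev):
            print(ev["type"], f)
```

The baseline sweep flags alice's vendor-create plus payment-approve pair and dave's unjustified prod-deploy. The mover event adds a stale-after-move finding for dave without touching anyone else; the leaver event for erin produces both an orphaned-account finding on erin and an ownerless-entitlement finding on dave, because erin was the owner of record for dave's prod-deploy. In a real deployment the directory would be fed from the HR system and IdP rather than built in code, and the findings would route to a ticket or an automated revocation rather than to stdout.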

What's in the full article

RSA Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • How RSA positions identity security posture management as a governance operating model rather than a one-off review process.
  • The article's lifecycle framing for joiners, movers, and leavers, including how it ties identity governance to access reviews and risk reduction.
  • Examples of policy-based automation and AI-driven review suggestions that sit behind the governance approach described in the post.
  • The way RSA connects identity governance to Zero Trust and broader security posture, which is useful if you are comparing operating models.

👉 Read RSA Security's analysis of identity-centric risk reduction and governance →
