TL;DR: Identity governance is being reframed as a risk-reduction discipline because orphaned accounts, excessive entitlements, and toxic role combinations continue to drive exposure in cloud, hybrid, and remote environments, according to RSA Security. The governance model now has to be dynamic and context-aware, or it will remain a compliance layer that arrives after the risk has already spread.
NHIMG editorial — based on content published by RSA Security: The Case for Identity-Centric Risk Reduction
By the numbers:
- 72% of organisations that describe themselves as confident in their AI deployment actually experience a security incident rate, compared to 33% for those who remain cautious.
Questions worth separating out
Q: How should security teams reduce identity risk when access changes faster than review cycles?
A: They should move from periodic certification to continuous entitlement governance.
Q: Why do orphaned accounts and excessive entitlements keep creating security exposure?
A: Because they preserve access after the original justification has disappeared.
Q: What breaks when identity governance is limited to compliance checklists?
A: Governance becomes too slow to stop real risk.
Practitioner guidance
- Map entitlement drift to business events Link joiner, mover, and leaver events to access changes so that role changes immediately trigger entitlement checks, exception reviews, or revocation where required.
- Replace periodic review with continuous risk signals Use policy violations, toxic role combinations, and unusual access patterns as triggers for action rather than waiting for quarterly certification to surface the problem.
- Separate ownership from inheritance Verify that every high-risk entitlement has a current owner, a business justification, and a defined review path before it can survive a role change or offboarding event.
What's in the full article
RSA Security's full blog post covers the operational detail this post intentionally leaves for the source:
- How RSA positions identity security posture management as a governance operating model rather than a one-off review process.
- The article's lifecycle framing for joiners, movers, and leavers, including how it ties identity governance to access reviews and risk reduction.
- Examples of policy-based automation and AI-driven review suggestions that sit behind the governance approach described in the post.
- The way RSA connects identity governance to Zero Trust and broader security posture, which is useful if you are comparing operating models.
👉 Read RSA Security's analysis of identity-centric risk reduction and governance →
Identity governance as risk reduction: are your controls keeping up?
Explore further
Identity governance is no longer a compliance layer, it is a runtime risk control. The article is right to move governance out of the back office and into security strategy, because entitlement drift is one of the most durable sources of exposure in modern environments. That same logic applies across human IAM, NHI governance, and autonomous access: when identity state changes faster than review cadence, the control has already gone stale. Practitioners should treat governance as part of detection and containment, not just attestation.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- A separate survey found that 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, which is a governance signal, not a tooling preference.
A question worth separating out:
Q: Who should be accountable for stale access in a Zero Trust programme?
A: The identity, application, and control owners should share accountability, but governance must assign one clear owner for entitlement validity. Zero Trust only works when access decisions reflect current risk and current purpose. If no one owns entitlement lifecycle state, stale access will survive longer than the business need that created it.
👉 Read our full editorial: Identity-centric risk reduction is reshaping governance priorities