TL;DR: Identity governance is shifting to continuous, automated, policy-driven operations, with a median of 98% of access requests automated, 21,000 identities governed per organisation, and 90% of review tasks completed in under five days, according to ConductorOne data. Periodic access review models cannot keep pace once software, not people, becomes the primary execution layer.
NHIMG editorial — based on content published by ConductorOne: What Identity Governance Looks Like When Automation Does the Work
By the numbers:
- At the median, 90% of access review tasks were completed in under five days.
Questions worth separating out
Q: How should security teams govern access when automation handles most requests?
A: Security teams should treat automation as the default execution path and build policy around exception handling, risk thresholds, and enforcement hooks.
Q: Why do periodic access reviews break down in software-first environments?
A: Periodic reviews assume access changes slowly enough for humans to inspect it on a fixed schedule.
Q: What do organisations get wrong about automating identity governance?
A: They often automate the workflow without hardening the policy.
Practitioner guidance
- Redesign access workflows around policy enforcement: Classify requests into policy-driven paths, then reserve human review for exceptions, sensitive entitlements, and regulatory triggers.
- Rebuild review campaigns as continuous exception workflows: Use automated evidence collection, reminder logic, and enforcement hooks so access reviews become a live control, not a quarterly scramble.
- Govern NHI and human access through one operating model: Bring service accounts, automation identities, and employee access into the same governance inventory so lifecycle, recertification, and revocation are not fragmented by actor type.
What's in the full article
ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:
- Cross-customer metrics and charts showing how automation is changing governance execution across organisation sizes.
- Industry and company-size breakdowns that help teams compare their own governance maturity against peers.
- Trends across access grants, revocations, and reviews for practitioners building an operating model.
- A fuller picture of what normal looks like for modern identity governance when automation does the work.
Explore further
Identity governance is no longer an episodic review function; it is becoming the execution layer for access decisions. The post's strongest signal is that automation is now absorbing the bulk of routine governance work, which means the old quarterly model is structurally late. For practitioners, this reframes identity governance from a compliance calendar into a continuous policy system.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: How do you know if identity governance automation is actually working?
A: Look for fast exception closure, low manual rework, and clean enforcement across provisioning and revocation, not just a high automation rate. If approvals are automated but exceptions linger or access remains after revocation, the programme is moving faster without improving control.
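One way to measure the signals named in that answer, as an added example that is not code from ConductorOne or the original post: it reports the automation rate alongside exception closure time, lingering exceptions, and access that is still live after a revocation decision, for human and non-human identities in one pass. The record fields, the sample data and the five-day lingering threshold are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample records; field names are assumptions, not a vendor schema.
REQUESTS = [
    {"id": "r1", "identity": "alice", "kind": "human", "path": "auto"},
    {"id": "r2", "identity": "svc-deploy", "kind": "nhi", "path": "auto"},
    {"id": "r3", "identity": "bob", "kind": "human", "path": "exception",
     "opened": "2024-05-01T09:00", "closed": "2024-05-02T09:00"},
    {"id": "r4", "identity": "ci-runner", "kind": "nhi", "path": "exception",
     "opened": "2024-05-01T09:00", "closed": None},
]
# Revocation decisions recorded by the governance layer.
REVOCATIONS = [
    {"identity": "bob", "entitlement": "prod-db:admin"},
    {"identity": "svc-deploy", "entitlement": "s3:write"},
]
# Entitlements actually present in the target systems at snapshot time.
SNAPSHOT_TIME = "2024-05-10T10:00"
LIVE_ACCESS = {("svc-deploy", "s3:write"), ("alice", "wiki:read")}


def ts(value):
    return datetime.fromisoformat(value)


def governance_health(requests, revocations, live, now, max_open=timedelta(days=5)):
    """Report the automation rate together with the control signals behind it."""
    now = ts(now)
    auto = sum(1 for r in requests if r["path"] == "auto")
    exceptions = [r for r in requests if r["path"] == "exception"]
    closed_hours = [(ts(r["closed"]) - ts(r["opened"])).total_seconds() / 3600
                    for r in exceptions if r["closed"]]
    # Exceptions still open past the threshold: speed without closure.
    lingering = [(r["id"], r["kind"]) for r in exceptions
                 if not r["closed"] and now - ts(r["opened"]) > max_open]
    # Revocation decided but the entitlement still exists downstream.
    still_live = [(v["identity"], v["entitlement"]) for v in revocations
                  if (v["identity"], v["entitlement"]) in live]
    return {
        "automation_rate": auto / len(requests),
        "median_exception_closure_hours": median(closed_hours) if closed_hours else None,
        "lingering_exceptions": lingering,
        "access_after_revocation": still_live,
    }


if __name__ == "__main__":
    print(governance_health(REQUESTS, REVOCATIONS, LIVE_ACCESS, SNAPSHOT_TIME))
```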