TL;DR: Identity governance programs can satisfy audits through completed certifications, documented attestations, and clean evidence trails while access exposure barely changes, according to OpenIAM. The real issue is that oversight proves process existence, not whether high-risk privileges, toxic combinations, or unnecessary access are actually shrinking.
NHIMG editorial — based on content published by OpenIAM: Why Identity Governance Programs Pass Audits but Still Fail to Reduce Risk
Questions worth separating out
Q: How do identity governance teams prove risk reduction instead of just audit completion?
A: They must measure outcome change, not only workflow completion.
Q: Why do identity governance programs often look mature without lowering access risk?
A: Because many programmes optimise for evidence production.
Q: What do security teams get wrong about access certifications?
A: They often treat a completed certification as a risk-reduction event rather than a control check.
Practitioner guidance
- Replace completion metrics with exposure metrics Track whether high-risk entitlements decline quarter over quarter, whether toxic combinations are removed, and whether dormant access is actually deprovisioned across the estate.
- Tie recertification to entitlement change Require each access review cycle to produce a measurable change in the access graph, such as revoked privileges, removed exceptions, or closed orphaned accounts.
- Measure privilege creep by identity type Separate reporting for human accounts, service accounts, and other non-human identities so hidden accumulation in one class does not get masked by good performance in another.
What's in the full article
OpenIAM's full blog post covers the operational detail this post intentionally leaves for the source:
- How the article distinguishes certification evidence from measurable exposure reduction in enterprise IAM programmes
- The governance metrics OpenIAM says boards and auditors tend to accept, but which do not show whether access risk is actually falling
- Practical examples of where privilege accumulation persists even after completed access reviews
- The article's framing for moving from audit-driven governance to outcome-driven identity controls
👉 Read OpenIAM's analysis of why identity governance passes audits but still misses risk reduction →
Identity governance audit success and the exposure gap teams miss?
Explore further
Audit success is not a proxy for identity risk reduction. Many governance programmes are built to prove that reviews happened, not that access exposure declined. That distinction matters because compliance evidence can be complete while privilege creep, dormant access, and toxic entitlements remain in place. The implication is straightforward: identity governance must be judged by entitlement outcomes, not by campaign hygiene alone.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- In the same research, enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly one governance failure can repeat.
A question worth separating out:
Q: Who is accountable when governance passes audit but exposure stays high?
A: Accountability sits with the identity governance owner, the system owners who approve entitlements, and the security leadership that accepted audit completion as a success metric. Standards such as the NIST Cybersecurity Framework 2.0 expect governance outcomes to support resilience, not just documentation.
👉 Read our full editorial: Why identity governance passes audits but still misses risk reduction