
Identity governance beyond annual reviews: what changes now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6131
Topic starter  

TL;DR: Traditional identity governance programs fail when periodic access reviews and static policies lag behind identities that are provisioned, changed, and abused in milliseconds, creating what RSA calls the “Negligence Gap” between documentation and real enforcement. The case for continuous, risk-based governance is now a defensibility requirement, not a compliance preference.

NHIMG editorial — based on content published by RSA Security: From Compliance Theater to Active Defense, Rethinking Identity Governance for a World That Does Not Wait for Annual Reviews

By the numbers:

Questions worth separating out

Q: How should organisations move from periodic access reviews to continuous identity governance?

A: Start by treating certification campaigns as validation, not detection.

Q: Why do non-human identities make traditional IGA review cycles less effective?

A: Non-human identities often carry elevated privileges, change outside human workflows, and are rarely visible in manager-led reviews.

Q: What breaks when access reviews are the primary identity control?

A: The control breaks because access can change, be abused, and disappear between review cycles.

Practitioner guidance

  • Replace calendar-based reviews with continuous entitlement monitoring. Instrument identity changes so that provisioning, scope changes, and exception approvals are evaluated as they happen.
  • Prioritise non-human identity coverage in governance scope. Map service accounts, API keys, tokens, certificates, and machine identities into the same governance inventory as human users.
  • Measure time to revocation as a control metric. Track how long excessive access remains active after a role change, exception expiration, or compromise signal.

What's in the full report

RSA Security's full report covers the operational detail this post intentionally leaves for the source:

  • A governance maturity framework for moving from annual attestation to continuous identity enforcement.
  • Metrics for measuring enforcement latency, revocation lag, and defensibility across IAM and IGA.
  • Implementation considerations for ADG across human and non-human identity populations.
  • The paper's examples of how auditors, regulators, and litigators evaluate real-time control evidence.

👉 Read RSA Security's report on active defense governance and identity reviews →

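As an added illustration of the "time to revocation" metric from the practitioner guidance above (example code written for this thread, not from the post or the RSA report): it walks a constructed stream of identity events, starts a clock at each signal that should end an entitlement (role change, exception expiry, compromise signal) and stops it at the matching revoke. Access that was never revoked is measured against the evaluation time, so the gap between review cycles shows up as a growing number rather than disappearing. The identities, event names and the one-hour SLA are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of identity lifecycle events (illustrative, not real logs).
# Fields: timestamp, identity, kind (human/nhi), event, entitlement
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", "alice",         "human", "grant",             "prod-db-admin"),
    ("2024-05-03T09:15:00", "alice",         "human", "role_change",       "prod-db-admin"),
    ("2024-05-03T10:05:00", "alice",         "human", "revoke",            "prod-db-admin"),
    ("2024-04-20T00:00:00", "svc-billing",   "nhi",   "grant",             "s3-full-access"),
    ("2024-05-02T00:00:00", "svc-billing",   "nhi",   "exception_expired", "s3-full-access"),
    ("2024-05-04T13:30:00", "ci-deploy-key", "nhi",   "grant",             "k8s-cluster-admin"),
    ("2024-05-05T02:10:00", "ci-deploy-key", "nhi",   "compromise_signal", "k8s-cluster-admin"),
    ("2024-05-05T02:40:00", "ci-deploy-key", "nhi",   "revoke",            "k8s-cluster-admin"),
]

# Signals after which an entitlement should no longer remain active (assumed names).
TRIGGERS = {"role_change", "exception_expired", "compromise_signal"}
NOW = datetime.fromisoformat("2024-05-06T00:00:00")  # evaluation time for the sample


def revocation_lags(events, now=NOW, sla=timedelta(hours=1)):
    """One record per trigger: how long the entitlement stayed active after
    the signal that should have removed it. Unrevoked access is measured
    against `now`, so the lag keeps growing until someone acts on it."""
    parsed = sorted((datetime.fromisoformat(t), i, k, e, ent) for t, i, k, e, ent in events)
    pending = {}  # (identity, entitlement) -> (trigger_time, kind, trigger_event)
    results = []
    for ts, ident, kind, event, ent in parsed:
        key = (ident, ent)
        if event in TRIGGERS:
            # Keep the earliest unresolved trigger; a second signal does not reset the clock.
            pending.setdefault(key, (ts, kind, event))
        elif event == "revoke" and key in pending:
            t0, kind0, trigger = pending.pop(key)
            results.append(_record(ident, kind0, ent, trigger, ts - t0, True, sla))
    for (ident, ent), (t0, kind0, trigger) in pending.items():
        results.append(_record(ident, kind0, ent, trigger, now - t0, False, sla))
    return results


def _record(ident, kind, ent, trigger, lag, revoked, sla):
    return {"identity": ident, "kind": kind, "entitlement": ent, "trigger": trigger,
            "lag": lag, "revoked": revoked, "breach": lag > sla}


def worst_lag_by_kind(results):
    """Largest revocation lag per identity population; trending this separately
    keeps NHI lag from being hidden inside a human-centric average."""
    worst = {}
    for r in results:
        worst[r["kind"]] = max(worst.get(r["kind"], timedelta(0)), r["lag"])
    return worst
```

In the sample the human role change is closed in 50 minutes and the compromised deploy key in 30, but the expired NHI exception is still live four days later, which is exactly the kind of finding a quarterly certification would not surface in time.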
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5624
 

The Negligence Gap is not a process flaw, it is an exposure model. Static policy documentation was designed for environments where access changes slowly enough to be reviewed on a schedule. That assumption fails when identities are modified continuously and exploitation happens between campaigns. The implication is that governance maturity must be measured by enforcement latency, not by the existence of an attestation calendar.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when identity governance fails during a breach?

A: Accountability shifts to whether the organisation can show that access controls were operating when the incident happened, not whether policies were written. Regulators, auditors, and litigators will ask for evidence of enforcement, revocation, and exception handling. If that evidence is missing, the governance programme becomes part of the liability story.

👉 Read our full editorial: Compliance theater to active defense in identity governance
