
Identity governance comparisons: what boundary are teams missing?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter

TL;DR: Governance value depends less on workflow polish than on how much of the identity surface a platform can actually discover and control, including shadow apps, NHIs, and lifecycle events, according to Zluri. The real issue is that access review and JIT controls fail when the governed perimeter is narrower than the environment.

NHIMG editorial — based on content published by Zluri (Security & Compliance): Zluri vs. Lumos: An In-Depth Comparison

Questions worth separating out

Q: How should security teams evaluate identity governance platforms that rely on integration libraries?

A: Teams should test whether the platform can discover, certify, and revoke access beyond its connector catalogue.

Q: Why do incomplete identity inventories weaken access reviews and offboarding?

A: Because certifications and leaver workflows only work on identities the programme can see.

Q: What do security teams get wrong about just-in-time access in mixed environments?

A: They assume JIT is a single control when it is really a boundary-dependent control.

Practitioner guidance

  • Map the governed identity perimeter: Inventory every access path that sits outside the platform’s direct connector model, including shadow SaaS, OAuth-linked tools, API keys, service accounts, and AI-driven automations.
  • Test offboarding against the real access footprint: Validate whether leaver workflows revoke access beyond the HRMS and IdP boundary, including third-party apps, non-human credentials, and app ownership records.
  • Re-scope access certifications to include non-human identities: Require evidence that service accounts, tokens, certificates, and OAuth grants enter the same review cycle as human entitlements and are remediated on the same timetable.
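The three checks above can be run as a reconciliation over an identity inventory that is built independently of the governance platform. The example below is added here and is not Zluri's, Lumos's or NHIMG's code; the identity records, the connector catalogue (`GOVERNED_CONNECTORS`), the leaver set and the review-cycle date are all constructed for illustration. It takes an inventory that already includes non-human identities and reports what lies outside the connector perimeter, what a leaver still owns, and which NHIs never entered the current certification cycle.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set


@dataclass(frozen=True)
class Identity:
    """One access-bearing identity discovered in some system of record."""
    id: str
    kind: str                       # "human", "service_account", "oauth_grant", "api_key", "ai_agent"
    source: str                     # system the identity was discovered in
    owner: str                      # accountable human identity id; "" when no owner is recorded
    active: bool
    last_certified: Optional[date]  # None when it has never been through a review cycle


# Hypothetical connector catalogue: systems the governance platform can reach directly.
GOVERNED_CONNECTORS: Set[str] = {"okta", "workday", "github"}

# Constructed sample inventory mixing human and non-human identities across sources.
INVENTORY: List[Identity] = [
    Identity("alice", "human", "okta", "alice", True, date(2024, 3, 1)),
    Identity("bob", "human", "okta", "bob", True, date(2024, 3, 1)),
    Identity("svc-backup", "service_account", "aws-iam", "bob", True, None),
    Identity("grant-slack-zapier", "oauth_grant", "slack", "alice", True, None),
    Identity("key-payments", "api_key", "stripe", "", True, date(2023, 1, 15)),
    Identity("agent-ticket-triage", "ai_agent", "custom-runtime", "bob", True, None),
    Identity("gh-bot", "service_account", "github", "alice", True, date(2024, 3, 1)),
]

LEAVERS: Set[str] = {"bob"}              # constructed: HRMS says bob has left
REVIEW_CYCLE_START = date(2024, 1, 1)    # constructed: start of the current certification cycle


def perimeter_gap(inventory: List[Identity], connectors: Set[str]) -> List[str]:
    """Identities whose source system sits outside the platform's connector model.
    Access requests and certifications cannot touch these, however polished the workflow."""
    return sorted(i.id for i in inventory if i.source not in connectors)


def offboarding_residuals(inventory: List[Identity], leavers: Set[str]) -> List[str]:
    """Active access that a leaver workflow should have revoked or reassigned:
    the leaver's own accounts plus every non-human identity they own."""
    return sorted(
        i.id for i in inventory
        if i.active and (i.id in leavers or i.owner in leavers)
    )


def certification_gap(inventory: List[Identity], cycle_start: date) -> List[str]:
    """Non-human identities that did not enter the current review cycle,
    or that have no recorded owner and therefore nobody to certify them."""
    gaps = []
    for i in inventory:
        if i.kind == "human":
            continue
        never_or_stale = i.last_certified is None or i.last_certified < cycle_start
        if never_or_stale or not i.owner:
            gaps.append(i.id)
    return sorted(gaps)


def coverage_ratio(inventory: List[Identity], connectors: Set[str]) -> float:
    """Share of the discovered inventory the platform can actually govern."""
    governed = sum(1 for i in inventory if i.source in connectors)
    return governed / len(inventory)


if __name__ == "__main__":
    print(f"governed coverage: {coverage_ratio(INVENTORY, GOVERNED_CONNECTORS):.0%}")
    print("outside connector perimeter:", perimeter_gap(INVENTORY, GOVERNED_CONNECTORS))
    print("leaver residual access:", offboarding_residuals(INVENTORY, LEAVERS))
    print("NHIs missing from review cycle:", certification_gap(INVENTORY, REVIEW_CYCLE_START))
```

On the constructed data the platform governs three of seven identities, and every non-human identity outside the connector set is also absent from the review cycle; the leaver check surfaces two NHIs that would survive a human-only offboarding. The point of keeping the inventory separate from the governance tool is that the tool cannot report on what it cannot see, so the gap has to be measured from outside it.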

What's in the full article

Zluri's full comparison covers the operational detail this post intentionally leaves for the source:

  • Feature-by-feature workflow differences across access requests, reviews, JIT, and lifecycle automation
  • Claims about discovery coverage, integration breadth, and the specific systems each platform can reach
  • Vendor-described implementation depth for NHI governance, SoD enforcement, and continuous posture monitoring
  • Pricing, packaging, and demo prompts that matter only once the architectural decision has been made

👉 Read Zluri’s comparison of identity governance coverage against Lumos →


(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472

Governance that stops at a connector boundary is not full identity governance. The article’s core premise is that visibility determines control, and that premise is correct. If a platform cannot discover shadow apps, OAuth-connected tools, service accounts, and AI agents, then access requests and certifications are only partial governance artifacts. The practitioner conclusion is simple: coverage, not interface polish, is the real evaluation criterion.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when non-human identities remain outside lifecycle governance?

A: Accountability sits with the identity and platform owners who allow non-human access to bypass the same joiner, mover, and leaver processes used for people. If service accounts, tokens, and OAuth grants are excluded, compliance evidence is incomplete and ownership is effectively diffused across teams.

👉 Read our full editorial: Identity governance comparisons hide the real boundary of control
