Identity governance complexity: what IAM teams need to fix now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Identity governance and administration is shifting from an operational function to a security, risk, and compliance control plane, while Gartner says most organisations still use less than half of the capabilities they already pay for. The gap is not tooling alone but fragmented visibility, siloed intelligence, and slow remediation that leave identity attack paths unmanaged.

NHIMG editorial — based on content published by Nexis: My Personal Lessons from the Gartner IAM Summit on Visibility, Intelligence, and the Future of Identity Governance

By the numbers:

Questions worth separating out

Q: How should IAM teams reduce identity governance noise without losing coverage?

A: Start by correlating identity facts, entitlement data, and security signals into one triage view.

Q: Why do machine identities make identity governance harder to run?

A: Machine identities change faster, appear in more systems, and often sit outside human review habits.

Q: What breaks when identity reviews stay manual in a fast-changing environment?

A: Manual reviews lag behind entitlement change, so risk is discovered after access has already been used or replicated elsewhere.

Practitioner guidance

  • Correlate identity signals across systems: Build a governance layer that joins entitlement data, identity activity, and security alerts so review teams can prioritise the identities that create the highest blast radius.
  • Classify machine and agent identities as first-class subjects: Extend lifecycle, entitlement, and audit treatment to service accounts, workloads, APIs, and agents instead of leaving them in separate technical silos.
  • Tie governance outputs to auditable remediation: Replace review-only workflows with actions that revoke, reduce, or re-certify access and then prove the change in evidence trails for audit and compliance.

What's in the full article

Nexis's full analysis covers the operational detail this post intentionally leaves for the source:

  • How the NEXIS Platform maps identities, entitlements, and controls to policies and governance rules in practice.
  • Real-time segregation of duties enforcement and AI-assisted recertification workflows for operational teams.
  • Continuous Identity Security Posture Management mechanics for organisations moving beyond periodic reviews.
  • Enterprise and third-party risk management connections that extend identity governance into broader GRC reporting.

👉 Read Nexis's analysis of identity governance, visibility, and IVIP →

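The three practitioner points above (correlate entitlement, activity and alert data; treat non-human identities as first-class subjects; end in an auditable action) can be shown as one small triage pipeline. The script below is an added illustration for this thread, not code from Nexis, the NEXIS Platform or the Gartner material: the scope weights, thresholds, identity records and alert are all constructed for the example, and the scoring rule is a deliberately crude stand-in for whatever risk model a real programme uses.

```python
"""Toy identity-governance triage: join entitlements, activity and alerts,
rank by blast radius, decide an action, and emit an evidence record."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed weights per entitlement scope; a crude proxy for blast radius.
SCOPE_WEIGHT = {"prod:admin": 10, "ci:push": 5, "prod:read": 3, "hr:read": 2}
REVIEW_MAX_AGE = timedelta(days=90)   # assumed recertification window
DORMANT_AFTER = timedelta(days=60)    # assumed "unused" threshold


@dataclass
class Identity:
    name: str
    kind: str                 # "human", "service_account", "workload", "agent"
    owner: Optional[str]      # None = nobody accountable (common for machine ids)
    scopes: list
    last_review: date


@dataclass
class Finding:
    identity: str
    score: int
    reasons: list
    action: str               # "revoke", "reduce", "recertify" or "none"


def blast_radius(scopes):
    return sum(SCOPE_WEIGHT.get(s, 1) for s in scopes)


def triage(identities, last_used, alerts, today):
    """Join the three data sets per identity and return findings, riskiest first."""
    findings = []
    for ident in identities:
        reasons, score = [], blast_radius(ident.scopes)
        used = last_used.get(ident.name)
        dormant = used is None or today - used > DORMANT_AFTER
        if dormant:
            reasons.append("no activity in %d days" % DORMANT_AFTER.days)
            score += 5
        if ident.kind != "human" and ident.owner is None:
            reasons.append("non-human identity with no owner")
            score *= 2                       # unowned machine access is the worst case
        if today - ident.last_review > REVIEW_MAX_AGE:
            reasons.append("recertification overdue")
            score += 3
        hits = [a["alert"] for a in alerts if a["identity"] == ident.name]
        if hits:
            reasons.extend("alert: " + h for h in hits)
            score += 10 * len(hits)
        if dormant and ident.scopes:
            action = "revoke"                # unused access: remove it outright
        elif hits:
            action = "reduce"                # active and alerted: strip high-privilege scopes
        elif "recertification overdue" in reasons:
            action = "recertify"
        else:
            action = "none"
        findings.append(Finding(ident.name, score, reasons, action))
    return sorted(findings, key=lambda f: f.score, reverse=True)


def remediate(finding, identities, today):
    """Apply the decided action and return the before/after evidence record."""
    ident = next(i for i in identities if i.name == finding.identity)
    before = list(ident.scopes)
    if finding.action == "revoke":
        ident.scopes = []
    elif finding.action == "reduce":
        ident.scopes = [s for s in ident.scopes if SCOPE_WEIGHT.get(s, 1) < 10]
    elif finding.action == "recertify":
        ident.last_review = today
    return {"identity": ident.name, "action": finding.action, "date": today.isoformat(),
            "scopes_before": before, "scopes_after": list(ident.scopes),
            "reasons": finding.reasons}


def run_example(today=date(2025, 6, 1)):
    """Constructed sample data: two service accounts, one agent, one human."""
    identities = [
        Identity("svc-ci-deploy", "service_account", None, ["prod:admin", "ci:push"], date(2025, 1, 15)),
        Identity("alice", "human", "alice", ["prod:read"], date(2025, 5, 1)),
        Identity("agent-support-bot", "agent", "platform-team", ["hr:read", "prod:admin"], date(2025, 5, 20)),
        Identity("svc-legacy-report", "service_account", "finance", ["hr:read"], date(2025, 1, 1)),
    ]
    last_used = {"svc-ci-deploy": date(2025, 2, 1), "alice": date(2025, 5, 30),
                 "agent-support-bot": date(2025, 5, 31), "svc-legacy-report": date(2025, 5, 29)}
    alerts = [{"identity": "agent-support-bot", "alert": "credential used from unknown ASN"}]
    findings = triage(identities, last_used, alerts, today)
    evidence = [remediate(f, identities, today) for f in findings]
    return findings, evidence


if __name__ == "__main__":
    for f, e in zip(*run_example()):
        print(f.score, f.identity, f.action, e["scopes_before"], "->", e["scopes_after"])
```

With the sample data the unowned, dormant CI service account holding prod:admin ranks first and is revoked; the alerted agent keeps only its low-privilege scope; the stale-but-active reporting account is re-certified; the human with read access needs nothing. The evidence record is what an auditor would ask for: who, what changed, when, and why.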
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Visibility without action is governance theatre: The article is right that most enterprises do not fail because they lack tooling. They fail because fragmented identity data never turns into decisive remediation, so risk stays visible but unresolved. That is why the VIA model matters as an operating model, not just a reporting sequence. The practitioner lesson is that governance must end in auditable action or it is only measurement.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.

A question worth separating out:

Q: Who should own identity risk when governance spans IAM, PAM, and security operations?

A: Ownership should sit with the identity programme, but it must be operationally linked to security and compliance teams. When governance is split into disconnected functions, no one can close the loop between discovery, decision, remediation, and evidence.

👉 Read our full editorial: Identity governance is becoming an enterprise security control plane



   
ReplyQuote
Share: