Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Identity governance coverage gaps: why phase one leaves risk behind


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Only 54% of applications are adequately integrated with an IGA platform and just 6% of organisations report fully automated IGA processes, according to the source article and the 2025 State of IGA Report. Partial coverage turns disconnected applications into a governance blind spot that compounds compliance, lifecycle, and maintenance costs.

NHIMG editorial — based on content published by Cerby: identity governance programs and the cost of partial application coverage

By the numbers:

Questions worth separating out

Q: What breaks when identity governance stops at the easiest applications?

A: Coverage gaps turn governance into documentation instead of enforcement.

Q: When should organisations prioritise hard-to-integrate applications over easy wins?

A: As soon as the easy integrations no longer improve security posture.

Q: How do you know if access reviews are actually reducing risk?

A: Access reviews are working only when the outcome is enforceable.

Practitioner guidance

  • Inventory unmanaged applications by control gap Classify every application that cannot currently enforce automated provisioning, deprovisioning, or access review outcomes.
  • Quantify connector maintenance as a recurring cost Track how often custom connectors break after UI, API, or permission changes and assign that effort to the program cost baseline.
  • Escalate read-only reviews as failed control enforcement Flag any application where access certification cannot result in direct revocation.

What's in the full article

Cerby's full article covers the operational detail this post intentionally leaves for the source:

  • The cost model for custom application integration across legacy, non-federated, and premium-tier platforms
  • How self-healing connector maintenance reduces the burden of keeping fragmented integrations alive
  • The operational mechanics of feeding identity data from disconnected systems back into governance workflows
  • Why Cerby argues its approach changes the economics of reaching full application coverage

👉 Read Cerby's analysis of why phase one identity governance stalls →

Identity governance coverage gaps: why phase one leaves risk behind?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Phase one IGA is a coverage model, not a governance model. A program that secures only its easiest applications leaves the most operationally difficult systems outside enforcement. That is where lifecycle drift, certification failure, and exception sprawl accumulate. The implication is that partial integration should be treated as an interim state with explicit risk, not as a stable operating model.

A few things that frame the scale:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who is accountable when disconnected applications stay outside identity governance?

A: Accountability sits with the identity and application owners who accepted the exception and with the governance function that allowed it to persist. If the organisation chooses to leave a system outside automated control, that decision should be explicit, time-bound, and reviewed as a risk acceptance rather than treated as normal coverage.

👉 Read our full editorial: Identity governance fails when programs stop at phase one



   
ReplyQuote
Share: