TL;DR: Identity governance failures still begin with misused or stolen credentials, and IBM says over 80% of breaches involve them, which is why identity governance now has to move beyond account administration into continuous review, policy enforcement, and auditable revocation. The old assumption that access stays valid long enough for periodic review is breaking under cloud sprawl and rapid role changes.
NHIMG editorial — based on content published by SecurEnds: Why Organizations Need a Strong Identity Governance Framework
By the numbers:
- Over 80% of incidents involve misused or stolen credentials.
- 83% of breaches involve misuse of access rights.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams build an effective identity governance framework?
A: Start with authoritative identity sources, then define who approves access, how often it is reviewed, and what must trigger removal.
Q: Why do identity governance frameworks matter more as organisations move to cloud and hybrid IT?
A: Cloud and hybrid environments multiply identities, entitlements, and ownership handoffs faster than manual controls can track them.
Q: What do teams get wrong about access reviews?
A: They often treat completion as success, even when reviewers lack enough context to make a real decision.
Practitioner guidance
- Map every identity lifecycle trigger to an authoritative source. Connect HR, contractor systems, and application ownership data so access changes when joiner, mover, and leaver events occur.
- Measure certification outcomes, not review completion. Track how many entitlements are removed, reduced, or justified after each review cycle.
- Prioritise offboarding and exception cleanup first. Focus on the accounts most likely to outlive their business purpose, including contractors, shared admin roles, and dormant privileged access.
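The three guidance points above describe one reconciliation loop: take the authoritative source, derive the access change each lifecycle event requires, score a review cycle by what actually changed, and rank the accounts most likely to outlive their purpose. The following is an added illustration written for this post, not code from SecurEnds or from any IGA product; the HR feed, role baseline, account list, review decisions, and the function names `lifecycle_actions`, `certification_outcomes` and `prioritise_cleanup` are all constructed assumptions.

```python
"""Added example (not from the source article): reconcile a constructed HR feed
against account entitlements to drive joiner/mover/leaver revocations, score a
certification cycle by outcomes rather than completion, and rank cleanup
candidates (contractors, shared admin roles, dormant privileged access)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed authoritative source: one HR row per person.
HR_FEED = {
    "u100": {"status": "active", "role": "finance-analyst", "type": "employee"},
    "u101": {"status": "terminated", "role": "engineer", "type": "contractor",
             "end_date": date(2024, 5, 31)},
    "u102": {"status": "active", "role": "engineer", "type": "employee",
             "previous_role": "finance-analyst"},   # mover event
}

# Constructed role baseline: entitlements a role is expected to hold.
ROLE_BASELINE = {
    "finance-analyst": {"erp:read", "erp:post-journal"},
    "engineer": {"repo:write", "ci:run"},
}

@dataclass
class Account:
    account_id: str
    owner: Optional[str]        # HR identity, or None for shared/service accounts
    entitlements: set
    last_used: date
    kind: str = "user"          # "user", "shared-admin" or "service"
    privileged: bool = False

# Constructed account inventory as an IdP or application would export it.
ACCOUNTS = [
    Account("u100", "u100", {"erp:read", "erp:post-journal"}, date(2024, 6, 10)),
    Account("u101", "u101", {"repo:write", "ci:run", "prod:admin"}, date(2024, 6, 1), privileged=True),
    Account("u102", "u102", {"repo:write", "ci:run", "erp:post-journal"}, date(2024, 6, 9)),
    Account("u103", "u103", {"repo:write"}, date(2024, 6, 12)),   # no HR record at all
    Account("svc-backup", None, {"s3:full"}, date(2024, 1, 15), kind="service", privileged=True),
    Account("adm-shared", None, {"prod:admin"}, date(2024, 2, 1), kind="shared-admin", privileged=True),
]

def lifecycle_actions(hr, accounts, today):
    """Derive revocations from the authoritative source. A leaver or an orphan
    (no HR record) loses everything; a mover loses entitlements outside the
    baseline of the new role. Returns (account, action, entitlements, reason)."""
    actions = []
    for acct in accounts:
        if acct.owner is None:
            continue                      # shared/service accounts are ranked separately
        person = hr.get(acct.owner)
        if person is None:
            actions.append((acct.account_id, "revoke-all", sorted(acct.entitlements), "orphan: no HR record"))
        elif person["status"] == "terminated":
            overdue = (today - person["end_date"]).days
            actions.append((acct.account_id, "revoke-all", sorted(acct.entitlements),
                            f"leaver, {overdue} days past end date"))
        elif "previous_role" in person:
            stale = acct.entitlements - ROLE_BASELINE[person["role"]]
            if stale:
                actions.append((acct.account_id, "revoke", sorted(stale), "mover"))
    return actions

def certification_outcomes(decisions):
    """Score a review cycle by what changed. `decisions` maps
    (account, entitlement) -> one of removed / reduced / justified /
    approved-no-justification / pending. Completion alone is not success."""
    counts = Counter(decisions.values())
    total = len(decisions)
    completed = total - counts["pending"]
    changed = counts["removed"] + counts["reduced"]
    return {
        "total": total,
        "completion_rate": completed / total if total else 0.0,
        "removed": counts["removed"],
        "reduced": counts["reduced"],
        "justified": counts["justified"],
        "unjustified_approvals": counts["approved-no-justification"],
        "change_rate": changed / completed if completed else 0.0,
    }

def prioritise_cleanup(hr, accounts, today, dormant_days=90):
    """Rank accounts most likely to outlive their purpose; higher score first."""
    ranked = []
    for acct in accounts:
        score, reasons = 0, []
        person = hr.get(acct.owner) if acct.owner else None
        if person and person["type"] == "contractor":
            score, reasons = score + 2, reasons + ["contractor"]
        if acct.kind == "shared-admin":
            score, reasons = score + 3, reasons + ["shared admin"]
        if acct.privileged and (today - acct.last_used).days > dormant_days:
            score, reasons = score + 3, reasons + ["dormant privileged"]
        if acct.owner is None and acct.kind == "service":
            score, reasons = score + 1, reasons + ["service account without owner"]
        if score:
            ranked.append((score, acct.account_id, reasons))
    return sorted(ranked, reverse=True)

# Constructed decisions from one review cycle.
REVIEW_DECISIONS = {
    ("u100", "erp:post-journal"): "justified",
    ("u101", "prod:admin"): "removed",
    ("u102", "erp:post-journal"): "removed",
    ("svc-backup", "s3:full"): "reduced",
    ("adm-shared", "prod:admin"): "approved-no-justification",
    ("u100", "erp:read"): "pending",
}

if __name__ == "__main__":
    today = date(2024, 6, 15)
    for action in lifecycle_actions(HR_FEED, ACCOUNTS, today):
        print("action:", action)
    print("review:", certification_outcomes(REVIEW_DECISIONS))
    for entry in prioritise_cleanup(HR_FEED, ACCOUNTS, today):
        print("cleanup:", entry)
```

Run as-is, the leaver u101 gets a revoke-all with the number of days the access outlived the contract end date, the mover u102 keeps the engineer baseline but loses the finance entitlement it carried over, and the orphan u103 surfaces because no authoritative record backs it. The review scorecard reports the cycle as mostly complete yet shows one approval with no justification, which is exactly the gap that counting completions hides. The cleanup ranking puts the dormant shared admin account first, ahead of the unowned service account and the contractor.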
What's in the full article
SecurEnds' full article covers the practical IGA detail this post intentionally leaves for the source:
- A step-by-step breakdown of the core IGA components and how teams sequence them in practice.
- A pragmatic checklist for building governance workflows around people, policy, process, and technology.
- Specific guidance on automation, AI-assisted review, and how those pieces fit into compliance mapping.
- Examples of how the source frames IAM versus IGA for readers who need a basic implementation bridge.
👉 Read SecurEnds' guide to building an identity governance framework →
Identity governance frameworks: is quarterly review enough anymore?
Explore further
Identity governance is no longer a back-office control; it is the operating system for access risk. The article gets one thing right: access control alone does not answer whether access should remain in place. As organisations spread across SaaS, cloud, and service accounts, the governance layer has to decide when access expires, not just when it begins. Practitioners should treat governance as the control plane that makes entitlement decisions provable.
A few things that frame the scale:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows why entitlement governance breaks down before teams notice it.
A question worth separating out:
Q: Who is accountable when access is not revoked on time?
A: Accountability should sit with the business owner of the access, the system owner that enforces it, and the governance team that defines the rules. If those roles are unclear, stale permissions survive role changes and offboarding. Frameworks such as the NIST Cybersecurity Framework 2.0 can help assign governance responsibility more clearly.
👉 Read our full editorial: Identity governance frameworks are failing without continuous oversight