TL;DR: A Q&A with Rita Gurevich on The Last Watchdog argues that many organisations still cannot answer basic questions about who has access to what, despite broad investment in PAM and IGA tools. The result is an accountability gap that lets outdated permissions and forgotten accounts accumulate, showing why identity governance is now foundational to Zero Trust.
NHIMG editorial — based on content published by SPHERE Technology Solutions: a Q&A on identity governance and the limits of current access control visibility
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
Questions worth separating out
Q: How should security teams reduce identity governance gaps in privileged access programmes?
A: Start by making ownership explicit for every privileged entitlement, including break-glass accounts and delegated admin paths.
Q: Why do identity governance gaps weaken Zero Trust programmes?
A: Zero Trust depends on continuous verification, but verification is only as good as the identity data behind it.
Q: What do security teams get wrong about PAM and IGA coverage?
A: They often assume the tools themselves close the loop on access accountability.
Practitioner guidance
- Audit entitlement ownership across all privileged paths: map every admin role, break-glass account, and delegated access path to a named business owner and a technical custodian.
- Reconcile PAM and IGA data with live system state: compare governance records with actual active accounts, token use, and service access to find drift between policy and reality.
- Tie Zero Trust enforcement to governance freshness: use current entitlement reviews, revocation timestamps, and access exceptions as inputs to enforcement decisions rather than as audit outputs.
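The three steps above are one procedure: inventory ownership, diff governance records against what is actually live, then feed the result into the access decision. The script below is an added example of that reconciliation and is not code from SPHERE Technology Solutions or from the editorial. The IGA export, the live account listing, the field names (`owner`, `custodian`, `last_review`, `last_auth`) and the 90-day review window are all constructed assumptions, not any vendor's schema or a recommended threshold.

```python
"""Reconcile governance records (an IGA/PAM export) against live system state.

Added example, not SPHERE's or the editorial's code. Every record below is
constructed sample data and every field name is an assumption.
"""
from datetime import date, timedelta

# Constructed IGA export: one row per privileged entitlement. Ownership gaps
# are modelled as None so the reconciliation can surface them.
ENTITLEMENTS = [
    {"account": "svc-backup", "system": "prod-db", "role": "db_admin",
     "owner": "dba-lead", "custodian": "platform-ops", "last_review": "2024-09-01"},
    {"account": "breakglass-01", "system": "prod-db", "role": "superuser",
     "owner": None, "custodian": "platform-ops", "last_review": "2023-11-15"},
    {"account": "alice.admin", "system": "idp", "role": "global_admin",
     "owner": "ciso-office", "custodian": "iam-team", "last_review": "2024-10-20"},
    {"account": "svc-legacy-etl", "system": "prod-db", "role": "db_admin",
     "owner": "data-eng", "custodian": None, "last_review": "2024-10-01"},
]

# Constructed live listing pulled from each system (e.g. a database role table
# or an IdP directory export). It includes an account IGA has never seen.
LIVE_ACCOUNTS = [
    {"account": "svc-backup", "system": "prod-db", "last_auth": "2024-11-02"},
    {"account": "breakglass-01", "system": "prod-db", "last_auth": "2024-06-30"},
    {"account": "alice.admin", "system": "idp", "last_auth": "2024-11-03"},
    {"account": "svc-migrate-tmp", "system": "prod-db", "last_auth": "2024-10-28"},
]


def _key(rec):
    """Identity of a record across both data sets: (system, account)."""
    return (rec["system"], rec["account"])


def find_ownerless(entitlements):
    """Step 1: entitlements with no named business owner or technical custodian."""
    return sorted(_key(e) for e in entitlements if not e["owner"] or not e["custodian"])


def find_drift(entitlements, live_accounts):
    """Step 2: return (unmanaged, stale_records).

    unmanaged     - accounts that exist on the system but have no governance record
    stale_records - governance records for accounts that no longer exist on the system
    """
    governed = {_key(e) for e in entitlements}
    live = {_key(a) for a in live_accounts}
    return sorted(live - governed), sorted(governed - live)


def stale_reviews(entitlements, today, max_age_days=90):
    """Entitlements whose last review is older than the (assumed) review window."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(_key(e) for e in entitlements
                  if date.fromisoformat(e["last_review"]) < cutoff)


def enforcement_decision(system, account, entitlements, today, max_age_days=90):
    """Step 3: a per-request policy input derived from governance freshness.

    deny    - no governance record at all (unmanaged or unknown), or no one
              accountable for the entitlement
    step_up - governed and owned, but the review is stale: require re-verification
    allow   - governed, owned and reviewed within the window
    """
    governed = {_key(e): e for e in entitlements}
    ent = governed.get((system, account))
    if ent is None or not ent["owner"] or not ent["custodian"]:
        return "deny"
    if date.fromisoformat(ent["last_review"]) < today - timedelta(days=max_age_days):
        return "step_up"
    return "allow"


def report(entitlements, live_accounts, today):
    """Collect the findings a reviewer would want in one structure."""
    unmanaged, stale_records = find_drift(entitlements, live_accounts)
    return {
        "ownerless": find_ownerless(entitlements),
        "unmanaged": unmanaged,
        "stale_records": stale_records,
        "stale_reviews": stale_reviews(entitlements, today),
    }


if __name__ == "__main__":
    today = date(2024, 11, 4)  # constructed "now" so the run is reproducible
    for name, items in report(ENTITLEMENTS, LIVE_ACCOUNTS, today).items():
        print(f"{name}: {items}")
    for system, account in sorted({_key(a) for a in LIVE_ACCOUNTS}):
        print(f"{system}/{account}: {enforcement_decision(system, account, ENTITLEMENTS, today)}")
```

The decision function deliberately treats "no record" and "no owner" the same way: an account that is live but absent from governance is the forgotten-access case the Q&A describes, and an entitlement nobody owns cannot be revoked by anyone in particular. In a real deployment the two exports would come from the PAM/IGA APIs and the system's own account listing; the comparison logic does not change.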
What's in the full article
SPHERE Technology Solutions' full article covers the operational detail this post intentionally leaves for the source:
- The Q&A context with Rita Gurevich on how identity governance is changing inside enterprise security programmes.
- The discussion of why PAM and IGA investments still leave accountability gaps in real organisations.
- The article's framing of identity governance as the control layer that makes Zero Trust workable.
- The vendor's perspective on identity intelligence capabilities and how they surface access risks.
👉 Read SPHERE Technology Solutions' Q&A on identity governance and Zero Trust →
Identity governance gaps: what are IAM teams still missing?
Explore further
Identity governance is no longer a back-office control; it is the authority layer for enterprise access. When organisations cannot answer who has access to what, every downstream security decision becomes less reliable. PAM can reduce session risk and IGA can review entitlements, but neither helps if ownership is unclear or records are stale. The practical conclusion is that governance accuracy now determines whether access controls actually mean anything.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable when forgotten access and stale privileges create exposure?
A: Accountability should sit with the business owner of the entitlement and the operational team responsible for revocation and review. If no one can name those roles, the control is already failing. Frameworks such as the NIST Cybersecurity Framework 2.0 expect clear governance, not ambiguous stewardship.
👉 Read our full editorial: Identity governance gaps are exposing the limits of zero trust