TL;DR: Most organisations sit between light IGA and full IGA, with hybrid identity sprawl, manual reviews, and identity debt outpacing quarterly governance cycles, according to Gathid. Continuous, graph-based observability is emerging as the practical bridge between deployment speed and audit-ready control.
NHIMG editorial — based on content published by Gathid: Identity governance in the gray zone and the case for continuous control
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of non-human identities (NHIs) carry excessive privileges, raising the risk of unauthorised access and broadening the attack surface.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
Questions worth separating out
Q: How should teams govern access when they are stuck between light and full IGA?
A: Teams should govern the identities that change fastest first, then expand coverage based on risk rather than platform completeness.
Q: Why does identity debt become harder to control in hybrid environments?
A: Identity debt grows because access changes faster than manual review cycles can clear it, especially when cloud, OT, legacy, and disconnected sources each hold part of the truth.
Q: What breaks when governance relies only on quarterly access reviews?
A: Quarterly reviews miss the day-to-day drift that accumulates between certification cycles.
Practitioner guidance
- Map the gray zone explicitly: classify systems by governance maturity, not by whether they sit in a cloud or full-suite category.
- Measure identity debt as a backlog: track stale access, unresolved SoD conflicts, orphaned accounts, and delayed review completion as open governance work.
- Add continuous visibility before platform replacement: overlay a governance intelligence layer that correlates people, accounts, roles, and entitlements across mixed estates.
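To make the three guidance points concrete, here is an added example (written for this editorial, not code from Gathid or its platform) of what a minimal governance intelligence layer does: it joins an HR feed, directory and cloud accounts, and an entitlement feed into one person-to-account-to-entitlement graph, then reports identity debt as a backlog of orphaned accounts, stale grants, cross-system SoD conflicts, and entitlements granted since the last certification. All records, names, entitlement strings, and the SoD rule are constructed for illustration; the 90-day staleness window and the certification date are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (illustrative only, not drawn from any real estate).
# Each source holds part of the truth: HR knows people, the directory and the
# cloud tenant know accounts, and the entitlement feed knows grants.
TODAY = date(2026, 3, 1)
LAST_CERTIFIED = date(2025, 12, 1)   # assumed date of the last quarterly review
STALE_AFTER = timedelta(days=90)     # assumed "unused" threshold

PEOPLE = {  # HR authoritative source: person id -> status
    "p-ana": {"status": "active"},
    "p-ben": {"status": "active"},
    "p-cal": {"status": "terminated"},
}

ACCOUNTS = [  # owner None means no HR record links to this account
    {"id": "ad\\ana", "owner": "p-ana", "source": "ad", "type": "human"},
    {"id": "ad\\ben", "owner": "p-ben", "source": "ad", "type": "human"},
    {"id": "ad\\cal", "owner": "p-cal", "source": "ad", "type": "human"},
    {"id": "aws:svc-etl", "owner": None, "source": "aws", "type": "service"},
    {"id": "aws:ben", "owner": "p-ben", "source": "aws", "type": "human"},
]

GRANTS = [  # one row per (account, entitlement); last_used None = never seen
    {"account": "ad\\ana", "entitlement": "fileshare:finance-ro",
     "granted": date(2025, 6, 1), "last_used": date(2026, 2, 20)},
    {"account": "ad\\ben", "entitlement": "ap:create-vendor",
     "granted": date(2025, 9, 1), "last_used": date(2026, 2, 25)},
    {"account": "aws:ben", "entitlement": "ap:approve-payment",
     "granted": date(2026, 1, 15), "last_used": date(2026, 2, 26)},
    {"account": "ad\\cal", "entitlement": "fileshare:finance-rw",
     "granted": date(2025, 3, 1), "last_used": date(2025, 10, 30)},
    {"account": "aws:svc-etl", "entitlement": "iam:AdministratorAccess",
     "granted": date(2025, 1, 10), "last_used": None},
]

# Constructed SoD rule: nobody may both create vendors and approve payments.
SOD_RULES = [("ap:create-vendor", "ap:approve-payment")]


def build_graph(accounts, grants):
    """Build person -> accounts and account -> entitlements edges.

    Correlating across sources is the point: a person's effective access is
    the union of every account they own, in every system."""
    owns, holds = {}, {}
    for acct in accounts:
        holds.setdefault(acct["id"], set())
        if acct["owner"] is not None:
            owns.setdefault(acct["owner"], set()).add(acct["id"])
    for g in grants:
        holds.setdefault(g["account"], set()).add(g["entitlement"])
    return owns, holds


def identity_debt(people, accounts, grants, sod_rules, last_certified, today, stale_after):
    """Return identity debt as a backlog of open governance items."""
    owns, holds = build_graph(accounts, grants)
    backlog = {"orphaned_accounts": [], "stale_grants": [],
               "sod_conflicts": [], "uncertified_drift": []}

    # Orphaned: no HR owner, or an owner who is no longer active.
    for acct in accounts:
        owner = acct["owner"]
        if owner is None or people.get(owner, {}).get("status") != "active":
            backlog["orphaned_accounts"].append(acct["id"])

    # Stale: not exercised inside the window. Drift: granted after the last
    # certification, so no reviewer has ever seen it.
    cutoff = today - stale_after
    for g in grants:
        if g["last_used"] is None or g["last_used"] < cutoff:
            backlog["stale_grants"].append((g["account"], g["entitlement"]))
        if g["granted"] > last_certified:
            backlog["uncertified_drift"].append((g["account"], g["entitlement"]))

    # SoD: evaluate on the person's effective access across all accounts,
    # which catches conflicts split between a directory and a cloud account.
    for person, accts in owns.items():
        effective = set().union(*(holds[a] for a in accts))
        for left, right in sod_rules:
            if left in effective and right in effective:
                backlog["sod_conflicts"].append((person, left, right))

    for items in backlog.values():
        items.sort()
    return backlog


def open_items(backlog):
    """Single backlog number to trend day over day."""
    return sum(len(v) for v in backlog.values())


if __name__ == "__main__":
    debt = identity_debt(PEOPLE, ACCOUNTS, GRANTS, SOD_RULES,
                         LAST_CERTIFIED, TODAY, STALE_AFTER)
    for category, items in debt.items():
        print(f"{category}: {items}")
    print(f"open governance items: {open_items(debt)}")
```

Run daily against the real feeds rather than once a quarter and the backlog becomes the drift signal the quarterly review cannot see: in the sample data, the SoD conflict is only visible because the two halves sit in different systems under the same person, and the post-certification grant is exactly the change a review cycle would miss until the next one.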
What's in the full article
Gathid's full article covers the operational detail this post intentionally leaves for the source:
- A decision-tree breakdown of when Light IGA is likely enough and when the case for Full IGA becomes unavoidable.
- The article’s view of governance intelligence layers, including how a digital twin can be used to map identity relationships across systems.
- Specific examples of daily observability outputs that support access reviews, SoD analysis, and drift detection.
- The source’s framing of how to start improving governance without waiting for a full platform replacement.
👉 Read Gathid's analysis of why binary IGA models fail in real environments →
Identity governance in the gray zone: what teams are missing
Explore further
Identity governance in the gray zone is a control problem, not a platform problem. The article is right to reject a binary model, because most enterprises do not live in a clean Light IGA or Full IGA state. They live in a mixed environment where entitlement sprawl, disconnected records, and delayed reviews create governance gaps that no single deployment wave can erase. The practitioner conclusion is that governance maturity must be measured by continuity of control, not by product category.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
A question worth separating out:
Q: How can security teams decide whether they need a full IGA rollout?
A: Teams should decide based on the complexity of their identity estate, not on whether a platform sounds more complete. If they manage multiple authoritative sources, disconnected systems, or significant privileged access, they need stronger continuous governance regardless of rollout timing. A bridge layer can reduce risk while the long-term architecture is planned.
👉 Read our full editorial: Identity governance in the gray zone: why binary IGA fails