TL;DR: Identity governance maturity models are only meaningful when they measure how consistently access reviews, lifecycle automation, segregation of duties, and non-human identity controls operate across the enterprise, according to SecurEnds. The governance gap is no longer whether controls exist, but whether they scale across people, applications, and machine identities without relying on manual exception handling.
NHIMG editorial — based on content published by SecurEnds: an identity governance maturity model for evaluating access, policy enforcement, and compliance
By the numbers:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
Questions worth separating out
Q: How should organisations extend identity governance maturity models to non-human identities?
A: They should score non-human identities in the same maturity framework as human accounts, but with machine-specific controls for ownership, lifecycle, privilege scope, and review coverage.
Q: Why do access reviews often fail to reflect real identity governance maturity?
A: Because review completion only shows that a decision was recorded; it does not prove that the flagged access was actually removed.
Q: What breaks when non-human identities are excluded from governance scoring?
A: The maturity model understates risk because the identities with the most persistent or high-privilege access are left out of the control picture.
Practitioner guidance
- Expand maturity assessments to include machine identities: add service accounts, APIs, workloads, certificates, and automation identities to the same governance scorecard used for human access reviews and lifecycle controls.
- Measure entitlement correction, not just review completion: track how quickly access is removed after a termination, role change, or policy violation, because completion metrics can hide unresolved exposure.
- Connect authoritative identity data to lifecycle triggers: use a trusted source of identity truth so onboarding, transfer, and offboarding events automatically drive provisioning and deprovisioning decisions.
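As an added illustration of the first two points above (not code from SecurEnds or the NHIMG post), the snippet below scores one review campaign over an inventory that includes machine identities, reporting review completion separately from entitlement correction and flagging revocations that are still live past a removal SLA. Identity names, owners, dates and the 7-day SLA are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass
class Identity:
    name: str
    kind: str                   # "human" or "machine" (service account, workload, API key, cert)
    owner: Optional[str]        # None = nobody is accountable for it
    in_review_scope: bool       # covered by the certification campaign at all?

@dataclass
class ReviewItem:
    identity: str
    decision: Optional[str]         # "keep", "revoke", or None while the reviewer is pending
    decided_at: Optional[datetime]
    removed_at: Optional[datetime]  # for "revoke": when the entitlement actually disappeared

def governance_metrics(identities, reviews, now, sla=timedelta(days=7)):
    def pct(part, whole):
        return round(100 * len(part) / len(whole), 1) if whole else 0.0
    machines = [i for i in identities if i.kind == "machine"]
    decided = [r for r in reviews if r.decision is not None]
    revokes = [r for r in decided if r.decision == "revoke"]
    closed = [r for r in revokes if r.removed_at is not None]   # revoked AND actually removed
    return {
        "machine_with_owner_pct": pct([m for m in machines if m.owner], machines),
        "machine_in_review_scope_pct": pct([m for m in machines if m.in_review_scope], machines),
        "review_completion_pct": pct(decided, reviews),
        "revocation_corrected_pct": pct(closed, revokes),       # the number completion hides
        "median_days_to_remove": median((r.removed_at - r.decided_at).days for r in closed) if closed else None,
        "revocations_past_sla": [r.identity for r in revokes
                                 if r.removed_at is None and now - r.decided_at > sla],
    }
# Constructed sample inventory and one review campaign; not real data.
NOW = datetime(2025, 3, 15)
IDENTITIES = [
    Identity("alice", "human", "hr:alice", True),
    Identity("bob", "human", "hr:bob", True),
    Identity("svc-backup", "machine", "team-infra", True),
    Identity("svc-etl-legacy", "machine", None, False),        # orphaned and never reviewed
    Identity("api-key-payments", "machine", "team-payments", True),
]
REVIEWS = [
    ReviewItem("alice", "revoke", datetime(2025, 3, 1), datetime(2025, 3, 2)),
    ReviewItem("bob", None, None, None),                                   # reviewer still pending
    ReviewItem("svc-backup", "keep", datetime(2025, 3, 1), None),
    ReviewItem("api-key-payments", "revoke", datetime(2025, 3, 3), None),  # certified, still live
]
```

On the sample data the campaign is 75% complete but only 50% of revocations have been corrected, and the orphaned service account never appears in the review at all, which is exactly the gap a human-only scorecard would hide.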
What's in the full article
SecurEnds' full article covers the operational detail this post intentionally leaves for the source:
- A step-by-step maturity scorecard for access reviews, JML automation, SoD monitoring, and audit reporting
- Implementation detail on how the vendor recommends structuring lifecycle automation and certification workflows
- Practical KPI examples for tracking review completion, remediation timelines, and privileged access coverage
- Expanded guidance on extending governance to service accounts, workloads, certificates, and automation identities
👉 Read SecurEnds' identity governance maturity model for IGA and NHI →
Identity governance maturity and NHI coverage: what teams miss
Explore further
Identity governance maturity is no longer defined by human access management alone. The article is right to place non-human identities inside the maturity model, because service accounts, APIs, workloads, and certificates now carry business-critical access. A programme that measures only employee lifecycle control is measuring a shrinking part of the risk surface. The practitioner conclusion is simple: maturity scoring must reflect the full identity estate, not just workforce governance.
A few things that frame the scale:
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
A question worth separating out:
Q: Which frameworks help assess identity governance maturity across people and machines?
A: The NIST Cybersecurity Framework 2.0 helps anchor governance, protect, detect, respond, and recover activities, while the OWASP Non-Human Identity Top 10 helps focus on machine identity risks such as overprivilege, visibility gaps, and credential management. Together they support a maturity view that includes both enterprise process and identity-specific control coverage.
👉 Read our full editorial: Identity governance maturity now depends on non-human identities