Identity governance without visibility: where do controls break down?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: Most IGA programmes still govern the 30% to 40% of applications they can see while the 60% to 70% shadow layer remains outside reviews, provisioning, and audit evidence, according to Zluri's analysis. The governance problem is not weak policy design, but incomplete discovery that leaves access truth fragmented across systems and teams.

NHIMG editorial — based on content published by Zluri: Security & Compliance Identity Governance and Administration - A Visibility-First Guide

By the numbers:

Questions worth separating out

Q: What breaks when identity governance starts before visibility?

A: Access reviews, provisioning, and audit reporting all become partial controls when the organisation cannot see its full application and identity surface.

Q: When should organisations prioritise discovery over access reviews?

A: Discovery should come first whenever the team cannot confidently map all applications, identities, and entitlements in scope.

Q: How do you know if identity governance is actually working?

A: You know governance is working when the team can explain coverage, prove offboarding across connected and unconnected systems, and show that review outcomes match the real access surface.

Practitioner guidance

  • Baseline identity coverage across every application: inventory connected, shadow, and team-managed applications before expanding access governance.
  • Rebuild access reviews around complete scope: do not certify only the users visible in your IdP.
  • Close the lifecycle gap for offboarding and role change: link HR events, manager approvals, and application-level revocation so that promotion, transfer, and termination workflows reach both connected systems and the long tail of unmanaged tools.

What's in the full article

Zluri's full blog post covers the operational detail this post intentionally leaves for the source:

  • A step-by-step explanation of how to calculate application coverage gaps across IdP, logs, and business-owned tools.
  • A practical breakdown of when access reviews become materially incomplete because the review universe is smaller than the real estate.
  • A walkthrough of lifecycle workflows for promotions, terminations, and unfederated app offboarding across mixed environments.
  • Examples of how to turn visibility data into audit evidence for compliance and material weakness remediation.

👉 Read Zluri's visibility-first guide to identity governance and administration →

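The three guidance items in the post above describe one reconciliation procedure: inventory beyond the IdP, certify against the full scope, and verify that offboarding reached unconnected tools. As an added example, not code from the original post or from Zluri, here is a small Python reconciliation over constructed inventories; the application names, user names and the HR termination list are all assumptions.

```python
"""Reconcile the IdP's view of applications and access against other evidence
(SaaS audit logs, expense data, team-owned inventories). All data below is
constructed sample data, not taken from any real environment."""

# Constructed: applications federated through the IdP and the users assigned there.
IDP_ASSIGNMENTS = {
    "salesforce": {"alice", "bob", "carol"},
    "github": {"alice", "dave"},
    "jira": {"alice", "bob", "carol", "dave", "erin"},
}
# Constructed: what other sources show, including unfederated tools.
OBSERVED_ASSIGNMENTS = {
    "salesforce": {"alice", "bob", "carol", "frank"},  # frank added in-app, bypassing the IdP
    "github": {"alice", "dave"},
    "jira": {"alice", "bob", "carol", "dave", "erin"},
    "notion": {"bob", "carol", "frank"},               # shadow SaaS with no SSO
    "figma": {"erin"},                                 # team-managed, paid on a card
}
# Constructed: HR-sourced terminations that should already be revoked everywhere.
TERMINATED = {"frank", "erin"}


def coverage_gap(idp, observed):
    """Apps in the IdP are governed; apps seen only elsewhere form the shadow layer."""
    governed = set(idp)
    shadow = set(observed) - governed
    total = len(governed | shadow)
    return {"governed": governed, "shadow": shadow,
            "coverage": len(governed) / total if total else 0.0}


def review_universe_gap(idp, observed):
    """Access an IdP-only certification would never show a reviewer: users seen
    in the observed evidence but absent from the IdP assignment for that app."""
    return {app: users - idp.get(app, set())
            for app, users in observed.items()
            if users - idp.get(app, set())}


def offboarding_leaks(terminated, idp, observed):
    """Terminated identities still holding access, with whether the app is connected
    (the IdP could revoke it) or unconnected (needs app-level revocation)."""
    return {app: {"users": users & terminated, "connected": app in idp}
            for app, users in observed.items()
            if users & terminated}


if __name__ == "__main__":
    print(coverage_gap(IDP_ASSIGNMENTS, OBSERVED_ASSIGNMENTS))
    print(review_universe_gap(IDP_ASSIGNMENTS, OBSERVED_ASSIGNMENTS))
    print(offboarding_leaks(TERMINATED, IDP_ASSIGNMENTS, OBSERVED_ASSIGNMENTS))
```

On this sample the IdP governs 3 of 5 applications (60% coverage), an IdP-only review would miss access in three apps, and both terminated users still hold access, one of them in an unconnected tool the IdP could never have revoked.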
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

Visibility-first governance is the real prerequisite for IGA maturity. The article is right to call out that access review quality is limited by discovery quality. When the programme only sees the federated portion of the environment, certification becomes a false measure of control. Practitioners should treat coverage as the first governance outcome, because incomplete visibility invalidates everything that follows.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: What is the difference between IdP administration and identity governance?

A: IdP administration handles login, provisioning, and basic group management for connected apps. Identity governance determines whether access is still appropriate, whether it has been reviewed, and whether it has been revoked everywhere it exists. Administration can create and remove accounts. Governance proves that access remains justified across the full estate.

👉 Read our full editorial: Identity governance fails when visibility comes second



   