Identity governance without visibility: where do controls break down?


(@nhi-mgmt-group)
Member Moderator

TL;DR: Most IGA programmes still govern the 30% to 40% of applications they can see while the 60% to 70% shadow layer remains outside reviews, provisioning, and audit evidence, according to Zluri's analysis. The governance problem is not weak policy design, but incomplete discovery that leaves access truth fragmented across systems and teams.

NHIMG editorial — based on content published by Zluri: Security & Compliance Identity Governance and Administration - A Visibility-First Guide

By the numbers:

Questions worth separating out

Q: What breaks when identity governance starts before visibility?

A: Access reviews, provisioning, and audit reporting all become partial controls when the organisation cannot see its full application and identity surface.

Q: When should organisations prioritise discovery over access reviews?

A: Discovery should come first whenever the team cannot confidently map all applications, identities, and entitlements in scope.

Q: How do you know if identity governance is actually working?

A: You know governance is working when the team can explain coverage, prove offboarding across connected and unconnected systems, and show that review outcomes match the real access surface.

Practitioner guidance

  • Baseline identity coverage across every application: Inventory connected, shadow, and team-managed applications before expanding access governance.
  • Rebuild access reviews around complete scope: Do not certify only the users visible in your IdP.
  • Close the lifecycle gap for offboarding and role change: Link HR events, manager approvals, and application-level revocation so that promotion, transfer, and termination workflows reach both connected systems and the long tail of unmanaged tools.
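As an added illustration (not code from Zluri or from this post), the following reconciles a constructed application inventory against the IdP-connected set: it measures how much of the discovered estate sits inside governed scope, and shows which leaver accounts an IdP-only access review would never see. All application and user names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AppAccess:
    app: str                 # application name
    source: str              # where it was discovered: "idp", "sso_log", "expense"
    users: frozenset[str]    # account identifiers observed in that application


# Constructed sample inventory (hypothetical values, not from the article).
IDP_CONNECTED = {"okta-crm", "payroll"}   # apps the IdP provisions and reviews
DISCOVERED = [
    AppAccess("okta-crm", "idp", frozenset({"alice", "bob", "frank"})),
    AppAccess("payroll", "idp", frozenset({"alice", "carol"})),
    AppAccess("figma", "expense", frozenset({"bob", "dave"})),        # team-managed, found via expense data
    AppAccess("pagerduty", "sso_log", frozenset({"carol", "erin"})),  # seen only in logs
]
HR_ACTIVE = {"alice", "bob", "carol"}     # dave, erin and frank have left according to HR


def application_coverage(connected: set[str], discovered: list[AppAccess]) -> float:
    """Share of the discovered application estate that is inside governed (IdP) scope."""
    estate = {a.app for a in discovered}
    return len(estate & connected) / len(estate) if estate else 1.0


def shadow_apps(connected: set[str], discovered: list[AppAccess]) -> list[str]:
    """Applications discovered outside the IdP: the review universe does not include them."""
    return sorted({a.app for a in discovered} - connected)


def orphaned_accounts(discovered: list[AppAccess], hr_active: set[str]) -> dict[str, list[str]]:
    """Accounts still present in any app for identities HR no longer lists as active,
    grouped by app. Those in unconnected apps are invisible to IdP-driven offboarding."""
    return {a.app: sorted(a.users - hr_active) for a in discovered if a.users - hr_active}


def review_universe_gap(connected: set[str], discovered: list[AppAccess]) -> list[str]:
    """Identities an IdP-scoped certification never sees, because all their access is in shadow apps."""
    governed = set().union(*(a.users for a in discovered if a.app in connected))
    everyone = set().union(*(a.users for a in discovered))
    return sorted(everyone - governed)


if __name__ == "__main__":
    print(f"coverage: {application_coverage(IDP_CONNECTED, DISCOVERED):.0%}")
    print("shadow apps:", shadow_apps(IDP_CONNECTED, DISCOVERED))
    print("leaver accounts by app:", orphaned_accounts(DISCOVERED, HR_ACTIVE))
    print("identities outside review scope:", review_universe_gap(IDP_CONNECTED, DISCOVERED))
```

With this data the IdP-scoped review would catch frank's orphaned CRM account but never see dave or erin, whose only access lives in the two unconnected tools.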

What's in the full article

Zluri's full blog post covers the operational detail this post intentionally leaves for the source:

  • A step-by-step explanation of how to calculate application coverage gaps across IdP, logs, and business-owned tools.
  • A practical breakdown of when access reviews become materially incomplete because the review universe is smaller than the real estate.
  • A walkthrough of lifecycle workflows for promotions, terminations, and unfederated app offboarding across mixed environments.
  • Examples of how to turn visibility data into audit evidence for compliance and material weakness remediation.

👉 Read Zluri's visibility-first guide to identity governance and administration →
