
Identity security and access management: where is the real control gap?


(@sailpoint)
Reputable Member
Joined: 1 year ago
Posts: 163
Topic starter  

TL;DR: Access management grants workers the connectivity they need, but identity security is what adds oversight, brake points, and risk mitigation when access is no longer static, according to SailPoint. The core issue is that modern programmes must govern who gets access, how long it lasts, and how to stop it from becoming a business risk.

NHIMG editorial — based on content published by SailPoint: The Identity Management Pendulum: Identity Security Mitigates Access Management Risk

Questions worth separating out

Q: How should security teams separate access enablement from access governance?

A: Security teams should treat provisioning and governance as different workflows.

Q: Why do broad access rights increase identity risk?

A: Broad access rights increase risk because they make misuse, lateral movement, and delayed revocation more likely once credentials are active.

Q: What do identity teams get wrong about secure access?

A: Teams often assume that granting access is the main job and security can be addressed later.

Practitioner guidance

  • Separate access provisioning from access governance. Define one workflow for granting access and a different one for certifying, expiring, and revoking it.
  • Inventory every identity that can reach business systems. Maintain a live inventory of users, service accounts, tokens, and delegated entitlements so you can see where access exists before you try to secure it.
  • Attach expiry and review logic to all high-risk access. Require time-bound access for privileged roles, sensitive systems, and temporary business exceptions, then enforce review before renewal.

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

  • How the vendor frames identity security versus access management in enterprise operating models
  • Examples of the access risk scenarios discussed in the original article
  • The article's extended race-car analogy and how it maps to security controls
  • The broader narrative SailPoint uses to describe secure enablement across cloud environments

👉 Read SailPoint's analysis of why identity security must mitigate access risk →

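The three guidance points in the post above (separate provisioning from governance, keep a live inventory, attach expiry and review-before-renewal to high-risk access) as an added, runnable example. This is illustration code written for this thread, not SailPoint's or NHIMG's code; the entitlement names, the 30-day TTL cap, the one-hour revocation grace period and the sample inventory are all constructed assumptions.

```python
"""Time-bound access with review-before-renewal and stale-access detection.

Added example for the guidance above; not SailPoint's or the forum's code.
Policy values and inventory entries are assumptions made for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

HIGH_RISK_ENTITLEMENTS = {"prod-db-admin", "cloud-org-owner", "secrets-read-all"}  # assumed
MAX_HIGH_RISK_TTL = timedelta(days=30)        # assumed cap on any single high-risk term
REVOCATION_GRACE = timedelta(hours=1)         # assumed tolerance for cleanup-job lag


@dataclass
class Grant:
    identity: str                      # user, service account or token name
    identity_type: str                 # "user" | "service_account" | "token"
    entitlement: str
    granted_at: datetime
    expires_at: Optional[datetime]     # None = standing access with no expiry
    owner: Optional[str] = None        # accountable human for non-human identities
    last_certified_at: Optional[datetime] = None
    active: bool = True


class AccessGovernor:
    """One live inventory, two workflows: provision() enables access;
    certify()/renew()/revoke_expired()/audit() govern it."""

    def __init__(self, now: datetime):
        self.now = now
        self.inventory: list[Grant] = []

    def discover(self, g: Grant) -> None:
        """Record access that already exists (discovery), without policy checks."""
        self.inventory.append(g)

    # enablement workflow: policy is enforced at grant time
    def provision(self, g: Grant) -> Grant:
        if g.entitlement in HIGH_RISK_ENTITLEMENTS:
            if g.expires_at is None:
                raise ValueError(f"{g.identity}: high-risk access must be time-bound")
            if g.expires_at - g.granted_at > MAX_HIGH_RISK_TTL:
                raise ValueError(f"{g.identity}: term exceeds {MAX_HIGH_RISK_TTL.days} days")
        if g.identity_type != "user" and g.owner is None:
            raise ValueError(f"{g.identity}: non-human identity needs an accountable owner")
        self.inventory.append(g)
        return g

    # governance workflow: review, renewal and revocation are separate steps
    def certify(self, g: Grant, reviewer: str) -> None:
        g.last_certified_at = self.now          # reviewer recorded elsewhere in a real system

    def renew(self, g: Grant, extend_by: timedelta) -> Grant:
        if not g.active:
            raise ValueError("revoked grants are re-provisioned, never renewed")
        reviewed_this_term = g.last_certified_at is not None and g.last_certified_at >= g.granted_at
        if not reviewed_this_term:
            raise PermissionError(f"{g.identity}: renewal requires a review in the current term")
        if g.entitlement in HIGH_RISK_ENTITLEMENTS and extend_by > MAX_HIGH_RISK_TTL:
            raise ValueError("renewal exceeds the high-risk TTL cap")
        g.granted_at, g.expires_at = self.now, self.now + extend_by
        g.last_certified_at = None              # the next term needs its own review
        return g

    def revoke_expired(self) -> list[Grant]:
        revoked = [g for g in self.inventory
                   if g.active and g.expires_at is not None and g.expires_at <= self.now]
        for g in revoked:
            g.active = False
        return revoked

    def audit(self) -> dict[str, list[str]]:
        """What the inventory shows before you try to secure it."""
        f: dict[str, list[str]] = {"standing_high_risk": [], "stale_active": [], "uncertified_expiring": []}
        for g in self.inventory:
            if not g.active:
                continue
            label = f"{g.identity}:{g.entitlement}"
            if g.entitlement in HIGH_RISK_ENTITLEMENTS and g.expires_at is None:
                f["standing_high_risk"].append(label)        # no brake point at all
            elif g.expires_at is not None and g.expires_at + REVOCATION_GRACE < self.now:
                f["stale_active"].append(label)              # expired but never revoked
            elif (g.expires_at is not None and g.last_certified_at is None
                  and self.now < g.expires_at <= self.now + timedelta(days=7)):
                f["uncertified_expiring"].append(label)      # will hit renewal without a review
        return f


def run_demo() -> dict:
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)
    gov = AccessGovernor(now)
    # constructed sample inventory, not data from any real tenant
    gov.discover(Grant("svc-backup", "service_account", "prod-db-admin",
                       now - timedelta(days=400), None, owner="dba-team"))
    gov.discover(Grant("ci-token-42", "token", "secrets-read-all",
                       now - timedelta(days=40), now - timedelta(days=10), owner="platform"))
    gov.provision(Grant("alice", "user", "cloud-org-owner", now, now + timedelta(days=5)))
    bob = gov.provision(Grant("bob", "user", "prod-db-admin",
                              now - timedelta(days=25), now + timedelta(days=3)))
    before = gov.audit()
    try:
        gov.renew(bob, timedelta(days=30)); renewal_blocked = False
    except PermissionError:
        renewal_blocked = True                  # no review this term, so no renewal
    gov.certify(bob, reviewer="dba-lead")
    gov.renew(bob, timedelta(days=30))
    revoked = [g.identity for g in gov.revoke_expired()]
    try:
        gov.provision(Grant("carol", "user", "prod-db-admin", now, None)); standing_rejected = False
    except ValueError:
        standing_rejected = True                # standing high-risk access is refused at grant time
    return {"before": before, "renewal_blocked": renewal_blocked, "revoked": revoked,
            "standing_rejected": standing_rejected, "after": gov.audit()}


if __name__ == "__main__":
    print(run_demo())
```

The split between discover() and provision() is deliberate: policy is enforced on new grants, but the audit still runs over everything discovered, so legacy standing access (svc-backup here) surfaces as a finding instead of being silently accepted.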
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7659
 

Identity security is the control layer that prevents access from becoming unmanaged risk. The article is right to separate granting access from securing it, because those are different governance problems with different failure modes. Access management answers the enablement question, but identity security determines whether that access remains bounded, observable, and revocable. Practitioners should treat this as an architectural split, not a branding distinction.

A few things that frame the scale:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how weak identity observability remains in practice.

A question worth separating out:

Q: Who is accountable when access remains in place after it should have been removed?

A: Accountability should sit with the identity owner, the system owner, and the governance process that failed to enforce expiry or revocation. NIST Cybersecurity Framework 2.0 is useful here because it treats access control and governance as operational responsibilities, not one-time setup tasks.

👉 Read our full editorial: Identity security is now the control layer for access risk



   
ReplyQuote
Share: