TL;DR: Working-from-anywhere exposed a dangerous gap between enabling access and securing it, because identity has become the modern enterprise perimeter and each identity can open hundreds or thousands of access points, according to SailPoint. The real risk is false confidence in authentication alone, because access that is not continuously governed becomes exposure.
NHIMG editorial — based on content published by SailPoint: False Sense of Security
Questions worth separating out
Q: How should security teams balance access enablement and identity control?
A: Security teams should treat access enablement as a delivery function and identity control as a governance function.
Q: Why do strong authentication controls not eliminate identity risk?
A: Strong authentication only proves that an identity can sign in.
Q: What breaks when access reviews are disconnected from lifecycle events?
A: When reviews are disconnected from joiner, mover, and leaver events, organisations end up certifying access that no longer matches business need.
Practitioner guidance
- Separate access approval from access governance: Require a second control step after initial provisioning to confirm role fit, privilege scope, and business need before access is treated as acceptable.
- Tie every access review to a lifecycle trigger: Trigger recertification when a role changes, a contractor engagement ends, or a project closes, so stale access is not re-certified by default.
- Inventory the identities that define your perimeter: Build a single view of employees, contractors, partners, and non-human identities so each access relationship can be evaluated against policy.
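One way to wire the lifecycle triggers above to a single identity inventory, shown as an added example that is not from SailPoint's post or from any product. The record fields, the "basis" labels, and all sample identities and events are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    identity: str      # employee, contractor, partner or non-human identity
    kind: str          # "employee" | "contractor" | "partner" | "nhi"
    entitlement: str
    basis: str         # business need recorded at approval (hypothetical label)

# Constructed sample inventory: one view across human and non-human identities.
GRANTS = [
    Grant("alice", "employee", "crm:read", "role:sales"),
    Grant("alice", "employee", "billing:admin", "role:finance"),
    Grant("bob", "contractor", "repo:write", "engagement:bob"),
    Grant("bob", "contractor", "wiki:edit", "project:atlas"),
    Grant("svc-atlas-ci", "nhi", "deploy:prod", "project:atlas"),
    Grant("carol", "employee", "crm:read", "role:sales"),
]

# Constructed lifecycle events: a mover, a leaver, and a project closure.
EVENTS = [
    {"type": "role_change", "identity": "alice", "new_role": "sales"},
    {"type": "contract_end", "identity": "bob"},
    {"type": "project_close", "project": "atlas"},
]

def recert_tasks(grants, events):
    """Return sorted (identity, entitlement, reason) review tasks."""
    tasks = set()
    for ev in events:
        for g in grants:
            if ev["type"] == "role_change" and g.identity == ev["identity"]:
                # Mover: access justified by a role other than the new one is stale.
                if g.basis.startswith("role:") and g.basis != f"role:{ev['new_role']}":
                    tasks.add((g.identity, g.entitlement, "role_change"))
            elif ev["type"] == "contract_end" and g.identity == ev["identity"]:
                # Leaver: every grant held by the identity goes to review.
                tasks.add((g.identity, g.entitlement, "contract_end"))
            elif ev["type"] == "project_close" and g.basis == f"project:{ev['project']}":
                # Project closure reaches human and non-human identities alike.
                tasks.add((g.identity, g.entitlement, "project_close"))
    return sorted(tasks)

if __name__ == "__main__":
    for task in recert_tasks(GRANTS, EVENTS):
        print(*task, sep="\t")
```

Only grants touched by an event are queued, so access that still matches its recorded business need (carol's, and alice's sales access) is not re-certified by default.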
What's in the full article
SailPoint's full blog post covers the operational detail this post intentionally leaves for the source:
- How the author maps access enablement decisions to identity security failure modes in the modern enterprise
- The article's full set of governance questions for role changes, access duration, and entitlement removal
- The reasoning behind the claim that identity now functions as the enterprise perimeter
- The source's broader commentary on balancing workforce productivity with security policy
Explore further
Enablement without control is the core identity governance failure. The article is right to separate giving access from securing it, because those are different control problems with different failure modes. In practice, organisations often celebrate faster access provisioning while leaving privilege scope, approval quality, and removal discipline underdeveloped. The practitioner conclusion is simple: access velocity is not security.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- In the same research, 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, which shows that access often fails after provisioning, not at login.
A question worth separating out:
Q: Who should own identity security in a modern enterprise perimeter model?
A: Ownership should sit across IAM, IGA, PAM, and security architecture, because the perimeter now consists of identity relationships rather than network boundaries. Operations can provision access, but governance must define scope, review, and removal. The business cannot delegate accountability to authentication alone.