TL;DR: According to Nexis, many IAM programmes still lack an accurate, actionable view of how identities, roles, and entitlements behave across the enterprise. Nexis therefore positions identity visibility, hybrid RBAC and ABAC, and no-code governance as the operating model for continuous control. That framing matters because static review cycles and fragmented data no longer match how access actually changes in modern environments.
NHIMG editorial — based on content published by Nexis: IAM Unique Capabilities of the NEXIS Platform
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should IAM teams govern hybrid RBAC and ABAC models?
A: They should govern both models through the same approval, versioning, and evidence process.
Q: Why do identity visibility gaps weaken access governance?
A: Because reviewers cannot make defensible decisions when they cannot see how entitlements relate to roles, ownership, usage, and change over time.
Q: When should organisations use preventive compliance checks in IAM?
A: They should use them before access is assigned, especially where separation-of-duties conflicts, risky combinations, or regulated workflows are involved.
Practitioner guidance
- Map role and entitlement drift to business context: Tie access structures to named business functions, applications, and ownership paths so reviewers can judge whether entitlements still reflect how work is actually done.
- Unify RBAC and ABAC governance in one control plane: Document where role rules end and attribute rules begin, then apply version control and approval workflow to both so policy changes remain explainable.
- Move access reviews earlier with preventive checks: Detect separation-of-duties conflicts and risky entitlement combinations before assignment, then route exceptions through business-approved remediation rather than after-the-fact cleanup.
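
A preventive check of the kind described in the last two points, as an added example (not code from Nexis or its platform): it evaluates a role request against the union of role-derived and attribute-derived entitlements, so a separation-of-duties conflict created by an ABAC rule is caught before assignment. All role names, entitlements, attribute rules, and identities are constructed for illustration.

```python
# Added example; every role, entitlement, rule and identity below is constructed.
SOD_CONFLICTS = {                      # entitlement pairs that must not be combined
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"payroll.edit", "payroll.release"}),
}
ROLE_ENTITLEMENTS = {                  # RBAC: role -> entitlements
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_approver": {"payment.approve"},
    "hr_admin": {"payroll.edit"},
}
ATTRIBUTE_RULES = [                    # ABAC: (predicate over attributes, entitlements granted)
    (lambda a: a.get("department") == "finance" and a.get("grade", 0) >= 7,
     {"payment.approve"}),
]
APPROVED_EXCEPTIONS = {                # (identity, conflict pair) signed off by the business
    ("u-204", frozenset({"vendor.create", "payment.approve"})),
}


def effective_entitlements(roles, attrs):
    """Union of role-derived and attribute-derived entitlements."""
    ents = set()
    for role in roles:
        ents |= ROLE_ENTITLEMENTS[role]    # unknown role raises KeyError: fail closed
    for predicate, granted in ATTRIBUTE_RULES:
        if predicate(attrs):
            ents |= granted
    return ents


def check_assignment(identity, roles, attrs, requested_role):
    """Evaluate a role request before it is assigned.

    Returns (decision, conflicts); conflicts lists only the SoD pairs the
    new role would introduce, not ones the identity already holds.
    """
    before = effective_entitlements(roles, attrs)
    after = effective_entitlements(set(roles) | {requested_role}, attrs)
    new = [p for p in SOD_CONFLICTS if p <= after and not p <= before]
    conflicts = sorted(tuple(sorted(p)) for p in new)
    if not new:
        return "allow", conflicts
    if all((identity, p) in APPROVED_EXCEPTIONS for p in new):
        return "allow_with_exception", conflicts
    return "needs_exception_approval", conflicts
```

A check that looked only at role membership would pass the `ap_clerk` request for a finance identity at grade 7 or above, because the conflicting `payment.approve` entitlement comes from the attribute rule rather than from any role.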
What's in the full article
Nexis's full article covers the operational detail this post intentionally leaves for the source:
- Configuration-ready workflow logic for approvals, reviews, and exception handling.
- Examples of how the platform structures role simulation, versioning, and change control.
- Data quality routines and validation patterns for harmonising identity data across sources.
- Business-facing dashboard and comment workflow mechanics for access review decisions.
Explore further
Identity visibility is now a governance control, not a reporting feature. When leaders cannot explain how entitlements map to roles, business context, and time, they do not have governance, only inventory. That distinction matters in audits, access reviews, and remediation planning, because opaque access structures are where drift becomes normalised. Practitioners should treat visibility as the evidence layer that makes every downstream decision defensible.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: How can teams tell whether role optimisation is working?
A: Look for fewer overlaps, fewer unused roles, cleaner approval paths, and a smaller backlog of exceptions or manual fixes. If the role model still generates recurring remediation work, optimisation is not holding. The goal is a role structure that stays aligned with organisational change instead of collapsing into drift.