Internal controls and identity governance: where are the gaps now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7890
Topic starter  

TL;DR: Internal controls are designed to prevent misuse, errors, fraud, and non-compliance through segregation, approval, documentation, verification, and monitoring, according to Pathlock's explanation of the control model. The same logic now has to be applied more explicitly to identity, because access, accountability, and review cycles break down when machine credentials and AI-driven execution move faster than traditional control points.

NHIMG editorial — based on content published by Pathlock: Definition of Internal Controls and the key principles behind them

Questions worth separating out

Q: How should security teams apply internal control principles to identity governance?

A: They should treat identity as a governed control system, not a set of disconnected technical settings: the same segregation, approval, documentation, verification, and monitoring that Pathlock describes for business processes has to be applied to each entitlement, for human and machine identities alike.

Q: Why do service accounts and other NHIs expose internal control weaknesses?

A: Because their access is not tied to a person's joiner, mover, or leaver events, so it persists outside normal human review cycles, and a single credential can be reused by multiple systems or teams, which blurs who is accountable for it.

Q: What breaks when access review and verification are not independent?

A: The same actor can approve access, use it, and later certify that it was appropriate, which removes the check and balance that internal controls are meant to create.

Practitioner guidance

  • Separate access creation from access approval: ensure the team or system that provisions entitlements is not the same one that approves them or certifies them later.
  • Extend audit trails across the full identity lifecycle: record who requested access, who approved it, when it was used, when it was reviewed, and when it was removed.
  • Monitor access drift continuously: track whether entitlements still match role, system purpose, and current business need after changes to applications, automation, or operating model.
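The three checks above, plus the failure described in the third answer (one actor requesting, approving and later certifying the same access), as an added Python example. This is not code from the post or from Pathlock; the event schema, the sample audit trail, the role baseline and the 180-day review window are all constructed assumptions for this illustration.

```python
"""Lifecycle audit-trail checks for human and non-human identities.

Added example (not from the post or from Pathlock). The event records below
are constructed sample data; the field names and the role baseline are
assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail: one record per lifecycle event, covering
# request, approval, use, review (certification) and removal.
EVENTS = [
    # Human user with clean separation: requester, approver and reviewer differ.
    {"ts": "2024-01-02", "event": "request", "subject": "alice", "actor": "alice", "entitlement": "payroll:approve"},
    {"ts": "2024-01-03", "event": "approve", "subject": "alice", "actor": "bob", "entitlement": "payroll:approve"},
    {"ts": "2024-02-01", "event": "use", "subject": "alice", "actor": "alice", "entitlement": "payroll:approve"},
    {"ts": "2024-03-15", "event": "review", "subject": "alice", "actor": "carol", "entitlement": "payroll:approve"},
    # Temporary entitlement that was later removed: must not show up as drift.
    {"ts": "2024-01-09", "event": "request", "subject": "alice", "actor": "alice", "entitlement": "ledger:read"},
    {"ts": "2024-01-10", "event": "approve", "subject": "alice", "actor": "bob", "entitlement": "ledger:read"},
    {"ts": "2024-02-20", "event": "remove", "subject": "alice", "actor": "bob", "entitlement": "ledger:read"},
    # Service account where one engineer requested, approved and certified its access.
    {"ts": "2024-01-05", "event": "request", "subject": "svc-etl", "actor": "dave", "entitlement": "db:admin"},
    {"ts": "2024-01-05", "event": "approve", "subject": "svc-etl", "actor": "dave", "entitlement": "db:admin"},
    {"ts": "2024-01-06", "event": "use", "subject": "svc-etl", "actor": "svc-etl", "entitlement": "db:admin"},
    {"ts": "2024-04-01", "event": "review", "subject": "svc-etl", "actor": "dave", "entitlement": "db:admin"},
    # Service account never reviewed, holding an entitlement beyond its purpose
    # that was approved with no recorded request.
    {"ts": "2023-06-01", "event": "request", "subject": "svc-backup", "actor": "erin", "entitlement": "storage:write"},
    {"ts": "2023-06-02", "event": "approve", "subject": "svc-backup", "actor": "frank", "entitlement": "storage:write"},
    {"ts": "2023-06-02", "event": "approve", "subject": "svc-backup", "actor": "frank", "entitlement": "iam:create-key"},
    {"ts": "2024-05-20", "event": "use", "subject": "svc-backup", "actor": "svc-backup", "entitlement": "iam:create-key"},
]

# Assumed baseline: the entitlements each identity's role or purpose justifies.
ROLE_BASELINE = {
    "alice": {"payroll:approve"},
    "svc-etl": {"db:admin"},
    "svc-backup": {"storage:write"},
}

# Assumed review date and maximum age for the staleness check.
REPORT_DATE = datetime(2024, 6, 1)
MAX_REVIEW_AGE_DAYS = 180


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d")


def active_entitlements(events):
    """Return the set of (subject, entitlement) approved and not later removed."""
    active = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["subject"], e["entitlement"])
        if e["event"] == "approve":
            active.add(key)
        elif e["event"] == "remove":
            active.discard(key)
    return active


def sod_violations(events):
    """Flag entitlements whose request, approval and certification are not independent."""
    actors = defaultdict(lambda: defaultdict(set))
    for e in events:
        actors[(e["subject"], e["entitlement"])][e["event"]].add(e["actor"])
    findings = []
    for key, by_event in actors.items():
        if by_event["approve"] and not by_event["request"]:
            findings.append((*key, "approved with no recorded request"))
        if by_event["request"] & by_event["approve"]:
            findings.append((*key, "requester approved own request"))
        if by_event["approve"] & by_event["review"]:
            findings.append((*key, "approver certified own approval"))
    return sorted(findings)


def stale_entitlements(events, now, max_age_days):
    """Active entitlements whose most recent approval or review is older than max_age_days."""
    last_check = {}
    for e in events:
        if e["event"] in ("approve", "review"):
            key = (e["subject"], e["entitlement"])
            ts = _parse(e["ts"])
            last_check[key] = max(last_check.get(key, ts), ts)
    stale = []
    for key in active_entitlements(events):
        age = (now - last_check[key]).days
        if age > max_age_days:
            stale.append((*key, age))
    return sorted(stale)


def access_drift(events, baseline):
    """Active entitlements that fall outside the identity's expected set."""
    return sorted(
        (subject, ent) for subject, ent in active_entitlements(events)
        if ent not in baseline.get(subject, set())
    )


if __name__ == "__main__":
    print("SoD violations:", sod_violations(EVENTS))
    print("Stale entitlements:", stale_entitlements(EVENTS, REPORT_DATE, MAX_REVIEW_AGE_DAYS))
    print("Access drift:", access_drift(EVENTS, ROLE_BASELINE))
```

Run against the sample trail, the checks flag only the two service accounts: svc-etl for the missing independence between request, approval and certification, and svc-backup for an entitlement approved without a request, two entitlements that have gone a year without review, and one entitlement outside its role baseline. The removed ledger:read entitlement is correctly ignored by both the staleness and drift checks, which is why the lifecycle trail needs the removal event and not just the grant.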

What's in the full article

Pathlock's full article covers the operational detail this post intentionally leaves for the source:

  • The full breakdown of the eight internal control principles and how each one maps to organisational governance.
  • The payroll example showing how segregation of duties, approval, and independent verification work in sequence.
  • The CFO responsibilities section, including oversight, monitoring, and control framework ownership.
  • The practical explanation of how controls support compliance, error reduction, and operational efficiency.

👉 Read Pathlock's guide to internal control principles and governance →
