IT compliance audits and access controls: what IAM teams miss

Posted by @nhi-mgmt-group (Member Moderator, joined 1 year ago, 6713 posts), topic starter

TL;DR: IT compliance audits check whether security controls, policies, and evidence align with laws and frameworks such as HIPAA, PCI-DSS, SOC 2, ISO, and GDPR, according to Zluri. The governance lesson is bigger than certification: audit readiness depends on provable access control, periodic review, and remediation discipline across human, workload, and service identities.

NHIMG editorial — based on content published by Zluri (Security & Compliance): "IT Compliance Audit - A Comprehensive Guide in 2026"

By the numbers:

Questions worth separating out

Q: How should teams make IT compliance audits work across human and non-human identities?

A: Teams should use one governance model for all identity types, then vary the controls by subject.

Q: Why do compliance audits often expose NHI problems before they expose human IAM issues?

A: NHIs usually accumulate faster, are reviewed less often, and persist longer than human accounts.

Q: What should organisations do when audit evidence does not match actual access state?

A: They should treat the mismatch as a control failure, not a reporting problem.

Practitioner guidance

  • Inventory every privileged identity and assign a named owner: Build a complete register of human admin accounts, service accounts, API keys, tokens, and certificates, then attach business purpose, system scope, and review cadence to each one.
  • Connect access reviews to actual entitlement changes: Do not let certification end at approval.
  • Track secrets outside approved vaults as audit exceptions: Identify credentials stored in code, config files, CI/CD tools, and shared documents, then treat each location as a control exception until it is removed or formally justified.
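The three guidance points above, and the earlier answer that an evidence-versus-reality mismatch is a control failure, can be reduced to one reconciliation pass: a register of privileged identities (owner, purpose, scope, review cadence, what the last review certified or revoked, where the secret lives) is compared against the entitlements actually observed on the target systems. The script below is an added example, not code from the NHIMG post or from Zluri's guide; the register schema, the field names, the approved vault list and every identity and entitlement in it are constructed for illustration.

```python
"""Reconcile a privileged-identity register against observed access state.

Added example, not from the NHIMG post or Zluri's guide. The register schema,
vault names, identities and entitlements below are all constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Assumption: these are the only secret stores the organisation has approved.
APPROVED_VAULTS = {"vault://prod", "vault://ci"}


@dataclass
class Identity:
    """One row of the privileged-identity register (constructed schema)."""
    name: str
    kind: str                        # "human", "service", "api_key", "token", "certificate"
    owner: Optional[str]             # named accountable owner; None means nobody owns it
    purpose: str                     # business purpose recorded in the register
    scope: str                       # system scope recorded in the register
    review_days: int                 # review cadence in days (shorter for NHIs)
    last_reviewed: date
    certified: Set[str] = field(default_factory=set)   # entitlements approved at last review
    revoked: Set[str] = field(default_factory=set)     # entitlements approved for removal
    secret_locations: Set[str] = field(default_factory=set)  # where its credential is stored


def audit(register: List[Identity], observed: Dict[str, Set[str]],
          today: date) -> List[Tuple[str, str]]:
    """Return (identity, finding) pairs; an empty list means evidence matches reality."""
    findings: List[Tuple[str, str]] = []
    for ident in register:
        if ident.owner is None:
            findings.append((ident.name, "no named owner"))
        if today - ident.last_reviewed > timedelta(days=ident.review_days):
            findings.append((ident.name, "access review overdue"))
        live = observed.get(ident.name, set())
        # Certification ended at approval: the removal was signed off but never applied.
        for ent in sorted(live & ident.revoked):
            findings.append((ident.name, f"approved revocation not applied: {ent}"))
        # Live access that no review ever looked at.
        for ent in sorted(live - ident.certified - ident.revoked):
            findings.append((ident.name, f"unreviewed entitlement live: {ent}"))
        # Evidence claims access that does not exist; also a mismatch, also a finding.
        for ent in sorted(ident.certified - live):
            findings.append((ident.name, f"certified entitlement absent from live state: {ent}"))
        # Every credential location outside an approved vault is an audit exception.
        for loc in sorted(ident.secret_locations - APPROVED_VAULTS):
            findings.append((ident.name, f"secret outside approved vault: {loc}"))
    # Identities that exist on systems but were never entered in the register.
    for name in sorted(set(observed) - {i.name for i in register}):
        findings.append((name, "live identity missing from register"))
    return findings


# Constructed sample data: a fixed audit date keeps the run deterministic.
AUDIT_DATE = date(2026, 1, 15)

REGISTER = [
    Identity("alice", "human", "alice", "DBA", "orders-db", 90, date(2025, 12, 16),
             certified={"db:read"}),
    Identity("ci-deploy", "service", "platform-team", "deploy pipeline", "prod cluster",
             30, date(2025, 12, 1), certified={"deploy:prod"}, revoked={"iam:admin"},
             secret_locations={"vault://ci", "git://app-repo/.env"}),
    Identity("legacy-token", "api_key", None, "unknown", "object storage",
             30, date(2026, 1, 5)),
]

# Constructed snapshot of entitlements actually observed on the target systems.
OBSERVED = {
    "alice": {"db:read"},
    "ci-deploy": {"deploy:prod", "iam:admin"},
    "legacy-token": {"s3:list", "s3:write"},
    "orphan-svc": {"queue:consume"},
}

if __name__ == "__main__":
    for name, finding in audit(REGISTER, OBSERVED, AUDIT_DATE):
        print(f"{name:14} {finding}")
```

Run as-is, the human account with a current review and matching state produces nothing, while the service account surfaces an overdue review, a signed-off revocation that is still live and a credential sitting in a repository; the unowned API key and the unregistered service show how NHIs accumulate findings faster than human accounts. Each line of output is a candidate control exception rather than a reporting discrepancy to be explained away.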

What's in the full article

Zluri's full guide covers the operational detail this post intentionally leaves for the source:

  • Framework-by-framework audit checklist for HIPAA, PCI-DSS, SOC 2, ISO, and GDPR so teams can map requirements to controls.
  • Step-by-step access review and auto-remediation workflow detail for operational teams that need to turn governance into action.
  • Examples of access directory, access privilege, and activity alert workflows that support evidence collection during an audit.
  • Practical certification process guidance for organisations trying to formalise compliance reporting and remediation.

👉 Read Zluri's guide to IT compliance audit controls and frameworks →
