TL;DR: ITGC certification is presented as a way to validate access, change management, logging, and documentation controls against SOX, ISO 27001, HIPAA, and PCI DSS expectations, according to Zluri. The real governance issue is not certification itself, but whether organisations can prove controls work before an audit exposes orphaned access and weak evidence chains.
NHIMG editorial — based on content published by Zluri: ITGC Certification: What It Is & How To Obtain It?
Questions worth separating out
Q: What breaks when ITGC access controls are not tied to lifecycle management?
A: Access can remain active after employment ends, which means the control exists in policy but not in practice.
Q: Why do ITGC audits focus so heavily on access reviews and logging?
A: Because access reviews show whether entitlements are still justified, while logging shows whether system activity can be traced and defended.
Q: How do organisations know if ITGC controls are actually working?
A: They test whether approvals, deprovisioning, and logging produce consistent evidence across the same systems auditors will sample.
Practitioner guidance
- Reconcile leaver access before certification testing: cross-check terminated users against application entitlements, privileged accounts, and shared access paths before auditors sample the environment.
- Standardise evidence for access and change controls: require each review, approval, and modification to produce a durable artefact that can be retraced during the audit window.
- Tie ITGC ownership to identity operations: assign explicit control owners for joiner-mover-leaver activity, privileged access, logging, and escalation so gaps do not drift between teams.
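The first two guidance points describe a concrete check: reconcile the HR leaver feed against entitlement exports from each in-scope system, then record the result as an artefact that can be retraced later. The script below is an added illustration of that check; it is not Zluri's or NHIMG's tooling. The HR rows, the three system exports (`erp`, `ad`, `vault`), the field names and the reviewer id are all constructed for the example. It also handles two things that routinely trip up a manual reconciliation: systems that disagree on user-id case, and leavers whose termination date is still in the future at review time.

```python
"""Reconcile leaver records against entitlement exports and emit an evidence artefact.

Added illustration for the practitioner guidance above; not Zluri's or NHIMG's code.
Input shapes, field names, system names and the sample rows are constructed.
"""
import hashlib
import json
from datetime import date

# Constructed HR leaver feed: user id and last working day (ISO dates).
LEAVERS = [
    {"user": "jdoe", "terminated": "2024-03-01"},
    {"user": "asmith", "terminated": "2024-04-15"},
    {"user": "rlee", "terminated": "2024-06-30"},  # future leaver relative to AS_OF
]

# Constructed entitlement exports from three systems, one row per grant.
ENTITLEMENTS = [
    {"system": "erp", "user": "jdoe", "entitlement": "GL_POSTING", "status": "active"},
    {"system": "erp", "user": "mkhan", "entitlement": "GL_POSTING", "status": "active"},
    {"system": "ad", "user": "JDOE", "entitlement": "Domain Admins", "status": "active"},
    {"system": "ad", "user": "asmith", "entitlement": "Domain Users", "status": "disabled"},
    {"system": "vault", "user": "asmith", "entitlement": "shared-db-creds", "status": "active"},
    {"system": "vault", "user": "rlee", "entitlement": "shared-db-creds", "status": "active"},
]

AS_OF = date(2024, 5, 1)  # the review date the auditor will sample against


def _norm(user: str) -> str:
    # Systems disagree on case and whitespace; normalise so "JDOE" matches "jdoe".
    return user.strip().lower()


def find_orphaned_access(leavers, entitlements, as_of):
    """Return active entitlements still held by users terminated on or before as_of."""
    term_dates = {}
    for row in leavers:
        terminated = date.fromisoformat(row["terminated"])
        if terminated <= as_of:  # a future leaver is not yet an orphan
            term_dates[_norm(row["user"])] = terminated

    findings = []
    for grant in entitlements:
        user = _norm(grant["user"])
        if user in term_dates and grant["status"] == "active":
            findings.append({
                "user": user,
                "system": grant["system"],
                "entitlement": grant["entitlement"],
                "days_since_termination": (as_of - term_dates[user]).days,
            })
    # Deterministic order so the same inputs always yield the same digest below.
    findings.sort(key=lambda f: (f["system"], f["user"], f["entitlement"]))
    return findings


def evidence_record(findings, as_of, reviewer):
    """Wrap findings in a dated, digested record so the review can be retraced."""
    body = {"as_of": as_of.isoformat(), "reviewer": reviewer, "findings": findings}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return {"record": body, "sha256": hashlib.sha256(canonical.encode()).hexdigest()}


def verify_evidence(record):
    """Recompute the digest; False means the artefact changed after it was produced."""
    canonical = json.dumps(record["record"], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest() == record["sha256"]


if __name__ == "__main__":
    found = find_orphaned_access(LEAVERS, ENTITLEMENTS, AS_OF)
    rec = evidence_record(found, AS_OF, reviewer="iam-control-owner")
    print(json.dumps(rec, indent=2))
```

Run against the constructed data, the check flags three grants: `jdoe` in both `erp` and `ad` (the AD row only matches because of the case normalisation), and `asmith`'s still-active shared credential in `vault`. The disabled AD membership and the future leaver are correctly left out. The digest is the point of the second guidance item: store the record alongside the approvals that close each finding, and `verify_evidence` lets an auditor confirm the artefact is the one produced on the review date.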
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance for assessing your current ITGC framework and closing control gaps before an audit.
- Practical examples of how SOX, ISO 27001, HIPAA, and PCI DSS map to access control, logging, and change management.
- A walkthrough of the certification process, including how external auditors assess control evidence.
- Examples of how access review reports can support internal audit preparation and external evidence collection.
👉 Read Zluri's guide to ITGC certification and audit-ready controls →
ITGC certification and access reviews: what do teams miss most?
Explore further
ITGC certification is really access accountability under audit pressure. The article treats certification as a compliance milestone, but the identity reality is narrower and harsher. Auditors are testing whether access, change, and logging controls can be evidenced at the exact systems where risk concentrates. For practitioners, the lesson is that certification quality depends on lifecycle discipline, not policy volume.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to GitGuardian & CyberArk.
A question worth separating out:
Q: Who is accountable when ITGC certification fails an audit?
A: Accountability usually sits with the control owners for identity, change management, and operations, not with auditors. Certification fails when evidence is missing, stale access remains unresolved, or approvals cannot be proved. That is why governance needs named owners, clear escalation paths, and a repeatable evidence chain across teams.
👉 Read our full editorial: ITGC certification exposes the access control gaps auditors find