Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Legacy identity gaps: what IAM teams are missing in large enterprises


(@lalit)
Member Admin
Joined: 1 year ago
Posts: 257
Topic starter  

TL;DR: Large enterprises can have strong identity policies on paper yet still leave major systems outside IGA and PAM coverage because legacy platforms, undocumented permissions, and service-account sprawl do not map cleanly to modern connectors, according to Hydden. The practical lesson is that identity governance fails when data extraction and lifecycle visibility stop at the edge of the infrastructure estate.

NHIMG editorial — based on content published by Hydden: Identity hygiene at scale breaks where legacy infrastructure outlives policy

Questions worth separating out

Q: What breaks when legacy systems cannot be covered by modern IGA and PAM tools?

A: Access governance becomes partial even when policy is strong.

Q: Why do service accounts create more risk than many teams expect?

A: Service accounts often carry privileged access, are poorly owned, and persist long after the original purpose has ended.

Q: How can security teams tell whether identity drift is becoming a control failure?

A: Look for a growing delay between unauthorised changes and formal review, especially on systems that still depend on manual extracts.

Practitioner guidance

  • Map every critical system that cannot be governed through standard connectors Create a coverage register for mainframes, custom ERP, legacy SQL stores, and any application that cannot be fully normalised into IGA or PAM.
  • Discover and classify service accounts as governed identities Inventory service accounts across scripts, infrastructure, and retired projects, then assign business owners, privilege tiers, and rotation expectations.
  • Replace quarterly-only reviews with continuous monitoring on high-risk estates Keep certification for formal control, but add ongoing detection for systems where access changes outside the review cycle.

What's in the full article

Hydden's full analysis covers the operational detail this post intentionally leaves for the source:

  • Examples of how AI-enabled extraction can normalise permissions from unstructured legacy data
  • The enterprise scenarios where custom connectors are still failing and why audit scope remains incomplete
  • The practical bridge between legacy identity data, PAM onboarding, and continuous governance workflows
  • The specific ways technical debt and M&A history widen the gap between policy and infrastructure

👉 Read Hydden's analysis of why identity basics fail at enterprise scale →

Legacy identity gaps: what IAM teams are missing in large enterprises?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Legacy identity estates expose a governance gap, not just a tooling gap. The article shows that many programmes are blocked because identity data cannot be extracted cleanly from mainframes, custom SQL stores, and other non-standard systems. That means policy can be correct while enforcement is blind. The implication is that identity maturity is constrained by data accessibility, not by policy maturity alone.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: How should IAM leaders respond when a large part of the estate sits outside automated governance?

A: They should prioritise data coverage over tool expansion. The right first move is to identify which systems cannot be ingested, which identities have no owner, and which privileged accounts do not rotate. Once those gaps are visible, governance can be redesigned around actual estate conditions instead of vendor assumptions.

👉 Read our full editorial: Identity hygiene at scale breaks where legacy infrastructure outlives policy



   
ReplyQuote
Share: