Manual access reviews are failing. What does continuous assurance change?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter

TL;DR: Manual user access reviews cannot keep pace with daily joiner, mover, and leaver events, privilege creep, and shadow applications, so identity governance is shifting toward event-driven continuous assurance, according to ConductorOne’s webinar with Treasure Data. The control problem is no longer proving a review happened, but continuously proving risk is being reduced.

NHIMG editorial — based on content published by ConductorOne: The IGA Maturity Curve: Shifting from Reviews to Assurance

By the numbers:

Questions worth separating out

Q: How should security teams move from access reviews to continuous assurance?

A: Start by linking identity events to policy decisions.

Q: Why do periodic access reviews fail in dynamic SaaS environments?

A: Periodic reviews fail because they assess yesterday’s entitlement snapshot while access is changing every day.

Q: What do teams get wrong about identity governance maturity?

A: Teams often confuse completed reviews with effective governance.

Practitioner guidance

  • Move from calendar-based reviews to event-driven assurance. Tie entitlement changes, role changes, and access exceptions to workflow triggers so review decisions happen when identity state changes, not only at quarter-end.
  • Build a complete identity inventory before automating recertification. Normalize application, owner, and entitlement data across SaaS platforms so managers and control owners can evaluate real access rather than incomplete reports.
  • Reduce standing access that accumulates between reviews. Use JIT elevation and narrower birthright access for high-risk systems so fewer risky entitlements survive long enough to become review backlog.

What's in the full article

ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:

  • The webinar discussion with Treasure Data on how GRC teams shifted from manual review work to continuous oversight.
  • Examples of the connector-driven identity data collection that reduced manual report gathering across SaaS applications.
  • The practical difference between thinner birthright access, just-in-time access, and automation-led governance.
  • How AI changes the GRC operating model by pushing teams toward exception handling and risk tradeoffs.

👉 Read ConductorOne's analysis of the IGA maturity curve and continuous assurance →
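A runnable sketch of what the practitioner guidance above turns into in code, added here as an illustration; it is not ConductorOne's, Treasure Data's or NHIMG's code. The role-to-birthright table, the list of JIT-only entitlements, the event shapes and the sample event stream are all constructed assumptions. The point it shows: review tasks are raised the moment a mover carries old access into a new role, a grant lands outside birthright, or a leaver still holds live JIT elevation, instead of waiting for a quarterly review to notice.

```python
"""Event-driven access assurance: review work is created by identity events.

Added illustration, not ConductorOne's or NHIMG's code. The role table, the
JIT-only entitlements, the event shapes and the sample events are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed policy: thin birthright access per role, and high-risk entitlements
# that may only be held as time-limited JIT elevation (value = max TTL, hours).
BIRTHRIGHT = {
    "engineer": {"github:read", "jira:user"},
    "sre": {"github:read", "jira:user", "cloud:viewer"},
}
JIT_ONLY = {"cloud:admin": 4, "erp:admin": 2}


@dataclass
class Grant:
    entitlement: str
    expires_at: Optional[int] = None  # epoch hour; None means standing access


@dataclass
class Engine:
    roles: dict = field(default_factory=dict)   # user -> current role
    grants: dict = field(default_factory=dict)  # user -> {entitlement: Grant}
    tasks: list = field(default_factory=list)   # review items raised by events

    def _task(self, kind, user, ent, reason):
        self.tasks.append({"kind": kind, "user": user, "entitlement": ent, "reason": reason})

    def expire(self, now):
        """Revoke JIT grants whose TTL has elapsed; returns the (user, entitlement) pairs removed."""
        removed = []
        for user, held in self.grants.items():
            for ent, grant in list(held.items()):
                if grant.expires_at is not None and grant.expires_at <= now:
                    del held[ent]
                    removed.append((user, ent))
        return removed

    def handle(self, event):
        """Apply one joiner/mover/leaver/grant event and raise review work where policy says so."""
        now, kind, user = event["t"], event["type"], event["user"]
        self.expire(now)  # JIT elevation never outlives its TTL, whatever event arrives next
        held = self.grants.setdefault(user, {})
        if kind == "joiner":
            self.roles[user] = event["role"]
            for ent in BIRTHRIGHT[event["role"]]:
                held[ent] = Grant(ent)
        elif kind == "mover":
            old_role, new_role = self.roles[user], event["role"]
            self.roles[user] = new_role
            for ent in BIRTHRIGHT[new_role] - set(held):
                held[ent] = Grant(ent)
            # Standing access carried over from the old role is reviewed now, not at quarter-end.
            for ent in sorted(set(held) - BIRTHRIGHT[new_role]):
                if held[ent].expires_at is None:
                    self._task("recertify", user, ent, f"carried over from role {old_role}")
        elif kind == "leaver":
            for ent in sorted(e for e, g in held.items() if g.expires_at is not None):
                self._task("verify_revoke", user, ent, "JIT elevation still active at offboarding")
            self.grants[user] = {}
            self.roles.pop(user, None)
        elif kind == "grant":
            ent = event["entitlement"]
            if ent in JIT_ONLY:
                ttl = min(event.get("ttl", JIT_ONLY[ent]), JIT_ONLY[ent])  # policy caps the request
                held[ent] = Grant(ent, expires_at=now + ttl)
                self._task("exception", user, ent, f"JIT elevation granted, expires in {ttl}h")
            else:
                held[ent] = Grant(ent)
                if ent not in BIRTHRIGHT.get(self.roles.get(user), set()):
                    self._task("exception", user, ent, "standing access outside role birthright")
        else:
            raise ValueError(f"unknown event type {kind!r}")


# Constructed sample stream: one user's lifecycle over a few hours.
EVENTS = [
    {"t": 0, "type": "joiner", "user": "alice", "role": "engineer"},
    {"t": 1, "type": "grant", "user": "alice", "entitlement": "cloud:admin", "ttl": 8},  # capped to 4h
    {"t": 2, "type": "grant", "user": "alice", "entitlement": "erp:user"},               # exception
    {"t": 3, "type": "mover", "user": "alice", "role": "sre"},                           # erp:user recertified
    {"t": 4, "type": "leaver", "user": "alice"},                                         # JIT still live
]


def run(events):
    """Replay a list of events through a fresh engine and return it for inspection."""
    engine = Engine()
    for event in events:
        engine.handle(event)
    return engine


if __name__ == "__main__":
    for task in run(EVENTS).tasks:
        print(f"{task['kind']:<14} {task['user']:<6} {task['entitlement']:<12} {task['reason']}")
```

Replaying the sample stream produces four review items, each tied to the event that caused it, and the leaver event clears every grant. The hard cap on requested TTL and the fact that `expire()` runs before every event are the two pieces that keep JIT access from quietly becoming standing access between reviews.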

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125

Manual access review is a backward control, not a security model. Quarterly and annual recertifications were designed for environments where identity state stayed stable long enough to be audited after the fact. That assumption no longer holds in SaaS-heavy estates with constant joiner, mover, and leaver activity. The implication is that governance teams must stop treating completion of a review as evidence of control effectiveness.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

A question worth separating out:

Q: How do organisations know whether continuous assurance is working?

A: Look for shrinking review backlogs, fewer stale entitlements, faster exception handling, and a clearer inventory of ownership across applications. If access changes are still discovered only during audits, the programme is reporting on activity rather than controlling risk.

👉 Read our full editorial: The IGA maturity curve: from reviews to continuous assurance
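The reply above lists the signals that tell you whether continuous assurance is working. As an added illustration (not NHIMG's, ConductorOne's or any IGA product's code), here is one way to compute them from two inventory snapshots and turn them into the "controlling risk" versus "reporting on activity" distinction. The snapshot layout, the 90-day staleness threshold, the 80% event-discovery target and both sample quarters are constructed assumptions chosen so the numbers can be checked by hand.

```python
"""Assurance health check: is the programme reducing risk or just reporting activity?

Added illustration, not code from NHIMG, ConductorOne or any IGA product. The
snapshot layout, thresholds and the two sample quarters are assumptions.
"""
from datetime import date
from statistics import mean

STALE_AFTER_DAYS = 90         # assumed: unused this long counts as stale
EVENT_DISCOVERY_TARGET = 0.8  # assumed: share of changes that should surface from events, not audits


def _age(then, as_of):
    return (as_of - then).days


def metrics(snapshot, as_of):
    """Compute backlog, staleness, ownership and discovery-channel signals from one snapshot."""
    ents, reviews, changes = snapshot["entitlements"], snapshot["reviews"], snapshot["changes"]
    stale = [e for e in ents if _age(e["last_used"], as_of) > STALE_AFTER_DAYS]
    open_reviews = [r for r in reviews if r["status"] == "open"]
    apps = {e["app"] for e in ents}
    owned = {e["app"] for e in ents if e["owner"] is not None}
    by_event = [c for c in changes if c["discovered_by"] == "event"]
    return {
        "stale_ratio": round(len(stale) / len(ents), 2) if ents else 0.0,
        "backlog": len(open_reviews),
        "mean_open_age_days": round(mean(_age(r["opened"], as_of) for r in open_reviews), 1) if open_reviews else 0.0,
        "ownership_coverage": round(len(owned) / len(apps), 2) if apps else 0.0,
        "event_discovery_share": round(len(by_event) / len(changes), 2) if changes else 0.0,
    }


def assess(previous, prev_as_of, current, curr_as_of):
    """Compare two quarters; 'controlling risk' needs every signal to move the right way."""
    before, after = metrics(previous, prev_as_of), metrics(current, curr_as_of)
    improving = (
        after["stale_ratio"] < before["stale_ratio"]
        and after["backlog"] < before["backlog"]
        and after["mean_open_age_days"] < before["mean_open_age_days"]
        and after["ownership_coverage"] >= before["ownership_coverage"]
    )
    # Changes still found mainly by audit mean the pipeline is not seeing access as it changes.
    controlling = improving and after["event_discovery_share"] >= EVENT_DISCOVERY_TARGET
    return {"before": before, "after": after,
            "verdict": "controlling risk" if controlling else "reporting on activity"}


def ent(user, app, name, owner, last_used):
    return {"user": user, "app": app, "entitlement": name, "owner": owner, "last_used": last_used}


# Constructed Q1: half the apps ownerless, stale admin rights, changes found mostly by audit.
Q1_AS_OF = date(2024, 3, 31)
Q1 = {
    "entitlements": [
        ent("alice", "github", "github:read", "platform", date(2024, 3, 20)),
        ent("bob", "erp", "erp:admin", None, date(2023, 11, 1)),
        ent("carol", "cloud", "cloud:admin", "cloud-team", date(2023, 12, 15)),
        ent("dave", "jira", "jira:user", None, date(2024, 3, 1)),
    ],
    "reviews": [
        {"status": "open", "opened": date(2024, 1, 10)},
        {"status": "open", "opened": date(2024, 2, 20)},
        {"status": "open", "opened": date(2024, 3, 15)},
        {"status": "closed", "opened": date(2024, 1, 5)},
    ],
    "changes": [{"discovered_by": d} for d in ("audit", "audit", "event", "audit")],
}

# Constructed Q2, after event-driven triggers and JIT were introduced.
Q2_AS_OF = date(2024, 6, 30)
Q2 = {
    "entitlements": [
        ent("alice", "github", "github:read", "platform", date(2024, 6, 25)),
        ent("bob", "erp", "erp:admin", "finance-ops", date(2024, 6, 10)),
        ent("carol", "cloud", "cloud:viewer", "cloud-team", date(2024, 6, 28)),
        ent("dave", "jira", "jira:user", "pmo", date(2024, 2, 1)),
    ],
    "reviews": [
        {"status": "open", "opened": date(2024, 6, 20)},
        {"status": "closed", "opened": date(2024, 4, 2)},
        {"status": "closed", "opened": date(2024, 5, 14)},
    ],
    "changes": [{"discovered_by": d} for d in ("event", "event", "event", "event", "audit")],
}


if __name__ == "__main__":
    result = assess(Q1, Q1_AS_OF, Q2, Q2_AS_OF)
    print(result["before"], result["after"], result["verdict"], sep="\n")
```

Comparing the same snapshot with itself yields "reporting on activity", which is the failure mode the reply describes: the numbers exist, but nothing is moving. Requiring every signal to improve, rather than averaging them, stops a shrinking backlog from masking a growing pile of stale entitlements.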
