TL;DR: MFA and SSO reduce login risk, but they do not answer whether access should exist, how long it should last, or who must review it, according to Zluri. That gap leaves contractors, movers, shadow apps, and privileged accounts outside governance unless identity lifecycle controls are added.
NHIMG editorial — based on content published by Zluri: Access Management Identity Governance and why MFA and SSO are not enough
By the numbers:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Questions worth separating out
Q: What breaks when MFA and SSO are treated as full identity governance?
A: Governance breaks after login. MFA and SSO decide whether a session is established; they say nothing about whether the entitlements behind that session are still justified, who owns them, or when they were last reviewed.
Q: Why do access reviews matter if MFA is already in place?
A: MFA reduces login risk, but it does not answer whether the account should retain its permissions.
Q: How do security teams know whether identity governance is actually working?
A: They should look for evidence that access changes when business context changes: a role change or an exit should produce a corresponding, timely change in entitlements. If access only changes when someone raises a ticket, governance is not working.
Practitioner guidance
- Map governance gaps after authentication: Identify where MFA and SSO end and where no system currently owns entitlement review, ownership, or removal across SaaS and internal applications.
- Automate joiner-mover-leaver changes: Connect HR, IAM, and SaaS workflows so role changes and exits trigger access updates automatically instead of waiting on tickets or manual cleanup.
- Discover apps outside the IdP: Inventory direct-login apps, shadow SaaS, and contractor-managed tools that never enter the SSO path, then bring them into governance coverage.
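As an added example, not code from Zluri's article or from the NHIMG editorial: a small reconciliation in Python that ties the three bullets together. It treats the HR roster as the source of truth, compares it with entitlements exported from the IdP and from direct-login apps, and emits findings for leavers still holding access, movers holding roles their current department is not entitled to, identities with no HR record (for example contractors), and apps that sit outside the SSO path entirely. Every finding carries the app owner who must remediate, so a missing owner shows up as its own gap. All inputs, app names, roles and owner teams are constructed for illustration; a real deployment would pull them from the HR, IdP and SaaS APIs.

```python
"""Reconcile HR state against application entitlements to surface JML gaps.

All data below is constructed for illustration; app names, roles and owner
teams are hypothetical stand-ins for HR, IdP and SaaS exports.
"""
from dataclasses import dataclass

# HR system of record: employment status and current department (constructed).
HR_ROSTER = {
    "alice": {"status": "active", "department": "finance"},
    "bob": {"status": "active", "department": "engineering"},  # moved from finance
    "carol": {"status": "terminated", "department": "sales"},
    # "dave" is absent on purpose: a contractor who never went through HR.
}

# Role policy: which roles in which apps each department is entitled to (constructed).
ROLE_POLICY = {
    "finance": {"erp": {"ap-clerk"}, "chat": {"member"}},
    "engineering": {"scm": {"developer"}, "chat": {"member"}},
    "sales": {"crm": {"rep"}, "chat": {"member"}},
}

# Who certifies and remediates access in each app (constructed). Note the
# direct-login app has no owner recorded at all.
APP_OWNERS = {"erp": "finance-systems", "scm": "platform-eng", "crm": "revops", "chat": "it-ops"}

# Entitlements as seen through the IdP for SSO-integrated apps (constructed).
IDP_ASSIGNMENTS = {
    "erp": {"alice": {"ap-clerk"}, "bob": {"ap-clerk"}},  # bob kept finance access after moving
    "scm": {"bob": {"developer"}},
    "crm": {"carol": {"rep"}},  # carol has left but is still assigned
    "chat": {"alice": {"member"}, "bob": {"member"}},
}

# Entitlements exported directly from apps that never enter the SSO path (constructed).
DIRECT_LOGIN_APPS = {
    "legacy-ticketing": {"alice": {"agent"}, "dave": {"admin"}},
}


@dataclass(frozen=True)
class Finding:
    kind: str    # leaver-active | mover-excess | unknown-identity | ungoverned-app
    user: str
    app: str
    detail: str
    owner: str   # who must remediate; "unassigned" is itself a governance gap


def entitled_roles(user, app, hr, policy):
    """Roles the user's current department entitles them to in this app.

    Anyone without an active HR record is entitled to nothing.
    """
    record = hr.get(user)
    if record is None or record["status"] != "active":
        return set()
    return policy.get(record["department"], {}).get(app, set())


def reconcile(hr, policy, owners, idp_assignments, direct_login_apps):
    """Compare actual entitlements with HR-derived entitlements and report gaps."""
    findings = []
    # Pass 1: SSO-governed apps. Check status first, then role drift.
    for app, users in idp_assignments.items():
        owner = owners.get(app, "unassigned")
        for user, roles in users.items():
            record = hr.get(user)
            if record is None:
                findings.append(Finding("unknown-identity", user, app, "no HR record", owner))
            elif record["status"] != "active":
                findings.append(Finding("leaver-active", user, app, f"status={record['status']}", owner))
            else:
                excess = roles - entitled_roles(user, app, hr, policy)
                if excess:
                    findings.append(Finding("mover-excess", user, app, f"excess roles {sorted(excess)}", owner))
    # Pass 2: apps outside the IdP are ungoverned regardless of who is in them,
    # and their accounts still need to be matched back to HR.
    for app, users in direct_login_apps.items():
        owner = owners.get(app, "unassigned")
        findings.append(Finding("ungoverned-app", "*", app, f"{len(users)} accounts outside SSO", owner))
        for user, roles in users.items():
            if user not in hr:
                findings.append(Finding("unknown-identity", user, app, f"no HR record; roles {sorted(roles)}", owner))
    return findings


def by_kind(findings):
    """Group findings by kind so each class can be routed to its review queue."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.kind, []).append(f)
    return grouped


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, ROLE_POLICY, APP_OWNERS, IDP_ASSIGNMENTS, DIRECT_LOGIN_APPS):
        print(f"{f.kind:17} {f.user:6} {f.app:16} owner={f.owner:16} {f.detail}")
```

Running it on the constructed data yields four findings: bob still holds an ERP role his new department is not entitled to (mover), carol is terminated but still assigned in the CRM (leaver), the legacy ticketing app has accounts outside SSO and no recorded owner, and dave in that app has no HR record at all. The same run in a real environment is the evidence the Q&A above asks for: each finding is an access change that business context should have triggered and did not.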
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- The lifecycle workflow examples for joiner, mover, and leaver access changes across SaaS environments.
- The access review and remediation mechanics behind policy enforcement and entitlement cleanup.
- The product-side discussion of discovery methods, including how unmanaged apps are mapped into governance coverage.
- The implementation examples for admin roles, direct URLs, and shadow IT visibility.
👉 Read Zluri's analysis of why MFA and SSO stop short of access governance →
MFA and SSO only solve login. Where does governance take over?
Explore further
Authentication without governance is an incomplete security model. MFA and SSO reduce credential abuse, but they do not answer whether access is still justified, who owns it, or when it should be removed. That is why organisations can look mature at the login layer while remaining weak in access control outcomes. The implication is straightforward: authentication strength cannot be mistaken for governance maturity.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who is accountable when access remains active after a role change or exit?
A: Accountability should sit with the system owner, app owner, and governance process, not with authentication alone. If access remains active after a role change or exit, the failure is lifecycle ownership. That is why governance frameworks must define who approves, who certifies, and who remediates.
👉 Read our full editorial: Access management identity governance: why MFA and SSO fall short