TL;DR: State agencies aligning to NASCIO 2025 priorities are treating identity as the control plane for cybersecurity, AI, data access, and cloud modernization, according to SailPoint. The governance gap is no longer access management in isolation, but lifecycle control across employees, partners, machines, and cloud entitlements.
NHIMG editorial — based on content published by SailPoint: Aligning your state identity program goals to key NASCIO 2025 priorities
By the numbers:
- Only 44% of organizations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
Questions worth separating out
Q: How should state agencies govern machine identities in cloud and RPA environments?
A: State agencies should govern machine identities the same way they govern human access, with ownership, purpose, lifecycle triggers, and removal paths.
Q: Why do overprovisioned identities increase risk in state modernization programmes?
A: Overprovisioned identities increase risk because one account can reach more systems, data sets, and cloud services than the current role requires.
Q: What breaks when access review is not tied to lifecycle events?
A: Access review becomes a snapshot of stale reality.
Practitioner guidance
- Inventory every non-human identity: Build a current inventory of machine accounts, service identities, and automation credentials across state systems, cloud services, and RPA tools.
- Re-score access after every role or service change: Trigger access reviews when employees move, partners rotate, or workflows change, then remove permissions that no longer match the current job or integration.
- Tie zero trust to lifecycle revocation: Use zero trust not as a network label but as a lifecycle control pattern, with explicit approval, revocation, and validation steps for each identity type.
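One way to turn the guidance above into a repeatable check, as an added example that is not from SailPoint or the original article: audit a non-human identity inventory for missing ownership, purpose, and removal path, and flag any review that predates a lifecycle event. The record fields, event kinds, and sample data are constructed assumptions.

```python
from datetime import date

# Constructed sample data; field names and event kinds are assumptions.
INVENTORY = [
    {"id": "svc-benefits-etl", "owner": "jdoe", "purpose": "nightly benefits export",
     "expires": date(2026, 1, 31), "last_review": date(2025, 6, 1)},
    {"id": "rpa-license-renewal", "owner": "asmith", "purpose": "license renewal bot",
     "expires": None, "last_review": date(2025, 3, 10)},
    {"id": "cloud-backup-role", "owner": None, "purpose": "",
     "expires": date(2025, 5, 1), "last_review": None},
    {"id": "svc-gis-tiles", "owner": "asmith", "purpose": "map tile rendering",
     "expires": date(2026, 6, 30), "last_review": date(2025, 9, 1)},
]
EVENTS = [
    {"date": date(2025, 7, 15), "kind": "owner_departed", "subject": "jdoe"},
    {"date": date(2025, 8, 1), "kind": "workflow_retired", "subject": "rpa-license-renewal"},
]

def audit(inventory, events, today):
    """Return {identity id: [findings]} for identities that need action."""
    report = {}
    for ident in inventory:
        findings = []
        if not ident["owner"]:
            findings.append("no-owner")
        if not ident["purpose"]:
            findings.append("no-purpose")
        if ident["expires"] is None:
            findings.append("no-removal-path")
        elif ident["expires"] < today:
            findings.append("past-expiry")
        # Lifecycle events that touch this identity or its owner.
        for ev in events:
            hit = ((ev["kind"] == "owner_departed" and ev["subject"] == ident["owner"])
                   or (ev["kind"] == "workflow_retired" and ev["subject"] == ident["id"]))
            if not hit:
                continue
            findings.append(ev["kind"].replace("_", "-"))
            # A review older than the event is a snapshot of stale reality.
            if ident["last_review"] is None or ident["last_review"] < ev["date"]:
                findings.append("review-predates-event")
        if findings:
            report[ident["id"]] = findings
    return report

if __name__ == "__main__":
    for ident_id, findings in audit(INVENTORY, EVENTS, date(2025, 10, 1)).items():
        print(ident_id, findings)
```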
What's in the full article
SailPoint's full blog covers the operational detail this post intentionally leaves for the source:
- The specific product capabilities SailPoint maps to state-agency identity modernization use cases.
- The way SailPoint positions lifecycle automation for employees, partners, and machine identities.
- The cloud infrastructure governance details behind its entitlement management approach.
- The implementation context for state agencies evaluating access control and modernization roadmaps.
NASCIO 2025 identity priorities: what state agencies should change?
Explore further
Identity governance is now the practical control layer for state modernization. The article shows that cybersecurity, AI, data management, and cloud services all depend on the same underlying access decisions. That is why public-sector programmes that treat identity as a back-office function keep missing the real risk boundary. The implication is straightforward: state agencies should organize security modernization around identity lifecycle governance, not around disconnected technology silos.
A few things that frame the scale:
- Only 44% of organizations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- Organisations that describe themselves as confident in their AI deployment actually experience a 72% security incident rate, compared to 33% for those who remain cautious.
A question worth separating out:
Q: Which identity controls matter most for zero trust in public-sector environments?
A: The controls that matter most are continuous access reduction, reliable revocation, and clear ownership for every identity type. Zero trust fails in practice when standing permissions remain broader than necessary, because the programme cannot contain the blast radius of compromised or stale access.