TL;DR: Traditional IGA tools that rely on HR or directory syncs struggle in SaaS-heavy environments with contractors, bots, APIs, and service accounts, according to Zluri. The governance shift is toward a real-time system of record that correlates identity context, access, and usage before stale entitlements create audit and security gaps.
NHIMG editorial — based on content published by Zluri: Access Management Next Gen IGA As A System of Record
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, which raises the risk of unauthorised access and broadens the attack surface.
- 96% of organisations store secrets outside secrets managers, in exposed locations such as code, config files, and CI/CD tooling.
Questions worth separating out
Q: How should security teams govern identity when access spans human and non-human accounts?
A: They should treat human users, contractors, service accounts, bots, and APIs as distinct governance subjects under one record model.
Q: Why do delayed sync cycles create governance risk in SaaS environments?
A: Delayed sync cycles let access drift between the moment it changes and the moment governance sees it. An entitlement granted, changed, or revoked directly inside a SaaS app is invisible to governance until the next sync, so reviews and revocations act on stale state in the meantime.
Q: What breaks when IGA cannot correlate identity fragments across systems?
A: Ownership becomes unclear, duplicate accounts persist, and auditors cannot reliably tell whether access is justified or removed.
Practitioner guidance
- Audit where identity truth actually lives: inventory which systems create, modify, and revoke identity data for employees, contractors, service accounts, bots, and APIs.
- Correlate human and non-human identities into one record: build a single ownership model that links account fragments across HR, directories, SaaS apps, and machine identity sources.
- Replace schedule-only reviews with signal-driven governance: use usage telemetry, role changes, and app-native permission events to trigger reviews and revocation workflows when access becomes stale.
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- The system-of-record workflow design for consolidating identity data across HR, SaaS, and directory sources.
- The specific automation examples used to trigger provisioning, reviews, and offboarding in dynamic environments.
- The product-level view of how usage telemetry and app-native signals are surfaced for governance decisions.
- The implementation context for organisations trying to replace periodic sync with continuous identity control.
👉 Read Zluri's analysis of next-gen IGA as the system of record for identity →
Next-gen IGA system of record: what changes for IAM teams?
Explore further
Next-gen IGA only works as a system of record if it replaces, rather than depends on, delayed authority. The traditional assumption is that HR and directory systems can notify governance tooling fast enough for access decisions to stay accurate. That assumption breaks in SaaS-heavy estates where entitlements are created, changed, and revoked outside the primary directory. The implication is that identity governance must be built around authoritative correlation, not passive sync.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- Another finding from our research shows that 97% of NHIs carry excessive privileges, which broadens the attack surface even when governance appears to be in place.
A question worth separating out:
Q: How do teams know whether next-gen IGA is actually improving governance?
A: Look for shorter revocation cycles, fewer orphaned accounts, and review evidence that ties access to current usage rather than static assignment. If the platform still depends on periodic batch updates, it is helping with inventory, but not yet functioning as the true system of record.
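The three practitioner guidance items (inventory the sources, correlate fragments into one record, trigger reviews from signals) and the evaluation question above (orphaned accounts, revocation lag, usage-backed review evidence) can be seen working together in the following added example. It is illustrative code written for this editorial, not Zluri's product logic or NHIMG's tooling. It correlates constructed sample exports from an HR system, a directory, SaaS apps, and a machine-identity inventory into one record per subject, then flags orphaned NHIs, unowned contractors, duplicate accounts, terminated employees who are still enabled, and entitlements unused for longer than an assumed 90-day threshold, and finally reports the metrics the answer names. The field names, the sample data, the 90-day threshold, and the fixed clock are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 12, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
STALE_AFTER = timedelta(days=90)                  # assumed review threshold for unused access

def ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

# Constructed sample exports (hypothetical data, not from any real system).
HR = [  # authoritative for employees only; contractors and NHIs never appear here
    {"id": "E100", "email": "Ana@Example.com", "status": "active",
     "aliases": ["a.lopez@example.com"], "updated": "2024-05-01T09:00:00Z"},
    {"id": "E101", "email": "bo@example.com", "status": "terminated",
     "aliases": [], "updated": "2024-05-03T09:00:00Z"},
]
DIRECTORY = [  # directory sync lags HR: bo is terminated in HR but still enabled here
    {"upn": "ana@example.com", "enabled": True},
    {"upn": "bo@example.com", "enabled": True},
    {"upn": "c.ng@vendor.example", "enabled": True},
]
SAAS = [  # app-native entitlements with usage telemetry
    {"app": "crm", "account": "ana@example.com", "role": "admin", "last_used": "2024-01-15T00:00:00Z"},
    {"app": "crm", "account": "a.lopez@example.com", "role": "user", "last_used": "2024-05-10T00:00:00Z"},
    {"app": "crm", "account": "bo@example.com", "role": "user", "last_used": "2024-05-02T00:00:00Z"},
    {"app": "ci", "account": "deploy-bot", "role": "admin", "last_used": "2024-05-11T00:00:00Z"},
    {"app": "ci", "account": "legacy-sync", "role": "admin", "last_used": "2023-11-01T00:00:00Z"},
    {"app": "ci", "account": "etl-runner", "role": "user", "last_used": "2024-05-08T00:00:00Z"},
    {"app": "ci", "account": "c.ng@vendor.example", "role": "editor", "last_used": "2024-05-09T00:00:00Z"},
]
MACHINE = [  # service accounts and bots; owner is an HR id, or missing
    {"name": "deploy-bot", "owner": "E100"},
    {"name": "legacy-sync", "owner": None},
    {"name": "etl-runner", "owner": "E101"},
]

@dataclass
class Subject:
    key: str
    kind: str                        # employee | contractor (no HR record) | nhi
    hr_id: str | None = None
    owner: str | None = None         # HR id of the accountable person
    hr_status: str | None = None
    hr_updated: datetime | None = None
    dir_enabled: bool | None = None
    accounts: set[str] = field(default_factory=set)
    entitlements: list[dict] = field(default_factory=list)

@dataclass
class Finding:
    subject: str
    reason: str
    detail: str
    days: int = 0

def correlate() -> dict[str, Subject]:
    """One record per subject; aliases and case differences collapse onto a canonical key."""
    subjects: dict[str, Subject] = {}
    alias: dict[str, str] = {}
    for h in HR:
        key = h["email"].lower()
        subjects[key] = Subject(key, "employee", hr_id=h["id"], owner=h["id"],
                                hr_status=h["status"], hr_updated=ts(h["updated"]))
        for a in [key, *h["aliases"]]:
            alias[a.lower()] = key
    for m in MACHINE:
        subjects[m["name"]] = Subject(m["name"], "nhi", owner=m["owner"])
        alias[m["name"]] = m["name"]
    for d in DIRECTORY:  # anything not already known is treated as a contractor/external
        key = alias.setdefault(d["upn"].lower(), d["upn"].lower())
        subjects.setdefault(key, Subject(key, "contractor")).dir_enabled = d["enabled"]
    for e in SAAS:
        acct = e["account"].lower()
        key = alias.setdefault(acct, acct)
        s = subjects.setdefault(key, Subject(key, "contractor"))
        s.accounts.add(acct)
        s.entitlements.append(e)
    return subjects

def findings(subjects: dict[str, Subject], now: datetime = NOW) -> list[Finding]:
    """Signal-driven checks; each finding would open a review or revocation workflow."""
    out: list[Finding] = []
    terminated = {s.hr_id for s in subjects.values() if s.hr_status == "terminated"}
    for s in subjects.values():
        if s.kind == "nhi" and (s.owner is None or s.owner in terminated):
            out.append(Finding(s.key, "orphaned_nhi", f"owner={s.owner}"))
        if s.kind == "contractor" and s.owner is None:
            out.append(Finding(s.key, "no_owner_of_record", "not in HR, no sponsor recorded"))
        if s.hr_status == "terminated" and (s.dir_enabled or s.entitlements):
            out.append(Finding(s.key, "revocation_lag", "still enabled after HR termination",
                               (now - s.hr_updated).days))
        if len(s.accounts) > 1:
            out.append(Finding(s.key, "duplicate_accounts", ",".join(sorted(s.accounts))))
        for e in s.entitlements:
            idle = (now - ts(e["last_used"])).days
            if idle > STALE_AFTER.days:
                out.append(Finding(s.key, "stale_entitlement", f"{e['app']}:{e['role']}", idle))
    return out

def metrics(subjects: dict[str, Subject], fnd: list[Finding], now: datetime = NOW) -> dict[str, int]:
    """The evidence to watch: orphans, revocation lag, and access backed by recent usage."""
    ents = [e for s in subjects.values() for e in s.entitlements]
    return {
        "orphaned_nhis": sum(f.reason == "orphaned_nhi" for f in fnd),
        "max_revocation_lag_days": max((f.days for f in fnd if f.reason == "revocation_lag"), default=0),
        "entitlements_total": len(ents),
        "entitlements_recently_used": sum((now - ts(e["last_used"])) <= STALE_AFTER for e in ents),
    }

if __name__ == "__main__":
    subs = correlate()
    fnd = findings(subs)
    for f in fnd:
        print(f"{f.reason:20} {f.subject:24} {f.detail} {f.days or ''}")
    print(metrics(subs, fnd))
```

Two design points carry over to a real deployment. First, the correlation step never trusts a single source: HR decides who is an employee, the machine inventory decides who owns an NHI, and the directory and SaaS exports only attach accounts and entitlements to a subject that already exists or create a placeholder that is itself a finding. Second, the metrics are computed from the same records the findings came from, so the review evidence (which entitlement, last used when, owned by whom) is the record rather than a separate report; a platform that still refreshes these records on a batch schedule would produce the same findings, only later.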
👉 Read our full editorial: Next-gen IGA as system of record for human and NHI access