TL;DR: Public administration faces rising attacks, ransomware pressure, and audit demands as municipal and broader government systems handle sensitive citizen data across hybrid environments, according to Soffid. The central issue is not authentication alone, but unified identity governance that keeps access least-privileged, traceable, and manageable across human, privileged, and external accounts.
NHIMG editorial — based on content published by Soffid: IAM for public administrations, security, and compliance without complications
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
Questions worth separating out
Q: How should public-sector teams govern access across legacy systems and cloud services?
A: They should define one access policy model, one review cadence, and one evidence trail across all platforms.
Q: Why do public administrations need just-in-time access for privileged users?
A: Because standing administrative access creates a large exposure window in environments that must stay continuously available.
Q: What breaks when lifecycle processes are manual in government IAM?
A: Manual lifecycle management leaves access alive after role changes, contract end, or offboarding, which creates stale privilege and audit gaps.
Practitioner guidance
- Unify access governance across hybrid estates Map where employee, citizen, contractor, and service access is governed separately today.
- Convert privileged access into task-scoped sessions Replace standing administrative rights with just-in-time elevation, session recording, and enforced credential rotation for support and systems teams.
- Automate joiner, mover, and leaver workflows Tie role changes and offboarding to identity updates for employees, contractors, and external suppliers.
What's in the full article
Soffid's full article covers the operational detail this post intentionally leaves for the source:
- How its IAM model maps public-sector roles to RBAC and federated access across mixed environments
- How its PAM controls combine just-in-time privilege, credential rotation, and session traceability
- How its onboarding, offboarding, and recertification workflows are configured for administrative use cases
- How its public-sector positioning is tied to compliance expectations such as ENS and RGPD
👉 Read Soffid's analysis of IAM for public administration and compliance →
Public sector IAM: are your controls keeping pace with digital services?
Explore further
Public-sector IAM fails when identity is treated as a login problem instead of a governance problem. The article is really about access control across people, suppliers, privileged users, and systems that outlive individual workflows. That is where public administration gets exposed: the institution can authenticate users and still fail to govern what they can do, where, and for how long. The practitioner conclusion is that identity must be managed as an operational control plane, not a front-end convenience layer.
A few things that frame the scale:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities.
A question worth separating out:
Q: Who is accountable when privileged access is misused in a public service environment?
A: The organisation is accountable for proving that access was authorised, proportionate, and traceable at the time of use. That requires clear ownership for the business role, the access approver, and the system administrator who granted elevation. Without that chain of responsibility, incident response and compliance reporting both become much harder.
👉 Read our full editorial: IAM for public administration: security and compliance at scale