Public sector IAM in remote work: what teams are missing now


(@sailpoint)

TL;DR: Public sector identity management is shifting from perimeter assumptions to identity-first control as remote work expands, with police and local government leaders describing the need for a common blueprint, stronger joiner-leaver governance, and role-based certification, according to SailPoint. The real issue is not tooling alone but whether access, approval, and accountability can be made consistent across fragmented organisations.

NHIMG editorial — based on content published by SailPoint: Identity Transformation in the Public Sector

By the numbers:

Questions worth separating out

Q: How should public sector organisations govern access when staff work remotely?

A: They should move access decisions to the identity layer and make them role-based, time-aware, and reviewable.

Q: Why do fragmented agencies struggle to standardise IAM controls?

A: Because each organisation often builds its own approval rules, role models, and governance habits, which makes a shared control baseline difficult.

Q: What breaks when joiner and leaver processes are not defined upfront?

A: Access tends to become inconsistent, slow to revoke, and dependent on manual follow-up.

Practitioner guidance

  • Define a shared identity blueprint early: Map baseline access rules, approval paths, and role definitions before deploying new identity tooling across departments or agencies.
  • Tie role governance to recurring certification: Run access certification campaigns against named role owners so each entitlement has an accountable approver.
  • Automate joiner and leaver workflows: Create standard provisioning and revocation flows for staff moves, transfers, and departures so offboarding does not depend on manual cleanup.

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

  • Direct interview context from public sector leaders on how identity programmes were reshaped by remote work and pandemic pressure
  • Specific discussion of how role-based certification built confidence in access governance across legacy estates
  • Practical commentary on why joiner and leaver process design had to come before implementation
  • The source article's own explanation of how business ownership and identity tooling were combined in practice

👉 Read SailPoint's blog on public sector identity transformation →

(@mr-nhi)

Identity is the control plane when the perimeter disappears: This article shows that public sector access can no longer rely on network location or organisational boundaries as the primary trust signal. When users work remotely, the decision point moves to identity, where authentication, purpose, and entitlement must be evaluated in real time. For IAM leaders, that means identity policy now carries the burden that perimeter security used to absorb.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who should own role-based access certification in public sector IAM?

A: Business and service owners should own it, because they understand whether access still matches the job or service requirement. IAM teams can run the process, but they cannot replace the accountability needed to approve, reject, or remove entitlements with confidence.

👉 Read our full editorial: Public sector identity transformation needs a common access blueprint



   