Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Public sector identity governance: can IAM keep compliance and uptime aligned?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10965
Topic starter  

TL;DR: Public sector cyberattacks now account for 34% of incidents in Spain, and 2025 activity rose 40% year over year, according to Soffid, as bot-driven scanning industrializes access exploitation and turns identity control into a service continuity issue. Compliance now depends on governance that can verify, recertify, and revoke without disrupting operations.

NHIMG editorial — based on content published by Soffid: Digital identity in the public sector: how to simplify regulatory compliance and strengthen cybersecurity

By the numbers:

Questions worth separating out

Q: How should public-sector teams govern non-human identities without slowing operations?

A: Public-sector teams should govern non-human identities with separate ownership, lifecycle controls, and review cadences rather than forcing them into human access workflows.

Q: Why do non-human identities create more compliance risk in government environments?

A: Non-human identities create more compliance risk because they often hold persistent permissions, move faster than human review cycles, and are easier to forget during offboarding or system changes.

Q: What breaks when identity reviews are built only for employee accounts?

A: What breaks is coverage.

Practitioner guidance

  • Inventory every identity type that can access public-sector systems Build a single inventory that includes employees, contractors, service accounts, API keys, certificates, and integration identities.
  • Separate human and non-human access governance Do not run service accounts through the same review logic as staff accounts.
  • Make audit evidence automatic Generate logs, recertification records, and revocation evidence as part of normal IAM operations.

What's in the full article

Soffid's full article covers the operational detail this post intentionally leaves for the source:

  • How its unified IAM, IGA, PAM, and risk management stack is positioned for public-sector environments.
  • How the vendor describes automated recertification, incident logging, and reporting for compliance evidence.
  • How the article frames compatibility with legacy systems and low-friction deployment in public institutions.

👉 Read Soffid's analysis of public-sector digital identity compliance and cybersecurity →

Public sector identity governance: can IAM keep compliance and uptime aligned?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10520
 

Identity governance, not perimeter hardening, is the decisive control plane in public sector security. The article makes clear that attackers are industrializing discovery through massive scans and then exploiting identity weaknesses once they find them. That means the real battle is over who can access what, under what conditions, and for how long. Public-sector programmes that still treat IAM as a back-office function are defending the wrong layer.

A few things that frame the scale:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: Who is accountable when public-sector identity controls fail under NIS2?

A: Accountability falls on the organisation that owns the service, the identity governance process, and the operational systems that expose access, not on a single tool or team. Under NIS2, public bodies must be able to show oversight, rapid response, and demonstrable control evidence across the identity lifecycle.

👉 Read our full editorial: Public sector digital identity compliance depends on stronger IAM



   
ReplyQuote
Share: