TL;DR: As organisations shift to remote work, expand contractor access, and rely more on bots using service accounts, static entitlements and manual requests no longer keep pace with changing access patterns, according to SailPoint. The governance problem is now about real-time identity control across workforce, machine, and data access, not separate compliance checkpoints.
NHIMG editorial — based on content published by SailPoint: Our identity security journey: Transforming opportunity to impact
By the numbers:
- 80-90% of enterprise data is now outside the traditional confines of enterprise applications.
Questions worth separating out
Q: How should security teams govern service accounts that behave like business-critical access paths?
A: Treat service accounts as governed identities with owners, lifecycle states, and scoped entitlements, not as background technical objects.
Q: Why do static roles fail when access changes during the task?
A: Static roles fail because they describe intended access at a point in time, not the access required to complete a task under changing conditions.
Q: What do security teams get wrong about contractor and bot access?
A: They often treat contractor and bot access as narrower versions of employee access, when in practice both can be broader, more time-sensitive, and harder to review.
Practitioner guidance
- Map real-time entitlement changes: Identify where privileges change during the task instead of at provisioning time, then flag those paths for stronger policy and monitoring.
- Inventory machine identities separately from users: Create a distinct catalog for bots and service accounts that records owner, system dependency, permissions, and lifecycle state.
- Rebuild access reviews around actual usage: Use review workflows that reflect who or what is actively using access, rather than certifying broad role bundles that may no longer match runtime behaviour.
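A minimal sketch of the last two guidance items, added here as an example and not taken from SailPoint or any product: a machine-identity catalog carrying the four recorded fields, reviewed against observed usage instead of granted roles. The identity names, permission strings, usage events and the 90-day window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class MachineIdentity:
    name: str
    owner: Optional[str]     # accountable team, None if nobody is recorded
    depends_on: str          # system dependency
    permissions: frozenset   # granted entitlements
    lifecycle: str           # "active", "deprecated" or "retired"

# Constructed sample catalog and usage events (identity, permission, last seen).
CATALOG = [
    MachineIdentity("svc-billing-export", "finance-platform", "billing-db",
                    frozenset({"billing:read", "billing:write", "s3:put"}), "active"),
    MachineIdentity("bot-ticket-sync", None, "helpdesk-saas",
                    frozenset({"tickets:read", "tickets:write"}), "active"),
    MachineIdentity("svc-legacy-etl", "data-eng", "warehouse",
                    frozenset({"warehouse:read"}), "retired"),
]
USAGE = [
    ("svc-billing-export", "billing:read", datetime(2024, 5, 30)),
    ("svc-billing-export", "s3:put", datetime(2024, 5, 30)),
    ("bot-ticket-sync", "tickets:read", datetime(2024, 5, 29)),
    ("bot-ticket-sync", "tickets:write", datetime(2024, 1, 10)),
    ("svc-legacy-etl", "warehouse:read", datetime(2024, 5, 28)),
]

def review(catalog, usage, now, window_days=90):
    """Return (identity, finding) pairs from ownership, lifecycle and observed use."""
    cutoff = now - timedelta(days=window_days)
    recent = {}
    for name, perm, seen in usage:
        if seen >= cutoff:  # only usage inside the review window counts
            recent.setdefault(name, set()).add(perm)
    findings = []
    for ident in catalog:
        used = recent.get(ident.name, set())
        if not ident.owner:
            findings.append((ident.name, "no owner recorded"))
        if ident.lifecycle != "active" and used:
            findings.append((ident.name, f"{ident.lifecycle} but still in use"))
        for perm in sorted(ident.permissions - used):
            findings.append((ident.name, f"unused in window: {perm}"))
    return findings

if __name__ == "__main__":
    for name, finding in review(CATALOG, USAGE, now=datetime(2024, 6, 1)):
        print(f"{name}: {finding}")
```

The findings are keyed on what each identity actually exercised, so a role bundle that still looks valid on paper surfaces as unused entitlements or as a retired identity that is still active at runtime.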
What's in the full article
SailPoint's full blog covers the operational detail this post intentionally leaves for the source:
- How the platform maps access requests to changing entitlement patterns across workforce and machine identities.
- Examples of how customer behaviour has shifted as remote work and contractor access increase governance complexity.
- The vendor's own view of autonomous identity governance and how it relates to current product direction.
- Context on the portfolio, ecosystem, and customer momentum behind the announcement framing.
Remote access, bots and data sprawl: what IAM teams need to rework?
Explore further
Static identity governance is losing relevance because access is now task-shaped, not role-shaped. SailPoint’s own description reflects a wider shift: the enterprise no longer has a single access pattern per identity type. Employees, contractors, and service accounts all need context-sensitive access that changes during execution. That means old compliance-centred certification models miss the live risk surface. Practitioners should treat role stability as an assumption that has already eroded.
A few things that frame the scale:
- We are seeing 87% growth in access requested and more than 50% growth in monthly active users YoY for customers the world over, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, which helps explain why access and secret sprawl tend to grow together.
A question worth separating out:
Q: How can organisations tell whether identity governance is keeping pace with data sprawl?
A: Look for whether the programme can connect identities to the data they actually reach, across file stores, SaaS platforms, and shared repositories. If access reviews only cover application login rights, governance is lagging. A working model can answer who can reach sensitive data now, not just who was approved last quarter.