Security vs compliance in identity governance: what changes now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Identity governance has shifted from audit support to direct risk control, with access reviews, just-in-time access, and owner-based entitlement governance now doing the security work once left to compliance processes, according to ConductorOne. The practical shift is clear: security-led IGA closes standing privilege and orphaned access gaps that checkbox controls leave behind.

NHIMG editorial — based on content published by ConductorOne: Security vs. Compliance: Bridging the Gap with C1

Questions worth separating out

Q: How should security teams turn access reviews into real risk reduction?

A: Security teams should use access reviews to remove dormant access, orphaned accounts, and privileges that no longer match the work being performed.

Q: When does just-in-time access reduce risk more than it adds complexity?

A: JIT access reduces risk when the alternative is standing privilege for elevated or sensitive access.

Q: What do organisations get wrong about compliance-led identity governance?

A: They often mistake evidence of process for evidence of control effectiveness.

Practitioner guidance

  • Reframe access reviews as risk-removal exercises: use user access reviews to identify dormant accounts, unnecessary entitlements, and production access that no longer matches operational need.
  • Convert elevated access to just-in-time access: apply JIT workflows to privileged and production access so entitlements exist only for the duration of a specific task.
  • Assign accountable owners to every entitlement: inventory service accounts, orphaned accounts, and shared access paths, then map each one to a named business or system owner.

What's in the full article

ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:

  • How the vendor positions quarterly user access reviews as a security control rather than a compliance artifact.
  • The practical workflow for combining just-in-time access with granular request approvals to remove standing privilege.
  • Examples of automated policy decisions based on duration, location, source, and sensitivity.
  • The product-oriented identity governance model behind the vendor's unified control approach.

👉 Read ConductorOne's analysis of security vs compliance in identity governance →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Compliance is the floor, not the control objective. This post correctly separates audit assurance from risk reduction, but the larger point is that identity governance fails when evidence becomes the end state. SOX, PCI, and ISO can define minimum proof requirements, yet they do not by themselves remove excessive privilege, dormant access, or inaccessible ownership chains. The practitioner conclusion is that the programme must be evaluated by exposure reduced, not paperwork completed.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: How do you know if identity governance is actually working?

A: Look for measurable reduction in standing privilege, faster removal of unnecessary access, and fewer entitlements without clear ownership. If access reviews produce findings but not removals, the programme is generating compliance evidence rather than lowering risk. Effective governance changes the identity surface, especially in production and privileged environments.

👉 Read our full editorial: Security-first identity governance: why compliance is not enough



   
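The review-and-remove mechanics in the first post's practitioner guidance and the "is it actually working" test in the second post, as an added example (not code from ConductorOne, C1 or NHIMG): a Python script that runs an access review over a constructed entitlement inventory, classifies each grant as dormant, orphaned, unowned or standing-privileged, revokes those grants, replaces a still-needed standing privileged grant with a time-boxed JIT grant approved by the entitlement owner, and reports exposure counts before and after. The identities, resources, HR directory, and the 90-day dormancy window are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample data (assumption, not from the article or the post):
# a small entitlement inventory and the set of currently employed humans.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
HR_DIRECTORY = {"alice", "bob"}           # carol has left the company
DORMANT_AFTER = timedelta(days=90)        # assumed dormancy threshold


@dataclass(frozen=True)
class Grant:
    principal: str                        # human user or service account
    resource: str
    privileged: bool                      # elevated / production access
    owner: Optional[str]                  # accountable owner, None if never mapped
    last_used: Optional[datetime]         # None = never exercised
    expires: Optional[datetime] = None    # None = standing access
    is_service: bool = False              # non-human identity


INVENTORY = [
    Grant("alice",   "prod-db",       True,  "bob",   NOW - timedelta(days=1)),
    Grant("bob",     "billing-app",   False, "bob",   NOW - timedelta(days=5)),
    Grant("carol",   "prod-db",       False, "bob",   NOW - timedelta(days=30)),
    Grant("svc-etl", "warehouse",     True,  None,    NOW - timedelta(days=120), is_service=True),
    Grant("svc-ci",  "artifact-repo", False, "alice", None, is_service=True),
    Grant("alice",   "wiki",          False, "bob",   NOW - timedelta(days=200)),
]


def review(grants, now=NOW, hr=HR_DIRECTORY):
    """Access review as a risk-removal exercise: sort each grant into the
    findings a security-led review acts on. One grant can hit several."""
    findings = {"dormant": [], "orphaned": [], "unowned": [], "standing_privilege": []}
    for g in grants:
        if g.last_used is None or now - g.last_used > DORMANT_AFTER:
            findings["dormant"].append(g)
        if not g.is_service and g.principal not in hr:
            findings["orphaned"].append(g)        # the human left, the access stayed
        if g.owner is None or g.owner not in hr:
            findings["unowned"].append(g)         # nobody accountable can attest to it
        if g.privileged and g.expires is None:
            findings["standing_privilege"].append(g)
    return findings


def exposure(grants, now=NOW, hr=HR_DIRECTORY):
    """Counts of exposure, the measure a programme should be judged by."""
    return {k: len(v) for k, v in review(grants, now, hr).items()}


def remediate(grants, now=NOW, hr=HR_DIRECTORY):
    """Turn findings into removals: dormant and orphaned grants are revoked, and
    standing privileged grants are revoked so they must be re-obtained via JIT."""
    f = review(grants, now, hr)
    to_remove = set(f["dormant"]) | set(f["orphaned"]) | set(f["standing_privilege"])
    kept = [g for g in grants if g not in to_remove]
    return kept, sorted(to_remove, key=lambda g: (g.principal, g.resource))


def jit_grant(principal, resource, approver, duration, now=NOW, hr=HR_DIRECTORY):
    """Time-boxed elevated access approved by the entitlement owner; the expiry
    means it can never become standing privilege."""
    if approver not in hr:
        raise ValueError(f"approver {approver!r} is not an active owner")
    return Grant(principal, resource, True, approver, now, expires=now + duration)


def active(grants, now):
    """Grants still in force at `now`; expired JIT grants drop out by themselves."""
    return [g for g in grants if g.expires is None or g.expires > now]


def run_demo():
    """Review, remediate, re-issue one privileged grant as JIT, and report."""
    before = exposure(INVENTORY)
    kept, removed = remediate(INVENTORY)
    jit = jit_grant("alice", "prod-db", "bob", timedelta(hours=2))
    after = kept + [jit]
    return {
        "before": before,
        "revoked": [(g.principal, g.resource) for g in removed],
        "after": exposure(after),
        "active_plus_1h": len(active(after, NOW + timedelta(hours=1))),
        "active_plus_3h": len(active(after, NOW + timedelta(hours=3))),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The useful output is the delta, not the findings list: if `before` and `after` show the same standing-privilege and unowned counts, the review produced evidence but no removals.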