TL;DR: Disconnected systems, legacy platforms and shadow SaaS are leaving identities outside central governance, while unmanaged non-human accounts and shared credentials create persistent access risk across complex environments, according to Gathid. Holistic discovery, contextual data and localised cleanup are now essential because identity risk increasingly lives beyond the systems IAM teams already monitor.
NHIMG editorial — based on content published by Gathid: Identity isn't just a security concern
By the numbers:
- It is not uncommon for organisations to have upwards of 50 cloud environments, each configured differently, with its own identity settings.
Questions worth separating out
Q: How should teams govern access in disconnected systems that do not integrate with IAM?
A: Teams should treat disconnected systems as first-class governance targets, not exceptions.
Q: Why do legacy platforms create persistent identity risk?
A: Legacy platforms create persistent risk because access is often managed locally, without federation or automated lifecycle sync.
Q: What do security teams get wrong about non-human identities?
A: Teams often treat service accounts, bots and integrations as technical details instead of governed identities.
Practitioner guidance
- Discover non-standard identity stores first: Map every system where credentials, roles or shared access exist, including marketing tools, legacy applications, remote facility systems and ad hoc cloud accounts.
- Tie access to authoritative business context: Join identity records to HR, contract and asset data so role changes, departures and vendor changes can drive removal of access in disconnected platforms.
- Prioritise orphaned and privileged accounts: Focus cleanup on systems with sensitive data, accounts without clear ownership and permissions that have no documented business justification.
What's in the full article
Gathid's full article covers the operational detail this post intentionally leaves for the source:
- Examples of how to inventory access in disconnected platforms using exports, manual audits and system reports
- A practical framework for building digital twins and knowledge graphs to model access relationships
- Guidance on prioritising cleanup across orphaned accounts, privileged access and sensitive systems
- Operational ways to link identity data to HR, contract and asset records for lifecycle control
👉 Read Gathid's analysis of unmanaged identities in disconnected systems →
Shadow identities in disconnected systems: what IAM teams miss?
Explore further
Shadow identity is now a governance category, not a cleanup task. The article describes a control problem that sits between sanctioned IAM and everything the business creates without waiting for central approval. That is not a visibility annoyance; it is a structural governance gap, because ownership, review and offboarding no longer map cleanly to the systems where access is actually used. Practitioners should treat shadow identity as an enterprise control domain.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which points to recurring control weakness rather than one-off exposure.
A question worth separating out:
Q: How can organisations reduce identity risk without replacing every legacy system?
A: Organisations can reduce risk by prioritising the highest-impact identities first. Start with orphaned accounts, privileged access, and systems holding sensitive data, then build local remediation lists for business owners. The objective is visible control and measured cleanup, not perfect platform standardisation.
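The practitioner guidance above (discover non-standard stores, join them to HR and contract data, prioritise orphaned and privileged accounts) and the answer just given describe one workflow. The script below is an added example written for this editorial; it is not code from Gathid's article. It assumes that each disconnected system has been exported into simple records with a `system`, `account`, `kind`, `role`, optional `owner`, `justification`, `shared` and `sensitive` field, and that an HR/contract roster is available keyed by account name; the roster, the exports and the privileged-role list are all constructed for illustration. It joins the exports to the roster, flags orphaned users, non-human identities without an active owner, shared credentials and privileged access with no documented justification, then scores and groups the findings into per-system remediation lists for business owners.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Roles treated as privileged in any export (assumption for this example).
PRIVILEGED_ROLES = {"admin", "owner", "root", "superuser"}

# Constructed HR/contract roster: the authoritative business context to join against.
ROSTER: Dict[str, Dict[str, str]] = {
    "alice": {"status": "active", "dept": "marketing"},
    "bob": {"status": "terminated", "dept": "finance"},
    "carol": {"status": "active", "dept": "engineering"},
    "vendor-acme": {"status": "contract_ended", "dept": "vendor"},
}

# Constructed access exports from systems that do not federate with IAM:
# a legacy billing app, a marketing SaaS tool, a plant HMI and an ad hoc cloud account.
EXPORTS: List[Dict] = [
    {"system": "legacy-billing", "account": "bob", "kind": "user", "role": "admin",
     "justification": "", "sensitive": True},
    {"system": "legacy-billing", "account": "alice", "kind": "user", "role": "viewer",
     "justification": "", "sensitive": True},
    {"system": "marketing-saas", "account": "shared-social", "kind": "shared",
     "role": "editor", "sensitive": False},
    {"system": "plant-hmi", "account": "svc-backup", "kind": "service", "role": "admin",
     "owner": "bob", "justification": "nightly backup job", "sensitive": True},
    {"system": "cloud-acct-17", "account": "carol", "kind": "user", "role": "owner",
     "justification": "CHG-1234", "sensitive": False},
    {"system": "cloud-acct-17", "account": "vendor-acme", "kind": "user", "role": "viewer",
     "sensitive": False},
]


@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    reasons: tuple   # governance rules the record violates
    score: int       # higher = clean up first


def classify(rec: Dict, roster: Dict[str, Dict[str, str]]) -> Optional[Finding]:
    """Join one exported record to the roster and return a Finding, or None if clean."""
    reasons = []
    kind = rec.get("kind", "user")
    if kind == "user":
        person = roster.get(rec["account"])
        if person is None:
            reasons.append("orphaned-no-hr-record")        # nobody in HR owns this login
        elif person["status"] != "active":
            reasons.append("orphaned-" + person["status"])  # left or contract ended
    elif kind == "service":
        owner = roster.get(rec.get("owner", ""))
        if owner is None or owner["status"] != "active":
            reasons.append("nhi-owner-not-active")          # bot/integration with no live owner
    elif kind == "shared":
        reasons.append("shared-credential")                 # no individual accountability
    privileged = rec.get("role", "").lower() in PRIVILEGED_ROLES
    if privileged and not rec.get("justification"):
        reasons.append("privileged-no-justification")
    if not reasons:
        return None
    # Impact weighting: each rule hit, plus sensitive data, plus privileged role.
    score = 10 * len(reasons) + (25 if rec.get("sensitive") else 0) + (15 if privileged else 0)
    return Finding(rec["system"], rec["account"], tuple(reasons), score)


def prioritise(exports: List[Dict], roster: Dict[str, Dict[str, str]]) -> List[Finding]:
    """All findings, highest-impact first (ties broken deterministically by system/account)."""
    findings = [f for rec in exports if (f := classify(rec, roster)) is not None]
    return sorted(findings, key=lambda f: (-f.score, f.system, f.account))


def by_system(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Local remediation lists: one per disconnected system, for its business owner."""
    grouped: Dict[str, List[Finding]] = {}
    for f in findings:
        grouped.setdefault(f.system, []).append(f)
    return grouped


if __name__ == "__main__":
    for system, items in by_system(prioritise(EXPORTS, ROSTER)).items():
        print(f"== {system} ==")
        for f in items:
            print(f"  {f.account:<14} score={f.score:<3} {', '.join(f.reasons)}")
```

On the constructed data the terminated admin on the sensitive billing system ranks first, followed by the backup service account whose owner has left, while the active viewer and the justified cloud owner produce no finding at all. The point of the join is that the exports alone cannot tell you which accounts are orphaned; only the roster can, which is why the guidance puts business context before cleanup.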
👉 Read our full editorial: Unmanaged identities in shadow systems are widening access risk