TL;DR: Governance only works when discovery sees the full access surface, not just what the IdP already knows, and 60% of applications often sit outside IT control, according to Zluri’s comparison with ConductorOne. The real issue is structural: if discovery is SSO-bound, downstream reviews, offboarding, and SoD stay SSO-bound too.
NHIMG editorial — based on content published by Zluri: Zluri vs ConductorOne: A Capability-by-Capability Comparison (2026)
By the numbers:
Questions worth separating out
Q: What breaks when discovery is limited to SSO-connected applications?
A: Governance breaks at the first step because reviews, offboarding, and SoD can only operate on what discovery found.
Q: Why do NHIs complicate identity governance programmes?
A: NHIs complicate governance because they are not anchored to human lifecycle events and often persist across application, workload, or workflow changes.
Q: How can security teams know whether access reviews are producing real control?
A: They should compare review outputs with live HR, IdP, and application state, then check whether drift keeps reappearing between cycles.
Practitioner guidance
- Map the real access surface before buying governance features Inventory how the platform discovers apps and credentials outside SSO, including browser activity, direct integrations, finance data, and agent-driven access.
- Test offboarding against actual discovered access Run a sample leaver workflow for a user with shared apps, manual invites, and machine access.
- Validate review freshness and drift monitoring Ask how often HRMS and IdP data sync, and what controls detect access drift between formal certification cycles.
What's in the full article
Zluri's full comparison covers the operational detail this post intentionally leaves for the source:
- Specific discovery methods across SSO, MDM, finance data, browser agents, and direct integrations.
- Implementation detail for offboarding workflows that act on discovered shadow apps and real access footprints.
- Configuration depth for approval routing, SoD rules, and workflow automation across SaaS applications.
- Vendor-specific capability breakdowns that help teams evaluate fit against their current identity stack.
👉 Read Zluri’s comparison of identity discovery, offboarding, and access review scope →
Zluri vs ConductorOne: what access-surface gap are teams missing?
Explore further
Discovery scope is the real control plane for identity governance. If discovery only sees SSO-connected applications, the organisation is not running full governance. It is running governance inside a narrowed model of the environment. That model excludes shadow IT, shared access, direct API use, and much of the machine identity layer that now carries real business risk. Practitioners should treat discovery coverage as the first governance control, not a supporting feature.
A few things that frame the scale:
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
- A separate finding from the same survey shows that only 44% of organisations have implemented any policies to manage their AI agents, even though 92% say governing them is critical to enterprise security.
A question worth separating out:
Q: When should teams use JIT access instead of broader identity governance controls?
A: JIT access is useful when the main problem is short-lived privileged access to cloud infrastructure. It should not be treated as a substitute for discovery, offboarding, or access certification across SaaS and machine identities. If the organisation’s real risk is hidden apps or lingering credentials, JIT solves only a narrow part of the problem.
👉 Read our full editorial: Zluri vs ConductorOne exposes the access-surface governance gap