NHIMG Forum - Recent Posts

RE: Pathlock Nexus and continuous ERP controls: what changes for IAM teams

Mr NHI — Tue, 02 Jun 2026 20:52:48 +0000

Transaction-first governance is becoming the correct control lens for modern ERP risk. The core problem is no longer just entitlement sprawl. It is that business value is created and lost inside high-speed transactions that need to be evaluated as they happen. For IAM and PAM teams, that means access control and transaction assurance can no longer be separate disciplines.

A few things that frame the scale:

85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% only partial visibility, according to The State of Non-Human Identity Security.
That same research found only 1.5 out of 10 organisations are highly confident in securing NHIs, which helps explain why transaction-heavy environments struggle to keep pace with automation.

A question worth separating out:

Q: When should organisations move from periodic audit to continuous assurance?

A: They should move as soon as business processes depend on bots, AI agents, or high-volume ERP automation that can execute sensitive transactions faster than manual review can keep up. If the control objective is to stop bad transactions rather than merely document them, continuous assurance becomes necessary.

👉 Read our full editorial: Pathlock Nexus and the shift to continuous ERP control governance

RE: Unused IAM permissions: why visibility alone does not reduce risk

Mr NHI — Tue, 02 Jun 2026 20:52:32 +0000

Visibility without enforcement is not least privilege. IAM Access Analyzer can identify unused permissions, but the control problem remains unsolved until those permissions are actually constrained or removed. In mature environments, dashboards tend to accumulate faster than remediation capacity, especially where service accounts and other non-human identities are created continuously. The practical conclusion is clear: least privilege must be enforced, not merely observed.

A few things that frame the scale:

70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, which shows how sharply blast radius changes when access is scoped correctly.

A question worth separating out:

Q: When should organisations use central blocking instead of deleting a role?

A: Use central blocking when the identity may still be needed by rare, undocumented, or periodic workflows. Deletion is permanent and can break dependencies that appear only after the fact. Blocking lets the team reduce blast radius while keeping the recovery path simple.

👉 Read our full editorial: IAM Access Analyzer finds unused access, but enforcement stays manual

RE: Sub:jugation and phantom cloud identities: what IAM teams missed

Mr NHI — Tue, 02 Jun 2026 20:52:16 +0000

Phantom Cloud Identities are the real control failure here. The trust policy still exists, but the identity it trusts no longer has a legitimate owner. That means standard secrets hygiene is not enough, because the problem is stale federation state rather than exposed static credentials. Teams need to govern the lifecycle of the identity subject, not just the token format.

A few things that frame the scale:

28,65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded, according to the State of Secrets Sprawl 2026.
AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers, according to the State of Secrets Sprawl 2026.

A question worth separating out:

Q: Who is accountable when a reclaimed namespace can assume a cloud role?

A: Accountability sits with the team that owns the cloud role, the CI/CD namespace, and the offboarding process that should have removed the trust. Federation makes the control shared, but shared control does not mean shared responsibility. The role owner must prove the trust condition still matches a legitimate active identity.

👉 Read our full editorial: Sub:jugation exposes phantom cloud identities in CI/CD OIDC trust

RE: Linux passwordless support: what changes for IAM teams now?

Mr NHI — Tue, 02 Jun 2026 20:51:59 +0000

Linux passwordless is now an identity governance issue, not just a UX upgrade. The practical significance of this capability is that Linux stops being the exception that weakens enterprise authentication policy. When the same phishing-resistant methods can span Linux, Windows, macOS, iOS, and Android, teams can finally apply consistent assurance rules across the user estate. The practitioner takeaway is simple: if Linux remains password-based, passwordless is not actually enterprise-wide.

A few things that frame the scale:

70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
That same survey found only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.

A question worth separating out:

Q: How do you know if passwordless coverage is actually enterprise-wide?

A: Measure coverage by operating system, user role, and access path rather than by overall adoption alone. If Linux administrators, server operators, or critical application users still rely on passwords or OTP as a fallback, the programme is not truly enterprise-wide.

👉 Read our full editorial: Linux passwordless support closes a major IAM gap for enterprises

RE: Identity governance in cloud and AI environments: what changes now?

Mr NHI — Tue, 02 Jun 2026 20:51:43 +0000

Continuous assurance is now the baseline control expectation for modern identity governance. Periodic access reviews still have value, but they no longer provide enough signal in environments where cloud permissions, service identities, and AI-assisted workflows change continuously. The governance model that survives is the one that can evaluate access state in near real time and tie it to business risk.

A few things that frame the scale:

72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the same report.

A question worth separating out:

Q: How can organisations reduce audit friction without weakening governance?

A: Use policy automation, delegated decision rights, and shared risk signals to shorten approval paths while keeping accountability intact. The objective is not fewer controls. It is fewer manual handoffs and less delay between risk detection and action, which is what preserves both auditability and operational continuity.

👉 Read our full editorial: Identity governance for human and non-human identities needs real-time control

RE: AI agent identity risk and standing privilege: are controls keeping up?

Mr NHI — Tue, 02 Jun 2026 20:51:26 +0000

Standing privilege is now the most exploitable control failure in AI-heavy environments. The article's core point is that attackers win faster when identities remain permanently enabled, especially when those identities hold secrets or tool access. Just-in-time access is therefore not a nice-to-have optimisation, but the control that shortens the abuse window. Practitioners should treat persistent privilege as the default condition that needs active removal.

A few things that frame the scale:

80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: What should organisations do first when AI-driven attacks speed up exploitation?

A: Organisations should focus first on identities that already combine privilege, persistence, and secret access. Those are the fastest paths to compromise and the hardest to detect manually. The first 24 to 72 hours should be spent reducing exposure windows, validating revocation, and confirming which agents or service accounts can still reach sensitive systems.

👉 Read our full editorial: AI agent identity risk is accelerating privilege exposure in enterprises

RE: D365 F&O access governance on 2026-06-02: what is changing?

Mr NHI — Tue, 02 Jun 2026 20:51:10 +0000

Continuous proof is now the core governance requirement for business applications. D365 F&O teams are being asked to show that SoD, privilege, and provisioning controls are effective in operation, not merely defined in policy. That changes the control model from periodic attestation to ongoing evidence gathering, which is closer to how auditors now expect resilient governance to behave. Practitioners should treat every access review as a test of control reality, not a paperwork exercise.

A few things that frame the scale:

72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to Oasis Security & ESG.

A question worth separating out:

Q: Who should own access governance when business applications affect audit and licensing?

A: Ownership should be shared, but accountability must be explicit. IAM or security teams usually run the control framework, while finance, application owners, and audit stakeholders validate business need and risk tolerance. Without that split, access decisions drift into either unchecked convenience or disconnected compliance paperwork.

👉 Read our full editorial: D365 F&O access governance needs continuous proof, not paper controls

RE: AI agents as privileged identities: what IAM teams need now

Mr NHI — Tue, 02 Jun 2026 20:50:54 +0000

Identity is becoming the decisive control plane for AI-era compromise. Vulnerability discovery may be accelerating, but the attacker still needs a credential, a session, and a route to impact. That shifts the security center of gravity from finding every flaw to limiting what any compromised or autonomous identity can do. Practitioners should treat identity blast radius as the primary risk variable.

A few things that frame the scale:

91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
Only 5.7% of organisations have full visibility into their service accounts, which helps explain why identity-led attack paths persist even when teams think they have coverage.

A question worth separating out:

Q: What should teams do in the first 24 to 72 hours after discovering agent misuse?

A: Contain the session, revoke the agent's credentials, inventory every reachable system, and review all actions taken during the period of misuse. Then determine whether the problem is limited to one identity, or whether the same privilege pattern exists elsewhere in the environment.

👉 Read our full editorial: Mythos-era AI agents raise the stakes for identity security

RE: Orphaned accounts in IGA: what this webinar means for teams

Mr NHI — Tue, 02 Jun 2026 20:50:37 +0000

Conversational IGA does not solve governance gaps by itself: it simply compresses the time it takes to find them. When teams already face orphaned accounts, limited reviewer capacity, and audit pressure, AI-assisted search can improve triage but cannot substitute for authoritative ownership, review standards, or remediation discipline. The practitioner implication is simple: if the underlying IGA model is weak, a faster interface will only expose the weakness sooner.

A few things that frame the scale:

96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate, according to AI Agents: The New Attack Surface report.
80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

A question worth separating out:

Q: How do teams know whether AI-assisted IGA is actually working?

A: Look for shorter review cycles, fewer unresolved orphaned accounts, and clearer remediation ownership without an increase in policy exceptions or audit findings. If the system produces speed but not better decision quality, it is only moving the bottleneck. Effective AI-assisted IGA improves both throughput and control fidelity.

👉 Read our full editorial: Orphaned accounts and agentic AI in IGA: Pathlock webinar implications

Pathlock Nexus and continuous ERP controls: what changes for IAM teams

Mr NHI — Tue, 02 Jun 2026 20:50:02 +0000

TL;DR: Pathlock says modern ERP environments now require continuous, transaction-first assurance because AI agents, bots, and service accounts execute critical business actions at machine speed across SAP, Oracle, Workday, and 150+ applications. The governance shift is bigger than monitoring more logs, because identity, privilege, and transaction context now have to be evaluated together in real time.

NHIMG editorial — what this means for NHI practitioners

By the numbers:

72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.

Questions worth separating out

Q: How should security teams govern AI agents and bots in ERP systems?

A: Treat AI agents and bots as governed non-human identities with explicit ownership, least privilege, and lifecycle controls.

Q: Why do static ERP access reviews miss so much risk?

A: Static reviews miss sequence-based risk because a permission that looks acceptable in isolation may become dangerous when combined with transaction order, business context, and automation.

Q: What breaks when transaction controls are only tested after the fact?

A: After-the-fact testing lets fraud, compliance violations, and privilege misuse execute before anyone can intervene.

Practitioner guidance

Map transaction-critical identities Inventory the users, bots, service accounts, and AI agents that can create, approve, or release ERP transactions, then assign explicit owners for each identity and workflow.
Replace sampling with continuous controls monitoring Instrument controls so they evaluate transactions in real time, then retain evidence for audit, investigation, and exception handling across SAP, Oracle, Workday, and related systems.
Reduce toxic access combinations Use SoD analysis and role cleanup to remove combinations that let one identity both initiate and approve the same high-risk business process.

The control objective shifts from periodic approval to continuous containment?

👉 Read Pathlock's analysis of continuous ERP control governance with Pathlock Nexus →

Explore further

View Full Forum → | NHI Foundation Course →