
How should organisations measure IGA maturity beyond a simple audit checklist?

By NHI Mgmt Group Editorial Team | Updated June 23, 2026 | Domain: Governance, Ownership & Risk

Measure whether access governance is closed-loop. A mature programme can assign ownership, approve access, recertify entitlements, and remove them without losing evidence. If the process cannot show who approved what, when it was reviewed, and whether removal happened, the maturity score is cosmetic rather than operational.

Why This Matters for Security Teams

IGA maturity is not measured by whether a control exists on paper, but by whether identity governance actually closes the loop across the full lifecycle. A team can have approvals, recertifications, and offboarding tasks in place and still fail if it cannot prove ownership, evidence, and revocation. That gap is where audit checklists create false confidence. NIST Cybersecurity Framework 2.0 adds a dedicated Govern function and treats governance as an operational discipline with measurable outcomes, not a static list of activities, which aligns closely with mature IGA practice.

For organisations managing large numbers of non-human identities, the issue is sharper. NHI Mgmt Group notes that only 5.7% of organisations have full visibility into their service accounts in the Ultimate Guide to NHIs, and that visibility gap makes any maturity score based only on policy presence misleading. The better measure is whether governance outcomes are observable, repeatable, and reversible. In practice, many security teams discover their IGA gaps only after an access review fails to remove stale entitlements or an audit asks for proof that no one can produce.

How It Works in Practice

Mature IGA programmes should be assessed as a closed-loop system. The loop starts when access is requested, assigned to an owner, approved with a defined reason, and logged with sufficient evidence. It continues through periodic recertification, exception handling, and timely revocation. If any step depends on tribal knowledge or manual follow-up, the process is not mature even if the workflow tool shows a green status.

A useful maturity model should examine whether governance controls are measurable at each stage:

  • Ownership is explicit for every application, role, account, or entitlement.
  • Approvals are tied to policy, not just manager convenience.
  • Recertification results in action, including removal where access is no longer justified.
  • Revocation is verified, not merely requested.
  • Evidence is retained in a way that supports audit, investigation, and trend analysis.

This is where guidance from the NIST Cybersecurity Framework 2.0 is helpful, because it pushes organisations toward outcome-based governance rather than checkbox compliance. For identity-specific lifecycle discipline, the NHI Lifecycle Management Guide reinforces that access must be assigned, reviewed, rotated, and removed with traceability. The question is not whether a recertification campaign happened, but whether the campaign reduced standing access and left a defensible evidence trail: how many entitlements were flagged for removal, how many removals were confirmed in the target system, and how long each took. NHI Mgmt Group also highlights the broader audit problem in the Ultimate Guide to NHIs — Regulatory and Audit Perspectives, where lifecycle controls are framed as a governance obligation rather than a reporting exercise. These controls tend to break down when ownership is distributed across application teams and revocation depends on separate service desks, because then no single system can verify completion end to end: the review tool records a decision, the ticketing system records a request, and nothing records that the access is actually gone.

Common Variations and Edge Cases

Tighter governance often increases operational overhead, so organisations have to balance proof quality against process friction. That tradeoff becomes visible when the environment includes thousands of entitlements, inherited group memberships, contractor access, or machine accounts that do not fit human-style review cadences. In those cases, a standard audit checklist may show that reviews occurred, but it will not show whether the right privileges were actually removed or whether exceptions were continuously justified.

Best practice is evolving toward different maturity measures for different identity classes. Human access can often be reviewed through manager attestations, while non-human access usually needs lifecycle evidence, technical verification that the credential or entitlement no longer works, and shorter revocation windows. Where organisations rely heavily on shared accounts, legacy systems, or third-party-administered environments, maturity scoring should explicitly penalise weak traceability. The Top 10 NHI Issues is a useful reminder that excessive privilege and poor visibility distort governance outcomes long before an audit occurs. This guidance breaks down in highly federated environments where identity data is fragmented across multiple IAM platforms and no authoritative source can confirm who approved what, when it was recertified, and whether removal actually happened; in that situation the first maturity step is consolidating evidence, not running another review campaign.
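The closed-loop stages listed above (explicit owner, policy-backed approval, recertification that leads to action, verified rather than merely requested revocation) and the per-class windows described in this section can be checked mechanically if lifecycle evidence is exported as events. The following is an added example, not code from NHI Mgmt Group or the original page: it assumes a hypothetical evidence export in which every entitlement carries a list of events of types grant, approve, recertify, revoke_requested and revoke_verified, and it uses illustrative identity classes ("human", "nhi") and SLA windows that are assumptions, not any product's schema or any framework's mandated values. The sample inventory at the bottom is constructed to show one loop that closes and two that do not.

```python
"""Closed-loop IGA evidence check (added example, hypothetical event schema)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed per-class windows: machine identities get shorter cycles than people.
RECERT_WINDOW = {"human": timedelta(days=180), "nhi": timedelta(days=90)}
REVOKE_WINDOW = {"human": timedelta(days=7), "nhi": timedelta(hours=24)}


@dataclass
class Finding:
    entitlement: str
    identity_class: str
    gaps: list  # empty list means the loop closed with evidence at every stage

    @property
    def closed(self) -> bool:
        return not self.gaps


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def assess(entitlement: str, identity_class: str, events: list, now: datetime) -> Finding:
    """Check one entitlement's evidence trail stage by stage."""
    gaps = []
    by_type = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_type[ev["type"]].append(ev)

    # Ownership is explicit: the grant record names an accountable owner.
    grants = by_type["grant"]
    if not grants or not grants[-1].get("owner"):
        gaps.append("no explicit owner")

    # Approval is tied to a policy, not only a manager click.
    approvals = by_type["approve"]
    if not approvals:
        gaps.append("no approval evidence")
    elif not approvals[-1].get("policy"):
        gaps.append("approval not tied to policy")

    # Recertification happened inside the class window and recorded a decision.
    recerts = by_type["recertify"]
    if not recerts:
        gaps.append("never recertified")
        return Finding(entitlement, identity_class, gaps)
    last = recerts[-1]
    if now - last["ts"] > RECERT_WINDOW[identity_class]:
        gaps.append("recertification overdue")

    # Revocation is verified, not merely requested: a 'revoke' decision must be
    # followed by a revoke_verified event (an independent check that access is
    # gone) within the class window. A ticket alone does not close the loop.
    if last.get("decision") == "revoke":
        verified = [v for v in by_type["revoke_verified"] if v["ts"] >= last["ts"]]
        requested = [r for r in by_type["revoke_requested"] if r["ts"] >= last["ts"]]
        if not verified:
            gaps.append("revocation requested but not verified" if requested
                        else "revocation never requested")
        elif verified[0]["ts"] - last["ts"] > REVOKE_WINDOW[identity_class]:
            gaps.append("revocation verified outside window")
    return Finding(entitlement, identity_class, gaps)


def score(inventory: dict, now: datetime) -> dict:
    """Programme-level metrics: loop closure and verified reduction of standing access."""
    findings = [assess(n, m["class"], m["events"], now) for n, m in inventory.items()]
    revoke_decisions = verified_revocations = 0
    for meta in inventory.values():
        recerts = sorted((e for e in meta["events"] if e["type"] == "recertify"),
                         key=lambda e: e["ts"])
        if recerts and recerts[-1].get("decision") == "revoke":
            revoke_decisions += 1
            if any(e["type"] == "revoke_verified" and e["ts"] >= recerts[-1]["ts"]
                   for e in meta["events"]):
                verified_revocations += 1
    closed = sum(f.closed for f in findings)
    return {
        "entitlements": len(findings),
        "closed_loop": closed,
        "closed_ratio": closed / len(findings) if findings else 0.0,
        "revoke_decisions": revoke_decisions,
        "verified_revocations": verified_revocations,
        "gaps": {f.entitlement: f.gaps for f in findings if f.gaps},
    }


# Constructed sample data (not real records): one closed loop, two broken ones.
NOW = _ts("2026-06-23T00:00:00")
SAMPLE_INVENTORY = {
    "svc-billing/db-admin": {"class": "nhi", "events": [  # closes: removal verified in 2h
        {"type": "grant", "ts": _ts("2026-01-10T09:00:00"), "owner": "payments-team"},
        {"type": "approve", "ts": _ts("2026-01-10T10:00:00"), "policy": "POL-DB-ADMIN-NHI"},
        {"type": "recertify", "ts": _ts("2026-06-01T08:00:00"), "decision": "revoke"},
        {"type": "revoke_requested", "ts": _ts("2026-06-01T08:05:00")},
        {"type": "revoke_verified", "ts": _ts("2026-06-01T10:00:00")},
    ]},
    "alice/finance-reports": {"class": "human", "events": [  # no policy, stale review
        {"type": "grant", "ts": _ts("2025-03-01T09:00:00"), "owner": "finance-apps"},
        {"type": "approve", "ts": _ts("2025-03-01T09:30:00")},
        {"type": "recertify", "ts": _ts("2025-11-15T08:00:00"), "decision": "keep"},
    ]},
    "svc-etl/s3-full": {"class": "nhi", "events": [  # ticket raised, nothing proves removal
        {"type": "grant", "ts": _ts("2026-02-01T09:00:00")},
        {"type": "approve", "ts": _ts("2026-02-01T09:10:00"), "policy": "POL-S3-FULL"},
        {"type": "recertify", "ts": _ts("2026-05-20T08:00:00"), "decision": "revoke"},
        {"type": "revoke_requested", "ts": _ts("2026-05-20T08:01:00")},
    ]},
}

if __name__ == "__main__":
    import json
    print(json.dumps(score(SAMPLE_INVENTORY, NOW), indent=2))
```

The design point is the revoke_verified event: it is the only evidence the script accepts for closure, and it has to come from something that actually tested the target system (a failed login with the old key, an API read showing the role binding is gone), not from the workflow tool marking a task complete. The closed_ratio and the verified_revocations / revoke_decisions pair are the two numbers an audit checklist cannot give you.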

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control expectations practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | GV.RM (Risk Management Strategy) | Maturity should be risk-based and outcome-driven, not checklist-only.
OWASP Non-Human Identity Top 10 | NHI1:2025 (Improper Offboarding) | Weak lifecycle visibility and unverified revocation are core NHI governance gaps.
NIST AI RMF | | Governance maturity depends on accountability, traceability, and continuous monitoring.

Score IGA by closure of access risk, evidence quality, and verified remediation outcomes.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org