
Why do IGA platforms become harder to run as organisations grow?

By NHI Mgmt Group Editorial Team Updated June 10, 2026 Domain: Governance, Ownership & Risk

As organisations grow, identity data gets messier, ownership becomes less clear, and access reviews multiply. Platforms become harder to run when they depend on perfect role models and manual coordination. The real issue is usually not technology capacity but the gap between governance ambition and the team’s ability to sustain it.

Why This Matters for Security Teams

IGA platforms become harder to run as organisations grow because identity sprawl turns governance into an operations problem. More apps, more service accounts, more exceptions, and more ownership disputes mean every access review takes longer and produces more noise. NHI Management Group’s Ultimate Guide to NHIs shows that NHIs outnumber human identities by 25x to 50x in modern enterprises, which is why scale quickly exposes weak role models and manual exception handling.

That pressure shows up in review fatigue, stale entitlements, and unclear accountability for who should approve what. The same growth that adds business value also makes clean certification cycles harder to sustain. The issue is not simply platform capacity; it is the mismatch between governance design and the actual operating model. Current guidance from the NIST Cybersecurity Framework 2.0 still points teams toward risk-based governance, but implementation becomes fragile when ownership data is incomplete and access patterns change faster than policies. In practice, many security teams discover the IGA bottleneck only after access review backlogs, audit findings, or overprovisioned identities have already accumulated.

How It Works in Practice

At smaller scale, IGA platforms can depend on role mining, manager attestations, and periodic certification because the number of identities and entitlements is still manageable. As the environment grows, those workflows begin to fail for predictable reasons: entitlements multiply faster than role design can keep up, business owners change, and access decisions drift away from the underlying application reality. For NHI governance, this is even more pronounced because service accounts, API keys, tokens, and automated workloads often lack a human owner who can reliably certify access.

Practitioners increasingly treat IGA as a control plane that must ingest better identity hygiene rather than a system that can fix poor inputs. That means linking lifecycle events, ownership records, and entitlement inventories to authoritative sources, then using policy to decide when an access request or review is valid. NIST CSF 2.0 and the NHIMG research on NHI scale and market realities both point to the same operational truth: governance only works when the organisation can keep identity data current enough to trust.

Common operating patterns include:

  • Synchronising HR, CMDB, cloud, and directory data so the platform can identify who or what owns an entitlement.
  • Using RBAC where it is stable, but allowing exception handling for systems with dynamic or inherited access.
  • Automating joiner-mover-leaver events for humans and separate lifecycle rules for NHIs, since their offboarding requirements differ.
  • Shortening certification scopes so reviewers see meaningful access bundles instead of long, unusable entitlement lists.

As an organisation grows, the real problem is not just more identities; it is more ambiguity around who is responsible for validating them. These controls tend to break down in decentralised environments where application teams create their own roles, ownership records are stale, and there is no reliable source of truth for service-account use.
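The ownership reconciliation and scoped-review patterns above, sketched as an added example (not from the original article or any IGA product). The record fields, the HR and CMDB shapes, and all names are constructed assumptions:

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (assumed shapes, not from any real IGA product).
HR_ACTIVE = {"alice", "bob"}                      # active employees per HR feed
CMDB_APP_OWNER = {"billing": "bob", "ci": "carol", "crm": "alice"}  # app -> owner
ENTITLEMENTS = [
    {"identity": "alice", "kind": "human", "app": "crm", "ent": "crm:read", "owner": "bob", "expires": None},
    {"identity": "svc-billing", "kind": "nhi", "app": "billing", "ent": "db:write", "owner": "dave", "expires": None},
    {"identity": "svc-billing", "kind": "nhi", "app": "billing", "ent": "queue:publish", "owner": "dave", "expires": None},
    {"identity": "ci-token-7", "kind": "nhi", "app": "ci", "ent": "repo:push", "owner": None, "expires": date(2026, 5, 1)},
    {"identity": "svc-report", "kind": "nhi", "app": "ci", "ent": "bucket:read", "owner": "carol", "expires": None},
]

def resolve_owner(rec, hr_active, cmdb_owner):
    """Return (owner, source); owner is None when no active human can certify."""
    if rec["owner"] in hr_active:
        return rec["owner"], "declared"
    fallback = cmdb_owner.get(rec["app"])         # stale owner: try the app owner
    if fallback in hr_active:
        return fallback, "cmdb-fallback"
    return None, "unowned"

def plan_reviews(entitlements, hr_active, cmdb_owner, today):
    """Split inventory into per-owner review bundles, an ownership-exception
    queue, and expired NHI credentials that go to revocation, not review."""
    bundles, unowned, revoke = defaultdict(list), [], []
    for rec in entitlements:
        if rec["kind"] == "nhi" and rec["expires"] and rec["expires"] < today:
            revoke.append(rec["identity"])        # certification adds no value
            continue
        owner, source = resolve_owner(rec, hr_active, cmdb_owner)
        if owner is None:
            unowned.append((rec["identity"], rec["ent"]))
        else:
            bundles[(owner, rec["app"])].append((rec["identity"], rec["ent"], source))
    return dict(bundles), unowned, revoke

if __name__ == "__main__":
    bundles, unowned, revoke = plan_reviews(ENTITLEMENTS, HR_ACTIVE, CMDB_APP_OWNER, date(2026, 6, 10))
    for (owner, app), items in bundles.items():
        print(f"review for {owner} / {app}: {items}")
    print("ownership exceptions:", unowned)
    print("revoke (expired):", revoke)
```

Entitlements that land in the exception queue are the ones a certification campaign cannot resolve, so their count is a direct measure of the ownership gap the text describes.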

Common Variations and Edge Cases

Tighter governance often increases administrative overhead, requiring organisations to balance auditability against operational speed. Best practice is evolving here, and there is no universal standard for how much IGA automation is enough at enterprise scale. Some organisations can centralise access governance successfully, while others need a federated model because domain teams understand application context better than a central review group.

One common edge case is inherited access from cloud, SaaS, and platform teams. In those environments, role definitions look neat on paper but break down when permissions are layered across subscriptions, accounts, and nested groups. Another is NHIs tied to pipelines or ephemeral workloads, where a conventional quarterly certification adds little value because the credential may already be obsolete by the time the review occurs. In those cases, current guidance suggests shifting from static review cycles toward event-driven governance, stronger ownership metadata, and tighter lifecycle controls.

NHIMG’s research suggests the scale issue is often visible long before failure becomes obvious, especially when visibility into service accounts is low and credential hygiene lags behind organisational growth. If ownership cannot be established, the platform will keep producing tickets and exceptions faster than reviewers can resolve them, which is why growth exposes governance debt so quickly.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM-1 | Asset and identity inventories are foundational when IGA scale increases. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access governance becomes harder as entitlements multiply. |
| NIST AI RMF | GOVERN | Governance becomes harder when ownership, accountability, and process discipline erode. |

Maintain authoritative identity inventories so reviews and access decisions start from known assets.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 10, 2026.