Governance, Ownership & Risk

Why do legacy IGA tools struggle with access reviews?

By NHI Mgmt Group Editorial Team Updated June 11, 2026 Domain: Governance, Ownership & Risk

Legacy IGA struggles because it often cannot reconcile duplicate identities, stale attributes, and incomplete entitlement context across systems. Reviewers are left confirming basic facts manually, which turns certification into a delay-heavy exercise. The practical result is weaker evidence, slower closure, and a higher chance that risky access survives the review.

Why This Matters for Security Teams

Legacy IGA tools were built around periodic, human-centred certification cycles: named users, stable job roles, and predictable entitlements. That model breaks down when access is driven by service accounts, API keys, CI/CD automation, and other NHIs that change faster than review workflows can keep up. NHIs already outnumber human identities by 25x to 50x in modern enterprises, and only 5.7% of organisations report full visibility into their service accounts, according to the Ultimate Guide to NHIs from NHI Mgmt Group.

Access reviews become weak not because teams are careless, but because the evidence is incomplete. Reviewers are asked to approve entitlements without reliable ownership, rotation, or usage context, which turns certification into a guessing exercise. That is especially dangerous when excessive privilege is common and stale credentials remain valid long after the business case has changed. In practice, many security teams encounter risky access only after an audit exception or incident exposes what the review process never had enough context to catch.

How It Works in Practice

Effective access reviews depend on more than an entitlement export. Reviewers need identity continuity across systems, current ownership, last-used timestamps, privilege scope, and a clear link between the NHI and the workload it supports. The problem with legacy IGA is that it often treats access as a static record, while NHI reality is dynamic: credentials rotate, workloads scale up and down, and the same automation may be instantiated in multiple environments.

Practitioners increasingly pair IGA with workload-centric controls rather than expecting IGA alone to solve the problem. Current guidance suggests using cryptographic workload identity, short-lived credentials, and policy checks at request time so that review evidence reflects what the workload can actually do, not just what was provisioned months earlier. That approach aligns with the OWASP Non-Human Identity Top 10 and the NHI Lifecycle Management Guide, which both emphasize lifecycle visibility, rotation, and offboarding discipline.

  • Map each NHI to a business owner and a technical owner before the review begins.
  • Attach evidence of last use, credential age, and scope at the time of certification.
  • Separate human access from machine access so reviewers are not forced into one generic workflow.
  • Auto-expire or revalidate access that lacks current context instead of asking reviewers to infer intent.
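As an added example (not code from the page or from NHI Mgmt Group), the following Python turns the four controls above into a review-decision function over a set of constructed NHI records: owners are checked first, last-use, credential-age and scope evidence is attached to each decision, human and machine access are split into separate queues, and access with no current usage context is auto-expired rather than left to reviewer inference. The thresholds, field names and sample identities are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Thresholds are assumed for this example; they are not values from the page.
MAX_IDLE_DAYS = 90         # unused longer than this = no current context
MAX_CREDENTIAL_AGE = 180   # older than this = must be rotated / revalidated

@dataclass
class NHIRecord:
    name: str
    identity_type: str              # "machine" or "human"
    business_owner: Optional[str]
    technical_owner: Optional[str]
    last_used: Optional[datetime]   # None = never observed in use
    credential_issued: datetime
    scope: list

def review_decision(rec, now):
    """Return (decision, evidence): evidence explains the decision to the reviewer."""
    evidence = []
    if not rec.business_owner or not rec.technical_owner:
        evidence.append("missing owner")            # control 1: owners first
    if rec.last_used is None or (now - rec.last_used).days > MAX_IDLE_DAYS:
        evidence.append("no recent use")            # control 2: last-use evidence
    cred_age = (now - rec.credential_issued).days
    if cred_age > MAX_CREDENTIAL_AGE:
        evidence.append(f"credential age {cred_age}d")
    if any(s == "admin" or s.endswith("*") for s in rec.scope):
        evidence.append("broad scope")              # control 2: scope evidence
    if "no recent use" in evidence:                 # control 4: expire, don't infer intent
        return "auto_expire", evidence
    return ("revalidate" if evidence else "certify"), evidence

def build_review_queues(records, now):
    """Control 3: human and machine access go to separate review queues."""
    queues = {"human": [], "machine": []}
    for rec in records:
        decision, evidence = review_decision(rec, now)
        queues[rec.identity_type].append((rec.name, decision, evidence))
    return queues

NOW = datetime(2026, 6, 11, tzinfo=timezone.utc)
d = lambda n: NOW - timedelta(days=n)
SAMPLE = [  # constructed sample records, not real identities
    NHIRecord("ci-deploy-sa", "machine", "platform-lead", "devops", d(3), d(30), ["deploy:prod"]),
    NHIRecord("legacy-etl-key", "machine", None, "data-eng", d(200), d(400), ["db:*"]),
    NHIRecord("vendor-webhook", "machine", "partners", "integrations", d(5), d(300), ["webhook:post"]),
    NHIRecord("jdoe", "human", "hr", "it-helpdesk", d(10), d(20), ["read:reports"]),
]
```

Calling `build_review_queues(SAMPLE, NOW)` yields one queue per identity type, with each entry carrying the evidence list a reviewer would otherwise have to reconstruct by hand.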

These controls tend to break down in highly ephemeral environments, such as auto-scaling containers and short-lived CI/CD jobs, because entitlement data and runtime state drift faster than the review cadence.

Common Variations and Edge Cases

Tighter certification controls often increase operational overhead, requiring organisations to balance review depth against release velocity and reviewer fatigue. That tradeoff is real, and it is why best practice is evolving rather than settled. Some teams reduce friction by certifying the control plane instead of each transient instance, while others certify only the standing entitlement model and let runtime policy enforce the rest.

There is no universal standard for how much contextual evidence is enough, especially for shared service accounts, third-party integrations, and development sandboxes. In those cases, legacy IGA may still be useful for ownership attestation and exception tracking, but it should not be the sole source of truth. The strongest programmes combine IGA with secrets management, workload inventory, and continuous monitoring, then use access reviews to confirm governance rather than discover basic facts.

The 52 NHI Breaches Analysis shows how often missed machine identity hygiene becomes a material security issue, which is why reviewers need evidence that is tied to runtime behaviour, not just directory data.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-03 | Access reviews fail when NHI credentials are stale or untracked across systems. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege reviews depend on accurate entitlement context and approval evidence. |
| NIST AI RMF | | AI RMF helps govern dynamic, context-dependent access decisions for automated workloads. |

Apply AI RMF governance to define ownership, evidence, and escalation paths for machine access reviews.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.