Traditional IGA programs rely on static review cadences, slow approvals, and on-prem assumptions that no longer match how people access systems. When users move across locations, devices, and cloud apps, access changes faster than quarterly governance can react, leaving stale entitlements, delayed removals, and audit gaps.
Why Traditional IGA Breaks Down in Remote Work
Traditional identity governance and administration, or IGA, was built around a world where users were on corporate networks, devices were managed centrally, and access reviews could be tied to stable locations and predictable work patterns. Remote work removes those assumptions. People sign in from home networks, unmanaged devices, SaaS tools, and mobile endpoints, so entitlement decisions age faster than quarterly certifications can catch them. That mismatch turns “governance” into a retrospective exercise instead of a control that reflects current risk. The NIST Cybersecurity Framework 2.0 emphasizes continuous risk management, which is closer to today’s operating reality than legacy review cycles.
The practical consequence is stale access, delayed deprovisioning, and blind spots across cloud apps and third-party collaboration tools. Remote work also expands the number of identities, sessions, and devices that matter to access decisions, which makes human review even less reliable. NHI Management Group has shown how quickly access sprawl becomes operationally invisible: in the Ultimate Guide to NHIs, only 5.7% of organisations report full visibility into their service accounts, a reminder that visibility gaps are usually discovered after exposure, not before. In practice, many security teams encounter access drift only after an incident review exposes it, rather than through intentional governance.
How It Works in Practice
Remote work forces IGA to shift from periodic certification to continuous entitlement validation. The core issue is not just where a user is located, but whether the access still matches the user’s role, device posture, application risk, and current business need. Static RBAC mappings often fail here because remote users do not follow one fixed access pattern. A sales manager may need CRM access, a file-sharing tool, and a privileged support portal in the same day, while working from different networks and devices. That requires runtime evaluation, not just an annual review.
In practice, stronger programs combine governance workflows with zero-trust controls and real-time signals. A useful operating model includes:
- Access requests that consider device trust, geolocation, session context, and application sensitivity.
- Short-lived approvals for elevated access, rather than persistent entitlements.
- Automated deprovisioning triggered by role changes, inactivity, or offboarding events.
- Continuous monitoring of dormant accounts, orphaned access, and high-risk sharing paths.
For identity lifecycle control, the Schneider Electric credentials breach is a useful reminder that credential exposure often cascades when access controls and response actions do not keep pace with real usage. Current guidance suggests pairing IGA with policy enforcement that can react in near real time, rather than relying on quarterly attestation alone. That aligns with the broader direction of the NIST framework and with modern identity governance patterns, which increasingly depend on access analytics, automated revocation, and continuous assurance. These controls tend to break down when organisations keep legacy directory assumptions in place because remote and cloud access paths are no longer contained within one managed perimeter.
Common Variations and Edge Cases
Tighter governance often increases operational overhead, requiring organisations to balance access speed against review quality and audit defensibility. Remote work environments differ widely, and there is no universal standard for this yet. Fully distributed companies may need more automation than hybrid organisations because manual approvals cannot keep up with frequent context shifts. Highly regulated sectors may also accept more friction if it reduces access risk, while product or engineering teams often push for fast self-service access with compensating controls.
One common edge case is contractor and partner access. These users often need fast onboarding, broad collaboration access, and earlier offboarding than employees, which makes them especially vulnerable to entitlement drift. Another is emergency access for support teams, where time-bound elevation is appropriate but only if it is logged, reviewed, and revoked automatically. Remote work also complicates identity proofing when device trust is weak, since a user can be legitimate while the endpoint is not. The best practice is evolving toward continuous, context-aware governance, but many organisations still depend on calendar-based recertification that cannot see session-level risk. For teams managing broad identity sprawl, the patterns described in the Ultimate Guide to NHIs are relevant because the same visibility and rotation failures that affect machine identities also show up in remote human access paths.
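As an added example (not NHIMG's code or any vendor's API), the Python below sketches the continuous-validation loop described in the operating model above together with the contractor and time-bound elevation cases from this section: every entitlement is re-evaluated against role, device posture, approval expiry, inactivity and offboarding, and each decision carries a reason that can be logged for audit. The identity types, inactivity limits and sample identities are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added example, not NHIMG code. Hypothetical inactivity limits: contractors
# are offboarded earlier and drift faster, so they get less slack than staff.
INACTIVITY_LIMIT = {"employee": timedelta(days=30), "contractor": timedelta(days=14)}
@dataclass
class Entitlement:
    app: str
    sensitivity: str                # "standard" or "privileged"
    granted_for_role: str           # role the approval was tied to
    expires_at: Optional[datetime]  # None = persistent entitlement
    last_used: datetime
@dataclass
class Identity:
    user: str
    kind: str                       # "employee" or "contractor"
    role: str
    active: bool                    # False once an offboarding event fires
    device_trusted: bool            # device-posture signal from the endpoint
    entitlements: list = field(default_factory=list)

def evaluate(identity: Identity, ent: Entitlement, now: datetime):
    """Return (decision, reason) for one entitlement: 'allow', 'step_up' or 'revoke'."""
    if not identity.active:
        return "revoke", "offboarding event"
    if ent.granted_for_role != identity.role:
        return "revoke", f"role changed from {ent.granted_for_role} to {identity.role}"
    if ent.sensitivity == "privileged" and ent.expires_at is None:
        return "revoke", "privileged access must be time-bound, not persistent"
    if ent.expires_at is not None and now >= ent.expires_at:
        return "revoke", "short-lived approval expired"
    if now - ent.last_used > INACTIVITY_LIMIT[identity.kind]:
        return "revoke", f"dormant for {(now - ent.last_used).days} days"
    if ent.sensitivity == "privileged" and not identity.device_trusted:
        return "step_up", "privileged access from an untrusted device"
    return "allow", "entitlement matches current role, device and usage"

def validate(identity: Identity, now: datetime) -> dict:  # 'revoke' results feed deprovisioning
    return {e.app: evaluate(identity, e, now) for e in identity.entitlements}

def demo():  # the sales manager from the text, plus a contractor with one stale grant
    now = datetime(2026, 6, 24, tzinfo=timezone.utc)
    mgr = Identity("sales.manager", "employee", "sales_manager", True, False, [
        Entitlement("crm", "standard", "sales_manager", None, now - timedelta(days=1)),
        Entitlement("file_share", "standard", "sales_manager", None, now - timedelta(days=45)),
        Entitlement("support_portal", "privileged", "sales_manager", now + timedelta(hours=4), now)])
    contractor = Identity("vendor.dev", "contractor", "developer", True, True,
                          [Entitlement("repo", "standard", "developer", None, now - timedelta(days=20))])
    return validate(mgr, now), validate(contractor, now)
```

Run on a schedule or on each sign-in, the `revoke` and `step_up` results become the automated removals and re-approvals that calendar-based recertification cannot produce.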
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Remote access needs continuous least-privilege enforcement across changing sessions. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity sprawl and stale credentials mirror NHI governance gaps in remote work. |
| NIST AI RMF | Governance principles | AI RMF governance principles support context-aware, continuously monitored access decisions. |
Apply governance and monitoring so access decisions stay aligned with changing operational context.
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org