The foundational controls that support reliable systems, access, and change management across an enterprise application stack. In practice, ITGC determines whether auditors trust the environment enough to rely on higher-level business controls and transaction evidence.
Expanded Definition
IT general controls, or ITGC, are the baseline controls that make systems trustworthy enough for auditors and operators to rely on downstream activity. In practice, they cover access administration, change management, backups, logging, job scheduling, and segregation of duties across the application stack.
For NHI and IAM programs, ITGC is the control layer that determines whether service accounts, secrets, and privileged tooling can be operated safely at scale. It is closely related to broader governance concepts in NIST Cybersecurity Framework 2.0, especially identity, access, and protective controls, but usage in the industry is still evolving because some teams treat ITGC as an audit category while others treat it as an engineering discipline. The most common misapplication is assuming application-level approvals are enough, which occurs when infrastructure access, deployment paths, and secret rotation are left outside the control boundary.
Examples and Use Cases
Implementing ITGC rigorously often introduces slower change velocity and more evidence collection, requiring organisations to weigh delivery speed against auditability and recovery confidence.
- A finance team restricts production access so that only approved operators can modify service accounts, rotate secrets, or approve emergency access.
- A platform team requires change tickets, peer review, and rollback plans before updating authentication middleware or CI/CD runners.
- An auditor traces whether backup jobs, log retention, and restore testing are controlled well enough to support transaction integrity.
- A security team uses the NIST Cybersecurity Framework 2.0 as a baseline to tie access, change, and recovery controls together across systems.
- A governance team consults Ultimate Guide to NHIs — Standards to align service account lifecycle steps with evidence that auditors can verify.
In mature environments, ITGC also governs the tools that manage non-human identities, because the control failure is often not the workload itself but the administrative plane around it. That is why service account creation, credential rotation, and privileged session handling should all be traceable to an approved process rather than handled ad hoc.
Why It Matters in NHI Security
ITGC becomes critical when organisations need to prove that non-human identities are controlled, not just present. Weak access review processes, undocumented changes, and poor secret handling can invalidate audit reliance and leave automation with more privilege than it should have. The NHI Mgmt Group's Ultimate Guide to NHIs — Standards reports that only 5.7% of organisations have full visibility into their service accounts, a strong signal that many ITGC programs do not yet extend cleanly to non-human credentials.
That gap matters because ITGC is often the only control family that can prove who changed a secret, when access was granted, and whether recovery procedures actually work. It also maps naturally to NIST Cybersecurity Framework 2.0, which expects organisations to manage identity, recoverability, and governance in a coordinated way. Organisations typically encounter failed audits, unexpected privilege accumulation, or recovery breakdown only after an incident or control testing cycle, at which point addressing ITGC becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | ITGC supports identity proofing, access administration, and control evidence for systems. |
| NIST CSF 2.0 | PR.DS-01 | ITGC affects how secrets, backups, and sensitive data are protected and restored. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Zero Trust depends on continuously verified access and constrained administrative paths. |
Use ITGC to enforce verified access, bounded privilege, and auditable change paths for NHIs.
Reviewed and updated by the NHIMG editorial team on June 2, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org