
ITGC access control

By NHI Mgmt Group Updated July 5, 2026 Domain: Governance, Ownership & Risk

An IT general control that governs who can access systems, data, and functions, and how that access is approved, reviewed, and removed. In audit terms, it must be demonstrable through evidence, not asserted through policy language alone.

Expanded Definition

ITGC access control is the audit-focused set of controls that governs how access to systems, data, and functions is requested, approved, provisioned, reviewed, and removed. In practice, it sits at the intersection of identity governance, privileged access management, and evidence-based compliance. For NHI programs, the same control logic applies to service accounts, API keys, automation tokens, and certificates, not just employee accounts.

Vendors differ on how broad the control boundary should be, and no single standard fixes it yet. A practical reading is that access control is only “working” when an auditor can trace who approved access, what entitlement was granted, when it was last reviewed, and how removal was verified. That makes it closely related to the expectations described in the OWASP Non-Human Identity Top 10 and the lifecycle evidence discussed in Ultimate Guide to NHIs.

The most common misapplication is treating a policy or role matrix as proof of control when the underlying access approvals, reviews, and revocations are not backed by system records.

Examples and Use Cases

Implementing ITGC access control rigorously often introduces operational overhead, requiring organisations to weigh auditability and least privilege against speed of provisioning and business continuity.

  • Quarterly user and service-account access recertification for financial systems, with signed evidence retained for audit sampling.
  • Joiner, mover, leaver workflows that remove entitlements immediately when a human role changes or a non-human workload is retired.
  • Privileged access approvals for production databases, backed by ticket history, reviewer identity, and time-bounded access records.
  • Service account governance that aligns with the lifecycle and offboarding patterns described in the Ultimate Guide to NHIs — Key Challenges and Risks.
  • Token and API key issuance controls that require documented business justification, then map the entitlement to PCI DSS v4.0 review expectations where payment data is in scope.

For identity-heavy environments, access control also includes evidence that excessive entitlements were removed after testing, contractor onboarding ended, or an integration was decommissioned. The control is strongest when the approval chain, entitlement scope, and removal proof all live in systems that can be reconciled during audit.
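As an added illustration (not the page's or NHIMG's own tooling), the reconciliation an auditor performs can be expressed as a check: it joins a constructed NHI inventory against hypothetical approval, recertification, and revocation records and reports identities that lack approval evidence, outlived their approved window, are overdue for review, or were retired without removal proof. All identifiers, tickets, names, and dates below are constructed.

```python
from datetime import date, timedelta

# Constructed sample records (hypothetical, not NHIMG data), each mimicking an export from
# one of the four systems an auditor reconciles: inventory, ticketing, recertification, revocation log.
INVENTORY = [
    {"id": "svc-payments-db", "kind": "service", "entitlement": "prod-db:admin", "active": True},
    {"id": "api-key-ci-deploy", "kind": "token", "entitlement": "k8s:deploy", "active": True},
    {"id": "svc-legacy-export", "kind": "service", "entitlement": "s3:read", "active": True},
    {"id": "svc-old-batch", "kind": "service", "entitlement": "erp:write", "active": False},
]
APPROVALS = [  # ticket-backed grants; 'expires' is the time bound on privileged access
    {"id": "svc-payments-db", "ticket": "CHG-1001", "approver": "alice", "expires": date(2026, 6, 30)},
    {"id": "api-key-ci-deploy", "ticket": "CHG-1002", "approver": "bob", "expires": None},
]
REVIEWS = [  # recertification evidence: who attested, and when
    {"id": "svc-payments-db", "reviewer": "carol", "date": date(2026, 5, 1)},
    {"id": "api-key-ci-deploy", "reviewer": "carol", "date": date(2025, 12, 1)},
]
REMOVALS = [  # revocation evidence for retired workloads
    {"id": "svc-old-batch", "ticket": "CHG-0990", "verified_by": "dave", "date": date(2026, 3, 3)},
]
WORKLOAD_RETIRED = {"svc-legacy-export", "svc-old-batch"}  # hypothetical CMDB decommission list
AS_OF = date(2026, 7, 5)  # audit date (hypothetical)

def reconcile(inventory, approvals, reviews, removals, retired, as_of, review_days=90):
    """Return audit findings as sorted (identity, finding) tuples; an empty list means clean."""
    approval_by_id = {a["id"]: a for a in approvals}
    latest_review = {}  # most recent recertification date per identity
    for r in reviews:
        if r["id"] not in latest_review or r["date"] > latest_review[r["id"]]:
            latest_review[r["id"]] = r["date"]
    removed = {r["id"] for r in removals}
    findings = []
    for ident in inventory:
        i = ident["id"]
        if ident["active"]:
            appr = approval_by_id.get(i)
            if appr is None:  # entitlement exists but no approval chain can be traced
                findings.append((i, "no approval evidence for " + ident["entitlement"]))
            elif appr["expires"] and appr["expires"] < as_of:  # access outlived its approved window
                findings.append((i, "access persisted past approved expiry " + appr["expires"].isoformat()))
            last = latest_review.get(i)
            if last is None or (as_of - last) > timedelta(days=review_days):
                findings.append((i, "recertification overdue"))
            if i in retired:  # workload gone, credential still live
                findings.append((i, "workload retired but identity still active"))
        elif i in retired and i not in removed:  # disabled, but nothing proves who removed it
            findings.append((i, "retired with no removal evidence"))
    return sorted(findings)
```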

Why It Matters in NHI Security

Access control failures are especially dangerous in NHI environments because service accounts and machine credentials tend to accumulate access faster than people notice. NHIMG research shows that 97% of NHIs carry excessive privileges, 73% of vaults are misconfigured, and only 5.7% of organisations have full visibility into their service accounts, which means a weak control can scale into broad, silent exposure. The evidence burden is therefore not just compliance theatre; it is a way to detect privilege creep before it becomes a breach.

In practice, ITGC access control helps prove that privileged access did not persist longer than intended and that dormant accounts were not left behind after system changes. It also supports Zero Trust assumptions by forcing continuous verification rather than one-time trust. When NHI access is not governed this way, secrets often remain valid long after teams believe they are disabled, creating a control gap that can be exploited through forgotten integrations or orphaned automations.

Organisations typically encounter the consequence only after a failed audit, insider misuse, or compromise of a service account, at which point addressing ITGC access control becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Covers NHI access governance, entitlement scope, and privilege creep risk.
OWASP Non-Human Identity Top 10 | NHI-02 | Directly addresses secret exposure, a common outcome of weak access control.
NIST CSF 2.0 | PR.AC-4 | Least-privilege access control is central to protecting identities and assets.

Inventory all non-human identities, then verify access approvals, reviews, and removals with audit-grade evidence.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 5, 2026.