.avif)
The Future of Identity Governance is Employee-Centric. Here's Why.
Poor access management practices are one of the most significant security risks facing any IT team. In fact, a recent Verizon report found that 43% of breaches are performed via applications as an entry point—underscoring how traditional access management paradigms are no longer cutting it.
Today, teams are hybrid, spanning multiple networks and devices. Most companies rely on an exploding SaaS and now also AI stack—each tool expanding the attack surface. AI agents are starting to request access alongside human users—non-human identities, but they are still introduced by: humans! And all of this is happening as regulations like NIS2, the EU AI act and DORA demand more transparency, stricter controls, and faster incident response. Shifting toward an employee-centric access management model is not only a scalable and secure solution for today's workforce, but it is mission critical if you expect to reduce access-related risk, shrink your attack surface or cut down the operational overhead that comes with manual access management—to finally tackle the problem where it arises.
Every IT & Security team we interact with is experiencing the same challenge: Teams often don't comply with their governance and don't stick to the process. Employees don't care about access tickets (and why should they), they just create access. Employees are doing this not because they are malicious, but because they are busy. Therefore, employees need an identity governance process that makes it easy, helps them understand why it matters, and implements solutions that bring them value.
So let's dive into employee-centric access controls and see why this strategy has become the gold standard for so many teams—and how AI can help shape an employee-friendly approach.
Employee-Centricity and RBAC are NOT Mutually Exclusive
It’s easy to think of the “black and white” Role Based Access Controls (RBAC) and Employee-Centric Access Controls (ECAC) as being mutually exclusive.
Think of RBAC as a building’s default floor plan (who can go where) and employee-centric controls as personalized keycards that can be updated based on evolving needs without rebuilding the whole structure.
Here’s how to properly combine the two for the best possible outcomes (as we know it today):
1. Use RBAC as a Foundation and Keep IT in Ultimately Charge:
- Create well-defined roles that match your organizational structure (e.g., Sales Rep, Finance Lead).
- Assign permissions conservatively (principle of least privilege).
- Extra for your employees: It’s good for them too if there is a clear cut and everyone knows what team gets what access!
2. Allow Scoped Exceptions or Extensions to Serve Employee Needs:
- Layer attribute-based or task-based access on top of roles.
- Example: An SEO Analyst (within “Marketing” role) may get temporary or project-based access to a PPC dashboard if they're covering during PTO.
3. Enable Self-Service:
- Based on the birthright role-based access (again: which is a great start for new employees, see above), enable every employee to request additional access in an easy-to-follow and intuitive (!!!) manner.
4. Monitor and Adapt:
- Use workflows that notify IT/security for review, logging everything for audit. Things need to be kept in order and tracked for audits such as ISO 27001 compliance—so central teams don’t have to chase people in order to find out who has access to what.
- Use tools like dynamic access reviews to remove stale or excessive permissions.
In other words: Employee-centric access controls are an adaptive approach to identity governance in which access rights are granted, monitored, and revoked based on a holistic view of the employee—their current role, responsibilities, context, behavior patterns, and risk level at any given moment. And in a manner that makes it easy for people to contribute to identity governance as a shared responsibility. AI will massively help simplify these processes—and that’s almost a paradox: AI is making the problem worse (more access!), but it’s also helping to bring access under control.
Speaking of distributed responsibility: One of the key underlying aspects of employee-centric access controls is the concept of decentralization. Recently, we spoke with Siebert Timmermans, an Information Security Officer & Advisor who works with startups and scaleups to help them implement better security practices. He told us:
"One of the worst things you can do from a risk and time perspective is having one or two super admins in every single tool; they have to manage all configuration and access controls for everyone in the company. If you do this, you're setting yourself up for failure. . .a better way is to decentralize it; having the people who actually work with these tools day in and day out treat them in a responsible manner. They are responsible for configuring and maintaining the tool, for giving access, changing access, managing privileges, etc. Clarify what the responsibilities and expectations are and hold them accountable." -Siebert Timmermans, Information Security Officer & Advisor
And he's completely right. So many other aspects of a business' operations are decentralized, so why should the full onus of identity governance fall solely on your IT team? The crux is, every owner needs to contribute to Identity Governance and Administration (IGA) and the process. Rather than one IT team owning all tools, issues, troubleshooting, and adoption processes, each power user or app "champion" in a department should be able to handle day-to-day issues while the IT department manages and oversees overall security infrastructure to mitigate risk and create a team-based model. We are saying it again: IGA is a shared responsibility.
We see this model in a number of other business functions as well:
- Content production/social media: Rather than one team creating and approving all content across locations and departments, local teams should instead create their own content that's tailored to their specific audience, while adhering to pre-approved templates and branding guidelines. The marketing team comes in to ensure everything is compliant with overall principles and on-brand (just like: RBAC). This makes the content more authentic and aligns with local trends while ensuring company wide processes are adhered to.
- Budget management: If one finance department acts as the decisionmaker for each team, needs often get overlooked or improperly prioritized. But when department leads are empowered to manage their own budgets (with general oversight from the finance team), it allows for quicker and more effective decisionmaking based on deeper understanding of their teams' needs.
- Customer Relationship Management: Decentralized CRM teams facilitate stronger client relationships. It empowers each rep to manage their clients based on actual interactions, rather than theoretical guidance from the top. Again, a centralized team should be empowered to oversee and ensure processes are adhered to.
Implementation: What to Consider Before Rolling It Out
1. Align Stakeholders Across Departments
- Management must (!) make identity governance and administration a top priority organization-wide and clearly communicate the imperative nature of everyone to stick to the process—ideally this starts with CEO messaging WHY this matters
- Engage IT, InfoSec, HR, Compliance, and business unit leaders early and regularly
- Clarify roles in policy creation, access approvals, and recertification
- Identify and assign data owners/system owners in a distributed manner
2. Assess Current State of Identity & Access
- Process:
- Audit existing access control methods (RBAC, manual provisioning, AD groups, etc.)
- Map out identity lifecycle stages and current automation gaps
- Existing access:
- Identify where privilege creep or orphaned accounts currently exist
- Inventory specifically critical applications, systems, and data that need governance
3. Define Governance Policies And Processes
- The ultimate goal is to implement a process that is clear to users, gives freedom to them (while being clear about their obligations to stick to the process), and that orchestrates IGA in a distributed manner in which IT & Security oversee rather than doing everything themselves
- Map triggers for role-based onboarding, role change, leave of absence, and offboarding (JMLs!)
- Automate provisioning/deprovisioning based on role, location, contract status
- Set rules and workflows for temporary or just-in-time access
4. Choose the Right IGA Platform or Stack
- Chose a platform that can automate your key processes, allows your to consolidate all access data—and, guess what: That is not only great for IT & Security teams, but also easy to use for your entire organisation
- Otherwise you’ll find yourself back to square one—people will ignore your system
5. Establish Monitoring, Reporting & Auditing
- Ensure real-time monitoring of user activity and contextual anomalies
- Prepare audit-ready reports for GDPR and DORA inspections
6. Pilot and Test Before Full Rollout
- Run a controlled pilot with a test group
7. Train Users and Communicate Clearly
- Educate managers on your new process
- Create end-user guides for your new self-service process
8. Plan for Continuous Improvement
- Schedule periodic reviews of your entire process
Not sure where to start? Cakewalk has you covered…
Cakewalk Helps Future-Proof Your Identity Strategy
Traditional IGA models can't keep up with global teams, hybrid environments, and the increase in contractual labor. Ever-tightening regulations require companies not just to be reactive in a very short timeframe, but also to implement more proactive measures. As your company continues to evolve and adopt new platforms, your IGA strategies have to keep pace without holding back your potential to scale quickly.
Cakewalk provides the ability to consolidate all access, apps and AI agents, fully automate workflows, and get guidance based on insights. We enable your teams while reducing your attack surface all while ensuring you're complying with incoming cybersecurity regulations.
Book a demo to find out how Cakewalk can improve your IGA process.
