The SafePodcast

Why Organizations Can't Scale: The Hidden Governance Maturity Crisis

Jamie Teilmann

Jamie Teilmann

Welcome to the SafePodcast. If your AI or digital initiatives keep stalling, the real problem probably isn't the technology. It's the foundation they're built on. Weak identity controls, unclear ownership and messy data access are quietly slowing everything down and multiplying risk. I'm your host, Jamie Teilmann, and today I'm joined by SafePass CEO Adele Khan and transformation leader Darrell Pace. We're digging into the hidden governance maturity crisis that's breaking progress from the inside, and what it takes to fix it before AI simply intensifies the issue. Adele, Darrell, welcome to the show. I'm really excited to talk about this issue with you both.

Adele Khan

Thanks, Jamie. Great to be here.

Darrell Pace

Thanks for having me, Jamie. Really looking forward to this conversation.

Jamie Teilmann

Thanks, Darrell. Me too. Let's start with the question we hear leadership asking most often: why can't we move faster? You've both worked with some of the world's largest enterprises on governance and digital transformation. When you hear that question, what do you actually see as the real blockers to velocity?

Darrell Pace

What I see over and over is that it's rarely one big, obvious blocker. It's a combination of existing infrastructure, long approval chains and layers of legacy governance that were never simplified before people started talking about going faster. You've got technical debt from systems that have been around for 10 or 20 years. Every time you touch them, you have to preserve old controls, evidence and reports because auditors and regulators still rely on them. So instead of building for the new world, teams spend most of their time maintaining the old one. That creates a huge amount of inertia. On top of that, the approval processes and governance structures that made sense when changes were slow just don't work the same way when you're deploying new services every week. By the time something is approved, the business has moved on.

Jamie Teilmann

It sounds like there's a go-faster ambition sitting on top of a layer of go-slower reality.

Darrell Pace

Exactly. The messaging is: we want to be agile, we want to leverage AI, we want to modernize. But the underlying machinery is still geared towards quarterly releases and paper-based evidence. That tension is what people are really feeling when they say we can't move fast enough.

Jamie Teilmann

So what does it look like when organizations try to push through that and accelerate without first fixing the governance foundation? What tends to go wrong?

Darrell Pace

It gets very murky very quickly. You end up with overlapping tools, duplicated reports, and people unsure which process is the source of truth. Teams rush to implement new platforms or automation and take shortcuts in processes and control designs because the deadline matters more in the moment. Something important gets broken: a reconciliation, an approval path, a report the auditors depend on. And there's a risk side to this. When you move ahead without tightening governance, you often end up unintentionally exposing sensitive data. Access models aren't thorough enough, temporary roles never get cleaned up, and suddenly people or bots can see far more than they should. You move fast, but you break controls rather than just code.

Jamie Teilmann

Adele, from your vantage point, how often is the blocker really the technology, and how often is it basic ownership, lifecycle controls, and good identity data?

Adele Khan

Honestly, Jamie, in our client engagements, technology is the least of the problems. The modern platforms are incredibly capable. The real friction comes from missing foundations. Typically we see that there's no clear RACI, no agreement on who owns the process, the controls within that process, who approves access and who maintains the roles. In the model of your roles repository, the identity lifecycle is implemented in bits and pieces. Joiners are handled one way, movers are handled differently, maybe manually, and that leaves the leavers, for example, handled through email or some other process, hoping that someone remembers to remove their access. And the data you're trying to govern is spread across multiple directories and applications that don't quite line up. So when leadership says go faster, IT and security teams know that every new initiative will collide with these realities. They can deliver the technology, but each project creates a new pile of exceptions, manual work and workarounds for access and controls to key identities. And that's why it feels like you're pushing against a wall.

Jamie Teilmann

So what I hear you saying is that it's not your cloud or your AI platform that's slow. It's your governance foundation that isn't ready to support the speed you're asking for.

Adele Khan

Speed on top of a weak foundation equals risk and rework. Speed on top of a strong identity and governance foundation is where you actually get the benefit.

Jamie Teilmann

Great. Gentlemen, let's talk about readiness, because I think a lot of people listening are maybe wondering: are we one of the organizations you're describing? What are the basic questions organizations should be able to answer about identity and access, and how many can actually answer them confidently?

Darrell Pace

At a minimum you should be able to answer a handful of simple questions. What data are we dealing with? Who generally needs access to that data to do their job? What level of access do they need: is it view, update, approve, create? Who owns that data or that process, and who approves the access people currently have? When we go into organizations, we usually find that they can answer one or two of those for a few core systems, but they can't answer them consistently across the landscape. That's where you see temporary roles that become permanent, access that was added for a project and never removed, and combinations of access that nobody can fully explain anymore.

Jamie Teilmann

We know that roles and responsibilities are often fuzzy or not very clear. How does that show up when you're implementing something like a new cloud ERP or a big SaaS platform, Darrell?

Darrell Pace

Honestly, it shows up as rework. At the start of a transformation, there's usually a nice high-level role model on a slide somewhere: AP clerk, procurement manager, controller. It looks clean, but when you get into the actual configuration of the new system, down to the task and privilege level, you realize that those labels hide a lot of variation. Two business users may use the same term, AP clerk, very differently. Over the years, the role may have collected extra access to work around process gaps. So what happens is you hit the build phase and suddenly you're redesigning roles from scratch, debating who should own approvals, trying to fix segregation of duties issues you didn't know existed. That's when projects start slipping. And to keep dates, people sometimes over-permission just to avoid blocking users, which is exactly what you don't want to do.

Jamie Teilmann

Adele, lifecycle control gaps keep coming up as a recurring theme: provisioning without deprovisioning, access without recertification. Why do these gaps persist, and what's the real risk when they're ignored?

Adele Khan

Yeah, absolutely. Great question, and we hear this a lot. I can think of a few root causes. First, it's basically under-investment, sort of what Darrell alluded to earlier. Role design, identity administration and governance are seen as back-office work. They don't get the same attention as new, shiny, revenue-generating projects, so they're always slightly under-resourced. Second, it's technical debt. Most organizations we work with still rely on a handful, or maybe more than a handful, of older legacy applications that don't really integrate easily into the modern identity platforms they have acquired as part of their transformation. So what we see is they end up with point solutions, manual uploads through spreadsheets, and a lot of exceptions to the processes that have been documented. In terms of controls design for identity governance, adding users may be semi-automated, but adjusting or removing access, for example down to the privilege level, is often done manually and is often inconsistent. A third point I'd like to make here is that organizations are complex. Any organization with more than 500 employees that we've gone into has been through some iterations of mergers, acquisitions, and regional localization variations that exist because of a global footprint. All of that creates different ways of doing the same thing, and over time it becomes incredibly hard to standardize. The risk is straightforward: orphaned accounts, people keeping access long after they've changed roles or left the company, and weak evidence when auditors ask you to demonstrate who can do what in a critical system. And when you start layering AI on top of this, these gaps just become difficult, if not impossible, to manage.

Jamie Teilmann

I really liked the way you explained how customers come to us with different ways of doing things in different business units. So I'd like to ask: when you talk to a customer, is there a quick test you can use to assess their governance maturity?

Adele Khan

Yeah. We often open up the initial discovery calls, as we call them, by picking one or two mission-critical applications, for example their core ERP system or customer relationship management system. Then I ask a few key questions just to assess their maturity. For example, we may ask: can you show us a list of everyone who has access, what type of access, and when that access was last formally reviewed? These are common questions that any mature organization has to deal with in their audits, and so it gives us an idea of where they are at in their maturity level. We would also ask: can you show me who owns that review process and what policies it's based on? That often tells us whether it is structured, informal or optimized, so we can help the customer move from where they are to the next level. And it does take multiple teams several days to put it all together at a sizable organization, and that's a strong signal that governance maturity is low. If they can produce that straight away with the click of a button, then obviously they are optimized. So we're able to judge their maturity. Another key indicator is who owns the role model. If the answer is vague, like "IT keeps making changes and they kind of own it, but we have to tell them", or "there's a committee, but it hasn't met for a while", there's a gap between policy and reality, which becomes very evident and helps us diagnose the current state and guide the client towards a future state.

Jamie Teilmann

Great insight there. So let's shift to what good looks like. We've talked about the challenges. When you talk about governance maturity, what foundational components have to be in place before you can safely scale?

Adele Khan

Yeah. For me it starts with clean, well-structured identity data, which is more of a dream than a reality, to be frank. If your identity data is messy, which in most cases it is, you'll see duplicate accounts, inconsistency in department codes and company codes, roles that mean different things in different regions. Anything you build on top of that is going to be brittle and highly risky. Next, you need clear scoping and boundaries around a governance process like the one we just talked about: which systems are in scope for governance, which processes are covered, what are you actually measuring, and what are you enforcing. Vagueness here leads to gaps. Then you need well-defined roles that map to real work. For example, job roles should describe what someone does, not just what system they log into, which are technical roles. And for each of those roles, there should be clear ownership: who owns the process, who owns the data, and who owns the access policy. When these pieces are in place, governance stops being a document on the shelf. It becomes embedded in how you provision across your environments, how access is approved, and how the controls are measured.

Jamie Teilmann

And where does identity governance fit into that picture? How do platforms like SafePass become the control layer that makes everything else possible?

Adele Khan

Yeah, that's a key point. Identity governance is essentially that control layer that operationalizes everything I just talked about. A platform like ours, SafePass, enforces the basic controls of good access management that have been adopted by many of our client organizations. So, for example, the joiner-mover-leaver process, the segregation of duties process, and the various certifications of identities are done consistently and are automated. Instead of relying on spreadsheets and emails and people's memories and extraction tools, you have defined policies that the system enforces, so it's consistent from the point it's designed to the place where it operates. For example, when someone changes role, the system can automatically remove access they no longer need and trigger an approval for the new access they're requesting. Segregation of duties rules can prevent toxic combinations of access from ever being granted in the first place. And access certification can be run periodically or event-driven, with proper evidence captured rather than an ad hoc email approval, to ensure that the roles that are actively assigned, and the privileges within those roles, are always in compliance with your access policies. We've also learned that the dream of one central tool that does everything for every system doesn't really match today's reality. It's been a dream for 20 years and we just haven't seen it, because organizations have decades of legacy data. So we focus a lot on orchestration, which is more federated: integrating with tools that are already working, like IT service management systems. Often clients will have that as part of their total solution for access management, provisioning, requests, et cetera. In some cases it's the HR systems and the directories: ADFS in the old days, or Azure AD, Okta or Entra ID, some of these more modern systems. That way you get the governance outcome without ripping and replacing your entire technology stack, which is just impractical for many organizations.

Jamie Teilmann

Darrell, from a transformation leader's perspective, what's the difference between projects where this framework exists before the project versus where you're trying to retrofit things mid-flight?

Darrell Pace

Oh my, the difference is definitely night and day. When the framework exists up front, decision-making is faster. There's a shared understanding of what good access looks like and who gets to decide. Role design workshops build on a model that people already know, and governance questions are answered quickly because ownership is clear. When you have to retrofit mid-flight, you're effectively running two projects at the same time: delivering the new platform and inventing governance as you go. That means revisiting decisions, retesting controls, and often redoing large chunks of work when someone discovers a risk late in the game. It's not just slower, it's more expensive, and it puts teams in impossible situations where they have to choose between hitting a go-live date and upholding a control standard. That's when you see compromises that come back to haunt you.

Jamie Teilmann

I want to shift to what's coming next, because AI is the backdrop for a lot of these conversations. Organizations are rolling out AI agents, copilots, and automation at scale. How does this change the identity governance challenge, or challenges?

Darrell Pace

It completely changes the scale and the nature of the challenge. First, the number of identities you need to manage is exploding, and many of them are no longer people. You've got service accounts, integration users, bots, and now AI agents that can act on behalf of users across multiple systems. Second, the intent behind those agents isn't always clear or static. People experiment. They connect agents to new data sources, change prompts, wire up new workflows. So you've got entities in your environment that can move quickly and do powerful things, but their job description isn't as stable as a traditional role. If you try to govern all of that with the same mindset you use for human users, just assigning a role in a single application, you'll miss the big picture. You need to know what data those agents can touch, what actions they can perform, how you monitor their behavior, and how you revoke or adjust their actions when their purpose changes.

Jamie Teilmann

So you made a strong point earlier that if you can't govern human identities effectively, you're not ready for machine identities. Can you expand on that a little?

Darrell Pace

Sure. If you're already struggling to answer who has access to what and why for employees and contractors, layering AI on top of that is like pouring gasoline on a fire. Those agents will inherit all the existing role and data issues and then amplify them, because they can operate at speed and scale around the clock. If your human identities are over-permissioned, your AI agents will be over-permissioned. Without a strong foundation for human identities, clear ownership, lifecycle controls, clear roles, regular reviews, you have no credible way to explain to an auditor, a regulator, or just your own board what these agents are doing with sensitive data. So getting the human side right isn't a nice-to-have. It's a prerequisite for safe AI adoption.

Jamie Teilmann

Adele, what are you seeing in the field when AI projects collide with immature governance? Are there any examples, without naming names, that illustrate the risk for us?

Adele Khan

Yeah, Jamie, we're seeing a consistent pattern here, so I'll share a couple of examples. Let's say a business unit wants to move quickly with an AI assistant. There's pressure from the executive office, from the board. Maybe something can be summarized, for example financial data that is really critical for our clients, who tend to be publicly listed and have disclosure requirements, 10-Ks, 10-Qs. So a quick AI solution would help them answer these types of questions for investor relations, for customer queries, and even automate some of the approvals on the financial management side of the house. To get going, they give the AI broad access, and they give it all the service accounts and privileges that are needed to take the modern AI agent platforms and enable them in the financial system, because that's the easiest way to demonstrate value to senior stakeholders and management in the proof of concept. It all looks great. It's fast, it's impressive, great charts and screens and great insight, and it saves time; you can see that. But under the hood, you now have an agent that can see far more than it should, and no one has really thought through how its actions are logged, I would even say what its intent is, who reviews them, and how you would take that access away if something changed. The wake-up moment often comes when someone asks a simple question like: exactly which AI identities can access this highly sensitive financial data? If the answer is "we're not sure", that's a governance failure in my mind. Our goal is to help organizations avoid that moment by putting identity governance in front of AI deployments, not behind them.

Jamie Teilmann

So for organizations listening and maybe thinking this sounds a little too close for comfort, where should they start? What are the building blocks to get governance maturity right before the next wave hits? Darrell?

Darrell Pace

I'd definitely say they should start with clarity, not necessarily technology. Get the right people in the room, the business owners, IT, security, compliance, and agree on ownership and a RACI. Who owns critical processes? Who can approve access? Who is accountable for role models and policies? Then do the hard work of understanding your data and access patterns. Which roles actually need which capabilities to do their jobs? Where are the high-risk areas? That often means running focused workshops before you launch a big transformation project, instead of trying to do it in parallel with everything else. If you skip that and go straight into system configuration, you're effectively designing your governance while you're building the plane. That's why we see transformations get off track.

Adele Khan

Great point, Darrell. I'd just add to what you said that once you've got that clarity, focus on strengthening lifecycle controls for human identities as well. Make sure that joiner, mover and leaver processes are clearly defined and actually implemented. Automate what you can, especially around removals and those sensitive role changes that can impact the financial results and other risks in the organization, operational risks in the organization. Make sure you're capturing defensible evidence: who approved access, when, and based on what policy. When that pattern is working for people, extend it to non-human identities as well. Treat service accounts, integration users, and AI agents as first-class identities that go through their own lifecycle and review process, not just technical details that sit in a configuration file in a back office. The organizations that do this well don't try to boil the ocean. In my experience with massive centralized programs, it can take years. So our suggestion would be to pick a few critical domains, build solid patterns, and then replicate those patterns across the rest of the landscape.

Jamie Teilmann

Darrell, if you could leave leaders with one takeaway about governance and scale, what would it be?

Darrell Pace

One takeaway. I'd say don't mistake speed for progress. If your governance foundations aren't there, moving faster just gets you to risk and rework sooner. Spend the time to get clarity and ownership right. It feels slow, but it's the only way to make transformation sustainable.

Adele Khan

And my takeaway would be that governance is not a tax on innovation. It's really an enabler of innovation. When you treat identity and access governance as a strategic capability rather than a compliance checkbox, you create the right conditions to move faster with confidence, rather than constantly worrying about what you might have broken in the process.

Jamie Teilmann

Adele, Darrell, this has been a very insightful conversation. You've made it clear that the real barrier to scaling digital and AI initiatives isn't the platform or the model. It's whether organizations have done the really hard work behind the scenes on identity, access and their governance foundations. And for everyone listening, if you're experiencing project delays, last-minute surprises on your audits, or anxiety about rolling out AI agents, that's not just how it is. It's a signal that your governance maturity needs attention. Stepping back to strengthen lifecycle controls, clarify ownership, and improve your identity data is what turns speed into sustainable scale instead of unmanaged risk. If you'd like to learn more about how SafePass helps organizations build those foundations across both human and non-human identities, visit safepass.com. Or you can check out Darrell's LinkedIn.