
Rethinking Identity Governance: The Power of Native Change Detection in SailPoint ISC


Native Change Detection

In today’s hybrid IT landscape, identity governance isn’t just about provisioning access; it’s about knowing when access changes happen outside the system. That’s where SailPoint Identity Security Cloud’s Native Change Detection (‘NCD’) feature steps in, offering a smarter way to monitor and remediate out-of-band changes that could otherwise fly under the radar.

The Problem: Out-of-Band Access Changes

For instance, an administrator adds a user to a privileged Active Directory (‘AD’) group directly through Active Directory Users and Computers (‘ADUC’), bypassing SailPoint’s access request workflows. The change is invisible to SailPoint unless someone manually reconciles it. Multiply that across dozens of systems and hundreds of users, and you’ve got a governance blind spot.

These ‘native’ change modifications made directly in source systems can introduce risk, violate compliance policies, and undermine the principle of least privilege.

The Solution: Native Change Detection

SailPoint Identity Security Cloud (‘ISC’) Native Change Detection isn’t just a monitoring tool but also a governance enforcer. It looks for changes made directly in connected systems and triggers automated workflows to validate, remediate, or certify those changes. This is what makes it so powerful.

  • Change detection during aggregation: NCD identifies changes during aggregation by comparing the account information already stored in ISC with the latest information pulled from the source during that aggregation
  • Event-driven architecture: NCD uses triggers to initiate workflows based on specific changes to the user account, such as:
    • Native Change – Account Created
    • Native Change – Account Updated
    • Native Change – Account Deleted
  • Audit Events and History: Each NCD event is logged and can be queried under search and access history. Below are the events that will be logged in SailPoint ISC which can be used for generating reports:
    • Create Native Change Detected
    • Update Native Change Detected
    • Delete Native Change Detected

How It Fits into Your Identity Strategy

Native Change Detection is a strategic layer that complements SailPoint’s Lifecycle Management (‘LCM’) and access certification modules. It helps organizations:

  • Maintain audit integrity by ensuring all access changes are visible and accounted for
  • Reduce manual effort by automating access reviews or automatically revoking access that was provisioned outside the IGA system
  • Strengthen compliance posture by enforcing governance even when users or admins act outside the IGA system.

Real-World Use Case

Let’s say your organization uses SailPoint to manage access to Salesforce, and a Salesforce administrator manually assigns a sensitive role to an existing user directly in Salesforce. NCD will detect this ‘native’ change. It can then trigger a workflow, for example, to do one or more of the following activities:

  • Notify the source owner, reporting manager, compliance manager, etc.
  • Launch an access review either to the user’s manager or system owner or compliance manager
  • Log the event for audit purposes.

Beyond Detection: Closing the Loop

Detection is only one part of the governance. SailPoint ISC also allows you to respond intelligently. NCD can, for example, do one or more of the following activities:

  • Notify the system owner or manager of the change, revoke the access, or request justification via access reviews, using custom workflows
  • Push such events to your SIEM tools or ticketing systems, or generate email alerts, using integration hooks

Implementation Best Practices

Now that we have covered the capabilities of NCD, let’s discuss some of the implementation best practices we have identified through our experience of implementing NCD for our clients.

  1. Define Clear Monitoring Scope
    • For the initial phase of an NCD implementation, select business-critical applications rather than every enterprise application
    • Select critical attributes to monitor such as group memberships and roles
    • Avoid monitoring every attribute to reduce noise and system load
    • Focus on attributes that pose security or compliance risks when changed out-of-band
  2. Use Event Triggers Strategically
    • Leverage the Native Change Detected event trigger to launch workflows
    • Configure triggers to differentiate between added and removed access
    • Use filters to target specific groups or entitlements rather than blanket monitoring
  3. Automate Governance with Workflows
    • For correlated accounts, trigger access reviews that notify managers or compliance managers to validate or remediate the changes
    • For uncorrelated accounts, route the changes to source owners or compliance managers to validate or remediate them
  4. Audit and Report Native Changes
    • Maintain logs of detected changes for audit and compliance
    • Generate reports with custom scripts or external tools to capture which account got changed, what was changed, and when
    • Use these insights to refine policies and detect patterns of risky behaviour
  5. Avoid False Positives
    • Be cautious with attributes that ISC itself modifies (e.g., the suspended status in Google Workspace/GSuite), as changes to these will trigger NCD unnecessarily
    • Instead of deleting the account on a “Disable” operation using connector rules, use a BeforeProvisioning rule to change the “Disable” operation to a “Delete” operation, so that the deletion is made through ISC and does not raise false-positive “Delete Account Native Change” events
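To make the detection and triage logic above concrete, here is a small Python model of what NCD does during aggregation and how the best practices under points 1 to 3 shape it. It is an added illustration written for this page, not SailPoint’s own code or API: it compares a stored account snapshot with freshly aggregated data, restricts the comparison to a monitored attribute scope, emits the three ISC audit event names, distinguishes added from removed entitlements, and routes correlated and uncorrelated accounts to different review workflows. The account records, the `MONITORED_ATTRIBUTES` and `WATCHED_ENTITLEMENTS` sets, and the workflow names are constructed assumptions.

```python
"""Illustrative model of Native Change Detection diffing (not SailPoint ISC code)."""
from dataclasses import dataclass

# Assumption (best practice 1): only group and role membership are monitored,
# so noise from attributes such as descriptions is ignored.
MONITORED_ATTRIBUTES = ("groups", "roles")

# Assumption (best practice 2): only additions of these entitlements launch a
# workflow; every other change is still logged for audit.
WATCHED_ENTITLEMENTS = {"Domain Admins", "Salesforce:System Administrator"}


@dataclass(frozen=True)
class NativeChangeEvent:
    event_type: str        # one of the three ISC audit event names on this page
    account_id: str
    correlated: bool       # True when the account is linked to an identity
    attribute: str = ""    # populated for update events only
    added: tuple = ()
    removed: tuple = ()


def detect_native_changes(stored, aggregated, monitored=MONITORED_ATTRIBUTES):
    """Compare the snapshot ISC already holds with freshly aggregated accounts.

    Both arguments map account id -> account dict, e.g.
    {"identity": "jdoe" or None, "groups": [...], "roles": [...]}.
    """
    events = []
    for acct_id, new in aggregated.items():
        old = stored.get(acct_id)
        if old is None:  # present in the source but unknown to ISC
            events.append(NativeChangeEvent("Create Native Change Detected",
                                            acct_id, new.get("identity") is not None))
            continue
        for attr in monitored:  # unmonitored attributes never produce an event
            old_vals, new_vals = set(old.get(attr, ())), set(new.get(attr, ()))
            added = tuple(sorted(new_vals - old_vals))
            removed = tuple(sorted(old_vals - new_vals))
            if added or removed:
                events.append(NativeChangeEvent("Update Native Change Detected",
                                                acct_id, new.get("identity") is not None,
                                                attr, added, removed))
    for acct_id, old in stored.items():
        if acct_id not in aggregated:  # known to ISC but gone from the source
            events.append(NativeChangeEvent("Delete Native Change Detected",
                                            acct_id, old.get("identity") is not None))
    return events


def route_event(event, watched=WATCHED_ENTITLEMENTS):
    """Pick the workflow for a detected change (workflow names are assumptions)."""
    if event.event_type == "Update Native Change Detected" and not (set(event.added) & watched):
        return "log-only"  # removals and unwatched entitlements: audit record only
    # Best practice 3: correlated accounts go to the manager, uncorrelated to the source owner.
    return "manager-access-review" if event.correlated else "source-owner-review"


# Constructed sample data: the snapshot ISC stored after the previous aggregation
# and what the AD connector returned this time.
STORED = {
    "ad-1001": {"identity": "jdoe", "groups": ["Staff"], "roles": [], "description": "Analyst"},
    "ad-1002": {"identity": None, "groups": ["Staff", "Finance"], "roles": []},
    "ad-1003": {"identity": "asmith", "groups": ["Staff"], "roles": []},
}
AGGREGATED = {
    "ad-1001": {"identity": "jdoe", "groups": ["Staff", "Domain Admins"], "roles": [],
                "description": "Senior Analyst"},   # privileged group added via ADUC
    "ad-1002": {"identity": None, "groups": ["Staff"], "roles": []},  # Finance removed
    "ad-1004": {"identity": None, "groups": ["Staff"], "roles": []},  # created natively
    # ad-1003 is missing: deleted natively
}


def run_demo():
    events = detect_native_changes(STORED, AGGREGATED)
    return [(e.event_type, e.account_id, e.added, e.removed, route_event(e)) for e in events]


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

Running the demo yields four events: an update for ad-1001 (Domain Admins added, routed to a manager access review), an update for ad-1002 (Finance removed, log-only), a create for the uncorrelated ad-1004 (routed to the source owner) and a delete for ad-1003; the description change on ad-1001 produces nothing because it is outside the monitored scope.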

Conclusion

In a world of increasing insider threats, regulatory scrutiny, and decentralized IT, visibility is non-negotiable. Native Change Detection gives security teams the confidence that no access change goes unnoticed, even when it happens outside the expected channels.

Native Change Detection isn’t just a feature; it reflects a commitment to adaptive, intelligent identity governance that keeps pace with the real-world behaviour of users and admins. If your organization is serious about closing the loop on access control, NCD is a must-have in your identity toolbox.
