
Identity Governance and Administration (IGA): The Complete Buyer's Guide

Sources: Gartner Magic Quadrant for Identity Governance and Administration 2025 | KuppingerCole IGA Leadership Compass 2025 | SailPoint IdentityIQ Documentation | NIST SP 800-53 AC-2 Account Management Controls | Forrester IGA Wave 2025

87% of organizations have users with access rights that exceed their current job requirements.
58% of insider threat incidents involve access that was never revoked after a role change or departure.
180 days is the average time for manual access review processes to complete a full enterprise access certification.

Every time an employee changes roles, leaves the company, or joins a project, their access should change. In most organizations, access is added quickly and removed slowly, if at all. The result: accounts that have accumulated years of permissions across dozens of applications, creating a sprawling attack surface where any compromised account provides far more access than it should. Identity Governance and Administration (IGA) automates access lifecycle management, enforces least privilege at scale, and provides the audit trail that compliance frameworks require.

What IGA Does

IGA platforms manage the full identity and access lifecycle:

Access request and approval

Self-service portal where users request access to applications and resources. Automated approval workflows route requests to appropriate approvers based on the resource being requested. Replaces email-based access request processes that are slow and leave no audit trail.

Role management

Define business roles (Engineer, Finance Analyst, Customer Support Representative) and the application permissions each role should have. Role mining tools analyze existing access patterns to suggest role definitions based on how access is actually used.

Automated provisioning and deprovisioning

When a new employee joins, IGA provisions accounts across all required applications automatically based on their role. When they leave, IGA deprovisions all accounts in minutes rather than days. Role changes trigger automated access adjustments.

Access certification

Periodic review processes (quarterly, annual) where managers certify that their team members' access is still appropriate. IGA platforms automate the workflow, present reviewers with risk-contextualized access data, and escalate uncertified access for remediation.

Segregation of duties (SoD)

Enforce policies that prevent a single user from having conflicting permissions that could enable fraud (e.g., cannot both create and approve purchase orders). IGA detects SoD violations at access request time and during certification.

Audit and compliance reporting

Generate reports demonstrating who had access to what and when, required by SOX, HIPAA, PCI DSS, and other frameworks. IGA maintains the historical record that manual processes cannot.

IGA vs. IAM vs. PAM

These three identity categories are frequently confused.

IAM (Identity and Access Management) is the authentication and basic authorization layer: your IdP (Okta, Entra ID), directory (Active Directory), and MFA. IAM answers "is this person who they say they are, and do they have a valid account?"

PAM (Privileged Access Management) governs privileged accounts: domain admins, root accounts, service accounts, and administrator credentials. PAM manages credential vaulting, session recording, and just-in-time privileged access.

IGA governs application access at scale: the business roles, approval workflows, certification campaigns, and lifecycle management across all applications.

The three categories are complementary: IGA provisions users into IAM, which authenticates them, and PAM governs the privileged subset of that user population.


Platform Comparison

The IGA market has a clear tier of established platforms:

SailPoint Identity Security Cloud (formerly IdentityNow)

Market leader by installed base. Cloud-native platform with strong AI-driven access recommendations and role mining. Broad connector library covering thousands of applications. Recent migration from IdentityIQ (on-premises) to Identity Security Cloud (SaaS) has introduced some feature gaps for complex on-premises deployments. Best for: large enterprises wanting market-leading capability and extensive connector coverage.

Saviynt Enterprise Identity Cloud

Cloud-native challenger with particularly strong application governance capabilities for SAP, Oracle, and Salesforce. Built-in PAM capabilities reduce the need for a separate PAM tool in some environments. Strong compliance reporting for SOX and healthcare. Best for: organizations with complex ERP access governance requirements or wanting IGA and PAM consolidated.

Omada Identity

European vendor with strong data privacy governance alignment (GDPR) and a clean user experience. Growing North American presence. Strong for mid-market organizations that find enterprise platforms over-complex. Best for: European organizations or mid-market enterprises prioritizing ease of deployment.

One Identity Manager

Highly flexible platform that can model complex governance requirements but requires significant implementation effort and professional services. Strong for organizations with unique access governance requirements that other platforms cannot accommodate out of the box.

Microsoft Entra ID Governance

IGA capabilities built into the Microsoft Entra platform (requires P2 licensing). Access Reviews, Entitlement Management, and Lifecycle Workflows cover the core IGA use cases for Microsoft-centric environments. Lower cost than dedicated IGA platforms; narrower coverage for non-Microsoft applications. Best for: organizations heavily invested in Microsoft 365 wanting IGA without a separate platform.

Access Certification: The Core Use Case

Access certification (also called access review or re-certification) is the most visible IGA capability for compliance teams. The goal: ensure that every user's access is reviewed periodically and that inappropriate access is revoked. Without IGA, certification campaigns use spreadsheets emailed to managers with manual tracking of responses. With IGA: the platform generates a campaign from current access data, presents reviewers with a UI showing each user's access with risk context, routes uncertified or rejected access for automated deprovisioning, and produces an audit-ready report with timestamps and approver decisions. Well-designed certification campaigns focus reviewer attention on high-risk access (privileged applications, sensitive data access, SoD violations) rather than asking managers to certify hundreds of low-risk application permissions per user.

Implementation Considerations

IGA implementations are consistently underestimated in complexity and timeline. Key factors:

Application connector coverage

IGA value depends on connecting all applications the platform will govern. Custom connectors for in-house applications require development effort. Plan connector development as a significant project phase.

Role definition is the hardest problem

Role mining tools analyze existing access patterns, but producing clean, governable role definitions requires significant business stakeholder involvement. Budget 3 to 6 months for role definition alone in complex environments.

Joiner-mover-leaver process redesign

IGA automates provisioning and deprovisioning, but the trigger events (new hire, role change, departure) must come from HR systems (Workday, SAP SuccessFactors) via an authoritative source integration. HR system integration quality determines IGA automation effectiveness.
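The joiner-mover-leaver reconciliation described here and under "Automated provisioning and deprovisioning" above, as an added example that is not code from the original guide or from any IGA vendor. The role model, entitlement names and HR event shape are constructed assumptions; the point it shows is that a mover event must revoke what the old role carried and the new one does not, which is where access accumulation starts.

```python
from typing import Optional

# Constructed role model: business role -> entitlements it should carry.
# Names are illustrative placeholders, not any product's identifiers.
ROLE_ENTITLEMENTS = {
    "Engineer": {"github:read", "github:write", "jira:user", "vpn:standard"},
    "Finance Analyst": {"erp:view_ledger", "erp:create_po", "jira:user", "vpn:standard"},
}

# Birthright access every active identity receives regardless of role.
BIRTHRIGHT = {"email:mailbox", "sso:account"}


def target_access(role: Optional[str]) -> set:
    """Access an identity should hold given its HR-sourced role (None = departed)."""
    if role is None:
        return set()
    return BIRTHRIGHT | ROLE_ENTITLEMENTS[role]


def reconcile(current: set, event: dict) -> dict:
    """Turn one authoritative-source (HR) event into provisioning actions.

    event = {"type": "joiner" | "mover" | "leaver", "role": <new role>}
    (a leaver event needs no role). Returns {"grant": ..., "revoke": ...}.
    Anything held today that the target state does not contain is revoked,
    including ad-hoc grants; a real platform would exempt approved exceptions
    that it tracks separately (assumption: none are modelled here).
    """
    role = None if event["type"] == "leaver" else event["role"]
    desired = target_access(role)
    return {"grant": desired - current, "revoke": current - desired}


if __name__ == "__main__":
    # Walk one identity through the full lifecycle.
    access = set()
    for ev in ({"type": "joiner", "role": "Engineer"},
               {"type": "mover", "role": "Finance Analyst"},
               {"type": "leaver"}):
        actions = reconcile(access, ev)
        access = (access | actions["grant"]) - actions["revoke"]
        print(ev["type"], "grant:", sorted(actions["grant"]), "revoke:", sorted(actions["revoke"]))
```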

Phased deployment

Do not attempt to connect all applications at once. Phase deployment by application criticality: start with your most sensitive applications (financial systems, HR, source code repositories) to achieve high-value governance first.

The bottom line

IGA solves the access accumulation problem that makes every compromised account more dangerous than it should be. The technology works; the challenge is the business process work required to define roles, connect applications, and run certification campaigns in ways that produce meaningful access reduction. Invest in the business process design as much as the platform selection.

Frequently asked questions

How long does an IGA implementation take?

Enterprise IGA implementations typically take 12 to 24 months for full deployment across a large organization. Phase 1 (core infrastructure, HR integration, first application set): 3 to 6 months. Phase 2 (role development and additional applications): 6 to 12 months. Phase 3 (advanced features like role mining, SoD enforcement, and certification automation): 6 to 12 months. Organizations that attempt to go live with all applications simultaneously typically fail. Phased deployment targeting highest-risk applications first is the proven approach.

What is role mining and how accurate is it?

Role mining analyzes existing user access patterns to identify clusters of permissions that are commonly granted together, suggesting these clusters represent business roles. Machine learning-based role mining can identify candidate roles automatically. Accuracy depends on data quality: if existing access is already highly inconsistent (ad-hoc grants, accumulated permissions), role mining produces noise. Most organizations use role mining as a starting point that requires significant human review and refinement rather than as a source of production-ready role definitions.
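A minimal attribute-based role mining pass, as an added example that is not code from the original guide or from any vendor's role mining engine. The user population, department attribute and entitlement names are constructed; the support threshold is an assumption. It shows why inconsistent existing access produces noise: whatever falls below the threshold comes back as outliers for human review rather than as part of the candidate role.

```python
from collections import Counter

# Constructed sample: user -> (department, entitlements held today).
# Illustrative placeholders only, not real application identifiers.
USERS = {
    "u1": ("Finance", {"erp:view_ledger", "erp:create_po", "jira:user"}),
    "u2": ("Finance", {"erp:view_ledger", "erp:create_po", "jira:user", "erp:approve_payment"}),
    "u3": ("Finance", {"erp:view_ledger", "erp:create_po", "jira:user"}),
    "u4": ("Finance", {"erp:view_ledger", "jira:user", "crm:admin"}),
    "u5": ("Support", {"crm:agent", "jira:user"}),
    "u6": ("Support", {"crm:agent", "jira:user", "github:read"}),
}


def mine_roles(users=USERS, support=0.75):
    """Propose one candidate role per department: the entitlements held by at
    least `support` of its members. Entitlements below the threshold are returned
    as outliers (with holder counts) so a reviewer can decide whether they are
    legitimate exceptions or accumulated ad-hoc grants."""
    by_dept = {}
    for dept, ents in users.values():
        by_dept.setdefault(dept, []).append(ents)
    roles = {}
    for dept, member_sets in by_dept.items():
        n = len(member_sets)
        counts = Counter(e for ents in member_sets for e in ents)
        core = {e for e, c in counts.items() if c / n >= support}
        outliers = {e: c for e, c in counts.items() if e not in core}
        roles[dept] = {"role": core, "members": n, "outliers": outliers}
    return roles


def unexplained_access(users=USERS, roles=None):
    """Per user, the entitlements the candidate role does not account for.
    A high share of unexplained access across a department is the 'noise'
    signal that the mined role is not yet production-ready."""
    roles = roles or mine_roles(users)
    return {u: ents - roles[dept]["role"] for u, (dept, ents) in users.items()}
```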

What is segregation of duties (SoD) and why does IGA matter for it?

Segregation of duties is an internal controls principle from accounting: no single person should control all phases of a financial transaction or sensitive business process. In IT access terms, SoD violations occur when a user has both 'create vendor' and 'approve payment' permissions in an ERP system, enabling potential fraud. IGA enforces SoD by maintaining a ruleset of conflicting permission combinations, checking access requests against the ruleset before granting access, and running periodic SoD violation reports. This is a primary driver for IGA in financial services and organizations subject to SOX.
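The SoD enforcement pattern described in this answer and under "Segregation of duties (SoD)" above, as an added example that is not code from the original guide or from any IGA product. The ruleset, user population and entitlement names are constructed; it shows the two controls side by side: the preventive check at request time against what the user already holds, and the detective scan that produces the periodic violation report.

```python
# Constructed SoD ruleset: pairs of entitlements no single person should hold
# together, with a label for the report. Names are illustrative placeholders.
SOD_RULES = [
    ("erp:create_vendor", "erp:approve_payment", "Vendor creation vs. payment approval"),
    ("erp:create_po", "erp:approve_po", "Purchase order creation vs. approval"),
]

# Constructed snapshot of access as it exists today.
CURRENT_ACCESS = {
    "alice": {"erp:create_vendor", "erp:view_ledger"},
    "bob": {"erp:create_po", "erp:approve_po"},
    "carol": {"erp:approve_payment"},
}


def violations_for(entitlements):
    """Names of every SoD rule that a single set of entitlements violates."""
    return [name for a, b, name in SOD_RULES if a in entitlements and b in entitlements]


def check_request(user, requested, access=CURRENT_ACCESS):
    """Preventive control: evaluate a request against the access the user
    already holds, not the requested entitlement in isolation.
    Returns (allowed, rule names the combined access would violate)."""
    proposed = access.get(user, set()) | {requested}
    hits = violations_for(proposed)
    return (not hits, hits)


def violation_report(access=CURRENT_ACCESS):
    """Detective control: periodic scan of existing access for conflicts that
    were granted before the rule existed or outside the request workflow."""
    report = {}
    for user, entitlements in access.items():
        hits = violations_for(entitlements)
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    print(check_request("alice", "erp:approve_payment"))
    print(violation_report())
```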

Does IGA integrate with privileged access management (PAM)?

Yes. IGA and PAM integration is a common deployment pattern. IGA governs who should have privileged access (via role policies and approval workflows), while PAM governs how that privileged access is used (credential vaulting, session recording, just-in-time access). The integration ensures that privileged accounts are provisioned and deprovisioned in the PAM vault based on IGA lifecycle events. Saviynt and CyberArk have pre-built integrations; SailPoint and BeyondTrust also offer integration connectors.

How does IGA help with SOX compliance?

Sarbanes-Oxley (SOX) Section 404 requires management to assess and report on internal controls over financial reporting, which includes IT general controls (ITGC). Auditors specifically examine access controls for financial systems: who has access, is it appropriate, is it reviewed periodically, and are SoD conflicts prevented. IGA provides: documented access certification campaigns with audit trails (who reviewed what and when), SoD violation detection and remediation tracking, automated deprovisioning records, and role-based access reports. Without IGA, SOX ITGC evidence collection for access controls requires significant manual effort that IGA automates.

What is entitlement management and how does it relate to IGA?

Entitlement management is the process of defining, requesting, approving, and governing fine-grained access rights (entitlements) within applications. Microsoft Entra Entitlement Management is a specific feature within Entra ID Governance that manages access packages (bundles of application and group access) with approval workflows and expiration. In broader IGA terms, entitlement management covers the governance of application-specific permissions (e.g., SAP transaction codes, Salesforce permission sets, GitHub repository access). It is a subset of what enterprise IGA platforms manage across all applications.



Author: Eric Bang, Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
