Identity Governance & Administration (IGA)
Status: Final
Identity Governance & Administration (IGA) manages the lifecycle of identities — who should have access to what, based on their role, and whether that access has been reviewed and approved. IGA failures (orphaned accounts, over-provisioning, uncertified access) are a primary contributor to the privilege escalation attack surface.
What IGA Does
| Function | Description |
|---|---|
| Joiner/Mover/Leaver (JML) | Automate provisioning when users join, change roles, or leave |
| Access certification | Periodic campaigns where managers certify or revoke employee access |
| Role management | Define business roles → map to technical permissions |
| Separation of Duties (SoD) | Enforce policies preventing one person from holding conflicting access |
| Access request workflows | Self-service requests with approval chains |
| Reporting and audit | Evidence for compliance (SOX, ISO 27001, PCI DSS) |
Why IGA Failures Create Attack Surface
| IGA Failure | Attack Path |
|---|---|
| Orphaned accounts (ex-employee not deprovisioned) | Account reuse, credential stuffing on stale credentials |
| Excessive privilege left from role change | User retains access from previous role → privilege creep |
| Unreviewed service accounts | Service account retains stale high-privilege membership — Kerberoasting target |
| No SoD enforcement | Single account can initiate and approve transactions — fraud/insider |
| Unmanaged application accounts | Shadow IT apps with no provisioning pipeline — no visibility |
| Over-broad role definitions | Role grants more permissions than needed — blast radius |
Major IGA Vendors
SailPoint
Market leader in enterprise IGA. Strong in financial services, healthcare, US government.
| Component | Function |
|---|---|
| IdentityIQ (on-prem) | Full IGA lifecycle, access certification, SoD |
| Identity Security Cloud (SaaS) | Cloud-native IGA |
| Non-Human Identity (NHI) Security | Manage and govern service accounts, API keys, machine identities |
| File Access Manager | Data access governance (who can read what files) |
| IdentityAI | ML-based access risk scoring and recommendations |
Saviynt
Cloud-native IGA with Application Access Governance and infrastructure integration.
| Component | Function |
|---|---|
| Identity Cloud | Unified IGA + PAM + App Access Governance |
| Application Access Governance | Fine-grained SoD for SAP, Salesforce, etc. |
| Cloud PAM | Lightweight privileged access with session recording |
Omada
European IGA vendor, strong in mid-market and Nordic/EU enterprises.
One Identity Manager
SAP-adjacent IGA suite, tight integration with SAP GRC and Microsoft stack.
IGA and ITDR Intersection
IGA and ITDR are complementary layers:
| IGA Provides | ITDR Uses It For |
|---|---|
| Current access inventory | Contextualize alerts — does this user normally access this resource? |
| Role definitions | Detect out-of-role access patterns |
| Account lifecycle events | Alert on login from deprovisioned account |
| Access certification results | Track who explicitly re-certified their access (accountability) |
| SoD violation reports | Feed risk scoring for ITDR analytics |
A common ITDR use case: SailPoint + Splunk + Microsoft Sentinel — SailPoint provides access context, the SIEM (Splunk or Sentinel) provides sign-in and activity telemetry, and correlation between them identifies access events that violate IGA policy.
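The correlation described above is a join between what IGA says an identity should be able to do (lifecycle state, role, entitled resources) and what the SIEM says it actually did. The following is an added example of that join, not code from this page or from SailPoint, Splunk or Sentinel; the identity records, the role-to-resource map and the JSON event lines are constructed, and the event field names are assumptions.

```python
"""ITDR correlation of activity telemetry with IGA context (added example, constructed data).

Three of the table's rows are exercised: account lifecycle events (activity from a
deprovisioned account), role definitions (out-of-role access) and the access
inventory (activity by an identity IGA does not know about).
"""
import json
from datetime import datetime

# Constructed IGA context: lifecycle state and current role per identity.
IGA_IDENTITIES = {
    "alice": {"state": "active", "role": "accounts_payable", "deprovisioned_at": None},
    "dave": {"state": "deprovisioned", "role": "contractor",
             "deprovisioned_at": "2024-05-01T00:00:00Z"},
    "erin": {"state": "active", "role": "analyst", "deprovisioned_at": None},
}

# Constructed role definitions: resources each business role is entitled to use.
IGA_ROLE_ACCESS = {
    "accounts_payable": {"erp-finance", "vpn"},
    "analyst": {"bi-warehouse", "vpn"},
    "contractor": {"vpn"},
}

# Constructed SIEM telemetry, one JSON event per line (field names are assumptions).
TELEMETRY = """\
{"ts": "2024-05-02T09:14:00Z", "user": "alice", "action": "signin", "resource": "vpn", "result": "success"}
{"ts": "2024-05-02T09:20:00Z", "user": "alice", "action": "access", "resource": "erp-finance", "result": "success"}
{"ts": "2024-05-02T22:41:00Z", "user": "dave", "action": "signin", "resource": "vpn", "result": "success"}
{"ts": "2024-05-03T10:05:00Z", "user": "erin", "action": "access", "resource": "erp-finance", "result": "success"}
{"ts": "2024-05-03T10:06:00Z", "user": "mallory", "action": "signin", "resource": "vpn", "result": "failure"}
"""


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def correlate(telemetry, identities, role_access):
    """Return (timestamp, user, reason) for every event that violates IGA policy."""
    alerts = []
    for line in telemetry.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        identity = identities.get(event["user"])

        # No IGA record at all: the access inventory has no entry for this principal.
        if identity is None:
            alerts.append((event["ts"], event["user"],
                           "activity by identity not in IGA inventory"))
            continue

        # Lifecycle event: any activity after the deprovisioning timestamp is an alert,
        # regardless of result, because the account should no longer exist.
        if (identity["state"] == "deprovisioned"
                and parse_ts(event["ts"]) >= parse_ts(identity["deprovisioned_at"])):
            alerts.append((event["ts"], event["user"],
                           "activity from deprovisioned account"))
            continue

        # Role definition: successful access to a resource the role does not grant.
        allowed = role_access.get(identity["role"], set())
        if event["result"] == "success" and event["resource"] not in allowed:
            alerts.append((event["ts"], event["user"],
                           f"out-of-role access to {event['resource']} "
                           f"(role {identity['role']})"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in correlate(TELEMETRY, IGA_IDENTITIES, IGA_ROLE_ACCESS):
        print(ts, user, reason)
```

Alice's two events produce nothing because both are inside her role, which is the point of the join: without the IGA context every successful sign-in looks the same to the SIEM.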
Non-Human Identity (NHI) Governance
The fastest-growing IGA problem is managing non-human identities — service accounts, API keys, CI/CD tokens, OAuth app registrations. Traditional IGA was designed for human users; NHI adds complexity because:
- NHIs outnumber human accounts 10–100:1 in modern enterprises
- NHIs often have no "owner" — they are tied to projects, not people
- NHIs are rarely reviewed in access certification campaigns
- NHIs are rarely rotated
Vendors addressing NHI governance: Astrix Security, Veza, Oasis Security, SailPoint NHI Security.
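The four NHI problems listed above (no owner, never certified, never rotated, and, as a corollary, sitting unused) are mechanical to check once a non-human identity inventory exists. The following is an added example of such a sweep, not code from this page or from any vendor named on it; the inventory records, the policy thresholds, the fixed reference date and the scoring weights are constructed assumptions.

```python
"""Non-human identity governance sweep (added example, constructed data).

Scores each service account, API key, CI token and OAuth app against a
rotation / certification / ownership / idleness policy so that the
privileged, unowned, uncertified ones surface first.
"""
from datetime import date

# Fixed reference date so the results are reproducible (an assumption for the example).
TODAY = date(2024, 6, 1)

# Constructed NHI inventory; ISO dates or None where the event never happened.
NHI_INVENTORY = [
    {"id": "svc-backup", "kind": "service_account", "owner": "ops-team", "privileged": True,
     "last_rotated": "2022-01-15", "last_certified": "2024-03-01", "last_used": "2024-05-30"},
    {"id": "ci-deploy-token", "kind": "ci_token", "owner": None, "privileged": True,
     "last_rotated": "2024-04-01", "last_certified": None, "last_used": "2024-05-31"},
    {"id": "oauth-report-app", "kind": "oauth_app", "owner": "bi-team", "privileged": False,
     "last_rotated": "2024-05-01", "last_certified": "2024-01-10", "last_used": "2023-11-02"},
    {"id": "api-key-legacy", "kind": "api_key", "owner": "alice", "privileged": False,
     "last_rotated": "2023-01-01", "last_certified": None, "last_used": None},
]

# Constructed policy thresholds, in days.
POLICY = {"max_rotation_days": 90, "max_certification_days": 180, "max_idle_days": 90}


def days_since(iso_date):
    """Days between the reference date and an ISO date, or None if the date is missing."""
    if iso_date is None:
        return None
    return (TODAY - date.fromisoformat(iso_date)).days


def assess(nhi, policy):
    """Return the list of policy findings for one non-human identity."""
    findings = []
    if not nhi["owner"]:
        findings.append("no owner")
    rotated = days_since(nhi["last_rotated"])
    if rotated is None or rotated > policy["max_rotation_days"]:
        findings.append("rotation overdue")
    certified = days_since(nhi["last_certified"])
    if certified is None:
        findings.append("never certified")
    elif certified > policy["max_certification_days"]:
        findings.append("certification stale")
    used = days_since(nhi["last_used"])
    if used is None or used > policy["max_idle_days"]:
        findings.append("idle or never used")
    return findings


def risk_score(nhi, findings):
    """Weight findings by privilege: a privileged NHI with the same gaps ranks higher."""
    return len(findings) * (3 if nhi["privileged"] else 1)


def sweep(inventory, policy):
    """Assess every NHI and return the ones with findings, highest score first."""
    report = []
    for nhi in inventory:
        findings = assess(nhi, policy)
        if findings:
            report.append({"id": nhi["id"], "kind": nhi["kind"],
                           "findings": findings, "score": risk_score(nhi, findings)})
    return sorted(report, key=lambda row: row["score"], reverse=True)


if __name__ == "__main__":
    for row in sweep(NHI_INVENTORY, POLICY):
        print(f"{row['score']:>2} {row['id']:<18} {', '.join(row['findings'])}")
```

The ordering is deliberate: an unowned, never-certified CI token with deploy privilege ranks above a long-lived but owned and certified backup account, because the token has nobody who can answer a certification campaign for it and nobody who will notice when it is rotated.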
Cross-Links
| Topic | Link |
|---|---|
| PAM | pam-overview |
| ITDR Vendors | itdr-vendor-landscape |
| Identity Attack Surface | identity-attack-surface |