A framework of policies, processes, and technology to manage and govern digital identities and their access rights. Increasingly extended to cover non-human identities alongside human users.
Expanded Definition
Identity Governance and Administration, or IGA, is the policy and control layer that decides who or what should have access, how that access is approved, reviewed, and removed, and how exceptions are tracked over time. In modern identity programs, IGA is no longer limited to human users. It increasingly governs non-human identities (NHIs), including service accounts, API keys, workload identities, and AI agents with execution authority. That shift matters because NHI access tends to be broader, longer-lived, and harder to review than employee access. The practical boundary between IGA and privileged access management (PAM), role-based access control (RBAC), just-in-time access (JIT), and zero standing privilege (ZSP) varies across vendors, so industry usage is still evolving rather than standardised. For a concise NHI context, see the Ultimate Guide to NHIs; for a standards-oriented framing of identity governance, align the operating model with NIST Cybersecurity Framework 2.0. The most common misapplication is reducing IGA to a quarterly access-review exercise while ignoring the lifecycle events that actually change risk: provisioning, credential rotation, and offboarding.
Examples and Use Cases
Implementing IGA rigorously often introduces process overhead and integration complexity, so organisations have to weigh stronger assurance against slower change velocity. Typical use cases include:
- Provisioning a new CI/CD service account with approved roles, ownership, expiry, and review evidence so the entitlement is traceable from day one.
- Recertifying an AI agent’s permissions after model updates or workflow changes, especially when the agent can call tools, modify infrastructure, or access sensitive datasets.
- Revoking stale API keys during offboarding and tying the cleanup to an audit trail, as described in the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs.
- Applying role-based access rules for administrators and workloads, while reserving privileged elevation for short windows under documented approval.
- Using governance workflows to flag orphaned secrets, mis-scoped integrations, and third-party connections that outlive the business justification for access.
In identity operations, these controls are often compared against NHI incident patterns in the 52 NHI Breaches Analysis, where weak lifecycle handling repeatedly turns routine access into exposure. For implementation language around least privilege and documentation, NIST Cybersecurity Framework 2.0 remains a useful anchor.
Why It Matters in NHI Security
IGA becomes critical when organisations realise that identities are not just accounts; they are active control points for access, automation, and change. Poor governance allows over-privileged NHIs to accumulate, secrets to remain valid after teams believe they are gone, and access to survive beyond the application, project, or vendor relationship that created it. NHI Mgmt Group research reports that 97% of NHIs carry excessive privileges, a sign that governance failures are usually systemic rather than isolated. That is why the Top 10 NHI Issues and the Ultimate Guide to NHIs — Regulatory and Audit Perspectives both treat lifecycle control, evidence, and reviewability as core security requirements. The operational lesson is straightforward: if a team cannot answer who approved the access, why it still exists, and how it will be removed, IGA has failed even if the account technically works. Organisations typically encounter the cost of that failure only after a breach, audit finding, or incident review, at which point fixing IGA becomes operationally unavoidable.
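The use cases listed above and the three questions an IGA review must answer (who approved the access, why it still exists, how it will be removed) reduce to a small set of mechanical checks over an entitlement inventory. The following is an added example written for this entry, not code from NHI Mgmt Group or any IGA product. The inventory schema, the field names, the role names, the ticket identifiers, and the thresholds (90 days for staleness, 8 hours for an acceptable privileged window) are assumptions chosen for illustration; real IGA exports use different schemas and policies.

```python
"""Added example: a minimal entitlement-review pass over an NHI inventory.

Illustrative code for this glossary entry only. Field names, role names,
ticket identifiers and thresholds are assumptions, not a vendor schema.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds (chosen for the example, not taken from the page).
STALE_DAYS = 90                   # a credential unused this long is treated as orphaned
MAX_PRIVILEGED_WINDOW_HOURS = 8   # privileged access must expire within this window
PRIVILEGED_ROLES = {"admin", "owner", "deploy-prod"}  # assumed role naming


@dataclass
class NHI:
    name: str
    kind: str                       # "service-account", "api-key", "workload", "ai-agent"
    roles: set[str]
    owner: str | None               # accountable human or team; None means orphaned
    owner_active: bool              # False once the owner has been offboarded
    approval_ticket: str | None     # evidence of who approved the access
    justification: str | None       # why the access exists
    expires_at: datetime | None     # planned removal date; None means no removal plan
    last_used_at: datetime | None
    created_at: datetime


def review(identity: NHI, now: datetime) -> list[str]:
    """Return governance findings for one identity; an empty list passes review."""
    findings: list[str] = []
    # Who is accountable, and are they still here?
    if identity.owner is None or not identity.owner_active:
        findings.append("orphaned: no active owner")
    # Who approved it, and why does it exist?
    if not identity.approval_ticket:
        findings.append("no approval evidence")
    if not identity.justification:
        findings.append("no documented business justification")
    # How and when will it be removed?
    if identity.expires_at is None:
        findings.append("no expiry / removal plan")
    elif identity.expires_at <= now:
        findings.append("expired but still present")
    # Is it still in use at all?
    last_activity = identity.last_used_at or identity.created_at
    if now - last_activity > timedelta(days=STALE_DAYS):
        findings.append(f"stale: unused for more than {STALE_DAYS} days")
    # Privileged roles are only acceptable inside a short, time-boxed window.
    privileged = identity.roles & PRIVILEGED_ROLES
    if privileged:
        short_window = (
            identity.expires_at is not None
            and identity.expires_at - identity.created_at
            <= timedelta(hours=MAX_PRIVILEGED_WINDOW_HOURS)
        )
        if not short_window:
            findings.append(f"standing privilege: {sorted(privileged)} without a short-lived window")
    return findings


def review_inventory(inventory: list[NHI], now: datetime) -> dict[str, list[str]]:
    """Map each failing identity name to its findings; passing identities are omitted."""
    return {i.name: f for i in inventory if (f := review(i, now))}


# Constructed sample inventory (not real data). Ticket numbers and names are invented.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    # JIT deploy account: owned, approved, justified, 8-hour window -> passes
    NHI("ci-deploy-prod", "service-account", {"deploy-prod"}, "platform-team", True,
        "CHG-1042", "production release pipeline", NOW + timedelta(hours=6),
        NOW - timedelta(hours=1), NOW - timedelta(hours=2)),
    # Key left behind by an offboarded engineer, never approved, no expiry, unused
    NHI("legacy-billing-key", "api-key", {"read-invoices"}, "jdoe", False,
        None, "one-off migration", None,
        NOW - timedelta(days=200), NOW - timedelta(days=400)),
    # AI agent holding admin for a year: approved, but standing privilege
    NHI("agent-infra-bot", "ai-agent", {"admin"}, "sre-team", True,
        "CHG-2001", "automated infrastructure remediation", NOW + timedelta(days=365),
        NOW - timedelta(days=1), NOW - timedelta(days=30)),
    # Vendor integration that outlived its expiry and has no recorded justification
    NHI("vendor-sync", "workload", {"read-customers"}, "integrations", True,
        "CHG-900", None, NOW - timedelta(days=10),
        NOW - timedelta(days=5), NOW - timedelta(days=300)),
]

if __name__ == "__main__":
    for name, findings in review_inventory(INVENTORY, NOW).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run it and only the three failing identities are printed; the time-boxed deploy account passes because it has an owner, approval evidence, a justification and an expiry inside the privileged window. The useful design point is that every check corresponds to a lifecycle event (provisioning, offboarding, expiry, rotation) rather than to a calendar, so the same function can run on each change event instead of once a quarter.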
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Covers governance gaps that let non-human identities keep access after the owner, project, or vendor relationship ends. |
| NIST CSF 2.0 | PR.AA (Identity Management, Authentication, and Access Control; replaces PR.AC from CSF 1.1) | Defines access control outcomes that map directly to identity governance. |
| NIST Zero Trust (SP 800-207) | Section 2.1, Tenets of Zero Trust | Zero Trust depends on continuous verification and least privilege for every identity, including workloads. |
Inventory NHI access paths, review entitlements, and remove standing privilege.