TL;DR: Identity governance and administration 2.0 is a maturity question for organisations that need broader visibility, stronger lifecycle control, and better governance across identities and access, according to Netwrix. The strategic issue is not tooling breadth alone, but whether governance can keep pace with expanding identity populations and modern access patterns.
At a glance
What this is: This on-demand webinar argues that identity governance and administration is entering a 2.0 phase centred on modernisation, maturity benchmarking, and broader identity control.
Why it matters: It matters because IAM teams need to judge whether their governance model still fits humans, machine identities, and privileged access patterns, not just legacy directory workflows.
By the numbers:
- 4.7 rating based on 164 ratings for all time in the File Analysis Software market as of September 2nd, 2025.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- Only 5.7% of organisations have full visibility into their service accounts.
👉 Watch Netwrix's on-demand webinar on identity governance 2.0
Context
Identity governance and administration is the discipline that determines who or what should have access, how that access is reviewed, and when it is removed. In practice, the challenge is no longer limited to human accounts, because machine identities, service accounts, and privileged access paths now carry much of the operational risk.
This webinar positions IGA 2.0 as a response to that shift, with the discussion framed around governance maturity rather than a single product capability. For teams that are modernising IAM, the core question is whether current controls can still provide lifecycle oversight, access visibility, and accountability across the full identity estate.
Key questions
Q: How should organisations benchmark identity governance maturity?
A: Benchmark maturity by asking whether the programme can discover access, assign ownership, review it, and remove it across the full identity estate. A useful benchmark measures outcomes such as certification closure, revocation completion, and privileged access accountability. Tool coverage alone does not prove governance maturity if access can still persist outside review cycles.
Q: Why do machine identities complicate identity governance programmes?
A: Machine identities complicate governance because they multiply faster than human accounts, often lack clear owners, and can keep working long after the original business context has changed. That means traditional joiner-mover-leaver processes and periodic reviews miss the identities that most need lifecycle control, especially service accounts, API keys, and tokens.
Q: What is the difference between identity visibility and identity governance?
A: Visibility tells you that an account or entitlement exists. Governance proves who owns it, why it exists, whether it was approved, and whether it was removed when no longer needed. Organisations often mistake discovery for control, but maturity only exists when access can be enforced and closed, not merely listed.
Q: What should IAM teams do when access reviews do not lead to revocation?
A: They should treat the process as ineffective until it can produce verified removal. Access reviews that do not remove stale or excessive entitlements create a false sense of control, especially for privileged and non-human identities. The fix is to link certification workflows to enforced revocation and exception tracking.
Background and context
IGA 2.0 and the shift from directory control to governance fabric
Identity governance traditionally grew around directory accounts, joiner-mover-leaver processes, and periodic access reviews. IGA 2.0 points to a broader control fabric: entitlement visibility across applications, lifecycle governance for non-human identities, and policy enforcement that follows the identity rather than the system of record. That matters because modern environments distribute access across SaaS, cloud, infrastructure, and automation layers. If governance only sees the directory, it misses the identities that now create the largest privilege and exposure gaps.
Practical implication: inventory identities beyond the directory and map governance coverage to every system where access can persist.
Privileged access governance as an identity lifecycle problem
Privileged access management is often treated as a separate control domain, but the underlying issue is lifecycle governance. Privileged credentials, tokens, and elevated roles need the same joiner, mover, and leaver discipline that human identities receive, except they often change faster and are harder to observe. Without lifecycle control, privileged access becomes standing access by default, especially for service accounts and operational accounts that are rarely reviewed with the same rigour as human users.
Practical implication: tie privileged access reviews to lifecycle events, not just periodic certification cycles.
Benchmarking maturity without confusing coverage for control
Maturity benchmarking only helps if it measures operating effectiveness, not feature coverage. A platform can discover accounts, but that does not mean it can govern them; it can report access, but that does not mean it can revoke it cleanly. The useful benchmark is whether the programme can explain ownership, prove review, and enforce removal across identity types. That is the difference between visible identity sprawl and governed identity sprawl.
Practical implication: score your programme on enforceable outcomes, such as ownership, certification closure, and revocation completion.
NHI Mgmt Group analysis
IGA 2.0 is really a governance maturity signal, not a product category refresh. The phrase reflects a broader shift from static identity administration toward continuous governance across humans, machine identities, and privileged access paths. That shift matters because modern access risk is created by identities that persist outside classic directory workflows. Practitioners should treat the label as a signal that governance scope now has to extend across the whole identity estate.
Identity governance fails when it stops at visibility. Discovering accounts is not the same as proving ownership, enforcing review, or removing access. The control gap is especially visible in non-human identities, where service accounts and secrets are often created quickly and retired slowly. Teams should read this as a reminder that maturity is measured by closure, not inventory.
Privileged access and lifecycle governance are converging. Elevated access cannot be governed as an isolated exception when it is embedded in application, automation, and infrastructure workflows. That convergence means IAM, PAM, and IGA teams need a shared operating model rather than separate reporting lines. Practitioners should align review, revocation, and escalation workflows across those domains.
Benchmarking identity maturity only matters if it exposes the real control gap. Organisations often benchmark too early against tooling presence instead of governance effectiveness. The better question is whether access can be validated, attributed, and removed across all identity types before it becomes a blind spot. Practitioners should use maturity assessments to surface operational failure points, not just scorecards.
From our research:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often governance lags behind operational sprawl.
- For a broader view of governance, review Ultimate Guide to NHIs -- Lifecycle Processes for Managing NHIs for lifecycle controls that close the gap.
What this signals
Identity governance programmes are moving toward control closure, not just account discovery. The practical test is whether ownership, approval, review, and removal happen in sequence across humans and non-human identities. When governance stops at reporting, the organisation ends up with visibility into exposure but no mechanism to reduce it.
Standing access debt is the failure mode to watch. The more identities accumulate without clean offboarding, the more likely access reviews become ceremonial. Teams that still rely on periodic certification alone should expect growing friction between what the programme can report and what it can actually remove, especially across service accounts and privileged roles.
As benchmarking becomes more common, the organisations that benefit will be the ones that can connect maturity scores to lifecycle evidence. That means proving closure, not simply saying the programme is complete, and using internal reference material like Top 10 NHI Issues to prioritise the controls that most often fail in practice.
For practitioners
- Expand governance scope beyond human accounts Map every identity type that can create access, including service accounts, API keys, tokens, and elevated roles. Then confirm which of those are covered by joiner, mover, leaver, review, and revocation processes, and which remain outside the governance model.
- Measure lifecycle closure, not discovery coverage Track whether access reviews end in verified removal, whether ownership is assigned, and whether privileged entitlements are actually closed after certification. Discovery without closure should be treated as a control gap, not maturity.
- Unify IGA and PAM operating processes Align privileged access workflows with governance events so that elevation, certification, and offboarding are handled in one control chain. That reduces the chance that privileged accounts remain active after a role or relationship changes.
- Benchmark against enforceable outcomes Use maturity assessments to test whether the programme can enforce revocation across systems, not just report on them. The benchmark should show who owns access, who approved it, and how quickly it was removed when it no longer had a business need.
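As an added illustration (not from the webinar or from Netwrix), the following Python scores a constructed certification export on the outcomes named under "Key questions" and "For practitioners": ownership, review coverage, closure within a revocation SLA, and the standing-access debt left when a revoke decision is never carried out. The record layout, the 14-day SLA and the sample rows are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class AccessRecord:
    identity: str
    kind: str                   # "human", "service_account" or "api_key"
    owner: Optional[str]        # None means no accountable owner
    decision: Optional[str]     # "keep", "revoke", or None if never reviewed
    decided_on: Optional[date]
    revoked_on: Optional[date]  # None means removal has not been verified

def benchmark(records, today, sla_days=14):
    """Score enforceable outcomes per identity kind (ownership, review coverage,
    closure of revoke decisions within the SLA) and list the standing-access
    debt: identities certified for removal but still active past the SLA."""
    counts, debt = {}, []
    for r in records:
        c = counts.setdefault(r.kind, dict.fromkeys(
            ("total", "owned", "reviewed", "revoke_decided", "closed"), 0))
        c["total"] += 1
        c["owned"] += int(r.owner is not None)
        c["reviewed"] += int(r.decision is not None)
        if r.decision != "revoke":
            continue
        c["revoke_decided"] += 1
        if r.revoked_on is not None:
            c["closed"] += int((r.revoked_on - r.decided_on).days <= sla_days)
        elif (today - r.decided_on).days > sla_days:
            debt.append(r.identity)   # decided, never removed, SLA exceeded
    def score(c):
        # closure_rate is None when nothing was certified for removal
        return {"ownership": c["owned"] / c["total"],
                "review_coverage": c["reviewed"] / c["total"],
                "closure_rate": c["closed"] / c["revoke_decided"] if c["revoke_decided"] else None}
    return {"kinds": {k: score(c) for k, c in counts.items()},
            "standing_access_debt": sorted(debt)}

# Constructed sample export for the demonstration; not real identities.
TODAY = date(2025, 9, 30)
SAMPLE_RECORDS = [
    AccessRecord("alice", "human", "hr", "keep", date(2025, 9, 1), None),
    AccessRecord("bob", "human", "hr", "revoke", date(2025, 9, 1), date(2025, 9, 5)),
    AccessRecord("svc-backup", "service_account", None, "revoke", date(2025, 9, 1), None),
    AccessRecord("svc-etl", "service_account", "data-eng", None, None, None),
    AccessRecord("svc-ci", "service_account", "platform", "revoke", date(2025, 9, 20), None),
    AccessRecord("key-partner", "api_key", None, "revoke", date(2025, 8, 1), date(2025, 9, 10)),
]
```

On the sample, humans close at 100% while service accounts close at 0% and `svc-backup` appears as standing-access debt, which is the report-versus-remove gap the text describes.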
Key takeaways
- Identity governance 2.0 is about whether the programme can control access across the full identity estate, not just catalogue it.
- The most common maturity gap is lifecycle closure: organisations can often find access faster than they can remove it.
- Teams should benchmark on ownership, revocation, and privileged access accountability because those are the controls that turn visibility into governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Identity governance here depends on access approval, review, and removal. |
| OWASP Non-Human Identity Top 10 | NHI-03 | The post's lifecycle focus aligns with NHI credential governance and revocation. |
| NIST Zero Trust (SP 800-207) | AC-2 | Zero Trust depends on continuous identity control, not one-time assignment. |
Map identity lifecycle and access review controls to PR.AC-4 and verify revocation is enforced.
Key terms
- Identity governance and administration: Identity governance and administration is the set of processes that decides who or what should have access, who approves it, and when that access is removed. It combines policy, review, and lifecycle control so access can be justified, monitored, and revoked across the identity estate.
- Non-human identity: A non-human identity is any machine or workload identity that authenticates and gains access without a person directly operating it. Service accounts, API keys, tokens, certificates, and bots all fall into this category, and they need lifecycle, ownership, and revocation controls rather than user-centric assumptions.
- Lifecycle governance: Lifecycle governance is the discipline of managing identity from creation through change and removal. In practice, it means knowing who owns the identity, when access should change, and how to prove offboarding, rotation, or revocation happened before the identity becomes a standing risk.
- Privileged access: Privileged access is any elevated entitlement that can change systems, data, or security settings beyond ordinary user rights. It becomes a governance issue when elevated rights persist without review, when ownership is unclear, or when the access path is shared across people and machines.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Netwrix: Révolutionner la gouvernance des identités à l'ère numérique : l'IGA 2.0. Read the original.
Published by the NHIMG editorial team on 2026-05-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org