TL;DR: IGA programmes fail when identity data, access reviews, lifecycle controls, and privilege governance are managed in silos, leaving security, compliance, and audit teams without a unified view of rights and entitlements, according to Zluri. The core issue is not the absence of tools but the assumption that fragmented governance can still control modern access sprawl.
At a glance
What this is: This is an analysis of 8 IGA best practices and the controls needed to centralise access, reduce privilege sprawl, and improve compliance.
Why it matters: It matters because IAM, NHI, and workforce identity teams all need the same governance disciplines to keep access review, provisioning, and least-privilege controls coherent.
Context
Identity governance and administration breaks down when access data is scattered across apps, departments, and manual review processes. Once that happens, provisioning, deprovisioning, certification, and segregation of duties stop working as one control system and start behaving like disconnected tasks.
The article’s main point is that IGA should be treated as a governance layer over the full identity surface, not just as an access-request workflow. For practitioners, that means the real problem is not whether a tool exists, but whether identity lifecycle, privilege, and audit controls are centralised enough to be enforced consistently.
Key questions
Q: What breaks when IGA is not built on a central identity view?
A: Access review loses context when identities, roles, and entitlements are scattered across systems. Reviewers cannot reliably see who has access, why they have it, or whether it is still justified. That leads to weak certifications, delayed revocation, and poor audit evidence. A central identity view is the baseline for any governance model that needs to scale.
Q: Why do least-privilege controls fail in complex access environments?
A: They fail when elevated access becomes persistent, poorly scoped, or disconnected from task completion. In that state, privilege creep hides in plain sight and teams stop distinguishing real operational need from historical entitlement. Least privilege only works when elevation is temporary, justified, and revoked quickly after use.
Q: How do organisations know whether access certification is actually working?
A: Certification is working when it finds stale access, conflicting roles, and unjustified entitlements quickly enough to drive removal or correction. If reviews mostly confirm existing access without challenge, they are reporting activity rather than governing risk. The useful signal is remediation rate, not the number of completed review cycles.
Q: Who should own segregation of duties when access spans apps and workflows?
A: Ownership should sit with the identity governance function, but enforcement needs input from application owners, risk teams, and audit stakeholders. The goal is to stop one identity from holding conflicting rights across a process, not just inside one system. SoD must be enforced across workflows, not only within a single application boundary.
Technical breakdown
Centralised identity data and entitlement visibility
IGA depends on a single operational view of identities, roles, entitlements, and access paths. When that view is fragmented across SaaS apps, HR systems, directories, and local admin panels, teams cannot reliably answer who has access, why they have it, or whether it still matches the job. Centralised identity data is what makes access review, reporting, and role governance possible at scale. Without it, every downstream control inherits incomplete context and weakens in practice.
Practical implication: unify identity and entitlement sources before expecting certification, audit, or least-privilege controls to work.
Zero trust and least privilege for high-value assets
The article ties IGA to zero trust by stressing continuous verification and restricted access to high-value assets. In practice, that means identity is no longer a one-time gate at login. Access must be evaluated against context, device state, and task need, especially for cloud apps, remote work, and dormant accounts. Least privilege also becomes operational rather than theoretical when temporary elevation is bounded and revoked promptly after use.
Practical implication: map high-value assets and enforce task-scoped access with explicit revocation points, not persistent entitlements.
Access certification, segregation of duties, and workflow automation
Access certification and segregation of duties are the controls that expose whether governance is real or merely documented. Certification tests whether access still has a business justification, while SoD prevents a single identity from holding conflicting rights that enable abuse or error. Workflow automation matters because manual review cycles cannot keep pace with modern app sprawl. The article’s deeper point is that governance quality depends on how quickly access can be reviewed, challenged, and remediated once drift appears.
Practical implication: automate certification and SoD checks so governance action happens during the access lifecycle, not after it.
NHI Mgmt Group analysis
Fragmented identity data is the real failure mode behind weak IGA. IGA best practices only work when user, role, entitlement, and app data are joined into one governance view. If access lives in separate tools and spreadsheets, certification becomes partial, revocation becomes delayed, and audit evidence becomes inconsistent. The practitioner conclusion is that governance maturity starts with identity data unification, not policy declarations.
Least privilege stops being credible when elevation is permanent or unreviewed. The article correctly points to temporary elevation, dormant account removal, and tighter access boundaries, but the deeper issue is privilege creep. Once elevated access becomes routine, teams lose the ability to distinguish operational need from structural overreach. The practitioner conclusion is that privilege lifecycle control must be treated as a governance discipline, not a one-off admin task.
Access certification is only useful when it is continuous enough to catch drift. Scheduled reviews help, but if they are too sparse or too manual, they confirm yesterday’s access state instead of governing today’s. That is why SoD, certification, and automation belong together: each compensates for the blind spots of the others. The practitioner conclusion is that review cadence and remediation speed matter as much as the policy itself.
Identity governance now spans workforce, NHI, and automated access patterns. The same governance logic that applies to employees also applies to service accounts, API-driven access, and other non-human identities that hold persistent rights. If organisations do not extend lifecycle and certification discipline beyond human users, they leave a structural gap in the identity plane. The practitioner conclusion is to govern access by behaviour and lifecycle, not by whether the subject is a person.
Continuous compliance is a control outcome, not an audit afterthought. The article links compliance tracking, documentation, and access analysis to everyday governance operations, which is the right model. Compliance fails when it is treated as a reporting layer added after identity decisions have already been made. The practitioner conclusion is that auditability must be designed into provisioning, review, and deprovisioning from the start.
From our research:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- A separate finding shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which is why governance gaps often begin outside the core IAM stack.
- That visibility problem is one reason readers should also look at NHI Lifecycle Management Guide for the provisioning, review, and offboarding controls that prevent access drift.
What this signals
Identity governance is shifting from process management to control-plane management. As SaaS sprawl, remote access, and non-human credentials accumulate, the teams that win are the ones that can see entitlements, review them continuously, and remove them without waiting for a manual cleanup cycle. The governance problem is no longer access request volume alone; it is the time gap between entitlement creation and entitlement correction.
Access review is becoming a detection mechanism as much as a compliance one. When review cycles surface dormant accounts, over-privileged roles, and conflicting duties, they are doing operational security work, not just audit preparation. That is why organisations should treat certification outputs as risk signals and route them into remediation workflows immediately.
Zero trust only becomes meaningful when identity lifecycle is covered end to end. Continuous verification at login does little if access later drifts through role change, contractor onboarding, or machine account sprawl. The programme signal is clear: if lifecycle governance is weak, zero trust becomes a front door control with no interior enforcement.
For practitioners
- Centralise identity and entitlement data: Build a single governance view across SaaS, directories, HR feeds, and admin systems so access review can use complete context instead of partial records.
- Tighten elevation around high-value assets: Define which systems require continuous verification, short-lived elevation, and explicit revocation after task completion, especially for remote and cloud access.
- Automate certification and remediation workflows: Use scheduled review cycles, fallback reviewers, and auto-remediation paths so access can be challenged and removed before stale privileges accumulate.
- Apply segregation of duties to conflicting roles: Block role combinations that let one identity initiate, approve, and dispose of the same business process, and test those rules during access review.
- Extend lifecycle governance beyond human users: Treat service accounts, API access, and other non-human identities as governed subjects with provisioning, review, and offboarding requirements.
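As an added example (not code from the Zluri article or from NHIMG), the practitioner checks above run over one constructed, unified entitlement view: a cross-application SoD rule covering the initiate, approve and dispose steps of a process, a dormant-entitlement sweep applied equally to human and non-human identities, and the remediation-rate signal from the Key questions section. All identities, apps, roles and the rule set are hypothetical.

```python
from collections import defaultdict
from datetime import date, timedelta
# Constructed sample of one unified entitlement view, joined from several
# sources (HR feed, directory, SaaS admin panels). Names are hypothetical.
# Record layout: (identity, subject_type, app, role, last_used)
ENTITLEMENTS = [
    ("alice",       "human", "erp",      "po_create",      date(2025, 6, 20)),
    ("alice",       "human", "erp",      "po_approve",     date(2025, 6, 21)),
    ("bob",         "human", "erp",      "po_approve",     date(2025, 1, 5)),
    ("carol",       "human", "erp",      "po_create",      date(2025, 6, 24)),
    ("svc-billing", "nhi",   "erp",      "po_create",      date(2025, 6, 25)),
    ("svc-billing", "nhi",   "payments", "payout_release", date(2025, 6, 25)),
]
AS_OF = date(2025, 6, 26)  # constructed review date

# Hypothetical SoD rule: each step of a business process maps to the (app, role)
# pairs that can perform it. Holding two or more steps of the same process is a
# conflict, even when the steps live in different applications.
SOD_RULES = {
    "procure_to_pay": {
        "initiate": {("erp", "po_create")},
        "approve":  {("erp", "po_approve")},
        "dispose":  {("payments", "payout_release")},
    },
}

def sod_violations(entitlements, rules):
    """{identity: {process: sorted steps held}} for every identity holding more
    than one step of a process, across app boundaries; NHIs are checked too."""
    held = defaultdict(set)  # identity -> set of (app, role)
    for identity, _kind, app, role, _last_used in entitlements:
        held[identity].add((app, role))
    violations = {}
    for identity, pairs in held.items():
        for process, steps in rules.items():
            hit = sorted(step for step, grants in steps.items() if pairs & grants)
            if len(hit) > 1:
                violations.setdefault(identity, {})[process] = hit
    return violations

def stale_access(entitlements, as_of, max_idle_days=90):
    """Entitlements unused for more than max_idle_days: candidates for revocation."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return [(i, a, r) for i, _k, a, r, last_used in entitlements if last_used < cutoff]

def remediation_rate(findings, remediated):
    """Share of findings actually removed or corrected. This, not the count of
    completed review cycles, shows whether certification governed risk."""
    return len(set(findings) & set(remediated)) / len(findings) if findings else 1.0
```

In the sample, the service account trips the SoD rule through two different applications, which a per-app check would never see.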
Key takeaways
- The article’s main warning is that IGA fails when access governance is fragmented across systems and manual processes.
- The strongest evidence from the source is that governance problems spread across provisioning, certification, SoD, and compliance, not just one control gap.
- Practitioners should centralise identity data, automate review and remediation, and extend lifecycle governance to non-human identities.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and access restrictions are central to the article's IGA guidance. |
| NIST Zero Trust (SP 800-207) | | The article's continuous verification advice aligns with zero trust access decisions. |
| OWASP Non-Human Identity Top 10 | NHI-03 | The article's lifecycle and entitlement controls also apply to service accounts and other NHIs. |
Map access entitlements to PR.AC-4 and remove persistent excess rights during reviews.
Key terms
- Identity governance and administration: Identity governance and administration is the control discipline that decides who or what should have access, why that access exists, and when it should be removed. It combines policy, entitlement management, access review, and audit evidence so access decisions stay aligned with business need and compliance obligations.
- Segregation of duties: Segregation of duties is a control that prevents one identity from holding conflicting permissions that could enable fraud, error, or abuse. In practice, it separates request, approve, execute, and dispose functions across roles so no single user or account can complete a sensitive process alone.
- Access certification: Access certification is a periodic review process where owners confirm whether existing access is still justified. It is most effective when reviews are tied to remediation, because the point is not just to validate entitlements but to remove stale or risky access before it becomes an incident.
- Zero trust: Zero trust is an access model that assumes trust must be continuously earned rather than permanently granted. It uses context, verification, and least privilege to narrow access decisions, which makes it especially relevant when users, contractors, and non-human identities move across cloud and SaaS environments.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: Security & Compliance 8 Proven Best Practices To Optimize IGA. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org