TL;DR: Most IGA programmes fail because teams sequence controls poorly, leaving half-implemented systems that auditors do not trust, according to Zluri’s phase-by-phase strategy on access reviews, lifecycle automation, granular entitlement control, identity security, and self-service requests. The practical lesson is that governance must start with visibility and ownership, then tighten access and automation in stages rather than trying to solve everything at once.
At a glance
What this is: This is a phased IGA implementation guide that argues access reviews, lifecycle automation, granular entitlements, identity security, and self-service should be rolled out in sequence.
Why it matters: It matters because IGA programmes fail when organisations try to govern too much too soon, and IAM teams need a sequence that works across human, NHI, and future autonomous identity workflows.
By the numbers:
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- Only 5.7% of organisations have full visibility into their service accounts.
Context
IGA is the discipline of ensuring the right identities have the right access at the right time, but most implementations fail because teams treat it as a product deployment instead of a governance sequence. The article argues that access reviews, lifecycle automation, granular entitlement control, identity security, and self-service need to build on each other, which is the right starting point for programmes that cover human identities and, increasingly, non-human identities too.
The primary weakness in the usual approach is that it focuses on cleaning up access after drift has already happened. That model works poorly for service accounts, API keys, and other NHIs because their access often persists outside normal review cycles, so the same sequencing discipline that helps with human IGA also becomes a baseline requirement for broader identity governance.
Key questions
Q: How should organisations phase an IGA programme without creating more access drift?
A: Start with access reviews to establish ownership and visibility, then automate joiner-mover-leaver changes so access follows identity events. After that, move into entitlement-level governance and risk-based controls. The sequencing matters because each phase depends on the previous one being stable enough to support the next.
Q: Why do access reviews alone fail to control identity risk?
A: Access reviews only show you the state of access at a moment in time. They do not prevent changes between cycles, and they miss systems outside the review scope. That makes them useful for cleanup and audit evidence, but insufficient as a complete governance model.
Q: What breaks when lifecycle management is still manual?
A: Manual lifecycle management creates delays between a business event and the identity update that should follow it. New hires wait for access, movers accumulate old permissions, and leavers keep credentials longer than they should. The result is predictable drift, avoidable audit issues, and higher security exposure.
Q: How can security teams tell whether self-service access is working?
A: Self-service is working when requests route to the right approvers, approvals are consistent with policy, and provisioning happens without bypass paths or shadow requests. If users still submit tickets outside the workflow or managers routinely override decisions, the process is creating friction instead of governed speed.
Technical breakdown
Why access reviews are the usual starting point
Access reviews are point-in-time governance checks that compare current entitlements against what owners believe should exist. They work well as a first phase because they surface orphaned access, clarify ownership, and create an auditable record of decisions. But they are inherently reactive. They do not stop privilege drift between cycles, and they only improve governance where the review actually reaches the systems in scope. In practice, that makes them a visibility control, not a complete access model.
Practical implication: use access reviews to establish ownership and baseline visibility, then treat them as the start of governance rather than the end state.
How lifecycle management reduces access drift
Lifecycle management automates joiner-mover-leaver changes so that access follows identity events instead of manual tickets. The architectural shift is from periodic correction to event-driven provisioning and deprovisioning, usually with HR as the source of truth and the identity platform as the enforcement layer. That reduces the window where departing users, role changes, or department transfers retain stale access. The same logic applies to non-human accounts when their lifecycle is tied to deployment, service retirement, or vendor offboarding.
Practical implication: connect authoritative identity sources to provisioning workflows so access changes happen when the identity changes, not at the next review.
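The event-driven model described above, as an added example that is not part of the original page or Zluri's product: an HR event (or, for a service account, a deployment or retirement event) is the authoritative input, the identity platform's current grant list is what gets reconciled against it, and each event yields the minimal grant/revoke set. The role model, birthright set, identifiers and the 90-day review cycle are all constructed for illustration; the last function shows how long a mover's stale access would survive if only the periodic review caught it.

```python
"""Event-driven joiner-mover-leaver reconciliation (added illustration).

Not code from the original page. HR (or the deployment pipeline for
service accounts) is the source of truth; the identity platform's grants
are reconciled to it on every event. All names and roles are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Role model: the entitlements a role is allowed to carry (constructed).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "engineer":   {"github:org-member", "aws:dev-readonly"},
    "finance":    {"netsuite:ap-clerk"},
    "deploy-bot": {"github:deploy-key", "aws:prod-deploy"},   # a service-account role
}
# Birthright entitlements every active human receives on day one (constructed).
BIRTHRIGHT: Set[str] = {"okta:sso", "slack:member"}


@dataclass
class Identity:
    uid: str
    kind: str                      # "human" or "service"
    role: Optional[str]
    status: str                    # "active" or "terminated"
    owner: Optional[str] = None    # mandatory for service accounts
    grants: Set[str] = field(default_factory=set)


def desired_state(ident: Identity) -> Set[str]:
    """Entitlements the identity should hold right now, derived from authoritative state only."""
    if ident.status != "active":
        return set()                                   # leavers and retired NHIs keep nothing
    role_grants = ROLE_ENTITLEMENTS.get(ident.role or "", set())
    if ident.kind == "human":
        return BIRTHRIGHT | role_grants
    return set(role_grants)                            # NHIs get no birthright access


def reconcile(ident: Identity):
    """Minimal grant/revoke lists that move current grants to the desired state."""
    want = desired_state(ident)
    return sorted(want - ident.grants), sorted(ident.grants - want)


def apply_event(directory: Dict[str, Identity], event: dict) -> dict:
    """Apply one authoritative event and return the provisioning actions it caused."""
    uid, kind = event["uid"], event["type"]
    if kind == "joiner":
        directory[uid] = Identity(uid, event.get("kind", "human"), event["role"],
                                  "active", event.get("owner"))
        if directory[uid].kind == "service" and not directory[uid].owner:
            raise ValueError(f"service account {uid} created without an owner")
    elif kind == "mover":
        directory[uid].role = event["role"]            # old role's access is revoked below
    elif kind in ("leaver", "retired"):                # human exit or service retirement
        directory[uid].status = "terminated"
    else:
        raise ValueError(f"unknown event type {kind}")
    ident = directory[uid]
    grant, revoke = reconcile(ident)
    ident.grants |= set(grant)                         # stand-in for the provisioning connector
    ident.grants -= set(revoke)
    return {"uid": uid, "event": kind, "grant": grant, "revoke": revoke}


def days_until_next_review(event_day: date, last_review: date, cycle_days: int = 90) -> int:
    """How long stale access would survive if only a periodic review caught it."""
    nxt = last_review
    while nxt <= event_day:
        nxt += timedelta(days=cycle_days)
    return (nxt - event_day).days


def example_drift_window() -> int:
    """A transfer on 15 Feb against a quarterly review cycle that started on 1 Jan."""
    return days_until_next_review(date(2026, 2, 15), date(2026, 1, 1))


def run_demo() -> List[dict]:
    """Constructed event stream: a hire, a bot deployment, a transfer, an exit, a bot retirement."""
    directory: Dict[str, Identity] = {}
    events = [
        {"type": "joiner",  "uid": "alice", "role": "engineer"},
        {"type": "joiner",  "uid": "svc-deployer", "kind": "service",
         "role": "deploy-bot", "owner": "platform-team"},
        {"type": "mover",   "uid": "alice", "role": "finance"},
        {"type": "leaver",  "uid": "alice"},
        {"type": "retired", "uid": "svc-deployer"},
    ]
    return [apply_event(directory, e) for e in events]


if __name__ == "__main__":
    for action in run_demo():
        print(action)
    print("days stale access survives under review-only:", example_drift_window())
```

The point to notice is the mover step: the transfer revokes the engineering entitlements in the same action that grants the finance ones, so the 45-day window the review-only model would leave never opens.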
Why granular entitlements matter more than application-level access
Application-level access tells you whether an identity can enter a system, but entitlement-level access tells you what it can do inside that system. Real least privilege depends on understanding roles, permission sets, channel memberships, repository rights, and other internal controls that vary by application. Without that layer, organisations may appear governed while still allowing broad actions inside critical tools. This is where role design, resource ownership, and policy mapping become operational rather than theoretical.
Practical implication: map high-value applications down to entitlement level and define who owns each permission model before expanding automation.
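To show why the application-level view hides the real exposure, here is an added example (not code from the page or from Zluri) that audits one identity at entitlement level against its role model, flags out-of-role and privileged grants, and routes each finding to the business owner of that permission model. The catalogue, the role model, the owners and the sample grants are all constructed; the identity's application list matches its role exactly, which is what an app-assignment report would show.

```python
"""Entitlement-level least-privilege audit (added illustration).

Not from the original page. Contrasts the application-level report with
the entitlement-level findings, and routes each finding to the owner who
must decide on it. Catalogue, roles, owners and grants are constructed.
"""
from typing import Dict, List, Optional, Set

# Catalogue: app -> entitlement -> business owner (None = nobody owns it yet). Constructed.
CATALOGUE: Dict[str, Dict[str, Optional[str]]] = {
    "github": {"org-member": "eng-platform", "org-owner": "eng-platform",
               "repo:payments:admin": "payments-team"},
    "aws":    {"dev-readonly": "cloud-team", "prod-admin": "cloud-team"},
    "slack":  {"member": "it-ops", "channel:#incident-bridge": None},
}
# Role model at entitlement level (constructed).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "engineer": {"github:org-member", "aws:dev-readonly", "slack:member"},
}
# Entitlements treated as privileged whatever the role (constructed).
PRIVILEGED: Set[str] = {"github:org-owner", "github:repo:payments:admin", "aws:prod-admin"}

# Sample identity whose app list matches the role but whose entitlements do not (constructed).
ALICE_GRANTS: Set[str] = {"github:org-member", "github:org-owner", "aws:dev-readonly",
                          "slack:member", "slack:channel:#incident-bridge"}


def split(grant: str):
    """'app:entitlement' -> (app, entitlement); the entitlement part may itself contain ':'."""
    app, _, ent = grant.partition(":")
    return app, ent


def catalogued(grant: str) -> bool:
    app, ent = split(grant)
    return ent in CATALOGUE.get(app, {})


def owner_of(grant: str) -> Optional[str]:
    app, ent = split(grant)
    return CATALOGUE.get(app, {}).get(ent)


def application_level_view(grants: Set[str]) -> List[str]:
    """What an app-assignment report shows: only which systems the identity can enter."""
    return sorted({split(g)[0] for g in grants})


def audit(role: str, grants: Set[str]) -> dict:
    """Entitlement-level findings for one identity against its role model."""
    expected = ROLE_ENTITLEMENTS[role]
    excess = grants - expected
    return {
        "apps_match_role": application_level_view(grants) == application_level_view(expected),
        "out_of_role": sorted(excess),
        "privileged_out_of_role": sorted(excess & PRIVILEGED),
        "missing": sorted(expected - grants),
        "unknown": sorted(g for g in grants if not catalogued(g)),      # not in any catalogue
        "unowned": sorted(g for g in grants if catalogued(g) and owner_of(g) is None),
    }


def review_queue(role: str, grants: Set[str]) -> Dict[str, List[str]]:
    """Route each out-of-role grant to the owner who must keep or revoke it."""
    queue: Dict[str, List[str]] = {}
    for g in sorted(grants - ROLE_ENTITLEMENTS[role]):
        queue.setdefault(owner_of(g) or "UNASSIGNED", []).append(g)
    return queue


if __name__ == "__main__":
    print(application_level_view(ALICE_GRANTS))   # identical to the role's app list
    print(audit("engineer", ALICE_GRANTS))        # org-owner and an unowned channel surface here
    print(review_queue("engineer", ALICE_GRANTS))
```

The `UNASSIGNED` bucket is the operational signal: an entitlement with no owner cannot be reviewed or requested through policy, so ownership has to be fixed before automation is extended to that system.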
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
IGA fails when teams mistake periodic cleanup for governance. Access reviews are useful, but they are not a control model by themselves. They identify excess access after it exists, which means they cannot prevent drift between cycles or address systems that never enter the review scope. Practitioners should treat review outcomes as evidence for redesign, not as proof that access is inherently under control.
Lifecycle automation is the hinge between policy and operating reality. The article is right that joiner-mover-leaver processes are where governance either holds or collapses. When HR events do not trigger access changes in near real time, organisations create a standing gap between business change and identity state, which is exactly where orphaned access, role overlap, and audit noise accumulate. The implication is that lifecycle discipline has to be engineered into the identity stack, not documented as a manual procedure.
Granular entitlement control is where least privilege becomes measurable. Application access alone is too blunt to prove governance because it hides the real permissions inside SaaS, cloud, and collaboration platforms. Once entitlement models are mapped, teams can see whether access is role-aligned or whether they are simply preserving historical privilege. That is the point where IGA moves from registration of access to control of action.
The named concept here is sequencing debt: governance programmes fail when they attempt advanced controls before the access model, ownership model, and lifecycle model are stable. The article describes the opposite mistake by implication, where teams overbuild self-service or fine-grained policy before they can reliably answer who owns access and how it changes. Sequencing debt is what makes an IGA programme look busy while leaving core governance unresolved. Practitioners should read this as a warning about implementation order, not feature breadth.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 92% of organisations expose NHIs to third parties, which means lifecycle and ownership decisions often extend beyond internal IAM boundaries.
- That is why the NHI Lifecycle Management Guide is the right next resource when governance has to move from review cycles to continuous control.
What this signals
Sequencing debt: programmes that layer self-service and fine-grained controls before ownership and lifecycle hygiene usually create more governance noise, not less. The reader should expect implementation success to depend less on tooling breadth and more on whether identity data, approval paths, and entitlement ownership are actually reliable.
With 67% of organisations still relying heavily on static credentials despite the risks they pose to agentic AI deployments, per the 2026 Infrastructure Identity Survey, the same lifecycle discipline described here will need to extend beyond human users into machine and agent identities.
For teams that want the operational baseline, the Top 10 NHI Issues resource provides the control gaps that typically surface once IGA expands into service accounts, APIs, and other non-human access paths.
For practitioners
- Start with a controlled access review pilot: Begin with high-value applications where ownership is clear, then document who approved each revoke, retain, or exception decision. Use the exercise to expose orphaned access, unclear owners, and policy gaps before expanding review scope.
- Automate joiner-mover-leaver triggers: Connect HR or another authoritative identity source to provisioning workflows so hires, transfers, and exits update access without manual ticket handoffs. Prioritise immediate deprovisioning for leavers and role-based adjustments for movers.
- Map entitlements below the application layer: Break critical systems into their actual permission structures, such as roles, groups, channels, repositories, or permission sets. Assign each model to a clear business owner and use that ownership in review and request workflows.
- Add risk controls after governance basics hold: Once access review, lifecycle, and entitlement ownership are working, apply stronger controls to sensitive systems, including time-bound access, anomaly monitoring, and approval workflows for privileged tasks.
- Use self-service to speed governed requests: Build request flows only after the access catalogue and approval logic are stable, so users can ask for what they need without bypassing policy. Track denial reasons and approval bottlenecks to refine the model.
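The three tests the self-service step (and the earlier question on whether self-service is working) asks for can be run as code. The following is an added example, not code from the page or from Zluri: requests are routed to the approvers delegated by the entitlement owner, each approval is checked against policy (no self-approval, only delegated approvers, two distinct approvers for privileged entitlements), and any grant that is explained neither by the identity's role nor by a validly approved request is reported as a bypass path. Owners, approver delegations, the privileged set, the role model and the request log are all constructed.

```python
"""Self-service request governance checks (added illustration).

Not from the original page. Routes requests to owner-delegated approvers,
validates approvals against policy, and detects grants that bypassed the
workflow. Every identifier and the request log are constructed.
"""
from typing import Dict, List, Set, Tuple

# Entitlement -> business owner (constructed). Unlisted entitlements cannot be requested.
OWNERS: Dict[str, str] = {
    "aws:prod-admin": "cloud-team",
    "github:repo:payments:admin": "payments-team",
    "github:org-member": "eng-platform",
    "slack:member": "it-ops",
}
# Owner -> people delegated to approve on the owner's behalf (constructed).
APPROVERS: Dict[str, Set[str]] = {
    "cloud-team": {"bob", "carol"}, "payments-team": {"dana"},
    "eng-platform": {"erin"}, "it-ops": {"frank"},
}
PRIVILEGED: Set[str] = {"aws:prod-admin", "github:repo:payments:admin"}   # need two approvers
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {"engineer": {"github:org-member", "slack:member"}}

# Constructed request log; each entry is what the self-service tool would record.
SAMPLE_REQUESTS: List[dict] = [
    {"id": "R1", "requester": "alice", "entitlement": "aws:prod-admin", "approvals": ["bob", "carol"]},
    {"id": "R2", "requester": "alice", "entitlement": "github:repo:payments:admin", "approvals": ["alice"]},
    {"id": "R3", "requester": "gus", "entitlement": "aws:prod-admin", "approvals": ["bob"]},
    {"id": "R4", "requester": "gus", "entitlement": "github:repo:payments:admin", "approvals": ["erin"]},
    {"id": "R5", "requester": "alice", "entitlement": "github:org-owner", "approvals": ["erin"]},
]
# What the identity platform currently shows for alice (constructed).
ALICE_GRANTS: Set[str] = {"github:org-member", "slack:member", "aws:prod-admin",
                          "github:repo:payments:admin", "github:org-owner"}


def route(entitlement: str) -> Set[str]:
    """Approvers a request for this entitlement must go to."""
    owner = OWNERS.get(entitlement)
    if owner is None:
        raise LookupError(f"{entitlement} has no owner; cannot be requested")
    return APPROVERS[owner]


def validate(request: dict) -> Tuple[bool, str]:
    """Policy check on a recorded request: (approved?, reason)."""
    ent = request["entitlement"]
    try:
        allowed = route(ent)
    except LookupError as exc:
        return False, str(exc)
    approvals = set(request["approvals"])
    if request["requester"] in approvals:
        return False, "self-approval"
    wrong = approvals - allowed
    if wrong:
        return False, f"approver not delegated by owner: {sorted(wrong)}"
    needed = 2 if ent in PRIVILEGED else 1
    if len(approvals) < needed:
        return False, f"needs {needed} approvals, has {len(approvals)}"
    return True, "approved"


def find_bypass(uid: str, role: str, current_grants: Set[str], requests: List[dict]) -> List[str]:
    """Grants justified neither by the role model nor by a validly approved request."""
    approved = {r["entitlement"] for r in requests if r["requester"] == uid and validate(r)[0]}
    justified = ROLE_ENTITLEMENTS.get(role, set()) | approved
    return sorted(current_grants - justified)


def summarise(requests: List[dict]) -> Dict[str, int]:
    """Approved vs rejected counts; a high rejection rate points at friction or misrouting."""
    ok = sum(1 for r in requests if validate(r)[0])
    return {"approved": ok, "rejected": len(requests) - ok}


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r["id"], validate(r))
    print("bypass grants for alice:", find_bypass("alice", "engineer", ALICE_GRANTS, SAMPLE_REQUESTS))
    print(summarise(SAMPLE_REQUESTS))
```

Two of alice's grants come back as bypass paths: one was approved by the requester herself and one was never requested at all, which is exactly the "shadow request" condition the text describes. R5 fails for a different reason: the entitlement has no owner, so the workflow cannot route it, and that is an ownership gap to fix before the catalogue grows.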
Key takeaways
- IGA programmes fail most often because teams sequence controls badly, not because the controls themselves are unknown.
- Visibility, lifecycle automation, and entitlement ownership form the practical foundation for governable access at scale.
- Self-service and advanced security controls only work well after the access model is already stable and auditable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 (2025) | NHI1:2025 Improper Offboarding; NHI5:2025 Overprivileged NHI | Lifecycle drift (accounts that outlive their purpose) and overprivilege are the two failures the phased IGA approach is built to close. |
| NIST CSF 2.0 | PR.AA-01; PR.AA-05 | Identities and credentials for authorised users and services are managed; access permissions and entitlements are defined, managed, enforced and reviewed under least privilege and separation of duties. |
| NIST SP 800-207 (Zero Trust Architecture) | Section 2.1 tenets: per-session, dynamically evaluated authorisation | Risk-based access and continuous verification align with the layered identity-security phase. |
Tie NHI provisioning and deprovisioning to lifecycle events, then verify access changes are happening automatically.
Key terms
- Access Review: A structured check of who has access to what and whether that access is still justified. In mature programmes it is an evidence-gathering control, not the control itself, because it captures current state but does not prevent drift between review cycles.
- Joiner-Mover-Leaver Process: The identity lifecycle process that updates access when a person or account enters, changes role, or exits. For non-human identities, the same idea applies to service accounts and automated workloads, where lifecycle events must drive provisioning, change, and revocation without manual delay.
- Entitlement: A specific permission inside an application or platform, such as a role, group membership, repository right, or channel access. Entitlements are where least privilege becomes operational, because they define what an identity can actually do after it gets into a system.
Deepen your knowledge
IGA sequencing, lifecycle automation, and entitlement ownership are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your identity programme is now extending beyond human access into service accounts and agentic systems, it is worth exploring.
This post draws on content published by Zluri: How to Implement IGA in Your Organization: A Phase-by-Phase Strategy. Read the original.
Published by the NHIMG editorial team on 2026-05-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org