TL;DR: Identity Governance and Administration is being pushed to replace fragmented, manual access processes with lifecycle automation, policy-based access, attestation, delegation, and time-bound controls, according to Netwrix. The underlying problem is not just operational inefficiency but an identity programme that cannot reliably explain who has access, why it exists, or who approved it.
At a glance
What this is: This on-demand webinar argues that modern IGA is now the control layer for fragmented identity environments, showing how lifecycle automation, attestation, delegation, and time-bound access are meant to replace manual access handling.
Why it matters: It matters because IAM teams cannot govern access cleanly across human and non-human identities when entitlement sprawl, orphaned accounts, and standing privilege outpace review cycles.
👉 Watch Netwrix's on-demand webinar on modern identity governance
Context
Identity governance breaks down when access decisions are scattered across tickets, spreadsheets, approval chains, and disconnected systems. In that model, teams lose the ability to answer three basic questions consistently: who has access, why it exists, and who approved it.
The governance problem is broader than human joiner-mover-leaver flow. As identities span on-premises systems, cloud, SaaS, and non-human accounts, IGA has to enforce lifecycle control across different actor types without assuming that any one access process can cover the full estate.
Key questions
Q: How should teams replace manual access requests with governed IGA workflows?
A: Start by centralising request, approval, provisioning, and removal into one governed process so every entitlement has a clear owner and audit trail. Use policy to decide who can approve which access, then automate the lifecycle steps so human review is reserved for exceptions and high-risk access rather than every routine request.
Q: When should organisations prioritise access reviews over new access automation?
A: Prioritise access reviews when the main risk is accumulated privilege, orphaned access, or unclear ownership. If teams cannot reliably show who currently holds access and why, certification campaigns will often reduce risk faster than adding more provisioning logic. Automation matters, but stale permissions must be cleaned up first.
Q: What breaks when access decisions stay trapped in tickets and spreadsheets?
A: Governance becomes inconsistent because approvals are hard to verify, removals are easy to miss, and audit evidence is scattered. Over time, entitlement creep grows faster than review cycles, and access becomes a record of old decisions rather than current business need. That is a control failure, not just an operational inconvenience.
Q: What is the difference between delegated access and time-bound access?
A: Delegated access assigns decision-making to a business owner or approver, while time-bound access limits how long the permission can exist. Delegation answers who can authorise access, but expiry answers when that access must be revalidated. Mature governance needs both, otherwise delegated approvals can turn into standing privilege.
Background and context
Why ticket-based access management fails at scale
Ticket-based access management works only when access requests are isolated, slow-moving, and easy to audit after the fact. In practice, fragmented systems create too much context switching, too many manual approvals, and too little consistency in how access is granted or removed. That leads to entitlement creep, orphaned accounts, and permissions that outlive the business reason for which they were created. IGA tries to replace that brittle workflow with policy-driven governance so access is tied to role, lifecycle state, and approval record instead of a one-off request history.
Practical implication: replace request-by-request access handling with governed policies that can be enforced and reviewed centrally.
How lifecycle automation and attestation work together
Lifecycle automation handles the provisioning and deprovisioning side of identity governance, while attestation checks whether existing access still makes sense. Together, they create a control loop: access is granted based on role or business need, then periodically reviewed, and then removed when it is no longer justified. The value is not speed alone. It is the ability to make access decisions repeatable, auditable, and less dependent on individual memory or manual follow-through.
Practical implication: automate joiner-mover-leaver workflows and pair them with scheduled access certification campaigns.
Why time-bound access is a governance control, not a convenience feature
Time-bound access changes the default assumption that privileges are permanent until someone remembers to remove them. By setting access to expire after a defined window, organisations reduce standing privilege and force revalidation when the task, project, or role changes. This matters especially where approvals are delegated to business owners, because delegation without expiry can quietly turn into long-lived entitlement inheritance. In IGA terms, time-based access controls are a governance mechanism that reduces drift between authorised access and actual need.
Practical implication: use expiry-based access for elevated or sensitive permissions so access cannot become permanent by default.
NHI Mgmt Group analysis
Identity governance is no longer an administrative layer; it is the control plane for access legitimacy. When organisations cannot explain who has access, why it exists, or who approved it, they do not have governance; they have recordkeeping. The article reflects a familiar pattern across human and non-human identities: manual processes scale badly once the environment spans cloud, SaaS, and on-premises systems. Practitioners should treat IGA as the mechanism that restores answerability, not as a reporting add-on.
Entitlement creep is the named failure mode hiding inside manual access workflows. The problem is not simply excess permissions in the abstract. It is the slow accumulation of access that no longer matches role, ownership, or business need, often because removal never keeps pace with change. That is exactly where lifecycle automation and attestation belong in the governance stack. The practitioner conclusion is straightforward: if access can drift indefinitely, the programme has already lost control.
Time-bound privilege is the governance answer to permanent-by-default access models. Standing access survives because many governance processes assume approval once means approval forever. That assumption fails in environments where access is delegated, reused, and forgotten across business boundaries. The implication is that identity governance must be built around expiry, revalidation, and lifecycle change rather than static entitlements.
Non-human accounts bring the same governance problem into a more fragile operating model. As environments mix people and machine identities, manual approval workflows become harder to trust because they cannot reliably distinguish temporary operational need from durable privilege. This is where IGA, NHI governance, and access review discipline converge. Practitioners should stop treating non-human access as a separate exception path and govern it through the same accountability model.
Policy-based access becomes the only scalable alternative once identity sprawl crosses system boundaries. The article points toward a world where access decisions must be governed by policy, lifecycle state, and review rather than ad hoc human intervention. That aligns with NIST Cybersecurity Framework 2.0 and the broader access control discipline. The practitioner takeaway is to design for repeatability first, because consistency is the only way auditability survives growth.
From our research:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to the 2026 Infrastructure Identity Survey.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
- For the broader control-model context, read Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs to map lifecycle governance from policy to deprovisioning.
What this signals
Identity governance programmes are moving from request handling to entitlement control. The practical shift is that teams can no longer rely on approvals alone to prove legitimacy. As access spans cloud, SaaS, and non-human accounts, the operating model has to prove removal as rigorously as grant. That is where lifecycle automation and certification become programme-level controls rather than workflow conveniences.
The named concept here is entitlement creep: access accumulates faster than business change, until permission sets no longer reflect current need. For practitioners, the signal is that review cadence, delegation rules, and expiry logic now matter more than the original approval path. If those three controls are weak, the programme will drift even if the ticketing process looks orderly.
If your IAM estate already mixes users, service accounts, and delegated approvals, the next maturity step is to align governance evidence with lifecycle events, not static role inventories. The NIST Cybersecurity Framework 2.0 is useful here because it emphasises govern and protect functions together, but the operational test is simpler: can you remove access as confidently as you grant it?
For practitioners
- Define the access questions your programme must answer: Make every access path answer who approved it, why it exists, when it expires, and which lifecycle event will remove it. If a system cannot answer those four questions, treat it as outside governed IGA scope.
- Automate joiner, mover, and leaver workflows: Map JML events to provisioning and deprovisioning logic so role changes remove old rights as reliably as they add new ones. This reduces orphaned accounts and shortens the period during which stale access can persist. Review the lifecycle rules first for high-risk applications and shared accounts.
- Use certification campaigns to remove outdated access: Run access reviews on a fixed schedule for sensitive applications, privileged roles, and delegated entitlements. Require reviewers to make a removal decision, not just confirm ownership, and track unresolved items to closure.
- Apply expiry to elevated and delegated access: Set time-based controls for privileges that are tied to a project, incident, or temporary business need. This prevents access from becoming permanent by default and forces revalidation when the work changes.
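The control loop described under "How lifecycle automation and attestation work together" and the four practitioner steps above can be shown end to end in a small model. The following is an added example written for this post; it is not Netwrix's product logic or NHIMG's code. Every grant carries the four answers the guidance demands (approver, justification, expiry, and the lifecycle event that removes it), mover and leaver events revoke rights rather than only adding them, a certification campaign forces a keep-or-remove decision and reports undecided items, and two reports surface entitlement creep (grants outside the identity's current role policy) and standing privilege (grants with no expiry). The roles, identities, entitlements, dates and the "INC-0001" reference are all constructed sample data.

```python
"""Added example: a minimal entitlement governance loop (constructed data, not vendor code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Grant:
    identity: str
    entitlement: str
    approver: str            # who approved it
    justification: str       # why it exists
    granted_on: date
    expires_on: Optional[date]   # None means standing access: flagged as a governance smell
    certified_on: Optional[date] = None


@dataclass
class Governance:
    role_entitlements: Dict[str, Set[str]]   # role -> entitlements the policy allows
    identity_role: Dict[str, str]            # identity -> current role (the JML state)
    grants: List[Grant] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)

    def grant(self, identity, entitlement, approver, justification, today, ttl_days=None):
        # No anonymous access: every grant needs an approver and a reason on record.
        if not approver or not justification:
            raise ValueError("grant requires an approver and a justification")
        expires = today + timedelta(days=ttl_days) if ttl_days else None
        self.grants.append(Grant(identity, entitlement, approver, justification, today, expires))
        self.audit_log.append(f"{today} GRANT {identity} {entitlement} by {approver}: {justification}")

    def _revoke(self, g: Grant, reason: str, today: date):
        self.grants.remove(g)
        self.audit_log.append(f"{today} REVOKE {g.identity} {g.entitlement}: {reason}")

    def mover(self, identity, new_role, today):
        # Mover event: anything outside the new role's policy is removed, not just carried over.
        old = self.identity_role.get(identity)
        self.identity_role[identity] = new_role
        allowed = self.role_entitlements.get(new_role, set())
        for g in list(self.grants):
            if g.identity == identity and g.entitlement not in allowed:
                self._revoke(g, f"mover {old}->{new_role}", today)

    def leaver(self, identity, today):
        # Leaver event: remove every grant, otherwise the access becomes orphaned.
        self.identity_role.pop(identity, None)
        for g in list(self.grants):
            if g.identity == identity:
                self._revoke(g, "leaver", today)

    def enforce_expiry(self, today) -> int:
        # Time-bound access: expiry is enforced, not left to someone's memory.
        expired = [g for g in self.grants if g.expires_on and g.expires_on <= today]
        for g in expired:
            self._revoke(g, f"expired {g.expires_on}", today)
        return len(expired)

    def certify(self, decisions: Dict[Tuple[str, str], str], today) -> List[Tuple[str, str]]:
        # Certification campaign: each grant needs an explicit keep/remove decision;
        # anything undecided is returned as an open item to track to closure.
        open_items = []
        for g in list(self.grants):
            decision = decisions.get((g.identity, g.entitlement))
            if decision == "keep":
                g.certified_on = today
            elif decision == "remove":
                self._revoke(g, "certification", today)
            else:
                open_items.append((g.identity, g.entitlement))
        return open_items

    def entitlement_creep(self) -> List[Tuple[str, str]]:
        # Grants that no longer match the identity's current role policy.
        return [(g.identity, g.entitlement) for g in self.grants
                if g.entitlement not in self.role_entitlements.get(self.identity_role.get(g.identity), set())]

    def standing_privilege(self) -> List[Tuple[str, str]]:
        return [(g.identity, g.entitlement) for g in self.grants if g.expires_on is None]


def run_scenario():
    """Walk one constructed estate through grant, expiry, mover, leaver and certification."""
    day0 = date(2026, 1, 1)
    gov = Governance(
        role_entitlements={"engineer": {"repo-read", "ci-deploy"}, "finance": {"ledger-read"}},
        identity_role={"alice": "engineer", "bob": "finance", "svc-build": "engineer"},
    )
    gov.grant("alice", "repo-read", "eng-lead", "role: engineer", day0, ttl_days=365)
    gov.grant("alice", "prod-admin", "ops-manager", "incident INC-0001 (constructed)", day0, ttl_days=14)
    gov.grant("bob", "ledger-read", "finance-lead", "role: finance", day0, ttl_days=365)
    gov.grant("svc-build", "ci-deploy", "eng-lead", "pipeline service account", day0)      # no expiry
    gov.grant("svc-build", "legacy-share", "migration-team", "migrated from spreadsheet", day0)  # no expiry, off-policy

    expired = gov.enforce_expiry(day0 + timedelta(days=14))        # prod-admin lapses
    gov.mover("bob", "engineer", day0 + timedelta(days=30))        # ledger-read removed
    gov.leaver("alice", day0 + timedelta(days=60))                 # repo-read removed
    open_items = gov.certify({("svc-build", "ci-deploy"): "keep"}, day0 + timedelta(days=90))
    return {
        "expired": expired,
        "open_items": open_items,
        "creep": gov.entitlement_creep(),
        "standing": gov.standing_privilege(),
        "remaining": sorted((g.identity, g.entitlement) for g in gov.grants),
        "audit_log": gov.audit_log,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

In the constructed run the incident grant is removed by expiry, the mover and leaver events strip the two human grants, and what survives is exactly the non-human access the guidance warns about: a standing service-account entitlement that a reviewer kept, and an off-policy share that nobody decided on, which shows up in the open items, the creep report and the standing-privilege report at once. That triple hit is the signal to assign an owner and an expiry rather than let the next campaign re-confirm it.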
Key takeaways
- Modern IGA is about proving access legitimacy across fragmented environments, not just processing requests.
- Manual workflows create entitlement creep, orphaned access, and audit gaps that scale with the estate.
- The strongest control pattern is lifecycle automation plus attestation plus expiry, because access must be governed as a changing state.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access permissions need regular review and removal in this IGA workflow discussion. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Time-bound access and lifecycle control address standing privilege and entitlement drift. |
| NIST Zero Trust (SP 800-207) | | Continuous verification supports governed access decisions across fragmented identity estates. |
Use zero-trust principles to limit standing access and require revalidation for sensitive entitlements.
Key terms
- Identity Governance and Administration: Identity Governance and Administration is the set of processes and controls used to manage who gets access, why they get it, and when it should be removed. It combines provisioning, reviews, approvals, and audit evidence so access stays aligned with business need across human and non-human identities.
- Entitlement Creep: Entitlement creep is the gradual accumulation of permissions that no longer match a user, service account, or workload's current role or business purpose. It usually happens when grants are easy, removals are delayed, and reviews do not keep pace with change.
- Time-bound Access: Time-bound access is permission that expires automatically after a defined period unless it is explicitly revalidated. It is used to reduce standing privilege, especially for elevated or temporary access, by making expiry part of the governance model rather than an afterthought.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Netwrix: IGA in Action, a practitioner’s guide to modern identity governance. Read the original.
Published by the NHIMG editorial team on 2026-06-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org