TL;DR: Choosing an IGA platform in 2026 increasingly comes down to lifecycle automation, access review quality, JIT access, and NHI governance, according to ConductorOne’s guide. The real test is whether the programme can handle hybrid identity sprawl without turning governance into manual review theatre.
At a glance
What this is: This is a 2026 guide to writing and evaluating an IGA RFP, with the main finding that modern selection should centre on lifecycle automation, access reviews, JIT access, and NHI governance.
Why it matters: It matters because IAM teams now have to govern human, non-human, and AI-assisted access together, and weak IGA selection quickly becomes a lifecycle, compliance, and privilege problem.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
👉 Read ConductorOne's guide to choosing the right IGA platform in 2026
Context
An IGA RFP is the point where identity strategy becomes procurement language, and that translation often exposes gaps in ownership, lifecycle scope, and governance maturity. The article is really about how to choose an identity governance platform that can support access reviews, provisioning, JIT access, and non-human identity governance across a hybrid estate.
The problem is not feature count. It is that many programmes still evaluate IGA as a human-access workflow tool, even though service accounts, API keys, and AI-assisted access decisions now sit inside the same governance boundary. For teams trying to modernise, the real question is whether the platform can govern identities across their full lifecycle without creating more manual work than it removes.
Key questions
Q: How should security teams evaluate an IGA platform for hybrid environments?
A: They should test whether the platform can reconcile identities, entitlements, approvals, and lifecycle events across cloud, SaaS, and on-prem systems. The key is not whether it connects to many systems, but whether the resulting access view is accurate enough to support review, revocation, and audit without manual stitching.
Q: Why do modern IGA programmes need non-human identity governance?
A: Because service accounts, API keys, and certificates carry real access and real risk, but they rarely fit human-centric governance assumptions. If an IGA programme cannot inventory and review those identities, it leaves a large part of the attack surface outside lifecycle control and compliance evidence.
Q: What breaks when access certification is used as the main governance control?
A: Certification breaks down when the underlying entitlement data is stale, incomplete, or too noisy to support a meaningful decision. In that case, the organisation is not certifying access in a reliable way, it is documenting uncertainty and hoping the review process compensates for weak identity hygiene.
Q: How do teams know if just-in-time access is actually reducing privilege risk?
A: They should verify that temporary access has strict expiry, clear approval traceability, and dependable revocation after task completion. If users can extend access easily or reuse temporary entitlements across multiple tasks, the programme is preserving standing privilege under a different label.
Technical breakdown
Identity lifecycle management in modern IGA
Identity lifecycle management covers onboarding, role changes, access adjustments, and offboarding across all identity types. In IGA, that means provisioning and revocation must be tied to source-of-truth events, not manual tickets, so access reflects current business need. When lifecycle logic is weak, entitlements persist after role changes and departures, which creates audit gaps and privilege creep. For NHIs, the same pattern shows up as orphaned service accounts, unused API keys, and stale certificates that never leave the environment.
Practical implication: Map each identity class to an authoritative lifecycle trigger and verify that revocation is event-driven, not calendar-driven.
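To make the event-driven requirement concrete, here is an added example (not code from ConductorOne's guide or from NHIMG) of a lifecycle reconciler: it replays mover and leaver events from a source of truth against an entitlement inventory that holds both human accounts and non-human identities, and emits a revocation plan instead of waiting for a review calendar. The data model, the role baseline, and every system, identity and event in the sample are hypothetical.

```python
# Added example (not code from ConductorOne's guide or NHIMG): an event-driven
# lifecycle reconciler. Mover / leaver events from a source of truth are replayed
# against an entitlement inventory that holds human accounts and non-human
# identities, producing a revocation plan. Data model, role baseline, systems
# and identities are hypothetical.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    subject: str      # account id or NHI id
    kind: str         # "human", "service_account", "api_key" or "certificate"
    grant: str        # "<system>:<permission>", e.g. "github:repo-admin"
    owner: str        # accountable human; for humans this is the subject itself


@dataclass(frozen=True)
class LifecycleEvent:
    kind: str                           # "mover" or "leaver"
    user: str
    new_job_role: Optional[str] = None  # only meaningful for movers


@dataclass
class RevocationPlan:
    revoke: list = field(default_factory=list)            # remove now
    orphaned: list = field(default_factory=list)          # NHI whose owner left: retire or reassign
    review_ownership: list = field(default_factory=list)  # NHI whose owner changed role


def build_plan(events, inventory, role_baseline):
    """Derive access removals from lifecycle events rather than from a review calendar.

    role_baseline maps a job role to the grants that role justifies; a mover loses
    every human grant outside the baseline for the new role. A leaver loses every
    human grant, and each NHI the leaver owned is flagged as orphaned rather than
    deleted on the spot, because a running workload may still depend on it.
    """
    plan = RevocationPlan()
    for ev in events:
        if ev.kind not in ("mover", "leaver"):
            raise ValueError(f"unknown lifecycle event kind: {ev.kind}")
        for ent in inventory:
            is_self = ent.kind == "human" and ent.subject == ev.user
            owns_nhi = ent.kind != "human" and ent.owner == ev.user
            if ev.kind == "leaver":
                if is_self:
                    plan.revoke.append(ent)
                elif owns_nhi:
                    plan.orphaned.append(ent)
            else:  # mover
                allowed = role_baseline.get(ev.new_job_role, set())
                if is_self and ent.grant not in allowed:
                    plan.revoke.append(ent)
                elif owns_nhi:
                    plan.review_ownership.append(ent)
    return plan


# Constructed sample data (hypothetical roles, systems and identities).
ROLE_BASELINE = {
    "engineer": {"github:repo-admin", "aws:deploy"},
    "finance": {"erp:approve"},
}
INVENTORY = [
    Entitlement("alice", "human", "github:repo-admin", "alice"),
    Entitlement("alice", "human", "erp:approve", "alice"),          # grant from an earlier role
    Entitlement("bob", "human", "erp:approve", "bob"),
    Entitlement("svc-billing", "service_account", "erp:approve", "bob"),
    Entitlement("ci-deploy-key", "api_key", "aws:deploy", "alice"),
]
EVENTS = [
    LifecycleEvent("mover", "alice", new_job_role="finance"),
    LifecycleEvent("leaver", "bob"),
]

if __name__ == "__main__":
    plan = build_plan(EVENTS, INVENTORY, ROLE_BASELINE)
    for label, items in (("revoke", plan.revoke), ("orphaned", plan.orphaned),
                         ("review_ownership", plan.review_ownership)):
        print(label, [(e.subject, e.grant) for e in items])
```

The deliberate asymmetry is that a leaver's own grants are revoked outright, while NHIs the leaver owned are surfaced as orphaned for reassignment or retirement, since retiring a service account on the same trigger can take down a workload; what an RFP evaluation should check is that every one of these outcomes shows up in reporting without anyone reconciling a spreadsheet afterwards.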
Access certification and the limits of review-only governance
Access certification is the periodic validation of who or what still needs access, but reviews only work when the underlying entitlement data is accurate. In modern estates, certification fails when reviewers see stale ownership, unclear business context, or thousands of low-signal entitlements. That is why certification should be treated as a control check, not a substitute for entitlement hygiene. If the identity graph is incomplete, the review process becomes a record of uncertainty rather than a reliable governance decision.
Practical implication: Reduce review scope by cleaning entitlement data first, then target certifications at privileged and high-risk access paths.
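As an added illustration of that ordering (not the guide's or NHIMG's code), the function below scopes a certification campaign: entitlements with no recorded owner, an owner who is no longer active, no business justification, or no recent use go to a hygiene queue that owners must fix before any reviewer sees them, and only the clean, privileged remainder is put in front of reviewers, riskiest first. The field names, the 90-day threshold and the sample entitlements are hypothetical.

```python
# Added example (not code from ConductorOne's guide or NHIMG): scope an access
# certification campaign so reviewers only see entitlements clean enough to
# decide on. Hygiene problems go back to owners first; the clean, privileged
# remainder forms the review queue. Field names, thresholds and sample data
# are hypothetical.
from dataclasses import dataclass
from datetime import date
from typing import Optional

UNUSED_DAYS = 90   # hypothetical policy threshold for "no recent use"


@dataclass(frozen=True)
class Entitlement:
    subject: str
    grant: str                  # "<system>:<permission>"
    owner: Optional[str]        # None when no accountable owner is recorded
    privileged: bool            # admin or write access to a sensitive system
    last_used: Optional[date]   # None when the target system reports no use at all
    justification: str          # "" when the request history carries no business context


def hygiene_reasons(ent, active_users, today):
    """Why a reviewer could not certify this entitlement reliably (empty if clean)."""
    reasons = []
    if ent.owner is None:
        reasons.append("no owner recorded")
    elif ent.owner not in active_users:
        reasons.append(f"owner {ent.owner} is not an active user")
    if ent.last_used is None or (today - ent.last_used).days > UNUSED_DAYS:
        reasons.append(f"unused for more than {UNUSED_DAYS} days")
    if not ent.justification:
        reasons.append("no business justification recorded")
    return reasons


def scope_campaign(entitlements, active_users, today):
    """Return (hygiene, review, deferred).

    hygiene:  (entitlement, reasons) pairs to fix or remove before any review
    review:   clean privileged grants, least recently used first
    deferred: clean non-privileged grants left for a lighter-touch cycle
    """
    hygiene, review, deferred = [], [], []
    for ent in entitlements:
        reasons = hygiene_reasons(ent, active_users, today)
        if reasons:
            hygiene.append((ent, reasons))
        elif ent.privileged:
            review.append(ent)
        else:
            deferred.append(ent)
    review.sort(key=lambda e: e.last_used)   # never None here: unused items went to hygiene
    return hygiene, review, deferred


def reviewer_load_reduction(entitlements, active_users, today):
    """Fraction of the raw entitlement list kept off reviewers' desks by cleaning first."""
    _, review, _ = scope_campaign(entitlements, active_users, today)
    return 1 - len(review) / len(entitlements)


# Constructed sample data (hypothetical users, systems and dates).
TODAY = date(2026, 2, 9)
ACTIVE_USERS = {"alice", "carol", "dave", "erin", "frank"}   # bob has left
SAMPLE = [
    Entitlement("alice", "aws:admin", "alice", True, date(2026, 2, 1), "on-call SRE"),
    Entitlement("svc-legacy", "db:write", "bob", True, date(2026, 1, 20), "nightly ETL"),
    Entitlement("dave", "crm:read", None, False, date(2026, 2, 5), "sales"),
    Entitlement("carol", "erp:approve", "carol", True, date(2025, 10, 1), "quarter close"),
    Entitlement("erin", "wiki:read", "carol", False, date(2026, 2, 8), "documentation"),
    Entitlement("carol", "aws:admin", "carol", True, date(2026, 1, 15), ""),
    Entitlement("frank", "aws:admin", "alice", True, date(2026, 1, 10), "migration project"),
]

if __name__ == "__main__":
    hygiene, review, deferred = scope_campaign(SAMPLE, ACTIVE_USERS, TODAY)
    for ent, reasons in hygiene:
        print("hygiene ", ent.subject, ent.grant, reasons)
    print("review  ", [(e.subject, e.grant) for e in review])
    print("deferred", [(e.subject, e.grant) for e in deferred])
    print("kept off reviewers' desks:", round(reviewer_load_reduction(SAMPLE, ACTIVE_USERS, TODAY), 2))
```

On the sample, four of seven entitlements never reach a reviewer: they are either removable on the evidence alone (the service account whose owner has left, the grant unused for a quarter) or blocked until an owner or justification is recorded. That is the distinction between review quality and review volume: the two items that remain are the ones a human can actually decide on.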
Just-in-time access and standing privilege reduction
Just-in-time access replaces persistent privilege with time-bound access granted for a specific task. The architectural value is not only shorter exposure windows, but also a tighter link between request, approval, and use. That matters in hybrid environments because standing privilege tends to expand quietly through convenience and exception handling. For IGA, JIT is most effective when paired with strong workflow policy, clear expiration, and audit trails that prove access was actually temporary.
Practical implication: Use JIT for sensitive systems and create explicit expiry rules so temporary access cannot become de facto standing privilege.
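The exception-drift failure modes described here (easy extension, reuse of a temporary grant across tasks, revocation that never happens) are easiest to see in a small ledger, so here is an added example that is not code from ConductorOne's guide or from NHIMG: a just-in-time grant ledger that enforces a hard maximum lifetime, records every approver, refuses self-approval and cross-task reuse, and exposes an audit query for grants that are past expiry but still open. The policy limits, the identities, the resource names and the timeline are all hypothetical.

```python
# Added example (not code from ConductorOne's guide or NHIMG): a minimal
# just-in-time grant ledger enforcing a hard expiry, an approval trail, and
# revocation that cannot be side-stepped by informal extension or by reusing
# one grant for a second task. Policy limits, names and timeline are hypothetical.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

HOUR = timedelta(hours=1)
MAX_TTL = 4 * HOUR          # longest a single task may hold access, extensions included
MAX_EXTENSIONS = 1
T0 = datetime(2026, 2, 9, 9, 0, tzinfo=timezone.utc)   # start of the constructed timeline


def at(hours):
    """Point on the constructed timeline, `hours` after T0."""
    return T0 + hours * HOUR


class PolicyError(Exception):
    pass


@dataclass
class Grant:
    subject: str
    resource: str
    task_id: str                 # change record / ticket the access is bound to
    approvers: List[str]         # full approval chain, extensions included
    granted_at: datetime
    expires_at: datetime
    extensions: int = 0
    revoked_at: Optional[datetime] = None

    def active(self, now):
        return self.revoked_at is None and now < self.expires_at


@dataclass
class JitLedger:
    grants: List[Grant] = field(default_factory=list)

    def request(self, subject, resource, task_id, approver, ttl, now):
        if approver == subject:
            raise PolicyError("self-approval is not allowed")
        if ttl > MAX_TTL:
            raise PolicyError(f"requested lifetime {ttl} exceeds policy maximum {MAX_TTL}")
        for g in self.grants:   # no reuse: an active grant is bound to exactly one task
            if g.active(now) and (g.subject, g.resource) == (subject, resource) and g.task_id != task_id:
                raise PolicyError(f"{subject} already holds {resource} for {g.task_id}; request per task")
        grant = Grant(subject, resource, task_id, [approver], now, now + ttl)
        self.grants.append(grant)
        return grant

    def extend(self, grant, approver, extra, now):
        if not grant.active(now):
            raise PolicyError("cannot extend an expired or revoked grant; raise a new request")
        if grant.extensions >= MAX_EXTENSIONS:
            raise PolicyError("extension limit reached")
        if grant.expires_at + extra - grant.granted_at > MAX_TTL:
            raise PolicyError("extension would exceed the policy maximum lifetime")
        grant.expires_at += extra
        grant.extensions += 1
        grant.approvers.append(approver)
        return grant

    def revoke_expired(self, now):
        """Enforcement step a scheduler runs; returns the grants it revoked."""
        revoked = [g for g in self.grants if g.revoked_at is None and now >= g.expires_at]
        for g in revoked:
            g.revoked_at = now
        return revoked

    def still_open(self, now):
        """Audit check: expired but not revoked is standing privilege under another label."""
        return [g for g in self.grants if g.revoked_at is None and now >= g.expires_at]


if __name__ == "__main__":
    ledger = JitLedger()
    g = ledger.request("alice", "prod-db", "CHG-1001", "bob", 2 * HOUR, at(0))
    ledger.extend(g, "dan", HOUR, at(1))
    print("approval chain:", g.approvers, "expires:", g.expires_at.isoformat())
    print("open past expiry at +3h:", [x.task_id for x in ledger.still_open(at(3))])
    print("revoked:", [x.task_id for x in ledger.revoke_expired(at(3))])
```

The `still_open` query is the part to ask a vendor for an equivalent of: if the platform can only show what it granted and not what it failed to take back, "temporary" is a label on the request form rather than a property of the access.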
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker obtained Cisco credentials, API tokens and keys that had been exposed through DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Modern IGA selection is really a lifecycle governance test, not a feature checklist. The article correctly points readers toward access reviews, provisioning, JIT, and compliance, but the deeper issue is whether a platform can enforce identity lifecycle decisions across humans, workloads, and AI-assisted access patterns. Programmes that buy around the feature list often discover that lifecycle ownership is still fragmented after deployment. Practitioners should judge the platform by whether it closes lifecycle loops, not by how many workflows it exposes.
Non-human identity governance is no longer optional in IGA RFPs. The inclusion of NHI governance in the guide reflects a structural shift in identity scope, not a niche add-on. Service accounts, API keys, and certificates already account for a large share of enterprise access risk, so an IGA programme that cannot inventory and govern them is only partially governing identity. The implication for practitioners is that human-centric IGA buying criteria are now incomplete by design.
Identity graph completeness: governance collapses when the platform cannot reliably connect identities, entitlements, and ownership across systems. Modern IGA depends on that graph to power reviews, approvals, and privilege analysis. If cloud, SaaS, and on-prem data do not reconcile cleanly, the organisation ends up certifying fragments instead of actual access relationships. Practitioners should treat graph completeness as a core buying criterion because it determines whether governance decisions are defensible.
Automation changes the operating model only when it removes review debt, not when it hides it. The guide’s emphasis on AI-native workflows and no-code automation is directionally right, but automation only helps when it compresses the cost of governance without obscuring who approved what. If teams still need to reconcile spreadsheets, exceptions, and manual evidence after each campaign, the platform has shifted the burden rather than reduced it. The practical conclusion is simple: automation should lower governance friction, not repackage it.
The market is moving toward unified governance across access review, provisioning, and privilege management. That direction validates programme consolidation, but it also raises the bar for implementation quality. Teams should re-evaluate whether they are buying a point solution for one pain point or a governance layer that can carry the full identity lifecycle across environments. Practitioners need a platform strategy that matches the complexity of modern identity sprawl.
From our research:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- For broader lifecycle context, see the Ultimate Guide to NHIs - Lifecycle Processes for Managing NHIs.
What this signals
Identity graph completeness is becoming the deciding factor in whether IGA programmes can scale beyond human access reviews. Once service accounts and AI-assisted workflows enter the same governance boundary, incomplete entitlement mapping turns automation into cosmetic efficiency rather than real control.
Teams should expect procurement to shift from feature comparison toward evidence of lifecycle closure, auditability, and cross-domain ownership. The practical signal is that IGA is now converging with NHI governance and privilege management, so platform decisions have to account for all three together.
That shift is visible in the market data: 1 in 4 organisations are already investing in dedicated NHI security capabilities, and that pressure will increasingly shape IGA requirements. Programme owners who still evaluate identity governance as a human-only discipline will miss the governance model that the market is already pricing in.
For practitioners
- Define the governance boundary before issuing the RFP: list the identity classes in scope, including employees, contractors, service accounts, API keys, certificates, and AI-assisted access paths. Then assign ownership for each lifecycle decision so the RFP measures actual governance coverage rather than just workflow automation.
- Test whether lifecycle events drive access removal: ask vendors to show how role changes, departures, and account retirement trigger revocation across cloud, SaaS, and infrastructure systems. Verify that the process works without manual cleanup and that orphaned access is visible in reporting.
- Separate certification quality from certification volume: measure whether reviewers receive accurate ownership, meaningful entitlement context, and usable exception handling. A campaign that reviews more items is not better if the identity data is poor, so insist on evidence that the platform reduces review noise.
- Pressure-test JIT access for exception drift: require the platform to show expiry enforcement, approval traceability, and revocation assurance for temporary access. If temporary access can be extended informally or reused across tasks, the programme still has standing privilege in disguise.
Key takeaways
- The article’s real lesson is that IGA buying decisions should be driven by lifecycle governance depth, not feature count.
- Modern identity programmes cannot be judged on human access alone because NHI governance is now part of the same operational boundary.
- Teams that cannot prove review quality, revocation, and entitlement accuracy will struggle to turn an IGA purchase into defensible control.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 describes the NHI attack and risk surface; NIST CSF 2.0, NIST SP 800-207 (Zero Trust Architecture) and NIST SP 800-53 Rev. 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 (2025) | NHI1 Improper Offboarding, NHI5 Overprivileged NHI, NHI7 Long-Lived Secrets | The guide's lifecycle and access governance for NHIs maps to offboarding, least-privilege and secret-lifetime risk. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements and authorisations are defined, managed, enforced and reviewed under least privilege and separation of duties; IGA RFPs should prove those decisions and review workflows. |
| NIST SP 800-207 (Zero Trust Architecture) | Section 2.1 tenets: per-session, least-privilege access decisions | JIT access and privilege reduction align with zero trust access minimisation. |
| NIST SP 800-53 Rev. 5 | AC-2 Account Management, AC-6 Least Privilege | Account lifecycle (creation, review, disablement) and least-privilege controls that an IGA platform has to evidence. |
Map service accounts and secrets to NHI1, NHI5 and NHI7 and verify rotation, review, and offboarding controls for each.
Key terms
- Identity Governance And Administration: Identity Governance and Administration is the discipline for defining, approving, reviewing, and revoking access across an organisation. It combines policy, lifecycle control, certification, and audit evidence so access reflects business need rather than historical convenience.
- Access Certification: Access certification is the periodic review of access rights to confirm that permissions still match the role, task, or business requirement. In practice, it only works when entitlement data is current and ownership is clear, otherwise reviewers certify uncertainty instead of access.
- Just-In-Time Access: Just-in-time access is a privilege model that grants access only when needed and removes it after the task is complete. It reduces standing privilege and narrows exposure windows, but only if expiry, approval, and revocation are enforced consistently.
- Identity Graph: An identity graph is the connected map of identities, entitlements, ownership, and relationships across systems. It gives IGA the context needed to automate decisions, but when the graph is incomplete or stale, governance processes lose accuracy and become harder to defend.
Deepen your knowledge
Identity lifecycle management and non-human identity governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are modernising IGA from a human-first starting point, it is worth exploring.
This post draws on content published by ConductorOne: The Modern IGA RFP Guide: How to Choose the Right Identity Governance Platform in 2026. Read the original.
Published by the NHIMG editorial team on 2026-02-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org