By NHI Mgmt Group Editorial Team | Published 2025-08-22 | Domain: Governance & Risk | Source: Zluri

TL;DR: Only 6% of organisations have fully automated identity governance, while 84% rely entirely on manual methods and another 10% use partial legacy automation, according to Zluri’s 2025 survey. Legacy IGA still dominates identity governance, and it is breaking down because static access models cannot keep pace with SaaS sprawl, mixed identity types, and review processes that depend on fragmented data.


At a glance

What this is: An independent analysis of how legacy IGA breaks down in cloud-first environments. The key finding is that most organisations still depend on manual or only partially automated governance.

Why it matters: Identity teams now have to govern employees, contractors, service accounts, and SaaS access at the same time, and legacy workflows do not produce the visibility or control fidelity those programmes need.

By the numbers:

  • 6% of organisations have fully automated identity governance (Zluri 2025 survey).
  • 84% rely entirely on manual governance methods.
  • 10% use partial, legacy automation.


Context

Legacy identity governance breaks when the environment is no longer static. Once organisations add SaaS, hybrid work, contractors, service accounts, and shadow applications into the same access model, manual reviews and connector-based systems stop producing reliable governance outcomes.

The primary problem here is not feature parity. It is that legacy IGA was built for predictable directories and stable application estates, while modern identity programmes need unified visibility, context-aware access decisions, and lifecycle control across human and non-human identities.


Key questions

Q: How should security teams modernise identity governance in SaaS-heavy environments?

A: They should first stabilise identity data, then automate decisions. That means unifying records across HR, SSO, ITSM, and app systems, replacing department-based access with role and risk logic, and validating reviews against actual account activity. If the underlying identity data is fragmented, automation will only accelerate bad governance rather than improve it.

Q: Why do legacy IGA tools struggle with access reviews?

A: Legacy IGA struggles because it often cannot reconcile duplicate identities, stale attributes, and incomplete entitlement context across systems. Reviewers are left confirming basic facts manually, which turns certification into a delay-heavy exercise. The practical result is weaker evidence, slower closure, and a higher chance that risky access survives the review.

Q: What do teams get wrong about department-based access provisioning?

A: They treat department membership as a sufficient proxy for need. In reality, people in the same business unit can require very different application access and privilege levels. When provisioning ignores role and task context, it creates excess access that expands lateral movement risk and makes least privilege impossible to enforce cleanly.

Q: Who is accountable when fragmented identity data causes access failures?

A: Accountability sits with the identity programme owner, not the tool alone. Governance teams must own record correlation, entitlement quality, and offboarding outcomes across the lifecycle. Frameworks such as the NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10 both reinforce that access control is a managed control, not a data quality accident.


Technical breakdown

Why legacy connectors fail in SaaS-heavy identity estates

Legacy IGA platforms were designed around stable, on-prem integrations such as directories and enterprise applications with predictable schemas. SaaS services are API-driven, change frequently, and often use different authentication and lifecycle patterns, which makes native connectors brittle. Once teams rely on custom connectors or middleware to bridge the gap, every application change becomes an identity operations event. The result is slow onboarding, broken sync logic, and inconsistent entitlement data across systems.

Practical implication: identity teams need to map where connector fragility creates governance blind spots before they treat automation as coverage.

Unified identity records and access review accuracy

A core failure in legacy IGA is record fragmentation. The same person can appear as multiple identities across SSO, ITSM, and access platforms when matching logic cannot reconcile naming variations or incomplete attributes. That leaves access reviewers working from duplicated, stale, or partial records. In practice, recertification becomes an exercise in approximation rather than a reliable control, because the system cannot confidently tell who owns what access or whether the account is still active.

Practical implication: programmes need authoritative identity correlation before they can trust access certification outcomes.
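As an added example (not code from the Zluri article or from NHI Mgmt Group), the Python below sketches the correlation step this section calls for. HR is treated as the authoritative source of who is a worker and whether they are still active; every SSO, ITSM and SaaS-app account is anchored to an HR identity by employee ID first, then by normalised email, then by an accent-folded name key, and anything left unanchored is recorded as an orphan. It then produces the flags a reviewer would otherwise have to establish by hand: terminated workers still provisioned, identities with no sign-in inside the window, and accounts with no authoritative owner. That last part is the same check the "orphaned and inactive accounts" practitioner item later on this page describes. The four systems, their records, the 90-day threshold and the review date are all constructed assumptions.

```python
"""Identity correlation across HR, SSO, ITSM and a SaaS app, then review flags.
Added example; every record below is constructed sample data, not a real account."""
import re
import unicodedata
from dataclasses import dataclass, field
from datetime import date

REVIEW_DATE = date(2025, 8, 22)   # assumed review date
INACTIVE_AFTER_DAYS = 90          # assumed inactivity threshold

# HR is the authoritative source for existence and employment status (assumption).
HR = [
    {"employee_id": "E1001", "name": "Aisha O'Neil", "email": "aisha.oneil@example.com", "status": "active"},
    {"employee_id": "E1002", "name": "Jürgen Müller", "email": "jmueller@example.com", "status": "terminated"},
    {"employee_id": "E1003", "name": "Sam Lee", "email": "sam.lee@example.com", "status": "active"},
]
# Each downstream system carries a different key and its own spelling of the person.
SSO = [
    {"login": "AISHA.ONEIL@EXAMPLE.COM", "employee_id": "E1001", "last_login": "2025-08-20"},
    {"login": "jmueller@example.com", "employee_id": None, "last_login": "2025-07-30"},
    {"login": "sam.lee@example.com", "employee_id": "E1003", "last_login": "2025-03-01"},
    {"login": "svc-backup@example.com", "employee_id": None, "last_login": "2025-08-21"},
]
ITSM = [
    {"user": "O'Neil, Aisha", "email": "aoneil@corp.example.com"},   # alias address, no employee_id
    {"user": "Mueller, Jurgen", "email": "jmueller@example.com"},    # transliterated name
    {"user": "Lee, Sam", "email": "sam.lee@example.com"},
]
APP = [
    {"username": "aoneil", "email": "aisha.oneil@example.com", "role": "admin"},
    {"username": "jmueller", "email": "jmueller@example.com", "role": "editor"},
    {"username": "contractor42", "email": "", "role": "viewer"},      # no owner in any system
]


def norm_email(value):
    return (value or "").strip().lower() or None


def name_key(value):
    """Accent-fold, drop apostrophes/dots/hyphens and sort tokens so O'Neil, Aisha == Aisha O'Neil."""
    folded = unicodedata.normalize("NFKD", value or "").encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z]+", re.sub(r"['.\-]", "", folded.lower()))
    return " ".join(sorted(tokens)) or None


@dataclass
class Identity:
    employee_id: str
    name: str
    email: str
    status: str
    accounts: list = field(default_factory=list)   # (system, account_ref, matched_on)


def correlate(hr, sso, itsm, app):
    """Anchor every account to an HR identity by employee_id, then email, then name; else orphan."""
    identities = {r["employee_id"]: Identity(r["employee_id"], r["name"], norm_email(r["email"]), r["status"])
                  for r in hr}
    by_email = {i.email: i for i in identities.values() if i.email}
    by_name = {name_key(i.name): i for i in identities.values()}   # assumes names are unique in HR
    orphans = []

    def link(system, ref, employee_id=None, email=None, name=None):
        # Strongest key first; a name match is the weakest and only used as a last resort.
        for key, index, matched_on in ((employee_id, identities, "employee_id"),
                                       (norm_email(email), by_email, "email"),
                                       (name_key(name), by_name, "name")):
            if key is not None and key in index:
                index[key].accounts.append((system, ref, matched_on))
                return
        orphans.append((system, ref))

    for r in sso:
        link("sso", r["login"], employee_id=r.get("employee_id"), email=r["login"])
    for r in itsm:
        link("itsm", r["user"], email=r["email"], name=r["user"])
    for r in app:
        link("app", r["username"], email=r["email"], name=r["username"])
    return identities, orphans


def review_findings(identities, orphans, sso):
    """Flags that need an explicit disposition before a certification cycle can close."""
    last_login = {norm_email(r["login"]): date.fromisoformat(r["last_login"]) for r in sso}
    findings = []
    for ident in identities.values():
        systems = [system for system, _, _ in ident.accounts]
        if ident.status != "active" and systems:
            findings.append((ident.employee_id, "terminated_but_still_provisioned", systems))
        seen = last_login.get(ident.email)
        if seen is not None and (REVIEW_DATE - seen).days > INACTIVE_AFTER_DAYS:
            findings.append((ident.employee_id, "inactive", ["last_login=" + seen.isoformat()]))
    for system, ref in orphans:
        findings.append((ref, "orphan_no_authoritative_owner", [system]))
    return findings


def run_review():
    identities, orphans = correlate(HR, SSO, ITSM, APP)
    return identities, review_findings(identities, orphans, SSO)


if __name__ == "__main__":
    identities, findings = run_review()
    for ident in identities.values():
        print(ident.employee_id, ident.status, [(s, m) for s, _, m in ident.accounts])
    for finding in findings:
        print(*finding)
```

Two design points matter here. Matching keys are ordered by strength, and the name key is used only when nothing better exists, because it is the key most likely to produce a false merge; in a real programme the name-only matches are the ones to route to a human for confirmation. The terminated worker is still linked to three live accounts by email alone, which is exactly the offboarding gap that only becomes visible once HR is joined to the downstream systems.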

Role-based provisioning versus department-based access

Department-based provisioning assumes organisational structure is a proxy for entitlement need, but it rarely is. Developers, engineers, contractors, and administrators may sit in the same business unit while requiring very different access paths and privilege levels. When IGA maps access by department alone, it inflates standing privilege and weakens least privilege. That creates not just overprovisioning but also lateral movement potential, because broad groups often become convenient reuse points for attackers or internal misuse.

Practical implication: access models should be based on role, usage, and risk signals rather than broad departmental grouping.
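To make the difference between the two models concrete, here is an added example (not code from the Zluri article or from NHI Mgmt Group) that evaluates the same constructed users under a department bundle and under a role model with one risk rule and one activity signal. It reports, per user, the standing entitlements the department model adds on top of what the role needs, the high-sensitivity entitlements a contractor should only receive just-in-time rather than as standing access, and the role-model grants that nobody has exercised inside the usage window. The entitlement catalogue, sensitivity tiers, department bundle, role definitions, users, review date and 90-day window are all assumptions made for the example.

```python
"""Department-based vs role/risk-based entitlement decisions (added example, constructed data)."""
from datetime import date

REVIEW_DATE = date(2025, 8, 22)   # assumed review date
UNUSED_AFTER_DAYS = 90            # assumed usage window

# Constructed entitlement catalogue with an assumed sensitivity tier per entitlement.
SENSITIVITY = {
    "jira:user": "low", "github:write": "medium", "ci:user": "medium",
    "ci:admin": "high", "aws:poweruser": "high", "prod-db:read": "high",
}
# Legacy model: everyone in the department inherits the whole bundle as standing access.
DEPARTMENT_BUNDLES = {"Engineering": set(SENSITIVITY)}
# Role model: entitlements follow the job actually performed.
ROLE_ENTITLEMENTS = {
    "developer": {"jira:user", "github:write", "ci:user"},
    "sre": {"jira:user", "github:write", "ci:admin", "aws:poweruser", "prod-db:read"},
}
# Constructed users; last_used is the per-entitlement activity signal (ISO dates).
USERS = [
    {"id": "dev1", "department": "Engineering", "role": "developer", "worker_type": "employee",
     "last_used": {"jira:user": "2025-08-20", "github:write": "2025-08-21"}},
    {"id": "sre1", "department": "Engineering", "role": "sre", "worker_type": "employee",
     "last_used": {"jira:user": "2025-08-19", "github:write": "2025-08-19", "ci:admin": "2025-08-18",
                   "aws:poweruser": "2025-08-21", "prod-db:read": "2025-04-01"}},
    {"id": "ctr7", "department": "Engineering", "role": "sre", "worker_type": "contractor",
     "last_used": {"github:write": "2025-08-15", "aws:poweruser": "2025-08-16"}},
]


def department_grants(user):
    return set(DEPARTMENT_BUNDLES.get(user["department"], ()))


def role_grants(user):
    """Role entitlements filtered by one risk rule (assumed policy): contractors get no
    standing high-sensitivity access; it has to be requested just-in-time instead."""
    grants = set(ROLE_ENTITLEMENTS.get(user["role"], ()))
    if user["worker_type"] == "contractor":
        grants = {e for e in grants if SENSITIVITY[e] != "high"}
    return grants


def unused_grants(user, grants):
    """Activity signal: grants never exercised, or not exercised inside the window."""
    stale = set()
    for e in grants:
        used = user["last_used"].get(e)
        if used is None or (REVIEW_DATE - date.fromisoformat(used)).days > UNUSED_AFTER_DAYS:
            stale.add(e)
    return stale


def compare_models(users):
    report = {}
    for u in users:
        dept, role = department_grants(u), role_grants(u)
        report[u["id"]] = {
            "department_model": sorted(dept),
            "role_model": sorted(role),
            # Standing privilege the department bundle hands out beyond what the role needs.
            "excess_standing": sorted(dept - role),
            # Role entitlements withheld from standing access by the contractor rule.
            "jit_only": sorted(set(ROLE_ENTITLEMENTS.get(u["role"], ())) - role),
            "high_standing_dept": sum(SENSITIVITY[e] == "high" for e in dept),
            "high_standing_role": sum(SENSITIVITY[e] == "high" for e in role),
            "unused_under_role_model": sorted(unused_grants(u, role)),
        }
    return report


def total_high_standing(report, model_key):
    """Sum of high-sensitivity standing grants across all users for one model."""
    return sum(r[model_key] for r in report.values())


if __name__ == "__main__":
    report = compare_models(USERS)
    for user_id, row in report.items():
        print(user_id, row)
    print("high-sensitivity standing grants, department model:", total_high_standing(report, "high_standing_dept"))
    print("high-sensitivity standing grants, role model:", total_high_standing(report, "high_standing_role"))
```

The point of the comparison is the count of high-sensitivity standing grants: under the department bundle every one of the three users holds all three, whereas under the role model only the employee SRE does, and even that user's production database read is flagged as unused for the window and becomes a removal candidate. The contractor keeps working access to source and tickets but loses the standing cloud and database privileges the department bundle would otherwise have granted.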


Threat narrative

Attacker objective: The attacker aims to exploit weak entitlement governance and identity fragmentation to move through systems using access that should have been removed or never granted.

  1. Entry occurs when legacy identity governance provisions overly broad access through department-based or manually maintained workflows that cannot reflect actual role need.
  2. Escalation follows when fragmented identity records and stale entitlements leave privileged, orphaned, or mismatched accounts in place across multiple systems.
  3. Impact appears as unauthorised access, audit failure, and lateral movement opportunities that arise from excessive permissions and poor review fidelity.
  Related incidents from our breach tracking:
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • Snowflake breach — customer accounts at Ticketmaster, Santander and others were compromised through abused cloud credentials.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Legacy IGA is failing because it assumes identity estates are stable enough for periodic governance. That assumption no longer holds in SaaS-heavy environments where users, apps, and entitlements change continuously. When identity records fragment across tools, certification becomes a retrospective cleanup exercise rather than a control. The practitioner implication is that governance must start with authoritative identity correlation, not with more review cycles.

Department-based provisioning is a standing-privilege model in disguise. Grouping access by organisational unit creates broad entitlement bundles that ignore actual task need and privilege variance. That inflates access surface area and weakens least privilege across human and non-human identities alike. Practitioners should treat department-based access as a risk pattern, not a governance shortcut.

Identity blast radius: fragmented governance turns every access mismatch into a larger control failure. Once one identity record is duplicated, stale, or uncoupled from reality, the error propagates into approvals, certifications, and offboarding. The result is not just bad data, but a compounding governance defect that spreads across the lifecycle. The practitioner implication is that blast-radius reduction becomes a core identity design objective.

Next-gen IGA is less about automation volume and more about decision quality. Automation that merely speeds up broken inputs will scale the wrong outcome faster. Contextual entitlement decisions need identity, application, and activity signals together so that access is granted and removed with evidence. Practitioners should measure whether governance decisions are becoming more accurate, not just more efficient.

Identity governance now has to cover humans, contractors, and non-human identities in one control plane. The article’s SaaS and service-account examples show why lifecycle discipline can no longer be segmented by identity type. Access review, provisioning, and offboarding all fail when the programme treats each identity population as an isolated problem. The implication is a single governance model with differentiated policy, not separate process islands.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to our Ultimate Guide to NHIs.
  • Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • Our NHI Lifecycle Management Guide shows how provisioning, rotation, and offboarding need to be managed as one lifecycle, not separate tasks.

What this signals

Identity governance programmes should expect more variance, not less, as SaaS estates and non-human identities expand. The practical signal is that access models based on fixed departmental structures will keep producing exceptions, manual overrides, and stale access unless identity correlation becomes the primary control objective.

Fragmented identity data is now a governance risk, not just an operations inconvenience. When reviewer confidence depends on manual confirmation, certification quality drops and remediation slows. Teams should watch for increasing review cycle time, rising exception rates, and repeated owner-chasing as leading indicators that the programme is losing control fidelity.

Access review, offboarding, and entitlement design need to converge around lifecycle discipline. A governance model that cannot distinguish active, inactive, and orphaned identities will keep exposing the same control gaps. For practitioners, the signal is simple: if lifecycle workflows do not resolve identity truth first, they will not reduce risk at scale.


For practitioners

  • Unify identity records before scaling certification: correlate SSO, ITSM, HR, and application records into one authoritative identity view so reviewers stop working from duplicate or mismatched accounts.
  • Replace department-based access with role and risk rules: use role, usage, and sensitivity signals to drive provisioning decisions instead of broad departmental group membership that overstates entitlement need.
  • Target orphaned and inactive accounts in every review cycle: flag identities with no recent use, missing owners, or unclear employment status, then require explicit disposition before recertification closes.
  • Map connector fragility as a control risk: inventory where SaaS and legacy integrations depend on custom connectors or middleware, then treat those dependencies as governance weak points rather than implementation details.

Key takeaways

  • Legacy IGA fails when it is asked to govern dynamic identity estates with static assumptions.
  • The strongest evidence in this piece is not feature comparison but governance friction: most organisations still depend on manual or partially automated identity operations.
  • Practitioners need unified identity records, role-aware provisioning, and lifecycle discipline before automation can improve control outcomes.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI; NHI1:2025 Improper Offboarding | Excessive privilege and access that survives offboarding are central to the article.
NIST CSF 2.0 | PR.AA-05 (Identity Management, Authentication, and Access Control; the successor to PR.AC-4 in CSF 1.1) | Access permissions and entitlements must be defined, managed, enforced and reviewed under least privilege and separation of duties, which is the article's focus.
NIST Zero Trust Architecture (SP 800-207) | Section 2.1, Tenets of Zero Trust (access determined by dynamic policy); the corresponding SP 800-53 control is AC-3, Access Enforcement | Dynamic environments need continuous, context-aware access decisions rather than static grants.

Map identity provisioning and review workflows to PR.AA-05 and remove broad group-based access.


Key terms

  • Legacy IGA: Legacy identity governance and administration is an older access governance model built for stable directories, predictable applications, and slower change. It often relies on rigid connectors, manual reconciliation, and periodic reviews that work poorly when identities, apps, and entitlements change continuously across cloud and hybrid environments.
  • Identity correlation: Identity correlation is the process of matching records from different systems to determine which entries represent the same person or account. In modern governance, it is essential for accurate reviews, offboarding, and entitlement visibility because fragmented records otherwise create duplicate identities and unreliable access decisions.
  • Standing privilege: Standing privilege is access that remains continuously available rather than being granted only when needed. In governance terms, it increases risk because broad, persistent entitlements are easier to misuse, harder to review accurately, and more likely to survive long after the original business need has changed.
  • Entitlement recertification: Entitlement recertification is the periodic review of whether an identity should still have a given access right. It only works when identity data is current and complete, because stale ownership, duplicate records, or missing usage context can turn the process into a box-ticking exercise instead of a control.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.

This post draws on content published by Zluri in its Access Management series: How Next-Gen IGA Addresses The Shortcomings Of Legacy IGA. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org