By NHI Mgmt Group Editorial Team | Published 2026-01-08 | Domain: Governance & Risk | Source: Omada Identity

TL;DR: Identity Governance and Administration is shifting from a compliance layer to the control plane for Zero Trust, lifecycle automation, and continuous identity risk management as enterprises absorb SaaS sprawl, machine identities, and AI agents, according to Omada Identity's review of the 2025 SPARK Matrix. Static approvals are no longer enough when entitlement complexity, audit pressure, and over-privilege all move faster than manual governance cycles.


At a glance

What this is: An analysis of how the 2025 IGA market is shifting toward dynamic, policy-driven governance for human, machine, and AI-driven identities.

Why it matters: IAM, IGA, PAM, and NHI programmes are converging around the same problem: controlling identity risk continuously rather than at a point in time.

By the numbers:

👉 Read Omada Identity's analysis of the 2025 SPARK Matrix for IGA


Context

Identity governance now sits closer to the centre of enterprise security than many legacy IAM programmes were designed to allow. As SaaS sprawl, machine identities, and AI agents expand the number of identities that can request, hold, and use access, static certification cycles and spreadsheet-led approvals become too slow to control entitlement drift. Omada Identity's analysis uses the 2025 IGA market to show that the governance plane is becoming the place where policy, lifecycle, and risk decisions converge.

The practical shift is not just more automation. It is a move toward IGA as the system that rationalises roles, enforces lifecycle decisions, and exposes where least privilege is failing across human users, service accounts, and emerging autonomous workflows. For practitioners, that means treating IGA as an operating model question, not only a tooling category, with lifecycle discipline and visibility becoming as important as access provisioning.


Key questions

Q: How should security teams govern AI agents and machine identities in IGA?

A: They should treat AI agents and machine identities as governed actors with explicit lifecycle, role, and entitlement rules, not as exceptions buried in access workflows. The control objective is to define why access exists, how long it should last, what evidence proves usage, and when it must be removed. That requires IGA, PAM, and telemetry to work together.

Q: Why does SaaS sprawl make identity governance harder?

A: SaaS sprawl multiplies entitlements, connectors, and approval paths faster than manual governance can reconcile them. Each application adds its own access model, so the organisation ends up with inconsistent policy, duplicate roles, and weaker evidence. IGA becomes harder because visibility, cleanup, and certification all have to span fragmented systems rather than one directory.

Q: What breaks when access reviews are too manual?

A: Manual reviews become stale before they finish, especially in environments where access changes quickly across cloud, SaaS, and non-human identities. Reviewers approve based on old context, ignore low-signal items, or rubber-stamp broad access because the volume is too high. The result is assurance theatre rather than meaningful control.

Q: Who should own governance when IGA, PAM, and access management overlap?

A: Ownership should sit with the identity governance function, with operational execution split across PAM and access management. IGA defines policy and evidence, PAM controls elevation, and access management enforces runtime authentication and session controls. If those responsibilities are not explicit, exceptions multiply and accountability blurs.


Technical breakdown

Why IGA is becoming the governance backbone for Zero Trust

Zero Trust needs a control layer that can define entitlements, keep them current, and prove why they exist. IGA does that by combining policy definition, access governance, lifecycle orchestration, and compliance evidence, so access management is not left to disconnected rules in downstream tools. In mature environments, IGA also becomes the system of record for role rationalisation and approval logic, which is why it increasingly sits between HR events, access requests, PAM elevation, and audit reporting. Without that layer, identity risk accumulates in ad hoc workflows and local exceptions.

Practical implication: map Zero Trust identity controls back to IGA policy, lifecycle, and evidence flows instead of treating them as separate programmes.

How machine identities and AI agents change access governance

Machine identities do not behave like human users, and AI agents can introduce even more variability because their access can be used by systems that execute at runtime across multiple tools and sessions. That creates a governance problem for access scope, approval logic, and review timing. If an identity can initiate actions automatically or on behalf of a workflow, governance has to account for how access is obtained, when it is used, and what evidence remains afterward. The shift is from reviewing named users to governing actors whose usage patterns may be opaque without telemetry and policy correlation.

Practical implication: extend IGA data models to include service accounts, workload identities, and AI-mediated access paths, then correlate them with runtime evidence.

Cloud-native microservices and AI-driven analytics in IGA

The article's architectural point is that modern IGA platforms now rely on event-driven microservices, API-first integration, and analytics that support near-real-time decisions. That matters because batch workflows cannot keep pace with cloud and SaaS identity churn. AI-assisted role mining, behavioural risk scoring, and automated recommendation engines are being used to reduce manual review fatigue and surface where access decisions look anomalous. The architectural test is whether the platform can scale, reconcile, and explain decisions across hybrid environments without falling back to fragile custom scripts.

Practical implication: evaluate IGA platforms for event handling, API coverage, and decision explainability, not only for workflow completeness.


Threat narrative

Attacker objective: The objective is to turn unmanaged identity breadth into persistent access that can be used for unauthorized actions or lateral movement.

  1. Entry begins through identity sprawl, where excessive entitlements, weak de-provisioning, or over-broad access create an opening inside the governance boundary.
  2. Escalation follows when those entitlements are reused, retained, or approved without current context, allowing privileged actions to proceed beyond intended scope.
  3. Impact lands as unauthorized access, audit failure, or delayed containment across cloud, SaaS, and machine identity environments.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

IGA is no longer a downstream administration layer; it is the governance control plane for identity risk. The market shift described in Omada Identity's analysis reflects a wider reality: access management cannot compensate for poor policy definition, broken lifecycle orchestration, or weak evidence. When identity sprawl spans humans, service accounts, and AI-mediated access, the governance layer has to unify role design, entitlement decisions, and auditability. Practitioners should treat IGA as the place where identity risk is governed, not merely recorded.

Machine identities and AI agents expose the limits of human-centric governance models. Access review cadences built for employee checklists do not map cleanly onto service accounts, workload identities, or runtime-driven AI access paths. The relevant question is not whether the identity is human or non-human, but whether the governance model can explain why access exists, when it should expire, and how usage is evidenced. Practitioners need governance designs that assume multiple identity types share the same operational estate.

Identity debt is becoming the clearest signal that IGA is lagging enterprise change. The article's emphasis on entitlement sprawl, hybrid fragmentation, and delayed role clean-up points to a structural problem, not a workflow defect. Once entitlements accumulate faster than they are removed, the organisation is carrying governance debt that compounds across audit, security, and operations. Practitioners should read rising identity debt as a maturity failure, not a tooling inconvenience.

Governance-led architecture is now a differentiator because automation without policy still scales risk. Event-driven microservices, AI recommendations, and low-code workflows only improve outcomes when they are anchored in explicit governance logic. That is why the strongest IGA platforms are evaluated on how well they connect lifecycle, compliance, role management, and continuous evidence. Practitioners should judge platforms by whether automation reduces decisions that need humans, or merely makes broken decisions faster.

Continuous compliance is replacing point-in-time assurance as the baseline expectation. The article ties modern IGA to audit readiness, certification evidence, and ongoing visibility into who had access to what and why. That reflects a broader market reality: regulators and auditors care less about static policy documents than about traceable enforcement. Practitioners should build governance processes that can defend decisions continuously, not only at review time.

From our research:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
  • Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
  • For lifecycle and governance context, read Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs for the rotation, offboarding, and visibility controls that still underpin modern identity programmes.

What this signals

Identity debt is becoming the operating signal that IGA programmes are out of step with the business. When entitlements are added faster than they are removed, the programme stops being a control system and becomes a storage layer for old decisions. Teams should watch for review backlogs, exception growth, and repeated reapproval of the same access patterns as evidence that governance is losing pace.

With 97% of NHIs carrying excessive privileges according to the Ultimate Guide to NHIs, any IGA roadmap that ignores service accounts and workload identities is already behind the risk curve. The practical implication is that access models must cover both human and non-human estates, or the organisation will keep reducing one side while privilege accumulates on the other.

Continuous evidence is replacing periodic certification as the real test of governance maturity. If a platform cannot show who approved, why it was approved, and whether access was later used as intended, audit readiness will remain fragile. Teams should prioritise systems that connect workflow, policy, and traceable evidence across the lifecycle.
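As an added example (not code from the article or from Omada Identity), the following Python sketch turns the identity-debt signals named above, approved access with no observed use, repeated re-approval of the same access, and missing justification, into a check over a constructed entitlement ledger that covers human, service and AI-agent identities alike. The field names, thresholds and sample identities are assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Entitlement:
    identity: str              # workforce user, service account or AI agent
    kind: str                  # "human" | "service" | "agent"
    resource: str
    approved_by: str
    reason: str                # justification recorded at approval ("" = none)
    reapprovals: int           # certifications that re-approved it unchanged
    last_used: Optional[date]  # from runtime telemetry; None = never observed

# Constructed sample ledger for illustration; identities and resources are invented.
TODAY = date(2026, 1, 8)
LEDGER = [
    Entitlement("alice", "human", "crm:admin", "bob", "CRM product owner", 0, TODAY - timedelta(days=3)),
    Entitlement("svc-billing", "service", "db:billing:rw", "bob", "nightly invoicing job", 1, TODAY - timedelta(days=1)),
    Entitlement("svc-legacy-etl", "service", "db:billing:rw", "carol", "", 3, None),
    Entitlement("agent-support", "agent", "crm:admin", "dave", "ticket triage", 2, TODAY - timedelta(days=120)),
]

def debt_findings(ledger, today, unused_days=90, max_reapprovals=2):
    """Return (identity, resource, signals) for entitlements that carry identity-debt
    signals: no observed use, repeated unchanged re-approval, or no justification."""
    findings = []
    for e in ledger:
        signals = []
        if e.last_used is None or (today - e.last_used).days > unused_days:
            signals.append("unused")            # approved, but telemetry shows no use
        if e.reapprovals >= max_reapprovals:
            signals.append("rubber-stamped")    # certified repeatedly without change
        if not e.reason.strip():
            signals.append("no-justification")  # nobody recorded why access exists
        if signals:
            findings.append((e.identity, e.resource, tuple(signals)))
    return findings

def debt_by_kind(ledger, today, **thresholds):
    """Share of entitlements per identity kind with at least one debt signal, so the
    human and non-human estates are measured side by side rather than separately."""
    flagged = {(i, r) for i, r, _ in debt_findings(ledger, today, **thresholds)}
    total, debt = Counter(), Counter()
    for e in ledger:
        total[e.kind] += 1
        debt[e.kind] += (e.identity, e.resource) in flagged  # True counts as 1
    return {kind: debt[kind] / total[kind] for kind in total}
```

Run against the sample ledger, the two service and agent identities are flagged while the workforce user is clean, which is the "reducing one side while privilege accumulates on the other" pattern described above made measurable.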


For practitioners

  • Rebuild access governance around lifecycle events: Map joiner, mover, leaver, and exception handling to policy-driven workflows so entitlements change when business context changes. Tie the workflow to review evidence so provisioning and certification are part of the same control loop.
  • Extend IGA coverage to non-human identities: Bring service accounts, API keys, certificates, and workload identities into the same governance inventory as workforce users. Use the Ultimate Guide to NHIs and the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs as the reference points for rotation, offboarding, and visibility.
  • Test whether role mining reduces identity debt: Measure whether role cleanup, entitlement rationalisation, and peer-group recommendations actually reduce excess access over time. If approvals are faster but privilege creep still rises, the programme is automating noise rather than governing risk.
  • Validate AI-assisted reviews against explainable evidence: Require each recommendation to show the attribute, activity, or rule that drove the decision. If reviewers cannot explain why an access item was approved or revoked, the control is not yet audit-ready.
  • Align PAM and IGA on elevated access: Use IGA to define who should be eligible for elevation and PAM to control how that elevation is executed. The handoff must preserve policy intent, session traceability, and revocation logic across both layers.

Key takeaways

  • IGA is moving from administrative support to the control plane for identity risk across humans, machines, and AI-mediated access.
  • The strongest governance programmes are the ones that reduce identity debt, entitlement sprawl, and review fatigue at the same time.
  • Enterprises need lifecycle-aware, evidence-backed IGA models or they will keep scaling access faster than they can govern it.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | IGA governs least privilege and access decisioning across identities.
NIST Zero Trust (SP 800-207) | (none given) | The article frames IGA as the control plane for Zero Trust.
OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle automation and privilege reduction are central to NHI governance.

Include service accounts and secrets in NHI lifecycle controls and rotate or revoke them on policy triggers.


Key terms

  • Identity Governance And Administration: IGA is the policy and workflow layer that decides who or what should have access, under what conditions, and for how long. In practice it connects role design, approvals, recertification, lifecycle changes, and audit evidence so access is governed continuously rather than managed as isolated requests.
  • Identity Debt: Identity debt is the accumulation of access, roles, exceptions, and stale entitlements that outpaces the organisation's ability to review and remove them. It creates hidden risk because old permissions remain active even after the business need has changed, making audits harder and exposure larger.
  • Role Mining: Role mining is the process of analysing real access patterns to identify logical role groupings that can replace ad hoc entitlement assignment. It helps organisations reduce privilege sprawl, simplify approvals, and create access models that better match how work is actually performed.
  • Continuous Compliance: Continuous compliance is the practice of producing evidence and enforcing controls as identities and permissions change, not only during audit windows. For IGA, that means certification, logging, and exception handling must be traceable in near real time across human and non-human identities.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Omada Identity: Inside the SPARK Matrix™ Evaluation, why Omada leads the 2025 IGA market. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org