TL;DR: IGA projects fail for familiar reasons: unclear goals, weak stakeholder engagement, poor resource planning, integration friction, and limited monitoring, while Gartner says over 50% of IGA deployments miss functional, budgetary, or timing commitments. The real issue is not just execution quality, but whether the programme is designed for the complexity of modern identity governance.
At a glance
What this is: This is an independent analysis of why identity governance and administration projects fail, and the article’s key finding is that failure usually comes from scope, alignment, and integration problems rather than a single technical defect.
Why it matters: It matters because IGA failures ripple across human access, NHI lifecycle controls, and broader identity governance, which means IAM teams need to treat programme design, ownership, and operating model as first-class security issues.
By the numbers:
- Gartner's findings reveal that over 50% of IGA deployments face distress and fail to meet functional, budgetary, or timing commitments.
- With 94% of organizations reporting an identity-related breach at some point, a solid IGA strategy is necessary.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
👉 Read Zluri's analysis of why IGA projects fail and how to prevent them
Context
Identity governance and administration fails when teams treat it as a tooling project instead of an operating model change. IGA has to connect people, applications, infrastructure, and datasets across provisioning, access review, role design, offboarding, and audit evidence, so a weak programme can fail even when the technology itself is sound.
The article’s examples point to a familiar pattern in IAM programmes: the hardest part is not creating policies, but sustaining ownership, integrations, and review discipline across a living estate. That same failure mode shows up in NHI governance too, where lifecycle, access scope, and review cadence break down as environments scale.
Key questions
Q: What breaks when an IGA programme is launched without clear ownership?
A: The programme usually devolves into manual exception handling and uneven enforcement. Without clear ownership for provisioning, reviews, role maintenance, and offboarding, teams cannot keep access decisions consistent or auditable. That creates delays, unresolved exceptions, and gaps between policy and actual entitlements, which is why IGA succeeds only when the operating model is defined first.
Q: Why do identity governance projects become harder as environments grow?
A: They become harder because identity data, approvals, and entitlement changes spread across more systems than the governance process can reliably coordinate. As integrations multiply, source-of-truth mismatches, delayed deprovisioning, and stale roles increase. The result is not just more work, but weaker control fidelity across both human and non-human access.
Q: How do security teams know whether access reviews are working?
A: Access reviews are working only if they produce timely removals, clear evidence, and fewer unresolved exceptions over time. If reviewers cannot decide confidently, if stale access keeps reappearing, or if audit trails need manual reconstruction, the process is generating paperwork rather than governance. Good reviews reduce uncertainty instead of documenting it.
Q: Who should own IGA outcomes when compliance, IAM, and application teams all touch access?
A: Ownership should sit with a named governance function that can enforce decisions across IAM, compliance, and application teams. Shared visibility is not the same as shared accountability. If no single owner can resolve entitlement disputes, approve role changes, and enforce deprovisioning, the programme will fragment into disconnected local practices.
Technical breakdown
Why IGA programmes fail at the operating-model layer
IGA failures often start before implementation, when organisations cannot define what success looks like, who owns each control, or how access decisions will be maintained after go-live. In practice, that means access reviews, role design, and offboarding all depend on upstream process maturity, not just on the governance platform. When objectives are vague, teams automate confusion rather than control. That is why IGA projects frequently drift into exception management, manual reconciliation, and delayed decisions instead of durable governance.
Practical implication: define ownership, success criteria, and exception handling before automating access governance.
How identity lifecycle management breaks under complex integrations
Identity lifecycle management only works when authoritative sources, target systems, and approval workflows are aligned. The article’s discussion of HR systems, LDAP directories, and SaaS apps reflects a common failure mode: data mismatches and integration gaps create inconsistent entitlements, delayed deprovisioning, and poor auditability. The same pattern affects NHI estates when service accounts, tokens, and workload identities are managed across multiple platforms without a single lifecycle view. The control failure is not just technical compatibility, but unreliable entitlement truth.
Practical implication: inventory authoritative sources and test provisioning, deprovisioning, and review flows end to end before scaling the programme.
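The end-to-end test described above can be scripted as a reconciliation pass: take the authoritative HR feed, walk every account in every target system, and flag orphans, delayed deprovisioning, and provisioning gaps. The following is an added illustration, not code from the original article or from Zluri; the HR records, system names and grace window are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: an authoritative HR feed and two target systems.
# Nothing here comes from a real estate; identifiers are placeholders.
HR_RECORDS = {
    # employee id -> (status, termination date or None)
    "e100": ("active", None),
    "e101": ("terminated", date(2025, 6, 1)),   # left 25 days before the check date
    "e102": ("terminated", date(2025, 6, 24)),  # left 2 days before the check date
    "e103": ("active", None),                   # active, but never provisioned in LDAP
}

TARGET_ACCOUNTS = {
    # system -> account id -> {"owner": employee id or None, "enabled": bool}
    "ldap": {
        "e100": {"owner": "e100", "enabled": True},
        "e101": {"owner": "e101", "enabled": True},      # still enabled after termination
        "e102": {"owner": "e102", "enabled": True},      # inside the grace window
        "svc-backup": {"owner": None, "enabled": True},  # no recorded owner
    },
    "crm": {
        "e100": {"owner": "e100", "enabled": True},
        "e104": {"owner": "e104", "enabled": True},      # owner unknown to HR
    },
}

CHECK_DATE = date(2025, 6, 26)  # the day the reconciliation runs (constructed)


@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    kind: str    # orphan | delayed_deprovisioning | pending_deprovisioning | missing_provisioning
    detail: str


def reconcile(hr, targets, today, grace_days=3, required_systems=("ldap",)):
    """Compare every target account against the authoritative source.

    An account is an orphan when HR knows no owner for it; a terminated owner
    whose account is still enabled is either pending (inside grace_days) or a
    delayed deprovisioning; an active employee missing from a required system
    is a provisioning gap.
    """
    findings = []
    for system, accounts in targets.items():
        for account, info in accounts.items():
            owner = info["owner"]
            if owner is None or owner not in hr:
                findings.append(Finding(system, account, "orphan",
                                        "no owner in the authoritative source"))
                continue
            status, term_date = hr[owner]
            if status == "terminated" and info["enabled"]:
                age = (today - term_date).days
                if age > grace_days:
                    findings.append(Finding(system, account, "delayed_deprovisioning",
                                            f"still enabled {age} days after termination"))
                else:
                    findings.append(Finding(system, account, "pending_deprovisioning",
                                            f"terminated {age} days ago, within grace window"))
    for emp, (status, _) in hr.items():
        for system in required_systems:
            if status == "active" and emp not in targets.get(system, {}):
                findings.append(Finding(system, emp, "missing_provisioning",
                                        "active employee has no account"))
    return findings


def summarize(findings):
    """Count findings by kind; this is the number a programme owner tracks over time."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(HR_RECORDS, TARGET_ACCOUNTS, CHECK_DATE)
    for f in results:
        print(f"{f.kind:24} {f.system}/{f.account}: {f.detail}")
    print(summarize(results))
```

The value of running this before scaling is that each finding kind maps to a different owner: orphans go to whoever governs non-human accounts, delayed deprovisioning to the offboarding owner, and missing provisioning to the joiner workflow. A programme that cannot name an owner for one of those columns has found its operating-model gap before it has found a tooling gap.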
Why access reviews and role governance become noisy at scale
Access certification and role management fail when role definitions are stale, entitlement data is incomplete, or reviewers lack context to make decisions quickly. The article’s focus on visibility, segregation of duties, and historical tracking shows that governance depends on accurate role models and clean evidence trails. Without that, reviews become box-ticking exercises and toxic combinations remain hidden. For NHI governance, the equivalent risk is over-privileged service accounts or stale credentials that nobody can confidently certify or revoke.
Practical implication: reduce role sprawl, enrich entitlement context, and remove stale access before each certification cycle.
Threat narrative
Attacker objective: an attacker, or simply the failure condition itself, benefits from governance blind spots that leave excessive access, weak auditability, and delayed revocation in place.
- Entry begins with weak identity governance design, where unclear objectives, incomplete stakeholder alignment, and poor integration planning allow excessive or mis-scoped access paths to persist across systems.
- Escalation occurs when access review, role maintenance, and deprovisioning controls cannot keep pace with organisational change, leaving redundant privileges, toxic combinations, and untracked exceptions in place.
- Impact is failed governance: audit gaps, compliance exposure, operational inefficiency, and higher breach likelihood because the programme cannot reliably prove or enforce who should have access.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
IGA failure is usually an operating-model failure, not a tooling failure. The article shows that projects collapse when goals, ownership, and process discipline are not defined before deployment. That is the same root cause behind many identity governance programmes that look complete on paper but cannot sustain access review, role cleanup, or offboarding in live environments. Practitioners should treat governance design as the control, not the software.
Identity lifecycle management breaks when authoritative data is fragmented. The discussion of HR feeds, LDAP, and app-level fulfilment points to a deeper truth: entitlement truth cannot be inferred when source systems disagree. The same fragmentation is now common across SaaS, cloud, and NHI estates, where service accounts and workloads need consistent lifecycle handling. The implication is straightforward: governance only scales when identity data is operationally coherent.
Identity review debt: access certification that arrives after business change is already governance theatre. The article’s emphasis on continuous monitoring, right-sizing access, and historical tracking shows that delay turns certification into retrospective documentation rather than control. In modern environments, including NHI estates, access changes faster than quarterly review cycles. Practitioners should recognise that stale review windows are not a process nuisance, they are a structural blind spot.
SoD failures expose how much IGA depends on clean role architecture. The article’s fraud-prevention and toxic-combination sections show that role design is only effective when duties are separated in a way the business actually uses. That holds across human users and machine identities alike. If role models are noisy or overbroad, the programme cannot reliably prevent conflicting access from accumulating.
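The role-architecture point made in the "access reviews and role governance" breakdown and again here can be checked mechanically: flatten each identity's roles into effective entitlements, test them against a list of toxic pairs, and surface the duplicate and unheld roles that inflate a certification cycle. This is an added example, not code from the article or from Zluri; the role model, assignments and toxic pairs are constructed placeholders, and it applies equally to service accounts such as the `svc-ci` identity below.

```python
from itertools import combinations

# Constructed role model and assignments (placeholders, not a real estate).
ROLES = {
    # role -> entitlements it grants
    "ap_clerk":        {"vendor.create", "invoice.enter"},
    "ap_approver":     {"invoice.approve", "payment.release"},
    "ap_legacy":       {"vendor.create", "invoice.enter"},   # same grants as ap_clerk
    "reporting":       {"ledger.read"},
    "deploy_bot":      {"ci.deploy", "secrets.read"},
    "dba_break_glass": {"db.admin"},                         # nobody holds it
}

ASSIGNMENTS = {
    # identity (human or service account) -> roles held
    "alice":  {"ap_clerk", "ap_approver"},   # can create a vendor and release payment
    "bob":    {"ap_clerk"},
    "carol":  {"reporting"},
    "svc-ci": {"deploy_bot"},
}

# Toxic combinations: no single identity should hold both entitlements.
TOXIC_PAIRS = [
    ("vendor.create", "payment.release"),
    ("invoice.enter", "invoice.approve"),
]


def effective_entitlements(identity, roles=ROLES, assignments=ASSIGNMENTS):
    """Flatten an identity's roles into the entitlements it can actually exercise,
    remembering which role grants each one so a reviewer has context."""
    granted = {}
    for role in assignments.get(identity, ()):
        for ent in roles[role]:
            granted.setdefault(ent, set()).add(role)
    return granted


def sod_violations(roles=ROLES, assignments=ASSIGNMENTS, toxic=TOXIC_PAIRS):
    """Return {identity: [(toxic pair, roles granting it)]} for every conflict held."""
    out = {}
    for identity in assignments:
        granted = effective_entitlements(identity, roles, assignments)
        for a, b in toxic:
            if a in granted and b in granted:
                via = sorted(granted[a] | granted[b])
                out.setdefault(identity, []).append(((a, b), via))
    return out


def duplicate_roles(roles=ROLES):
    """Roles granting exactly the same entitlements: candidates to collapse."""
    return sorted(
        tuple(sorted((r1, r2)))
        for r1, r2 in combinations(roles, 2)
        if roles[r1] == roles[r2]
    )


def unassigned_roles(roles=ROLES, assignments=ASSIGNMENTS):
    """Roles no identity holds: candidates to retire before a certification cycle."""
    held = set().union(*assignments.values())
    return sorted(set(roles) - held)


if __name__ == "__main__":
    for who, conflicts in sod_violations().items():
        for pair, via in conflicts:
            print(f"{who}: {pair[0]} + {pair[1]} via roles {via}")
    print("duplicate roles:", duplicate_roles())
    print("unheld roles:", unassigned_roles())
```

Reporting the granting roles alongside each conflict is what turns a finding into a decision a reviewer can act on: in the constructed data the conflict is resolved by removing one role, not by arguing about two entitlements in isolation.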
Strong IGA programmes are measured by revocation speed and evidence quality, not by feature coverage. The blog repeatedly points to provisioning, offboarding, certification, and audit trails as the real test of governance maturity. That aligns with NIST CSF and OWASP NHI principles: if access cannot be removed, explained, and evidenced quickly, the control is not working as intended. Practitioners should judge maturity by control reliability, not by deployment status.
From our research:
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to the 2026 Infrastructure Identity Survey.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
- That gap is why practitioners should also read the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs for lifecycle controls that translate governance intent into enforceable practice.
What this signals
Identity governance will increasingly be judged by whether it can cope with dynamic, multi-system change rather than whether it can issue access approvals. The programme signal here is that reviews, role models, and fulfilment workflows need to be designed for constant churn across SaaS, cloud, and non-human access. If they are not, IGA becomes a record-keeping layer instead of a control layer.
Identity review debt: the longer a certification cycle trails real operational change, the less it functions as a control and the more it functions as post-event documentation. For teams managing both human and NHI access, that means offboarding speed, entitlement freshness, and evidence quality will matter more than review volume.
When organisations fail to align IGA with real lifecycle data, the next pressure point is usually not policy design but operational trust in the identity sources themselves. That is where practitioners should expect more scrutiny from auditors, security leaders, and platform owners, especially as AI and machine identities become part of the same governance surface.
For practitioners
- Define control ownership before deployment: assign explicit owners for provisioning, role maintenance, certification, and offboarding so the programme does not rely on ambiguous cross-team accountability.
- Test lifecycle flows against real systems: validate onboarding, role change, and offboarding end to end across HR, directories, SaaS, and cloud platforms before expanding scope.
- Reduce role sprawl before certification cycles: collapse redundant roles and remove obsolete entitlements so reviewers are evaluating current access rather than inherited noise.
- Measure revocation and evidence quality: track how quickly access is removed, how often exceptions persist, and whether audit trails can prove each decision without manual reconstruction.
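The "are access reviews working" question in the key questions section and the final practitioner item above ask for the same three numbers: how fast revoke decisions are enforced, how often exceptions survive from one cycle to the next, and how much of the record is backed by evidence. The following is an added example of computing those from certification records, not code from the article or from Zluri; the review records, ticket references and SLA are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Review:
    cycle: str
    identity: str
    entitlement: str
    decision: str                 # keep | revoke | exception
    decided_on: date
    revoked_on: Optional[date]    # set only when the revoke was actually enforced
    evidence_ref: Optional[str]   # ticket or approval record backing the decision


# Constructed certification records (placeholders, not from any real programme).
REVIEWS = [
    Review("2025-Q1", "alice", "crm.admin", "revoke", date(2025, 3, 10), date(2025, 3, 12), "TCK-101"),
    Review("2025-Q1", "bob", "ldap.dba", "exception", date(2025, 3, 10), None, "TCK-102"),
    Review("2025-Q1", "svc-ci", "secrets.read", "keep", date(2025, 3, 11), None, "TCK-103"),
    Review("2025-Q2", "bob", "ldap.dba", "exception", date(2025, 6, 9), None, None),         # same exception again, no evidence
    Review("2025-Q2", "dave", "billing.export", "revoke", date(2025, 6, 9), None, "TCK-201"),  # decided, never enforced
    Review("2025-Q2", "erin", "crm.admin", "revoke", date(2025, 6, 10), date(2025, 6, 20), "TCK-202"),
]

CHECK_DATE = date(2025, 6, 26)  # when the metrics are computed (constructed)


def review_metrics(reviews, today, sla_days=7):
    """Summarise a set of certification records into control-quality numbers."""
    revokes = [r for r in reviews if r.decision == "revoke"]

    # Days from decision to enforcement, for revokes that were enforced at all.
    lag = [(r.revoked_on - r.decided_on).days for r in revokes if r.revoked_on]

    # A revoke misses the SLA if it was enforced late or is still open past the SLA;
    # an unenforced revoke is measured against today, so it keeps getting worse.
    over_sla = [r for r in revokes
                if ((r.revoked_on or today) - r.decided_on).days > sla_days]

    # An exception that is granted for the same identity/entitlement in more than
    # one cycle is not an exception any more; it is unmanaged access.
    cycles_by_exception = {}
    for r in reviews:
        if r.decision == "exception":
            cycles_by_exception.setdefault((r.identity, r.entitlement), set()).add(r.cycle)
    persistent = sorted(k for k, c in cycles_by_exception.items() if len(c) > 1)

    with_evidence = sum(1 for r in reviews if r.evidence_ref)

    return {
        "median_days_to_revoke": median(lag) if lag else None,
        "revokes_over_sla": [(r.identity, r.entitlement) for r in over_sla],
        "persistent_exceptions": persistent,
        "evidence_rate": round(with_evidence / len(reviews), 3) if reviews else None,
    }


if __name__ == "__main__":
    for key, value in review_metrics(REVIEWS, CHECK_DATE).items():
        print(f"{key}: {value}")
```

Two design choices matter here. Open revokes are measured against the current date rather than dropped, so a decision that was never enforced cannot hide by having no revocation timestamp. And exception persistence is keyed on identity plus entitlement across cycles, which is exactly the "stale access keeps reappearing" symptom the key questions section names.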
Key takeaways
- IGA fails when organisations treat identity governance as a tooling deployment rather than an operating-model redesign.
- The evidence points to a recurring pattern of poor ownership, fragmented data, and review fatigue rather than a single technical defect.
- Practitioners should measure success by revocation speed, role clarity, and evidence quality, not by whether the platform is live.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle failures in IGA map to credential and access governance for non-human identities. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions management is central to the article’s governance failure patterns. |
| NIST Zero Trust (SP 800-207) | | The article’s emphasis on continuous verification aligns with zero trust access governance. |
Map NHI provisioning, revocation, and review flows to NHI-03 and verify they complete end to end.
Key terms
- Identity Governance And Administration: Identity Governance and Administration is the discipline of defining, approving, reviewing, and revoking access in a way that can be audited and repeated. It sits above the mechanics of authentication and provisioning, making sure access matches policy, business role, and current need across both human and non-human identities.
- Access Certification: Access certification is the process of reviewing whether an identity still needs the permissions it has been granted. In mature programmes, it is tied to clean entitlement data, clear ownership, and timely remediation, otherwise it becomes a paperwork exercise that records stale access instead of removing it.
- Separation Of Duties: Separation of duties is a control that prevents one identity from performing conflicting or high-risk actions alone. It reduces fraud and error by splitting sensitive steps across roles or people, but it only works when roles are designed cleanly enough for conflicts to be detected before they are exploited.
- Identity Lifecycle Management: Identity lifecycle management covers the full path from onboarding to role change to offboarding. The control only works when authoritative data, approvals, and deprovisioning are aligned so that access can be granted, adjusted, and removed at the right moment for each identity type.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: Why does The IGA Project Fail? Top 8 Reasons. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org