By NHI Mgmt Group Editorial Team | Published 2026-03-12 | Domain: Governance & Risk | Source: Zluri

TL;DR: As SaaS sprawl expands identities, permissions, and audit demands, IGA tooling is being asked to centralise provisioning, access reviews, segregation of duties, and reporting across increasingly complex environments, according to Zluri’s overview of 2026 IGA solutions. The real issue is not tool count but whether lifecycle governance can keep pace with privilege drift, offboarding delays, and review fatigue.


At a glance

What this is: A vendor roundup of 2026 IGA solutions, whose central finding is that modern SaaS environments need stronger lifecycle governance, access review, and compliance automation.

Why it matters: IGA is now the control layer that has to reconcile human, NHI, and automated access patterns without letting privilege drift or orphaned access accumulate.

👉 Read Zluri's roundup of the top 11 IGA solutions for 2026


Context

Identity governance and administration is the discipline that keeps access aligned to role, risk, and business need across software and infrastructure. In a SaaS-heavy enterprise, the problem is not just who gets access, but how quickly access becomes stale as roles, apps, and entitlements change.

This article is really about whether IGA can still act as the control plane for access lifecycle management when organisations rely on many SaaS applications, automated provisioning, access reviews, and audit reporting. The answer is that lifecycle discipline matters more than feature breadth, because unmanaged entitlement growth creates security and compliance exposure fast.


Key questions

Q: How should organisations manage SaaS access without creating entitlement drift?

A: Organisations should link provisioning, role changes, and offboarding to authoritative lifecycle events and keep app ownership current. The key is to remove access quickly when the business relationship changes and to verify that downstream SaaS permissions actually change, not just the source record. Without that linkage, entitlement drift becomes the default state.

Q: Why do access reviews often fail to reduce identity risk?

A: Access reviews fail when they validate stale roles instead of live entitlements. If reviewers cannot see inherited access, app-specific permissions, and segregation of duties conflicts, the review produces approval noise rather than risk reduction. Effective certification needs current entitlement data and business context for every decision.

Q: What breaks when segregation of duties is not enforced across SaaS apps?

A: SoD breaks when conflicting privileges exist across separate applications or when manual exceptions bypass policy enforcement. In that situation, a user can still complete risky business processes even though the central IGA policy looks clean. The control must follow the workflow, not just the directory.

Q: How do teams know if IGA automation is actually improving governance?

A: Teams should measure how quickly access changes are completed, how many revoked accounts still retain access after offboarding, and how many certification exceptions remain unresolved. If automation speeds approvals but leaves stale entitlements behind, the programme is operationally efficient but not governed well.


Technical breakdown

Identity lifecycle management in SaaS-heavy environments

Identity lifecycle management covers onboarding, access changes, and offboarding across applications and directories. In SaaS environments, that lifecycle is fragmented because permissions are created in multiple systems, often through different workflows. The operational failure is not just slow provisioning. It is the persistence of orphaned access, hidden entitlements, and outdated approvals after a role change or departure. Good IGA reduces that drift by tying identity state to business events, but only if the underlying app inventory and entitlement data are current.

Practical implication: map every SaaS application to an owner, a lifecycle trigger, and a revocation path before relying on IGA for deprovisioning.

Access certification and segregation of duties

Access certification is the periodic validation that a user still needs a given permission set. Segregation of duties prevents one identity from holding combinations of access that create fraud or misuse risk. These controls are often presented as compliance features, but technically they are decision controls that should surface entitlement drift, not just pass audits. If certifications are based on stale role data or if SoD rules are incomplete, the process becomes ceremonial and the same risky access remains in place.

Practical implication: test certification workflows against real entitlement data and SoD conflict scenarios, not against spreadsheet samples.

Why workflow automation is not the same as governance

IGA products often automate approvals, provisioning, and reporting, but automation alone does not create governance. Governance depends on policy quality, ownership, review criteria, and evidence that exceptions are handled consistently. In SaaS environments, automated workflows can move risk faster if they are not anchored to role definitions, separation rules, and offboarding triggers. The architecture works only when each decision has a clear policy source and a durable audit trail.

Practical implication: validate that every automated access decision can be traced back to a policy, an owner, and a revocation condition.
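To make the lifecycle-drift, orphaned-access and cross-application SoD points above concrete, here is an added Python example (not from the article, and not Zluri's or any vendor's code): it joins an authoritative identity-status feed to per-application entitlement exports, reports entitlements still held by inactive or unknown identities, flags SoD conflicts whose entitlements are spread across different apps, and returns the drift counts a programme could track instead of approval throughput. All identities, application names, entitlement strings and dates are constructed sample data.

```python
from datetime import date

# Constructed sample data (not from the article): names, entitlement strings and
# dates are assumptions standing in for an HR/vendor feed and per-app IGA exports.
AS_OF = date(2026, 3, 12)
# identity -> (lifecycle state in the authoritative source, date that state began)
IDENTITY_STATUS = {
    "alice": ("active", None),
    "bob": ("terminated", date(2026, 3, 1)),
    "svc-billing": ("retired", date(2026, 2, 20)),  # a non-human identity
    "carol": ("active", None),
}
# (identity, app, entitlement) per SaaS export; "dave" has no authoritative record at all
ENTITLEMENTS = [
    ("alice", "erp", "vendor.create"),
    ("alice", "payments", "payment.approve"),
    ("bob", "crm", "admin"),
    ("bob", "payments", "payment.approve"),
    ("svc-billing", "payments", "payment.export"),
    ("carol", "crm", "user"),
    ("dave", "crm", "admin"),
]
# SoD rules defined around a business process; each rule may span applications
SOD_RULES = [
    ("vendor-payment", {("erp", "vendor.create"), ("payments", "payment.approve")}),
]

def orphaned_access(status, entitlements, as_of):
    """Entitlements held by non-active identities: (identity, app, entitlement, days stale or None)."""
    found = []
    for ident, app, ent in entitlements:
        state, since = status.get(ident, ("unknown", None))  # missing record counts as not active
        if state != "active":
            found.append((ident, app, ent, (as_of - since).days if since else None))
    return found

def sod_conflicts(entitlements, rules):
    """Identities holding every entitlement of a rule, whichever apps grant them."""
    held = {}
    for ident, app, ent in entitlements:
        held.setdefault(ident, set()).add((app, ent))
    return [(ident, name) for ident, ents in held.items() for name, combo in rules if combo <= ents]

def drift_metrics(status, entitlements, rules, as_of):
    """The counts a programme should track instead of approval throughput."""
    orphans = orphaned_access(status, entitlements, as_of)
    return {"orphaned_entitlements": len(orphans),
            "inactive_identities_with_access": len({o[0] for o in orphans}),
            "cross_app_sod_conflicts": len(sod_conflicts(entitlements, rules))}
```

On the sample data, bob and svc-billing keep access 11 and 20 days after deactivation, dave holds an admin entitlement with no owner record, and alice holds a vendor-payment conflict that no single application can see on its own.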



NHI Mgmt Group analysis

IGA is only as strong as the lifecycle assumptions underneath it. The article correctly frames onboarding, access review, and offboarding as core IGA functions, but the real governance issue is whether those functions are tied to current identity state or stale organisational labels. When SaaS estates expand faster than entitlement ownership, review workflows become a backstop for drift rather than a preventive control. Practitioners should treat lifecycle accuracy as the first control problem, not a reporting afterthought.

Access certification fails when review criteria lag actual entitlement behaviour. Reviewing access is only meaningful when reviewers can see current privileges, business context, and SoD conflicts in one place. In many environments, certifications are built from incomplete app integrations or outdated role models, which means the organisation is certifying yesterday’s access picture. The practitioner takeaway is that review quality matters more than review frequency.

Segregation of duties is a control design problem, not a checkbox. The article highlights SoD as a feature, but SoD only works when conflicts are defined around real business processes and enforced across connected applications. If access paths outside the IGA layer are ignored, SoD becomes partial coverage with a false sense of control. Teams should treat SoD as an entitlement modelling exercise that must be continuously maintained.

Named concept: access lifecycle drift. In SaaS-heavy environments, identity state changes faster than governance records, and that gap is where orphaned accounts, over-entitlement, and audit findings accumulate. This is not just a provisioning issue. It is a structural mismatch between business change and access change, which means practitioners must align lifecycle triggers to actual operational events, not calendar-based review habits.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Another NHIMG finding shows that 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
  • For the control side, see Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs for the lifecycle mechanics behind revocation and review.

What this signals

Access lifecycle drift is the pattern identity teams should watch most closely as SaaS estates and governance workflows expand. Zluri’s roundup reflects a broader market reality: many programmes can automate requests and reviews, but far fewer can prove that access actually disappears when the business need ends. That gap is especially visible in non-human access, where delayed revocation becomes an attack surface rather than an administrative delay.

In practical terms, IGA leaders should expect demand to shift from feature checklists to evidence of control effectiveness. The control set increasingly needs to cover revocation, review quality, and SoD enforcement across connected systems, not just central directory workflows. For a baseline on access-control architecture, NIST Cybersecurity Framework 2.0 remains a useful reference point for govern, protect, detect, respond, and recover alignment.

The stronger programmes will be the ones that treat access governance as a living system, not a quarterly campaign. That means joining lifecycle events, entitlement ownership, and audit evidence into one operational model. Without that, organisations will keep producing clean reports while leaving real access risk untouched.


For practitioners

  • Inventory SaaS applications by lifecycle owner: Create a complete application list with a named business owner, technical owner, and revocation path for each system before expanding IGA workflows.
  • Validate access reviews against live entitlements: Run certification campaigns using current permissions, not exported role spreadsheets, and require reviewers to see inherited access and SoD conflicts.
  • Tie offboarding to authoritative source events: Trigger removal of access from HR, contractor, or vendor status changes so revoked identities do not retain standing access in downstream SaaS tools.
  • Model SoD around real business processes: Define conflict rules from finance, operations, and admin workflows, then verify that the rules apply across every connected application and manual exception path.

Key takeaways

  • IGA is most effective when it governs live identity lifecycle events, not static role records or stale access exports.
  • Access certification and segregation of duties only reduce risk when they are connected to current entitlements and real business workflows.
  • The practical test for any IGA programme is whether it can revoke access cleanly, prove it, and keep pace as SaaS environments change.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle revocation and rotation are central to this IGA discussion.
NIST CSF 2.0 | PR.AC-1 | Access control governance underpins provisioning, review, and offboarding.
NIST Zero Trust (SP 800-207) | PR.AC | Zero trust depends on continuous access validation across SaaS and directories.

Tie IGA workflows to PR.AC-1 and confirm access decisions are policy-driven and current.


Key terms

  • Identity Lifecycle Management: Identity lifecycle management is the process of creating, changing, and removing access as people, systems, or vendors move through business states. In practice, it connects authoritative events such as hire, role change, contract end, or system retirement to provisioning and revocation across connected applications.
  • Access Certification: Access certification is the periodic validation that an identity still needs the permissions it has been granted. It is only effective when reviewers can see current entitlements, inherited access, and business context; otherwise the process becomes a procedural sign-off rather than a real control.
  • Segregation of Duties: Segregation of duties is a control that prevents one identity from holding combinations of access that enable fraud, misuse, or unsafe dual control. It depends on clearly defined conflict rules and continuous enforcement across all relevant systems, not just the central directory or IGA console.
  • Entitlement Drift: Entitlement drift is the gap between the access an identity should have and the access it still holds after business conditions change. It shows up as stale permissions, orphaned accounts, and exceptions that persist longer than intended, which turns access governance into cleanup rather than prevention.

Deepen your knowledge

Identity lifecycle management and access review design are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your organisation is trying to connect SaaS governance to non-human access patterns, it is a relevant next step.

This post draws on content published by Zluri: Security & Compliance Top 11 IGA Solutions for Your Organization in 2026. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org