By NHI Mgmt Group Editorial Team
Published 2025-10-29
Domain: Governance & Risk
Source: Palo Alto Networks

TL;DR: Traditional IGA programs are stalling because integration friction, manual workflows, and rapidly expanding identity estates keep outpacing governance, according to the source article and Enterprise Strategy Group data. More than 77% of organisations treat IGA as a core cybersecurity best practice, yet many still rely on spreadsheets and ticketing for access reviews. The governance problem is now operational, not theoretical.


At a glance

What this is: This analysis argues that IGA is failing to keep pace with modern identity sprawl because legacy integrations and manual processes cannot support continuous governance.

Why it matters: It matters because IAM and NHI practitioners must govern growing populations of human and machine identities without turning access reviews and provisioning into a manual bottleneck.

By the numbers:



Context

Identity governance and administration, or IGA, is the control layer that reviews, provisions, and removes access across an organisation’s identity estate. The problem is that identity populations now include employees, contractors, interns, service accounts, and AI-driven workloads, while the application footprint keeps expanding. That combination turns governance into a continuous operating challenge rather than a periodic review exercise.

The article’s central point is that static governance models were built for slower, more uniform environments and now struggle in hybrid estates with cloud, SaaS, and legacy systems. For IAM and NHI practitioners, that means the same governance patterns must cover both human and non-human identities without assuming manual checkpoints can scale. The starting position described here is common, not exceptional, across larger enterprises.

The control problem is not simply visibility. It is integration depth, workflow automation, and the ability to make access decisions quickly enough that business teams do not route around governance. That is why modern IGA is increasingly being evaluated alongside NHI lifecycle management and privileged access controls, not as a separate compliance function.


Key questions

Q: How should organisations modernise IGA without creating more manual work?

A: Start with the applications and identities that create the most review exceptions, then automate provisioning, revocation, and recertification for those workflows first. The goal is not to automate every process at once, but to eliminate the ticket-heavy paths that consume the most time and create the most access creep. Governance improves when policy executes close to the change event.

Q: Why do traditional IGA programs struggle in hybrid environments?

A: Hybrid environments combine cloud apps, SaaS, and legacy systems that do not expose the same integration hooks or lifecycle patterns. That makes it hard to keep entitlement data current and to execute access changes consistently. When governance depends on partial connectors and manual follow-up, review quality declines and revocation slows.

Q: What is the difference between access reviews and lifecycle governance?

A: Access reviews are periodic checks that confirm whether existing permissions should remain in place. Lifecycle governance is broader because it controls access at join, move, and leave events, then keeps ownership, expiry, and revocation aligned over time. In practice, organisations need both, but lifecycle controls reduce the volume of review findings.

Q: How should security teams include non-human identities in IGA?

A: Treat service accounts, tokens, and application identities as governed assets with owners, purpose, expiry, and review cadence. Do not leave them in separate tooling or rely on ad hoc documentation. The same lifecycle discipline used for workforce access should apply to NHI populations, especially where elevated permissions or long-lived credentials are involved.


Technical breakdown

Why integration friction breaks automated IGA

Automated IGA depends on reliable connectors into every in-scope application, directory, and platform. In practice, that is where many programs stall. Cloud and SaaS systems often expose APIs, but legacy on-premises applications may not, and custom integration work becomes the hidden cost of governance. When integrations are incomplete, entitlement data is stale, access reviews lose accuracy, and revocation workflows break down. The result is not just slower implementation, but a governance model that cannot fully observe or act on the identity estate.

Practical implication: Map integration coverage by application class and treat missing connectors as governance risk, not only implementation debt.

How manual provisioning creates access creep and delay

Manual IGA depends on spreadsheets, email approvals, and tickets to move entitlements through the lifecycle. That approach creates two failure modes at once. First, it slows joiner-mover-leaver workflows, leaving users waiting for access and pushing teams toward exception handling. Second, it makes revocation harder to execute consistently, which is why access reviews often uncover permissions that should have been removed long before. In an environment with frequent application changes and growing identity sprawl, manual workflows are structurally outmatched.

Practical implication: Prioritise policy-driven provisioning and deprovisioning for the highest-risk systems before expanding review cadence.

Why modern IGA has to govern humans and NHIs together

The article’s reference to machine identities is important because governance no longer stops at workforce access. Service accounts, tokens, and application identities often bypass the controls built for human users, yet they create persistent access pathways that are harder to review. A practical IGA model must therefore align with NHI lifecycle management, secrets handling, and privileged access control. Otherwise, the organisation gets two governance systems that cannot reconcile who or what actually has access.

Practical implication: Extend governance scope to non-human identities and make entitlement ownership explicit across both human and machine accounts.
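As an added worked example, not code from the source article or from Palo Alto Networks, the Python script below reconciles entitlements at the change event for the join, move and leave cases described above and applies the same lifecycle discipline to non-human identities: a service account with no accountable owner or a lapsed expiry loses its access and is flagged, instead of surviving until the next quarterly review. The role catalogue, entitlement names and identities are constructed sample data.

```python
"""Policy-driven joiner-mover-leaver (JML) reconciliation covering both
human and non-human identities. Added example, not code from the source
article or from Palo Alto Networks; the role policy, entitlement names and
identities are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Role catalogue: what each role should confer (constructed sample policy).
ROLE_POLICY = {
    "engineer":  {"github:read", "github:write", "ci:run"},
    "finance":   {"erp:ledger-read", "erp:ledger-write"},
    "ci-runner": {"ci:run", "artifact:push"},  # a machine-identity role
}


@dataclass
class Identity:
    name: str
    kind: str                       # "human" or "nhi"
    status: str                     # "active" or "terminated"
    roles: set
    current: set                    # entitlements actually present today
    owner: str = ""                 # NHIs must have an accountable owner
    expires: Optional[date] = None  # NHIs must carry an expiry date


def desired_entitlements(ident: Identity) -> set:
    """Leaver: nothing. Otherwise the union of what the roles confer."""
    if ident.status != "active":
        return set()
    return set().union(*(ROLE_POLICY.get(r, set()) for r in ident.roles))


def reconcile(ident: Identity, today: date) -> list:
    """Diff current vs desired entitlements at the change event and return
    (verb, target) actions. NHIs with no owner or a past expiry lose all
    access and are flagged for review rather than silently kept."""
    actions = []
    desired = desired_entitlements(ident)
    if ident.kind == "nhi":
        if not ident.owner:
            actions.append(("flag", "missing-owner"))
            desired = set()
        elif ident.expires is None or ident.expires < today:
            actions.append(("flag", "expired-or-no-expiry"))
            desired = set()
    actions += [("grant", e) for e in sorted(desired - ident.current)]
    actions += [("revoke", e) for e in sorted(ident.current - desired)]
    return actions


# Constructed sample identities as seen at one reconciliation run.
SAMPLE = [
    Identity("alice", "human", "active", {"engineer"},
             {"erp:ledger-read", "github:read"}),        # mover: finance -> engineering
    Identity("bob", "human", "terminated", {"engineer"},
             {"github:read"}),                            # leaver
    Identity("ci-bot", "nhi", "active", {"ci-runner"},
             {"ci:run", "artifact:push", "github:write"},
             owner="platform-team", expires=date(2025, 12, 31)),  # access creep
    Identity("legacy-svc", "nhi", "active", set(),
             {"erp:ledger-write"}),                       # orphaned service account
]


def run_sample(today: date = date(2025, 10, 29)) -> dict:
    """Reconcile every sample identity; returns {name: [(verb, target), ...]}."""
    return {i.name: reconcile(i, today) for i in SAMPLE}


if __name__ == "__main__":
    for name, acts in run_sample().items():
        for verb, target in acts:
            print(f"{name:<12}{verb:<8}{target}")
```

Running it shows the mover losing finance access and gaining engineering access in one step, the leaver losing everything, the CI identity losing the one entitlement its role never granted, and the ownerless service account being stripped and flagged. The "flag" actions are what a review queue should be built from; the grant and revoke actions are what the connectors execute.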


  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

IGA is becoming an identity orchestration problem, not just a review problem. Access recertification matters, but the larger issue is whether the organisation can connect identity sources, entitlement stores, and application workflows fast enough to govern continuously. In modern estates, governance fails when orchestration is partial, not when policy language is missing. Practitioners should measure IGA by closed-loop execution, not by the number of reviews completed.

Identity sprawl changes the risk model faster than traditional governance can absorb. When humans, contractors, service accounts, and application credentials all sit inside the same operational environment, the blast radius of stale permissions grows quickly. That makes governance quality a function of identity inventory quality, lifecycle discipline, and exception handling. Teams should treat sprawl reduction as a governance control, not just an administrative cleanup.

Modern IGA only works when lifecycle decisions are automated at the point of change. Waiting for quarterly reviews to remove unnecessary access is already too late in fast-moving hybrid environments. Continuous provisioning, revocation, and attestation workflows are now the practical baseline for reducing access creep. Practitioners should move from review-first thinking to lifecycle-first governance.

AI-assisted governance will not fix broken identity data or incomplete integrations. Automation can reduce manual effort, but it cannot compensate for poor source-of-truth discipline or absent application coverage. That means organisations need stronger joiner-mover-leaver foundations before they expect AI to improve governance outcomes. The right sequence is data quality, integration breadth, then automation scale.

Unified governance is the named concept this market keeps converging on. The article points to a single operating reality where IGA, NHI lifecycle control, and access review hygiene cannot be separated without creating blind spots. The practical conclusion is clear: teams should design governance around identity type, lifecycle stage, and application criticality together.

From our research:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, and that confidence gap is a governance problem, not a tooling problem.
  • For a broader control map, see the Ultimate Guide to NHIs and its lifecycle guidance for provisioning, rotation, and offboarding.

What this signals

Identity governance is shifting from episodic review to continuous control execution. That shift matters because the organisations that still rely on spreadsheet-led attestation will struggle to keep up with cloud app churn and expanding NHI populations. The practical programme response is to tie governance events to lifecycle triggers, then measure how often exceptions recur across the same entitlements.

With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, per The State of Non-Human Identity Security, the next governance gap will not be limited to human access. The reader’s programme should prepare for broader entitlement ownership, stronger third-party review, and a tighter link between access policy and application change management.


For practitioners

  • Inventory connector coverage across critical applications: Classify which systems support API-based governance, which require custom integration, and which still depend on manual controls. Use that map to prioritise remediation for systems handling privileged access, regulated data, or high churn joiner-mover-leaver events.
  • Automate joiner-mover-leaver workflows for high-risk entitlements: Replace ticket-based provisioning with policy-driven workflows for roles that repeatedly trigger access review exceptions. Focus first on accounts where delayed revocation creates measurable exposure, especially where manual handling still depends on spreadsheets and email approvals.
  • Extend governance to machine identities and service accounts: Bring non-human identities into the same lifecycle inventory used for workforce access, including owners, purpose, expiry, and revocation criteria. Tie this work to the NHI Lifecycle Management Guide and the Ultimate Guide to NHIs so that machine identities are not left outside review processes.
  • Track review findings as a signal of control design weakness: If access reviews repeatedly remove large blocks of unnecessary permissions, treat that pattern as evidence that provisioning rules and role design need correction. Use the review output to refine role engineering, entitlement inheritance, and exception approval thresholds.

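An added example, not from the source article, that implements the first and last practitioner items together, and the "map integration coverage by application class" point from the technical breakdown: it classifies an application inventory by integration class, lists the coverage gaps on privileged or regulated systems, and counts how often the same entitlement is revoked across successive review cycles, ranking recurring findings higher where the application's connector is weaker. The inventory, review findings and scoring weights are constructed sample data.

```python
"""Turn connector coverage and access-review output into a remediation
priority signal. Added example, not code from the source article; the
inventory, findings and weights below are constructed sample data."""
from collections import Counter, defaultdict

# Connector coverage map by application (constructed). Integration class:
#   "api"    - governance platform reads and writes entitlements directly
#   "custom" - bespoke connector, partial entitlement visibility
#   "manual" - spreadsheets and tickets; no automated revocation
APP_INVENTORY = {
    "github":    {"integration": "api",    "privileged": False, "regulated": False},
    "erp":       {"integration": "custom", "privileged": True,  "regulated": True},
    "legacy-hr": {"integration": "manual", "privileged": True,  "regulated": True},
}

# Access-review findings as (cycle, application, entitlement, decision).
# Constructed: three quarterly cycles of review output.
REVIEW_FINDINGS = [
    ("2025-Q1", "erp", "ledger-write", "revoke"),
    ("2025-Q2", "erp", "ledger-write", "revoke"),
    ("2025-Q3", "erp", "ledger-write", "revoke"),
    ("2025-Q3", "erp", "ledger-read", "keep"),
    ("2025-Q1", "github", "write", "revoke"),
    ("2025-Q2", "github", "write", "revoke"),
    ("2025-Q2", "github", "admin", "revoke"),
    ("2025-Q1", "legacy-hr", "payroll-export", "revoke"),
    ("2025-Q2", "legacy-hr", "payroll-export", "revoke"),
    ("2025-Q3", "legacy-hr", "payroll-export", "revoke"),
]

# Weaker integration = slower, less reliable revocation (constructed weights).
INTEGRATION_WEIGHT = {"api": 1, "custom": 2, "manual": 3}


def coverage_gaps(inventory: dict) -> list:
    """Applications handling privileged or regulated access that lack
    API-based governance: missing connectors treated as governance risk."""
    return sorted(app for app, m in inventory.items()
                  if m["integration"] != "api" and (m["privileged"] or m["regulated"]))


def recurring_revocations(findings: list, min_cycles: int = 2) -> dict:
    """Entitlements revoked in at least min_cycles distinct review cycles.
    A one-off removal is cleanup; a repeat means provisioning rules or role
    design keep re-granting what reviews keep removing."""
    cycles = defaultdict(set)
    for cycle, app, ent, decision in findings:
        if decision == "revoke":
            cycles[(app, ent)].add(cycle)
    return {key: len(c) for key, c in cycles.items() if len(c) >= min_cycles}


def remediation_priority(inventory: dict, findings: list) -> list:
    """Score each recurring finding: cycles x integration weight, plus one
    each for privileged and regulated. Returns [((app, ent), score), ...]
    highest first, i.e. which provisioning rule or connector to fix first."""
    scores = Counter()
    for (app, ent), n in recurring_revocations(findings).items():
        meta = inventory[app]
        score = n * INTEGRATION_WEIGHT[meta["integration"]]
        score += int(meta["privileged"]) + int(meta["regulated"])
        scores[(app, ent)] = score
    return scores.most_common()


if __name__ == "__main__":
    print("coverage gaps:", coverage_gaps(APP_INVENTORY))
    for (app, ent), score in remediation_priority(APP_INVENTORY, REVIEW_FINDINGS):
        print(f"{score:>3}  {app}/{ent}")
```

The weights are deliberately simple; the design point is that a recurring revocation on a manually governed, privileged system outranks the same pattern on an API-connected one, because the manual path is where revocation is slowest and where a corrected provisioning rule cannot yet be enforced automatically. A single revocation (the constructed "github/admin" finding) does not appear at all, which keeps the signal focused on control design rather than individual cleanup.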
Key takeaways

  • IGA breaks down when identity sprawl, weak integrations, and manual workflows outgrow the organisation’s ability to govern access continuously.
  • Access review findings are telling many teams the same thing: too much access remains in place for too long, and the lifecycle controls are not removing it fast enough.
  • The practical answer is to move governance closer to the change event and extend the same discipline to non-human identities, not just employees.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Long-lived secrets and weak lifecycle control drive the governance gaps discussed here.
NIST CSF 2.0 | PR.AC-4 | IGA depends on managing access permissions continuously across hybrid estates.
NIST Zero Trust (SP 800-207) | | Continuous verification aligns with the article's move away from static governance.

Apply zero-trust principles so access is evaluated continuously rather than only during reviews.


Key terms

  • Identity Governance and Administration: IGA is the control function that manages who has access to what, when, and why across an organisation’s systems. It covers provisioning, access reviews, and revocation, and it fails when identity data, application coverage, or approval workflows are too incomplete to support continuous decisions.
  • Joiner-Mover-Leaver Lifecycle: The joiner-mover-leaver lifecycle describes the access changes that should happen when a person or account is created, changes role, or exits the organisation. It is the basic operating model for keeping entitlements aligned to current need, and it becomes critical when automation replaces manual ticket handling.
  • Non-Human Identity: A non-human identity is any account or credential used by software rather than a person, including service accounts, API keys, tokens, certificates, and AI agents. These identities often persist longer than human sessions and require explicit ownership, rotation, and revocation controls to avoid hidden access.
  • Access Recertification: Access recertification is the periodic review of user or account permissions to confirm that access is still justified. It is useful, but it is not enough on its own because it reacts after entitlements already exist, which is why lifecycle governance must reduce the volume of exceptions before review time.

Deepen your knowledge

IGA modernisation, identity lifecycle control, and NHI governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are rebuilding governance for a hybrid identity estate, it is worth exploring.

This post draws on content published by Palo Alto Networks: Think IGA is challenging? You’re not alone. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org