By NHI Mgmt Group Editorial Team | Published 2025-12-24 | Domain: Governance & Risk | Source: Zluri

TL;DR: Manual access reviews, provisioning, deprovisioning, and certification create visibility and compliance gaps across SaaS estates, according to Zluri, and its 2026 IGA positioning centres on automation, discovery, and ticketless requests for governance workflows. The deeper issue is that access governance only works when entitlement state is current, complete, and reviewable, which manual processes rarely guarantee.


At a glance

What this is: A vendor-authored IGA overview arguing that automation, discovery, and certification are needed because manual access governance leaves SaaS access poorly visible and hard to control.

Why it matters: It matters because IAM, IGA, PAM, and lifecycle teams need to understand where SaaS access reviews, provisioning, and offboarding fail when visibility is incomplete and change is too slow.

👉 Read Zluri's article on IGA automation, access certification, and SaaS governance


Context

Identity governance and administration only works when entitlement data is current enough to support decisions. In SaaS-heavy environments, manual reviews struggle to keep pace with onboarding, role changes, access requests, and offboarding, which leaves gaps in who has access to what.

Zluri’s article is another example of the market shifting toward automation for access discovery, certification, and lifecycle workflows. For practitioners, the important question is not whether automation exists, but whether the underlying governance model can still prove accountability across SaaS access, service accounts, and employee lifecycle changes.


Key questions

Q: How should security teams govern SaaS access reviews at scale?

A: They should start with complete entitlement visibility, then tie review decisions to business context such as usage, role, and status. Access certification is only reliable when reviewers can see current data, and when rejected access is actually revoked. If those two conditions are missing, review becomes a compliance exercise rather than a control.

Q: Why do manual access request and certification processes break down in SaaS environments?

A: They break down because the environment changes faster than the governance workflow can keep up. Role changes, onboarding, app sprawl, and shadow access create stale records, delayed approvals, and inconsistent ownership. In practice, manual processes fail when they cannot keep entitlement state current enough for confident decisions.

Q: What do organisations get wrong about ticketless access requests?

A: They often assume self-service reduces risk by itself. In reality, ticketless access only works when the catalog is tightly curated, approval logic is explicit, and exceptions are controlled. Without that, the organisation has simplified the user journey while making weak access decisions easier to scale.

Q: Who is accountable when automated deprovisioning does not happen after access review?

A: Accountability sits with the identity and application owners who defined the workflow, not with the automation alone. If rejected access remains active, the control failed at design time because the revocation path was missing, unclear, or not connected to authoritative lifecycle signals.


Technical breakdown

Why manual access reviews fail in SaaS environments

Manual access review processes depend on current, complete, and trustworthy entitlement data. In SaaS estates, that assumption breaks quickly because app sprawl, decentralized ownership, and frequent role changes create stale records and incomplete context. Access certification then becomes a snapshot of partial truth rather than a governance decision. The result is not just inefficiency but weak assurance, because reviewers cannot confidently see last login, active status, business role, or real application usage across the full estate.

Practical implication: treat visibility into SaaS entitlements as a control prerequisite, not an administrative convenience.

Ticketless access requests and the governance trade-off

Ticketless access request flows reduce friction by letting employees request approved apps through self-service. That changes the governance burden from manual approval handling to policy design, entitlement catalog quality, and fallback controls. If the catalog is poorly maintained, self-service can simply speed up bad decisions. The architectural shift is from queue-based governance to policy-based governance, where the real control is the approval logic and not the request interface itself.

Practical implication: validate catalog scope, approval rules, and exception handling before pushing self-service at scale.
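To make the "catalog as policy object" idea concrete, the following is an added example (not code from Zluri or from NHI Mgmt Group) of a ticketless access request evaluated against an application catalog in which every entry carries an accountable owner, a pre-approved scope per role, a review-required scope, and a privileged scope that can never be self-served. Apps outside the catalog fall through to an explicit deny rather than to an approver, and a lint pass flags catalog entries that would let weak decisions scale (no owner, privileged entitlement listed as pre-approved). All app names, roles, owners and rules are constructed for illustration.

```python
"""Added example: a ticketless access request decided by catalog policy, not by
the request form. Catalog contents, roles and owners are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple


class Decision(str, Enum):
    AUTO_APPROVE = "auto-approve"      # in pre-approved scope for the requester's role
    REQUIRE_REVIEW = "require-review"  # the accountable app owner must approve
    EXCEPTION = "exception"            # outside policy; needs a recorded exception
    DENY = "deny"                      # app not in catalog: the fallback control


@dataclass
class CatalogEntry:
    owner: str                                  # accountable application owner
    # entitlement -> roles allowed to self-serve it without a human approval
    pre_approved: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    # entitlements the owner may grant after review
    review_required: FrozenSet[str] = frozenset()
    # entitlements treated as privileged; never auto-approved, always an exception
    privileged: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str          # role as asserted by the authoritative identity source
    app: str
    entitlement: str


def evaluate(req: AccessRequest, catalog: Dict[str, CatalogEntry]) -> Tuple[Decision, str]:
    """Return the decision and the reason a reviewer or auditor would want recorded."""
    entry = catalog.get(req.app)
    if entry is None:
        return Decision.DENY, "app not in catalog; route to app onboarding, not to an approver"
    # Privileged scope is checked first so a mis-configured pre-approval cannot override it.
    if req.entitlement in entry.privileged:
        return Decision.EXCEPTION, f"privileged entitlement; exception record and owner {entry.owner} required"
    allowed_roles = entry.pre_approved.get(req.entitlement)
    if allowed_roles is not None and req.role in allowed_roles:
        return Decision.AUTO_APPROVE, f"pre-approved for role {req.role}"
    if req.entitlement in entry.review_required or allowed_roles is not None:
        return Decision.REQUIRE_REVIEW, f"owner {entry.owner} must approve"
    return Decision.EXCEPTION, f"entitlement outside catalog scope for {req.app}; exception record required"


def lint_catalog(catalog: Dict[str, CatalogEntry]) -> List[str]:
    """Catalog defects that would let self-service scale bad decisions."""
    findings = []
    for app, entry in catalog.items():
        if not entry.owner:
            findings.append(f"{app}: no accountable owner")
        for ent in entry.pre_approved:
            if ent in entry.privileged:
                findings.append(f"{app}: privileged entitlement '{ent}' is listed as pre-approved")
    return findings


# Constructed catalog. The "crm" entry is deliberately defective to show what lint catches.
CATALOG = {
    "wiki": CatalogEntry(owner="it-collab@example.com",
                         pre_approved={"reader": frozenset({"engineer", "analyst", "sales"})},
                         review_required=frozenset({"editor"}),
                         privileged=frozenset({"space-admin"})),
    "billing": CatalogEntry(owner="finance-apps@example.com",
                            pre_approved={"viewer": frozenset({"finance"})},
                            review_required=frozenset({"viewer", "approver"}),
                            privileged=frozenset({"admin"})),
    "crm": CatalogEntry(owner="",
                        pre_approved={"admin": frozenset({"sales"})},
                        privileged=frozenset({"admin"})),
}

if __name__ == "__main__":
    for req in (AccessRequest("alice", "engineer", "wiki", "reader"),
                AccessRequest("bob", "sales", "billing", "viewer"),
                AccessRequest("carol", "engineer", "wiki", "space-admin"),
                AccessRequest("dave", "engineer", "hr-portal", "reader"),
                AccessRequest("erin", "sales", "crm", "admin")):
        decision, reason = evaluate(req, CATALOG)
        print(f"{req.user:6} {req.app:10} {req.entitlement:12} -> {decision.value:15} {reason}")
    for finding in lint_catalog(CATALOG):
        print("catalog defect:", finding)
```

The point of the structure is that the request interface never decides anything: the outcome is a pure function of the requester's authoritative role and the catalog entry, so governance effort goes into keeping the catalog correct, and `lint_catalog` is the kind of check to run before expanding self-service scope.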

Automated onboarding, offboarding, and certification as lifecycle controls

The article ties provisioning, deprovisioning, and access certification together as one lifecycle problem. That is the right framing. Governance fails when onboarding grants too much, role changes are not reconciled, and offboarding lags behind employment status. Automation helps only if it is linked to reliable HR and application signals, because otherwise lifecycle workflows become fast versions of the same stale decisions. Access reviews, deprovisioning, and role-based updates need a common source of truth to avoid drift.

Practical implication: connect lifecycle workflows to authoritative identity and HR data before relying on automation for control.


NHI Mgmt Group analysis

Manual IGA fails first as a data-quality problem, not a workflow problem. The article correctly points to incomplete visibility as the reason access reviews and access governance become unreliable in SaaS environments. Reviewers cannot certify what they cannot see, and automation cannot repair a broken entitlement inventory. Practitioner conclusion: identity governance starts with accurate access state, not with faster approvals.

Ticketless access is a policy design problem disguised as user convenience. Self-service request flows work only when the application catalog, approval path, and exception handling are tightly governed. Otherwise the organisation has accelerated distribution of weak access decisions. Practitioner conclusion: the control point is not the request form, it is the entitlement policy behind it.

Lifecycle automation only works when joiner, mover, and leaver signals are authoritative. Zluri frames onboarding, role changes, and offboarding as one continuous access problem, which is the right mental model for IGA. If HR and application data disagree, provisioning and deprovisioning become mechanically efficient but operationally untrustworthy. Practitioner conclusion: automation should follow authoritative state, not substitute for it.

Continuous access certification is becoming the only scalable answer to SaaS sprawl. Periodic reviews are too slow if access changes occur every time roles, apps, and business units shift. The governance model needs tighter coupling between usage context, owner accountability, and revocation pathways. Practitioner conclusion: certification programmes should be measured by how quickly they surface and resolve entitlement drift.

Identity governance is now a lifecycle discipline across human and machine-facing access, not a point-in-time control. Although this article stays focused on employees and SaaS, the same governance logic increasingly applies to service accounts, integrations, and other non-human access paths. Practitioner conclusion: teams should design IGA so it can extend beyond people without rebuilding the operating model from scratch.

From our research:

What this signals

Access governance is shifting from review cadence to data freshness. When access state is incomplete, certification quality drops regardless of how polished the workflow looks. The practical signal for programme owners is whether reviewers are making decisions from live entitlement data or from stale snapshots. For a governance baseline, map your review process against the NIST Cybersecurity Framework 2.0 identify, protect, and detect functions.

Ticketless request models create a policy-management burden that many IAM teams underestimate. The less time users spend waiting, the more important it becomes to maintain approved-app scope, exception handling, and ownership clarity. This is where the OWASP Non-Human Identity Top 10 is useful as a reminder that entitlement control fails when governance is treated as interface design.

Lifecycle automation is only durable when it is anchored to authoritative identity state. If HR, IAM, and SaaS records disagree, onboarding and offboarding will remain operationally fast but governably weak. The next programme checkpoint is whether access changes are driven by a single source of truth rather than by ad hoc workflow triggers.


For practitioners

  • Audit entitlement visibility across SaaS apps: Check whether access review owners can see last login, app usage, department, status, and permission level for every reviewed account before certification begins.
  • Redesign self-service around approval policy: Treat the app catalog as a policy object, then document which apps are pre-approved, which require review, and which need exception handling before request automation expands.
  • Tie provisioning and offboarding to authoritative lifecycle signals: Connect onboarding, mover events, and deprovisioning workflows to HR and identity sources that define employment status and role changes, then reconcile any mismatch before automation runs.
  • Measure certification against revocation speed: Track how quickly rejected or modified access is removed after review, because a certification process that cannot trigger timely deprovisioning is only recording risk.
  • Extend governance design to non-human access paths: Use the same lifecycle and review logic for integrations, service accounts, and other non-human access where SaaS operations depend on persistent credentials or delegated permissions.
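The visibility audit, the HR reconciliation step, and the revocation-speed measurement above are three passes over the same data, so the following added example (not code from Zluri or from NHI Mgmt Group) shows them together: it checks each SaaS entitlement record for the context fields a reviewer needs, reconciles active entitlements against an authoritative HR feed to surface leaver, mover, dormant and orphan drift, and measures the lag between a reject decision and actual revocation against an SLA. The HR records, entitlement exports, review decisions, 90-day dormancy threshold and 72-hour SLA are all constructed for illustration; the account with no HR identity stands in for the non-human access path that needs its own governance route.

```python
"""Added example: reconcile SaaS entitlements against authoritative HR state and
measure revocation lag after certification. All records and thresholds are constructed."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

NOW = datetime(2025, 12, 24, 9, 0)          # constructed "current time"
STALE_AFTER = timedelta(days=90)            # constructed dormancy threshold
REVOCATION_SLA = timedelta(hours=72)        # constructed post-review revocation SLA
REQUIRED_FIELDS = ("user", "permission", "last_login", "status", "granted_for_dept")

# Authoritative HR state (constructed): the joiner/mover/leaver source of truth.
HR = {
    "alice": {"status": "active", "department": "engineering"},
    "bob":   {"status": "active", "department": "finance"},      # moved from sales
    "carol": {"status": "terminated", "department": "sales"},
}

# Entitlements as exported by each SaaS app (constructed). None marks data the
# app could not provide, i.e. a visibility gap for the reviewer.
ENTITLEMENTS = [
    {"app": "wiki", "account": "alice@example.com", "user": "alice", "permission": "editor",
     "last_login": NOW - timedelta(days=2), "status": "active", "granted_for_dept": "engineering"},
    {"app": "crm", "account": "bob@example.com", "user": "bob", "permission": "pipeline-admin",
     "last_login": NOW - timedelta(days=120), "status": "active", "granted_for_dept": "sales"},
    {"app": "crm", "account": "carol@example.com", "user": "carol", "permission": "viewer",
     "last_login": NOW - timedelta(days=10), "status": "active", "granted_for_dept": "sales"},
    {"app": "billing", "account": "svc-export", "user": None, "permission": "admin",
     "last_login": None, "status": "active", "granted_for_dept": None},
]

# Outcomes of the last certification campaign (constructed).
DECISIONS = [
    {"app": "crm", "account": "carol@example.com", "decision": "reject",
     "decided_at": NOW - timedelta(days=5), "revoked_at": None},
    {"app": "crm", "account": "bob@example.com", "decision": "reject",
     "decided_at": NOW - timedelta(days=4), "revoked_at": NOW - timedelta(days=3, hours=12)},
    {"app": "wiki", "account": "alice@example.com", "decision": "keep",
     "decided_at": NOW - timedelta(days=5), "revoked_at": None},
]


def visibility_gaps(entitlements) -> List[Tuple[str, str, List[str]]]:
    """Accounts a reviewer cannot certify confidently because context fields are missing."""
    gaps = []
    for e in entitlements:
        missing = [f for f in REQUIRED_FIELDS if e.get(f) is None]
        if missing:
            gaps.append((e["app"], e["account"], missing))
    return gaps


def reconcile(hr, entitlements, now=NOW) -> List[Tuple[str, str, str]]:
    """Drift between authoritative HR state and live entitlements, as (finding, app, account)."""
    findings = []
    for e in entitlements:
        if e["status"] != "active":
            continue
        person = hr.get(e["user"]) if e["user"] else None
        if person is None:
            # No HR identity: either an orphan or a non-human account needing its own owner.
            findings.append(("orphan-or-nonhuman", e["app"], e["account"]))
            continue
        if person["status"] == "terminated":
            findings.append(("leaver-still-active", e["app"], e["account"]))
        if e["granted_for_dept"] != person["department"]:
            findings.append(("mover-not-reconciled", e["app"], e["account"]))
        if e["last_login"] is not None and now - e["last_login"] > STALE_AFTER:
            findings.append(("dormant", e["app"], e["account"]))
    return findings


def revocation_lag(decisions, now=NOW, sla=REVOCATION_SLA) -> List[Dict]:
    """Hours from each reject decision to actual revocation; open items are measured to now."""
    rows = []
    for d in decisions:
        if d["decision"] != "reject":
            continue
        end = d["revoked_at"] or now
        elapsed = end - d["decided_at"]
        rows.append({"app": d["app"], "account": d["account"],
                     "hours": elapsed.total_seconds() / 3600,
                     "revoked": d["revoked_at"] is not None, "breached": elapsed > sla})
    return rows


if __name__ == "__main__":
    for app, account, missing in visibility_gaps(ENTITLEMENTS):
        print(f"visibility gap  {app:8} {account:20} missing={missing}")
    for kind, app, account in reconcile(HR, ENTITLEMENTS):
        print(f"drift           {app:8} {account:20} {kind}")
    for r in revocation_lag(DECISIONS):
        state = "REVOKED" if r["revoked"] else "OPEN"
        print(f"revocation lag  {r['app']:8} {r['account']:20} {r['hours']:.0f}h {state}"
              f"{'  SLA BREACH' if r['breached'] else ''}")
```

Running this over a real export replaces the three constructed lists with the HR feed, the per-app entitlement exports and the certification tool's decision log; the useful programme metric is the `revocation_lag` output, because a campaign that records rejects without closing them within the SLA is, in the article's terms, recording risk rather than controlling it.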

Key takeaways

  • Manual SaaS governance fails when reviewers cannot see current entitlement state, so visibility is a control requirement rather than an efficiency gain.
  • Ticketless access only reduces risk when the approval model, catalog scope, and exception handling are governed as policy, not as convenience features.
  • Lifecycle automation matters most when it is tied to authoritative identity and HR signals that keep provisioning, mover, and leaver actions aligned.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
NIST CSF 2.0                     | PR.AC-4             | Access permissions and review quality depend on current entitlements.
OWASP Non-Human Identity Top 10  | NHI-03              | Lifecycle and rotation discipline matter where access is granted and revoked through automation.
NIST Zero Trust (SP 800-207)     | AC-6                | Least-privilege access and continuous verification are central to ticketless governance.

Audit lifecycle workflows against NHI-03 and verify offboarding paths actually revoke access.


Key terms

  • Access Certification: A formal review process where an owner confirms whether a user or account should keep a given entitlement. In practice, certification is only meaningful when the reviewer can see accurate, current access context and when denied access can be removed without delay.
  • Ticketless Access: A self-service access request model that removes manual ticket handling and routes requests through predefined policy and approval logic. It can improve speed, but it only remains safe when catalog scope, exception paths, and ownership are tightly controlled.
  • Lifecycle Automation: Automation that connects joiner, mover, and leaver events to provisioning, changes, and deprovisioning. For identity governance, its value depends on authoritative input data and clear revocation paths, otherwise the workflow simply executes stale decisions faster.
  • Entitlement Visibility: The ability to see who has access to which applications, permissions, and contexts at a usable level of detail. Without it, access review is guesswork, because certifiers cannot validate whether a grant is still justified or should be removed.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.

This post draws on content published by Zluri: Why is Zluri the Best IGA Platform in 2026? Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org