TL;DR: IGA tools only improve security when they combine real-time visibility, automated provisioning and deprovisioning, self-service requests, access certification, and audit reporting, according to Zluri. The deeper issue is that access governance fails when entitlements are scattered across SaaS, shadow IT, and service accounts faster than human review can keep up.
NHIMG editorial — based on content published by Zluri: 6 Key Features of Identity Governance & Administration Tools
Questions worth separating out
Q: How should security teams implement IGA for both human and non-human identities?
A: Teams should start with unified discovery, then connect onboarding, move, offboarding, and certification workflows to the same entitlement record.
Q: Why do spreadsheets fail as an access governance control?
A: Spreadsheets fail because they are static, manually maintained, and usually incomplete by the time review starts.
Q: What do organisations get wrong about access certification?
A: They treat certification as a paperwork exercise instead of a control decision.
Practitioner guidance
- Build a complete entitlement inventory first: Correlate directory, SSO, HR, direct app, and service-account data before you start certifying access.
- Standardise joiner-mover-leaver workflows: Map onboarding, role changes, and offboarding to explicit access actions for employees, contractors, and service accounts.
- Make certification evidence-driven: Require reviewers to approve or reject access against live entitlement records, not exported spreadsheets.
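As an added illustration of the guidance above (not code from Zluri or from this editorial), the sketch below merges several sources into one entitlement record per account and app, then flags the records a reviewer should see first. The source names, field layout, and sample data are constructed assumptions.

```python
# Constructed sample data; source names and field layout are assumptions.
HR = {"alice": "active", "bob": "terminated", "carol": "active"}

ENTITLEMENTS = [  # (source, account, app, kind, owner)
    ("sso", "alice", "crm", "human", "alice"),
    ("sso", "bob", "crm", "human", "bob"),
    ("direct", "bob", "wiki", "human", "bob"),
    ("direct", "carol", "design-tool", "human", "carol"),
    ("sso", "dave", "crm", "human", "dave"),
    ("directory", "svc-backup", "storage", "service", "bob"),
    ("directory", "svc-report", "crm", "service", None),
]

def build_inventory(entitlements):
    """Merge all sources into one record per (account, app)."""
    inventory = {}
    for source, account, app, kind, owner in entitlements:
        rec = inventory.setdefault(
            (account, app), {"kind": kind, "owner": owner, "sources": set()})
        rec["sources"].add(source)
        rec["owner"] = rec["owner"] or owner  # keep the first known owner
    return inventory

def findings(inventory, hr):
    """Return (account, app, reason) tuples for records needing a decision."""
    out = []
    for (account, app), rec in sorted(inventory.items()):
        if rec["kind"] == "human":
            status = hr.get(account)
            if status is None:
                out.append((account, app, "no HR record"))
            elif status != "active":
                out.append((account, app, "leaver still has access"))
            if rec["sources"] == {"direct"}:
                # Seen only in the app itself, so SSO-based reviews miss it.
                out.append((account, app, "outside SSO/directory"))
        elif rec["owner"] is None:
            out.append((account, app, "service account has no owner"))
        elif hr.get(rec["owner"]) != "active":
            out.append((account, app, "service account owner is not active"))
    return out

if __name__ == "__main__":
    for finding in findings(build_inventory(ENTITLEMENTS), HR):
        print(finding)
```

Because each finding is derived from the merged record and the current HR status, a certification decision made against it reflects live entitlements instead of an export that may already be stale.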
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Nine discovery methods used to map SaaS, identity, finance, and directory data into one governance view.
- Step-by-step onboarding, offboarding, and certification workflow examples that show how the platform is configured.
- The Employee App Store approach to self-service access requests, including approval routing and changelog handling.
- Audit report generation and template-driven access review setup for practitioners already past the strategy stage.
Identity governance tools: which features matter for access control?
Explore further
Identity governance fails first at visibility, not at approval. The core problem in many IGA deployments is that teams cannot govern what they cannot map across SaaS, directories, and service accounts. Spreadsheets and fragmented discovery create a false sense of control because the review process starts after the inventory is already incomplete. The practitioner conclusion is that visibility quality is a governance control, not a reporting feature.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% reporting only partial visibility, according to The State of Non-Human Identity Security.
- A separate finding from the same research shows that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for human identities.
A question worth separating out:
Q: Who should be accountable for service-account access in IGA programmes?
A: Service-account access should be owned by the business or technical team that depends on the account, with governance enforced by IAM and security teams. That accountability matters because non-human identities often outlive the people who created them, which makes ownership, review, and offboarding essential to limiting lingering risk.