TL;DR: A French public-sector identity governance project won two Cas d'Or 2026 awards for Cyber Governance and Risk Management and Public Sector after centralising identities, automating provisioning, and tightening auditability, according to Netwrix. The signal is that IGA is now a strategic control layer for complex identity populations, not a back-office admin task.
NHIMG editorial — based on content published by Netwrix: A double win at the Cas d'Or 2026: what identity governance success looks like in the public sector
By the numbers:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
Questions worth separating out
A: They should use one governed identity record, one lifecycle process, and one approval model wherever possible.
Q: Why does role modelling matter more than ad hoc access grants in regulated environments?
A: Role modelling reduces entitlement sprawl by tying access to business function instead of individual exceptions.
Q: What breaks when joiner, mover, leaver processes are handled differently for technical accounts?
A: Governance breaks because access outlives the business condition that justified it.
Practitioner guidance
- Unify identity records across all subject types: Create a single governed inventory for employees, contractors, service accounts, and other non-human identities so access decisions are made from one source of truth.
- Automate joiner, mover, leaver transitions: Tie provisioning and deprovisioning to authoritative status changes so role changes and exits remove access without waiting for manual tickets.
- Replace ad hoc grants with business roles: Model access around business function and recertify those roles instead of reviewing hundreds of isolated permissions that no reviewer can explain quickly.
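The three points above as one reconciliation pass, in an added example that is not code from Netwrix or the awarded project: a single inventory of human and non-human identities is checked against authoritative status and a role model, flagging access that has outlived its justification. The role names, entitlement strings, sample records, and the rule that a service account without an active owner counts as orphaned are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Identity:
    id: str
    kind: str                     # "employee", "contractor" or "service_account"
    status: str                   # authoritative status: "active", "moved", "left"
    role: Optional[str]           # business role currently assigned
    owner: Optional[str] = None   # accountable human for a non-human identity

# Constructed role model: business role -> entitlements that role justifies.
ROLE_MODEL = {
    "finance-clerk": {"erp:invoice-read", "erp:invoice-write"},
    "hr-officer": {"hris:read"},
    "batch-export": {"erp:invoice-read"},
}

def reconcile(identities, granted):
    """Return {identity id: sorted entitlements no longer justified}.

    granted maps identity id -> set of entitlements currently held.
    """
    by_id = {i.id: i for i in identities}
    flagged = {}
    for ident in identities:
        held = granted.get(ident.id, set())
        owner = by_id.get(ident.owner) if ident.owner else None
        # Assumed rule: a service account needs an owner who has not left.
        orphaned = ident.kind == "service_account" and (owner is None or owner.status == "left")
        if ident.status == "left" or orphaned:
            excess = held         # leaver or orphan: nothing is justified any more
        else:
            excess = held - ROLE_MODEL.get(ident.role, set())  # mover drift, ad hoc grants
        if excess:
            flagged[ident.id] = sorted(excess)
    return flagged

# Constructed sample inventory and current grants (not real data).
IDENTITIES = [
    Identity("alice", "employee", "left", "finance-clerk"),
    Identity("bob", "employee", "moved", "hr-officer"),
    Identity("carol", "contractor", "active", "finance-clerk"),
    Identity("svc-export", "service_account", "active", "batch-export", owner="alice"),
    Identity("svc-report", "service_account", "active", "batch-export", owner="carol"),
]
GRANTED = {
    "alice": {"erp:invoice-read", "erp:invoice-write"},
    "bob": {"hris:read", "erp:invoice-write"},
    "carol": {"erp:invoice-read", "erp:invoice-write"},
    "svc-export": {"erp:invoice-read"},
    "svc-report": {"erp:invoice-read", "erp:invoice-write"},
}
```

In the sample data, `svc-export` is flagged only because its owner has left, which is the case a human-only leaver process never sees.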
What's in the full analysis
Netwrix's full article covers the implementation and award context this post intentionally leaves for the source:
- How the French public-sector project was structured end to end, including the deployment approach and partner delivery model
- Which operational controls and reporting features the public-sector organisation used to prove governance and compliance
- How the platform handled integration across Active Directory, ITSM, and ERP systems in a real environment
- Why the channel partner model mattered for procurement, rollout constraints, and user-population complexity