Identity governance 2.0: what changes for IAM teams now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Identity governance and administration 2.0 is a maturity question for organisations that need broader visibility, stronger lifecycle control, and better governance across identities and access, according to Netwrix. The strategic issue is not tooling breadth alone, but whether governance can keep pace with expanding identity populations and modern access patterns.

NHIMG editorial — here’s why we think this discussion matters

By the numbers:

Questions worth separating out

Q: How should organisations benchmark identity governance maturity?

A: Benchmark maturity by asking whether the programme can discover access, assign ownership, review it, and remove it across the full identity estate.

Q: Why do machine identities complicate identity governance programmes?

A: Machine identities complicate governance because they multiply faster than human accounts, often lack clear owners, and can keep working long after the original business context has changed.

Practitioner guidance

  • Expand governance scope beyond human accounts: Map every identity type that can create access, including service accounts, API keys, tokens, and elevated roles.
  • Measure lifecycle closure, not discovery coverage: Track whether access reviews end in verified removal, whether ownership is assigned, and whether privileged entitlements are actually closed after certification.
  • Unify IGA and PAM operating processes: Align privileged access workflows with governance events so that elevation, certification, and offboarding are handled in one control chain.

What to expect at the briefing

Netwrix's full webinar covers the operational detail this post intentionally leaves for the source:

  • The assessment framework used to benchmark identity governance maturity across modern environments.
  • The speakers' practical interpretation of what IGA 2.0 means for identity programmes.
  • The webinar's broader discussion of identity management, identity governance, and privileged access context.
  • How the source frames the evolution of governance in a digital identity landscape.

👉 Watch Netwrix's on-demand webinar on identity governance 2.0 →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 6759
 

IGA 2.0 is really a governance maturity signal, not a product category refresh. The phrase reflects a broader shift from static identity administration toward continuous governance across humans, machine identities, and privileged access paths. That shift matters because modern access risk is created by identities that persist outside classic directory workflows. Practitioners should treat the label as a signal that governance scope now has to extend across the whole identity estate.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how often governance lags behind operational sprawl.

A question worth separating out:

Q: What should IAM teams do when access reviews do not lead to revocation?

A: They should treat the process as ineffective until it can produce verified removal. Access reviews that do not remove stale or excessive entitlements create a false sense of control, especially for privileged and non-human identities. The fix is to link certification workflows to enforced revocation and exception tracking.

👉 Read our full editorial: Identity governance 2.0 is the new benchmark for digital access



   