TL;DR: Identity governance and access administration are framed as a maturity question in an on-demand CaRE webinar, according to Netwrix, with the source page also surfacing a 4.7 Gartner Peer Insights rating based on 164 reviews for its File Analysis Software market listing. The governance implication is that IGA only matters when it connects access review, privileged access, and visibility into a measurable operating model.
NHIMG editorial — here’s why we think this discussion matters
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.
Questions worth separating out
Q: How should organisations measure IGA maturity beyond a simple audit checklist?
A: Measure whether access governance is closed-loop.
Q: Why do privileged accounts create disproportionate governance risk?
A: Privileged accounts carry elevated reach, so any weakness in review or expiry has a larger blast radius.
Practitioner guidance
- Map governance coverage across identity types Inventory human users, service accounts, privileged accounts, and automation identities, then verify which ones are actually subject to access review and recertification.
- Separate privileged access from ordinary access controls Require distinct approval, expiry, and review logic for admin accounts, shared elevation paths, and emergency access.
- Tie maturity scoring to evidence of closed-loop governance Measure whether access can be granted, reviewed, revoked, and rechecked without manual workarounds.
What to expect at the briefing
Netwrix's full webinar covers the operational detail this post intentionally leaves for the source:
- The CaRE programme framing used in the webinar discussion of identity governance and access administration.
- The vendor's broader identity management and privileged access portfolio context for practitioners evaluating maturity work.
- The webinar format and speaker context for teams that want to hear the source presentation directly.
👉 Read Netwrix's webinar on CaRE programme identity governance and access administration →
IGA in the CaRE programme: what does maturity actually require?
Explore further
IGA maturity is not a reporting exercise, it is a control operating model. Identity governance only matters when it can prove that access decisions are reviewed, revoked, and re-authorised across the full identity estate. Organisations that treat IGA as a dashboard layer usually have gaps between policy, enforcement, and evidence. The practitioner conclusion is that maturity should be measured by closed-loop governance, not by the number of reports produced.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: Who should own access governance when identity spans human and machine accounts?
A: Ownership should sit with the business or application owner, supported by IAM and security operations. The key is not whether the identity is human or non-human, but whether someone is accountable for the access, the review cadence, and the removal decision when the need changes.
👉 Read our full editorial: IGA and identity governance are central to CaRE programme maturity