TL;DR: Enterprise identity governance is shifting from periodic reviews to continuous, event-driven control as SaaS sprawl, non-human identities, and AI agents outpace manual workflows, according to Omada Identity and KuppingerCole. The real issue is that governance models built for review cycles assume access changes slowly enough to be certified later, which no longer holds.
NHIMG editorial — based on content published by Omada Identity: Why Continuous Governance Is Becoming the New Enterprise IGA Standard
Questions worth separating out
Q: How should teams move from periodic access reviews to continuous governance?
A: Start by identifying the identity events that already occur in your environment, such as joiner, mover, leaver, entitlement change, and ownership change events.
Q: Why do periodic certification campaigns become less effective as environments grow?
A: They become less effective because access changes faster than the campaign cycle, so reviewers approve or remove access against an outdated snapshot.
Q: How can organisations tell whether continuous governance is working?
A: Look for shorter time between entitlement change and governance action, fewer low-value approvals sent to humans, and better alignment between assigned access and actual use.
Practitioner guidance
- Replace calendar-based certifications with event-triggered reviews: Tie review initiation to joiner, mover, leaver, role-change, and entitlement-change events so reviewers only see access that has actually changed.
- Standardise governance workflows around source-system signals: Use authoritative identity and application events to start provisioning, deprovisioning, and escalation workflows instead of relying on email approvals or tickets.
- Measure entitlement drift and reviewer overload separately: Track how often roles diverge from actual access usage and how many decisions each reviewer is expected to make per cycle.
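The three points above can be sketched as one small event router with two separate metrics. This is an added example, not code from Omada Identity or the original post; the event fields, identity names, the choice to send leavers straight to deprovisioning, and the definition of drift as "assigned but unused" are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample data; field names are assumptions, not a vendor schema.
EVENTS = [
    {"type": "joiner", "identity": "alice", "owner": "mgr-1", "entitlements": ["crm:read"]},
    {"type": "mover", "identity": "bob", "owner": "mgr-2", "entitlements": ["erp:approve", "erp:read"]},
    {"type": "entitlement_change", "identity": "svc-build", "owner": "mgr-2", "entitlements": ["repo:admin"]},
    {"type": "leaver", "identity": "carol", "owner": "mgr-1", "entitlements": ["crm:read", "hr:write"]},
    {"type": "login", "identity": "alice", "owner": "mgr-1", "entitlements": []},  # not a governance event
]
ASSIGNED = {"alice": {"crm:read"}, "bob": {"erp:approve", "erp:read"}, "svc-build": {"repo:admin", "repo:read"}}
USED = {"alice": {"crm:read"}, "bob": {"erp:read"}, "svc-build": {"repo:read"}}
REVIEW_TRIGGERS = {"joiner", "mover", "role_change", "entitlement_change", "ownership_change"}

def route(events):
    """Split events into human review items and automatic revocations."""
    reviews, revocations = [], []
    for ev in events:
        if ev["type"] == "leaver":
            # Assumption: a leaver starts deprovisioning without an approval step.
            revocations += [(ev["identity"], e) for e in ev["entitlements"]]
        elif ev["type"] in REVIEW_TRIGGERS:
            # Only the entitlements named in the event reach the reviewer.
            reviews += [{"reviewer": ev["owner"], "identity": ev["identity"], "entitlement": e}
                        for e in ev["entitlements"]]
    return reviews, revocations

def reviewer_load(reviews):
    """Decisions each reviewer is asked to make, tracked apart from drift."""
    return Counter(r["reviewer"] for r in reviews)

def entitlement_drift(assigned, used):
    """Per identity: entitlements that are assigned but show no usage."""
    return {i: sorted(ents - used.get(i, set())) for i, ents in assigned.items()}

def drift_ratio(assigned, used):
    """Share of all assigned entitlements that show no usage."""
    total = sum(len(e) for e in assigned.values())
    unused = sum(len(v) for v in entitlement_drift(assigned, used).values())
    return unused / total if total else 0.0

if __name__ == "__main__":
    reviews, revocations = route(EVENTS)
    print("review items:", len(reviews), "revocations:", revocations)
    print("reviewer load:", dict(reviewer_load(reviews)))
    print("drift:", entitlement_drift(ASSIGNED, USED), "ratio:", drift_ratio(ASSIGNED, USED))
```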
What's in the full article
Omada Identity's full post covers the operational detail this analysis intentionally leaves for the source:
- The specific analyst findings the vendor uses to justify continuous governance as the next IGA operating model
- The product and workflow implications of event-driven lifecycle management for real-world identity operations
- The way Omada describes configurability, connector frameworks, and delegated administration in practice
- The market context behind real-time signal consumption and why the vendor argues it matters now