TL;DR: Legacy IGA tools and manual access reviews are giving way to unified, real-time governance because fragmented controls cannot keep pace with ERP, cloud, and regulatory change, according to SafePaaS and a 500-plus IT leader survey it cites. The structural shift is from retrospective compliance to continuous assurance, which changes audit, remediation, and executive accountability.
NHIMG editorial — based on content published by SafePaaS: Enterprise governance is being transformed through modern identity access governance
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should organisations modernise identity governance in ERP and cloud environments?
A: They should replace periodic spreadsheet reviews with continuous controls that connect identity data, policy evaluation, remediation, and evidence capture in one workflow.
Q: Why do legacy IGA tools struggle with business change?
A: Legacy IGA tools struggle because they were built for discrete review cycles, not for environments where roles, vendors, and acquisitions constantly change access.
Q: What breaks when access reviews stay manual?
A: Manual reviews break when reviewers cannot validate current business context quickly enough to identify toxic access, orphaned accounts, or stale approvals.
Practitioner guidance
- Replace spreadsheet access reviews with continuous certification Move from periodic exports and manual attestations to live entitlement checks tied to current role, business unit, and system state.
- Unify SoD, access policy, and remediation workflows Create one control model for rule evaluation, exception handling, and evidence capture so toxic combinations are not approved in one system and discovered in another.
- Measure governance by closure speed, not review volume Track how quickly exceptions are detected, triaged, and removed after a role change, vendor onboarding, or acquisition event.
What's in the full article
SafePaaS's full article covers the operational detail this post intentionally leaves for the source:
- A closer look at how unified IGA, ITGC, ITAC monitoring, and SoD controls are assembled into one governance workflow.
- The specific customer case showing how Oracle ERP Cloud access reviews moved from manual effort to real-time evidence.
- The full set of outcome metrics behind audit effort reduction, remediation speed, and control-testing automation.
- The article's discussion of embedded analytics and machine-learning driven risk models for dormant privileges and recurring exceptions.
👉 Read SafePaaS's analysis of the shift from legacy IGA to continuous assurance →
Identity governance modernization: what continuous assurance changes?
Explore further
Legacy IGA is now a control-lag problem, not a reporting problem. The article describes a market shift away from spreadsheet-driven reviews toward continuous assurance, but the real issue is that periodic governance no longer matches how access changes in ERP and cloud systems. When business change creates new entitlements faster than reviewers can certify them, the control arrives after the risk. Practitioners should treat governance latency as a first-class risk metric.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why governance programs that rely on periodic review keep missing live exposure.
A question worth separating out:
Q: Who is accountable when continuous assurance fails?
A: Accountability sits with the owners of identity governance, the application teams controlling entitlements, and the audit function that relies on the evidence. If controls are fragmented, no single party can prove that access was reviewed, enforced, and remediated in time. The answer is a shared operating model with named control ownership.
👉 Read our full editorial: Legacy identity governance is giving way to continuous assurance