TL;DR: Identity Governance and Administration is shifting from a compliance layer to the control plane for Zero Trust, lifecycle automation, and continuous identity risk management as enterprises absorb SaaS sprawl, machine identities, and AI agents, according to Omada Identity's review of the 2025 SPARK Matrix. Static approvals are no longer enough when entitlement complexity, audit pressure, and over-privilege all move faster than manual governance cycles.
NHIMG editorial — based on content published by Omada Identity: Inside the SPARK Matrix™ Evaluation: why Omada leads the 2025 IGA market
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams govern AI agents and machine identities in IGA?
A: They should treat AI agents and machine identities as governed actors with explicit lifecycle, role, and entitlement rules, not as exceptions buried in access workflows.
Q: Why does SaaS sprawl make identity governance harder?
A: SaaS sprawl multiplies entitlements, connectors, and approval paths faster than manual governance can reconcile them.
Q: What breaks when access reviews are too manual?
A: Manual reviews become stale before they finish, especially in environments where access changes quickly across cloud, SaaS, and non-human identities.
Practitioner guidance
- Rebuild access governance around lifecycle events: map joiner, mover, leaver, and exception handling to policy-driven workflows so entitlements change when business context changes.
- Extend IGA coverage to non-human identities: bring service accounts, API keys, certificates, and workload identities into the same governance inventory as workforce users.
- Test whether role mining reduces identity debt: measure whether role cleanup, entitlement rationalisation, and peer-group recommendations actually reduce excess access over time.
What's in the full article
Omada Identity's full blog post covers the operational detail this post intentionally leaves for the source:
- QKS Group's SPARK Matrix criteria and how vendors are assessed across governance, analytics, and lifecycle automation
- The platform capability breakdown behind event-driven workflows, role mining, and compliance evidence generation
- The competitive landscape section that names leaders, challengers, and emerging innovators in the 2025 IGA market
- The implementation guidance on how enterprises should modernise IGA architecture across hybrid environments