TL;DR: Identity Governance and Administration is shifting from a compliance layer to the control plane for Zero Trust, lifecycle automation, and continuous identity risk management as enterprises absorb SaaS sprawl, machine identities, and AI agents, according to Omada Identity's review of the 2025 SPARK Matrix. Static approvals are no longer enough when entitlement complexity, audit pressure, and over-privilege all move faster than manual governance cycles.
NHIMG editorial — based on content published by Omada Identity: Inside the SPARK MatrixTM Evaluation, why Omada leads the 2025 IGA market
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams govern AI agents and machine identities in IGA?
A: They should treat AI agents and machine identities as governed actors with explicit lifecycle, role, and entitlement rules, not as exceptions buried in access workflows.
Q: Why does SaaS sprawl make identity governance harder?
A: SaaS sprawl multiplies entitlements, connectors, and approval paths faster than manual governance can reconcile them.
Q: What breaks when access reviews are too manual?
A: Manual reviews become stale before they finish, especially in environments where access changes quickly across cloud, SaaS, and non-human identities.
Practitioner guidance
- Rebuild access governance around lifecycle events Map joiner, mover, leaver, and exception handling to policy-driven workflows so entitlements change when business context changes.
- Extend IGA coverage to non-human identities Bring service accounts, API keys, certificates, and workload identities into the same governance inventory as workforce users.
- Test whether role mining reduces identity debt Measure whether role cleanup, entitlement rationalisation, and peer-group recommendations actually reduce excess access over time.
What's in the full article
Omada Identity's full blog post covers the operational detail this post intentionally leaves for the source:
- QKS Group's SPARK Matrix criteria and how vendors are assessed across governance, analytics, and lifecycle automation
- The platform capability breakdown behind event-driven workflows, role mining, and compliance evidence generation
- The competitive landscape section that names leaders, challengers, and emerging innovators in the 2025 IGA market
- The implementation guidance on how enterprises should modernise IGA architecture across hybrid environments
👉 Read Omada Identity's analysis of the 2025 SPARK Matrix for IGA →
IGA as the control plane for identity risk management?
Explore further
IGA is no longer a downstream administration layer, it is the governance control plane for identity risk. The market shift described in Omada Identity's analysis reflects a wider reality: access management cannot compensate for poor policy definition, broken lifecycle orchestration, or weak evidence. When identity sprawl spans humans, service accounts, and AI-mediated access, the governance layer has to unify role design, entitlement decisions, and auditability. Practitioners should treat IGA as the place where identity risk is governed, not merely recorded.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
A question worth separating out:
Q: Who should own governance when IGA, PAM, and access management overlap?
A: Ownership should sit with the identity governance function, with operational execution split across PAM and access management. IGA defines policy and evidence, PAM controls elevation, and access management enforces runtime authentication and session controls. If those responsibilities are not explicit, exceptions multiply and accountability blurs.
👉 Read our full editorial: Why IGA is becoming the control plane for identity risk