
IGA as the identity control plane: what changes for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: As SaaS sprawl, remote work, and delayed revocation erode perimeter controls, identity governance and administration has become the mechanism for enforcing least privilege, continuous access review, and audit-ready accountability, according to Zluri. The governance problem is no longer authentication alone, but whether access is still justified across human and non-human identities.

NHIMG editorial — based on content published by Zluri: Access Management Identity-First Security: How IGA Became the Core of Modern Cyber Strategy

By the numbers:

Questions worth separating out

Q: How should security teams govern access when identity data is spread across IdP, HRIS, and SaaS apps?

A: They should treat IGA as the control plane that reconciles entitlement data across systems, then use that view to drive approvals, reviews, and revocation.

Q: Why do identity-first programmes still fail even when SSO and MFA are in place?

A: SSO and MFA authenticate the session, but they do not govern whether the entitlement is still needed, whether it was approved, or whether it was revoked everywhere it exists.

Q: What do security teams get wrong about access reviews?

A: They often turn reviews into calendar-driven paperwork instead of lifecycle-driven control checks.

Practitioner guidance

  • Map every entitlement source: Build a complete inventory that includes IdP, HRIS, SaaS applications, service accounts, and any shadow integrations so governance decisions are based on actual access, not partial reports.
  • Trigger access review from lifecycle events: Use joiner, mover, leaver, contractor offboarding, and risk signals as review triggers instead of relying only on quarterly certifications.
  • Standardise revocation across SaaS apps: Define a consistent offboarding workflow that verifies access removal in each application, not just in the central directory, and require evidence of completion before closure.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • The integration model across IdP, HRIS, and SaaS systems, including how access data is correlated in practice.
  • The specific automation flow for access reviews and remediation playbooks in a SaaS-first environment.
  • The product-oriented explanation of how Zluri structures discovery, certification, and deprovisioning workflows.
  • The implementation detail behind time-bound and context-aware access rules for critical applications.

👉 Read Zluri's analysis of identity-first security and IGA as cyber strategy →

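One way to turn the three guidance points above (inventory every entitlement source, trigger reviews from lifecycle events, verify revocation per application) into a runnable check. This is an added example for this thread, not code from Zluri or the article: the HRIS, IdP, service-account registry and per-app entitlement exports are constructed sample data, and every identity, application, date, approval record and the 90-day revalidation period are hypothetical. The reconciliation correlates each app's entitlements with the other sources, raises findings driven by leaver and contract-end state rather than the calendar, and reports which apps still hold an identity after revocation so a ticket is closed on evidence, not on the directory disable alone.

```python
"""Entitlement reconciliation across HRIS, IdP, NHI registry and SaaS exports.

Added example for this thread, not Zluri's code or data model. All identities,
applications, dates, approvals and the revalidation policy are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

AS_OF = date(2024, 7, 1)                  # assumed "today" for the checks
REVALIDATION_PERIOD = timedelta(days=90)  # assumed policy for service accounts

# HRIS: system of record for humans (employees and contractors). Constructed.
HRIS = {
    "alice": {"status": "active", "type": "employee"},
    "bob":   {"status": "terminated", "type": "employee", "term_date": date(2024, 5, 31)},
    "dave":  {"status": "active", "type": "contractor", "end_date": date(2024, 6, 15)},
}
# IdP: central directory state. Disabling here does not reach every app. Constructed.
IDP = {"alice": "active", "bob": "disabled", "dave": "active", "svc-billing-sync": "active"}
# NHI registry: owner and last revalidation per service account. Constructed.
SERVICE_ACCOUNTS = {
    "svc-billing-sync":  {"owner": "alice", "revalidated": date(2024, 6, 20)},
    "svc-legacy-export": {"owner": None,    "revalidated": date(2023, 11, 1)},
}
# Per-application entitlement exports: what each app actually grants. Constructed.
APPS = {
    "crm":  {"alice": {"user"}, "bob": {"admin"}, "svc-billing-sync": {"api"}},
    "wiki": {"alice": {"editor"}, "dave": {"editor"}, "erin": {"admin"},
             "svc-legacy-export": {"reader"}},
}
# Approval ledger: (identity, app, role) tuples with a recorded approval. Constructed.
APPROVED = {("alice", "crm", "user"), ("alice", "wiki", "editor"), ("dave", "wiki", "editor"),
            ("bob", "crm", "admin"), ("svc-billing-sync", "crm", "api")}


@dataclass(frozen=True)
class Finding:
    identity: str
    app: Optional[str]   # None for identity-level findings
    code: str
    action: str


def lifecycle_triggers(as_of=AS_OF, hris=HRIS, idp=IDP):
    """Review triggers derived from lifecycle state, not from a quarterly calendar.
    Returns {identity: [reasons]} for leavers and expired contractors, noting when
    the IdP account is still active despite the HRIS event."""
    triggers = {}
    for ident, rec in hris.items():
        reasons = []
        if rec["status"] == "terminated":
            reasons.append("LEAVER")
        elif rec.get("end_date") and rec["end_date"] < as_of:
            reasons.append("CONTRACT_ENDED")
        if reasons and idp.get(ident) == "active":
            reasons.append("IDP_STILL_ACTIVE")
        if reasons:
            triggers[ident] = reasons
    return triggers


def reconcile(as_of=AS_OF, hris=HRIS, idp=IDP, svc=SERVICE_ACCOUNTS, apps=APPS, approved=APPROVED):
    """Correlate every app entitlement with HRIS, IdP, approvals and the NHI registry."""
    findings = []
    triggers = lifecycle_triggers(as_of, hris, idp)
    for app, ents in apps.items():
        for ident, roles in ents.items():
            if ident in triggers:   # lifecycle event says this access should be gone
                findings.append(Finding(ident, app, "REVOKE_REQUIRED",
                    f"{'/'.join(triggers[ident])}: remove {sorted(roles)}; IdP state is '{idp.get(ident)}'"))
            elif ident not in hris and ident not in svc:   # nobody owns this account
                findings.append(Finding(ident, app, "ORPHAN", "no HRIS or NHI record; disable and find an owner"))
            for role in roles:      # entitlement exists but was never approved
                if (ident, app, role) not in approved:
                    findings.append(Finding(ident, app, "UNAPPROVED", f"no approval on record for role '{role}'"))
    for ident, rec in svc.items():  # standing NHI access needs a live owner and recent revalidation
        owner = rec["owner"]
        if owner is None or hris.get(owner, {}).get("status") != "active":
            findings.append(Finding(ident, None, "NO_ACTIVE_OWNER", "assign an active owner before the next review"))
        if rec["revalidated"] + REVALIDATION_PERIOD < as_of:
            findings.append(Finding(ident, None, "REVALIDATION_OVERDUE", f"last revalidated {rec['revalidated']}"))
    return findings


def verify_absent(ident, apps):
    """Apps whose own export still lists the identity. Empty list = evidence of completion."""
    return sorted(app for app, ents in apps.items() if ident in ents)


def revoke_everywhere(ident, apps):
    """Remove the identity from every app export, then re-check each app rather than
    trusting the directory disable. Mutates `apps`."""
    for ents in apps.values():
        ents.pop(ident, None)
    return verify_absent(ident, apps)


if __name__ == "__main__":
    for f in reconcile():
        print(f"{f.code:<20} {f.identity:<18} {f.app or '-':<5} {f.action}")
    apps = {app: dict(ents) for app, ents in APPS.items()}   # work on a copy
    print("bob still present in:", verify_absent("bob", apps))
    print("after revocation, still present in:", revoke_everywhere("bob", apps))
```

With the sample data, bob is disabled in the IdP yet still holds crm admin, which is exactly the gap between directory deprovisioning and per-app revocation; dave's contract has ended while his IdP account and wiki role remain; erin exists only inside wiki; and the ownerless, stale service account surfaces without anyone having to schedule a certification campaign.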
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 4513
 

IGA became central because authentication never solved entitlement governance. The article is right to separate login security from access control, but the deeper shift is that identity programmes now need proof of ongoing legitimacy, not just successful authentication. That is where IGA changes the control conversation from access acceptance to access accountability. Practitioners should treat entitlement governance as the primary security layer for distributed SaaS estates.

A few things that frame the scale:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.

A question worth separating out:

Q: How can organisations reduce standing access across human and non-human identities?

A: They should set explicit ownership, revalidation, and revocation requirements for every identity type, including contractors, service accounts, and integrations. Standing access falls when governance is continuous, offboarding is verified, and entitlements are tied to a current business purpose.

👉 Read our full editorial: Identity-first security means IGA now anchors cyber strategy



   