TL;DR: Cross-functional buy-in is the difference between an IGA programme that scales and one that stalls. According to Zluri, teams adopt access controls only when they see reduced workload, clearer auditability, and faster lifecycle handling. The hard part is not platform deployment but aligning security, IT, HR, and business owners around shared accountability.
NHIMG editorial — based on content published by Zluri: Access Management Getting Everyone on Board: Guide to IGA Buy-In
By the numbers:
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
Questions worth separating out
Q: How should security teams get buy-in for identity governance programmes?
A: Start by showing each stakeholder the problem they already own.
Q: Why do identity governance programmes fail when access ownership is unclear?
A: They fail because the control depends on decisions being made by the teams closest to the business event. If nobody owns the decision to approve, review, or revoke, the control exists on paper but never executes.
Q: How can teams measure whether IGA adoption is actually working?
A: Measure outcomes that reflect control, not activity: time from termination to revocation and the share of reviews completed, rather than tickets closed or workflows configured.
Practitioner guidance
- Map access ownership by decision type. Document who approves, reviews, and revokes access for each major system, plus who handles exceptions and audit evidence.
- Start with one visible, high-friction use case. Use a narrow rollout such as offboarding in a high-turnover team or access reviews for a sensitive SaaS application.
- Tie each team to a concrete win. Show HR how lifecycle triggers reduce manual chase work, show security how certification evidence improves audits, and show app owners how policy-based approvals reduce back-and-forth.
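The two checks above that lend themselves to scripting are the ownership map (who approves, reviews, revokes, handles exceptions and owns evidence per system) and the control metric for the pilot (revocation timing against an SLA, not ticket counts). The following is an added example written for this editorial, not code from Zluri's guide or from any IGA product; every system name, team, user and timestamp in it is constructed sample data, and the five decision roles and the 24-hour SLA are assumptions chosen for illustration.

```python
"""
Added example (not from Zluri's guide or the NHIMG editorial): two checks a
practitioner would script once ownership is mapped and a pilot is running.

1. validate_ownership_map(): every in-scope system needs a named approver,
   reviewer, revoker, exception handler and evidence owner; anything missing
   is a governance gap, not a tooling gap.
2. revocation_metrics(): a control metric (how fast access actually went
   away after an HR termination event, and how much never did) rather than
   an activity metric (how many tickets were closed).

All names, systems and timestamps below are constructed sample data.
"""
from datetime import datetime, timedelta

# Assumed decision roles per system (the editorial's approve/review/revoke/
# exception/evidence split, one key each).
DECISION_ROLES = ("approver", "reviewer", "revoker", "exception_handler", "evidence_owner")

# Constructed ownership map: system -> role -> owning team (None = unassigned).
OWNERSHIP_MAP = {
    "crm-saas": {"approver": "sales-ops", "reviewer": "sales-ops", "revoker": "it-ops",
                 "exception_handler": "security", "evidence_owner": "compliance"},
    "ci-cd": {"approver": "platform", "reviewer": "platform", "revoker": "platform",
              "exception_handler": None, "evidence_owner": None},
    "payroll": {"approver": "hr", "reviewer": "finance", "revoker": "it-ops",
                "exception_handler": "security"},  # evidence_owner key missing entirely
}


def validate_ownership_map(ownership):
    """Return {system: [missing roles]} for every system with an unassigned decision role."""
    gaps = {}
    for system, roles in ownership.items():
        missing = [r for r in DECISION_ROLES if not roles.get(r)]
        if missing:
            gaps[system] = missing
    return gaps


# Constructed lifecycle events. HR terminations are the business event that should
# trigger revocation; deprovisioning events are what app owners / IT actually did.
TERMINATIONS = {  # user -> time HR recorded the leaver
    "alice": datetime(2024, 3, 1, 9, 0),
    "bob": datetime(2024, 3, 4, 17, 30),
}
ENTITLEMENTS = {  # user -> systems the user held access to at termination
    "alice": ["crm-saas", "ci-cd", "payroll"],
    "bob": ["crm-saas", "ci-cd"],
}
DEPROVISIONED = [  # (user, system, time access was actually removed)
    ("alice", "crm-saas", datetime(2024, 3, 1, 11, 0)),
    ("alice", "payroll", datetime(2024, 3, 1, 9, 30)),
    ("alice", "ci-cd", datetime(2024, 3, 6, 10, 0)),   # late: 5 days after termination
    ("bob", "crm-saas", datetime(2024, 3, 5, 8, 0)),
    # bob's ci-cd access was never removed -> orphaned entitlement
]


def revocation_metrics(terminations, entitlements, deprovisioned, sla=timedelta(hours=24)):
    """Measure the control outcome: per-entitlement revocation lag against an SLA.

    Each (user, system) pair held at termination is one control outcome. Returns
    counts, the SLA hit rate, and the entitlements that were late or never revoked.
    """
    removed = {(u, s): t for u, s, t in deprovisioned}
    total = within = 0
    late, orphaned = [], []
    for user, term_time in terminations.items():
        for system in entitlements.get(user, []):
            total += 1
            removed_at = removed.get((user, system))
            if removed_at is None:
                orphaned.append((user, system))
            elif removed_at - term_time <= sla:
                within += 1
            else:
                late.append((user, system, removed_at - term_time))
    return {
        "entitlements": total,
        "within_sla": within,
        "sla_rate": within / total if total else 0.0,
        "late": late,
        "orphaned": orphaned,
    }


if __name__ == "__main__":
    print("ownership gaps:", validate_ownership_map(OWNERSHIP_MAP))
    print("revocation:", revocation_metrics(TERMINATIONS, ENTITLEMENTS, DEPROVISIONED))
```

On the sample data the ownership check reports ci-cd with no exception handler and no evidence owner and payroll with no evidence owner, and the revocation metric reports 3 of 5 entitlements revoked within 24 hours, one five days late, and one never revoked. The orphaned entry is the number that matters in a pilot review: a closed offboarding ticket for bob would count as activity, but the control outcome is that his CI/CD access is still live.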
What's in the full article
Zluri's full guide covers the operational detail this post intentionally leaves for the source:
- A practical stakeholder mapping approach for IT, security, HR, compliance, and app owners
- Examples of success metrics for pilot IGA rollouts, including revocation timing and review completion
- A structured way to frame IGA value by team, so each group sees a direct operational benefit
- Guidance on scaling governance without adding unnecessary meeting overhead or process drag
👉 Read Zluri's guide on getting buy-in for identity governance →
IGA buy-in and the governance gap teams keep missing?
Explore further
IGA is a governance discipline, not a tooling purchase. The article is correct that executive approval is not the same as operational adoption. Identity Governance and Administration only works when the teams that grant, review, and remove access accept that those actions are part of their own accountability. Practitioners should treat buy-in as a control design problem, not a communications problem.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
A question worth separating out:
Q: Who should be accountable for access governance in a cross-functional programme?
A: Accountability should be distributed by lifecycle responsibility, not concentrated in IT. HR should trigger employee state changes, app owners should own entitlements, security should define policy and thresholds, and IT should operationalise the workflow. That division keeps the programme aligned to the actual business process.
👉 Read our full editorial: IGA buy-in fails when access governance stays an IT-only project