TL;DR: Many IGA initiatives fail for avoidable reasons, including weak business sponsorship, unclear objectives, broken workflow automation, poor user experience, fragmented identity data, and missing maintenance, according to Soffid. Gartner estimates 50% of these implementations are in critical condition, underscoring that governance failure is usually operational, not technical.
NHIMG editorial — based on content published by Soffid: Identity Governance and Administration: 6 Mistakes to Avoid
By the numbers:
- 50% of implementations of this type are in critical condition, according to Gartner.
Questions worth separating out
Q: How should organisations avoid IGA projects failing after implementation?
A: Start with governance ownership, not tooling.
Q: Why do IGA programmes often break when access workflows are automated?
A: Automation amplifies the quality of the underlying process.
Q: What do security teams get wrong about identity data in IGA?
A: They often treat identity data as a reporting issue instead of a control dependency.
Practitioner guidance
- Assign named business owners to access decisions Document who approves, who reviews, and who remediates exceptions for each critical access path.
- Redesign workflows before automating them Map the current approval path, remove redundant steps, and eliminate bulk-approval pressure points before turning on automation.
- Clean identity data at the source Consolidate fragmented identity records, fix attribute quality, and validate entitlement mappings before recertification campaigns begin.
What's in the full article
Soffid's full article covers the operational detail this post intentionally leaves for the source:
- A six-point implementation checklist for assessing whether your current IGA model is ready for rollout.
- Planning questions for business sponsorship, objective setting, phased deployment, and maintenance budgeting.
- Guidance on when to simplify workflows before automation and how to think about integration scope.
- The article's Zero Trust and compliance discussion for teams that need a broader IAM operating model.
👉 Read Soffid’s article on six IGA mistakes that derail governance programmes →
IGA projects stall when strategy, data, and adoption break down?
Explore further
IGA fails first as a governance design problem, not a tooling problem. The article’s six mistakes cluster around ownership, process design, data quality, and maintenance, which means implementation breakdown is usually systemic rather than technical. That is the right lens for IGA, because access governance only works when business accountability, lifecycle controls, and identity data move together. The practitioner conclusion is simple: do not confuse deployment with governance.
A few things that frame the scale:
- 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Only 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% partial visibility.
A question worth separating out:
Q: Who is accountable when an IGA programme cannot prove least privilege?
A: Accountability sits with the programme owners who defined the operating model, not just the platform team. If no one owns access decisions, review cadence, exception cleanup, and role maintenance, least privilege becomes a slogan rather than an enforceable control. Governance must be assigned, monitored, and maintained.
👉 Read our full editorial: Identity governance and administration fails for six avoidable reasons