TL;DR: Only 6% of organisations have fully automated identity governance, while 84% rely entirely on manual methods and another 10% use partial legacy automation, according to Zluri’s 2025 survey. Legacy IGA still dominates identity governance because static access models cannot keep pace with SaaS sprawl, mixed identity types, and review processes that depend on fragmented data.
NHIMG editorial — based on content published by Zluri: Access Management How Next-Gen IGA Addresses The Shortcomings Of Legacy IGA
By the numbers:
- Only 6% of organisations have a fully automated setup for managing their identity governance and administration process.
- 84% of organisations rely entirely on manual methods.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams modernise identity governance in SaaS-heavy environments?
A: They should first stabilise identity data, then automate decisions.
Q: Why do legacy IGA tools struggle with access reviews?
A: Legacy IGA struggles because it often cannot reconcile duplicate identities, stale attributes, and incomplete entitlement context across systems.
Q: What do teams get wrong about department-based access provisioning?
A: They treat department membership as a sufficient proxy for need.
Practitioner guidance
- Unify identity records before scaling certification: correlate SSO, ITSM, HR, and application records into one authoritative identity view so reviewers stop working from duplicate or mismatched accounts.
- Replace department-based access with role and risk rules: use role, usage, and sensitivity signals to drive provisioning decisions instead of broad departmental group membership that overstates entitlement need.
- Target orphaned and inactive accounts in every review cycle: flag identities with no recent use, missing owners, or unclear employment status, then require explicit disposition before recertification closes.
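The three guidance points above describe one pipeline: correlate records from several sources into a single identity view, then flag the identities that cannot be safely recertified and hold the cycle open until each has a disposition. The following is an added illustration, not code from Zluri or NHIMG; the record shapes, field names, the 90-day inactivity window and the sample HR, SSO and application rows are all constructed for the example.

```python
"""Correlate HR, SSO and SaaS application records into one identity view,
then flag orphaned, inactive, ownerless and terminated-but-still-present
identities so they need an explicit disposition before certification closes.
All record shapes and sample data below are constructed for illustration."""
from datetime import date, timedelta

# Constructed sample exports (not real data). Note the mixed-case email in the
# app export: this is the kind of duplicate a reviewer sees when records are
# not normalised before correlation.
HR = [
    {"employee_id": "E100", "email": "ana@example.com", "status": "active", "department": "finance"},
    {"employee_id": "E101", "email": "ben@example.com", "status": "terminated", "department": "sales"},
]
SSO = [
    {"user": "ana@example.com", "last_login": "2025-05-20"},
    {"user": "ben@example.com", "last_login": "2024-11-02"},   # terminated in HR, still in SSO
    {"user": "svc-billing@example.com", "last_login": "2025-05-28"},  # service account, no HR record
]
APP_ACCOUNTS = [
    {"app": "billing-saas", "account": "Ana@Example.com", "role": "admin", "owner": "E100"},
    {"app": "billing-saas", "account": "ben@example.com", "role": "viewer", "owner": "E101"},
    {"app": "crm", "account": "svc-billing@example.com", "role": "admin", "owner": None},
    {"app": "crm", "account": "old-contractor@example.com", "role": "editor", "owner": None},
]

AS_OF = date(2025, 6, 1)                 # review date for the sample cycle
PRIVILEGED_ROLES = {"admin", "owner"}    # assumed: roles that count as privileged


def normalise(identifier: str) -> str:
    """Canonical key so 'Ana@Example.com' and 'ana@example.com' merge into one identity."""
    return identifier.strip().lower()


def build_identity_view(hr, sso, app_accounts):
    """Merge the three sources into one record per normalised email."""
    view = {}

    def entry(email):
        return view.setdefault(email, {"hr": None, "last_login": None, "entitlements": []})

    for rec in hr:
        entry(normalise(rec["email"]))["hr"] = rec
    for rec in sso:
        entry(normalise(rec["user"]))["last_login"] = date.fromisoformat(rec["last_login"])
    for rec in app_accounts:
        entry(normalise(rec["account"]))["entitlements"].append(rec)
    return view


def flag_for_review(view, as_of, inactive_days=90):
    """Return {email: [finding, ...]}; an empty list means nothing blocks recertification."""
    cutoff = as_of - timedelta(days=inactive_days)
    findings = {}
    for email, ident in view.items():
        flags = []
        hr = ident["hr"]
        if hr is None:
            flags.append("no_hr_record")          # orphan: nobody in HR owns this identity
        elif hr["status"] != "active":
            flags.append("hr_terminated")         # offboarding did not reach SSO/apps
        if ident["last_login"] is None:
            flags.append("never_logged_in")
        elif ident["last_login"] < cutoff:
            flags.append("inactive")
        if any(e["owner"] is None for e in ident["entitlements"]):
            flags.append("missing_owner")
        # Privileged context only matters to the reviewer when something else is wrong.
        if flags and any(e["role"] in PRIVILEGED_ROLES for e in ident["entitlements"]):
            flags.append("privileged")
        findings[email] = flags
    return findings


def certification_can_close(findings, dispositions):
    """Every flagged identity needs an explicit disposition (e.g. 'revoke',
    'assign_owner', 'keep') before the review cycle is allowed to close."""
    return all(email in dispositions for email, flags in findings.items() if flags)


if __name__ == "__main__":
    view = build_identity_view(HR, SSO, APP_ACCOUNTS)
    findings = flag_for_review(view, AS_OF)
    for email, flags in findings.items():
        print(f"{email}: {flags or 'clean'}")
    print("cycle can close:", certification_can_close(findings, {}))
```

The correlation step is deliberately done before any flagging: on this sample it collapses the mixed-case billing account into the same identity as the HR and SSO rows, which is exactly what stops a reviewer from certifying one half of a duplicate and revoking the other. The terminated employee still visible in SSO and the unowned privileged service account are the two findings a defender most wants surfaced with context rather than buried in a flat entitlement list.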
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Connector and integration specifics for cloud applications that legacy IGA tools struggle to support
- Workflow examples for role-based onboarding, approval routing, and offboarding actions
- Examples of contextual review fields such as activity history, inactive status, and privileged access flags
- Detailed product walkthroughs for teams evaluating next-gen IGA replacement projects
👉 Read Zluri's analysis of why legacy IGA falls short in dynamic environments →
Legacy IGA and the governance gap in dynamic IT environments
Explore further
Legacy IGA is failing because it assumes identity estates are stable enough for periodic governance. That assumption no longer holds in SaaS-heavy environments where users, apps, and entitlements change continuously. When identity records fragment across tools, certification becomes a retrospective cleanup exercise rather than a control. The practitioner implication is that governance must start with authoritative identity correlation, not with more review cycles.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, raising the risk of unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who is accountable when fragmented identity data causes access failures?
A: Accountability sits with the identity programme owner, not the tool alone. Governance teams must own record correlation, entitlement quality, and offboarding outcomes across the lifecycle. Frameworks such as the NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10 both reinforce that access control is a managed control, not a data quality accident.
👉 Read our full editorial: Legacy IGA cannot keep up with dynamic identity governance