TL;DR: Only 6% of organisations have fully automated identity governance, while 84% rely entirely on manual methods and another 10% use partial legacy automation, according to Zluri’s 2025 survey. Legacy IGA still dominates identity governance because static access models cannot keep pace with SaaS sprawl, mixed identity types, and review processes that depend on fragmented data.
NHIMG editorial — based on content published by Zluri: Access Management How Next-Gen IGA Addresses The Shortcomings Of Legacy IGA
By the numbers:
- Only 6% of organizations have a fully automated setup for managing their identity governance and administration process.
- 84% of organizations rely entirely on manual methods.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams modernise identity governance in SaaS-heavy environments?
A: They should first stabilise identity data, then automate decisions.
Q: Why do legacy IGA tools struggle with access reviews?
A: Legacy IGA struggles because it often cannot reconcile duplicate identities, stale attributes, and incomplete entitlement context across systems.
Q: What do teams get wrong about department-based access provisioning?
A: They treat department membership as a sufficient proxy for need.
Practitioner guidance
- Unify identity records before scaling certification: Correlate SSO, ITSM, HR, and application records into one authoritative identity view so reviewers stop working from duplicate or mismatched accounts.
- Replace department-based access with role and risk rules: Use role, usage, and sensitivity signals to drive provisioning decisions instead of broad departmental group membership that overstates entitlement need.
- Target orphaned and inactive accounts in every review cycle: Flag identities with no recent use, missing owners, or unclear employment status, then require explicit disposition before recertification closes.
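The first and third guidance items as one review pass, in an added Python example that is not from Zluri's article or any IGA product: records are merged into one identity view, accounts are flagged, and the cycle cannot close until every flag has a disposition. The field names, the 90-day idle threshold, the disposition values and all sample records are assumptions constructed for illustration; ITSM records would be merged the same way as the HR and SSO ones.

```python
from datetime import date

# Constructed sample data; field names are assumptions, not a vendor schema.
HR = [{"email": "Ana.Ruiz@example.com", "status": "active"}]
SSO = [{"login": "ana.ruiz@example.com", "last_login": date(2025, 5, 28)},
       {"login": "bo.chen@example.com", "last_login": date(2025, 1, 10)}]
ACCOUNTS = [
    {"app": "crm", "account": "aruiz", "owner": "ANA.RUIZ@example.com", "last_used": date(2025, 5, 30)},
    {"app": "wiki", "account": "ana", "owner": "ana.ruiz@example.com", "last_used": date(2024, 11, 2)},
    {"app": "crm", "account": "bchen", "owner": "bo.chen@example.com", "last_used": date(2025, 1, 9)},
    {"app": "ci", "account": "svc-deploy", "owner": None, "last_used": date(2025, 5, 31)},
]

def norm(addr):
    """Case-fold and trim so differently spelled records share one key."""
    return addr.strip().lower()

def build_identities(hr, sso, accounts):
    """Merge all sources into one record per identity; ownerless accounts key on themselves."""
    ids = {}
    def rec(key):
        return ids.setdefault(key, {"hr_status": None, "last_login": None, "accounts": []})
    for r in hr:
        rec(norm(r["email"]))["hr_status"] = r["status"]
    for r in sso:
        rec(norm(r["login"]))["last_login"] = r["last_login"]
    for a in accounts:
        rec(norm(a["owner"] or f'{a["app"]}:{a["account"]}'))["accounts"].append(a)
    return ids

def review_findings(ids, today, max_idle_days=90):
    """Return {(identity, app, account): [flags]}; the 90-day default is an assumed threshold."""
    findings = {}
    for key, ident in ids.items():
        for a in ident["accounts"]:
            flags = []
            if a["owner"] is None:
                flags.append("missing_owner")
            elif ident["hr_status"] != "active":
                flags.append("unclear_employment")  # owner has no active HR record
            if (today - a["last_used"]).days > max_idle_days:
                flags.append("no_recent_use")
            if flags:
                findings[(key, a["app"], a["account"])] = flags
    return findings

def can_close(findings, decisions):
    """The cycle closes only when every flagged account has a recorded disposition."""
    return all(decisions.get(k) in {"keep", "revoke", "reassign"} for k in findings)  # hypothetical outcomes
```

On the sample data the three differently cased records for Ana collapse into one identity, and `can_close` stays false until the idle wiki account, the account whose owner has no HR record, and the ownerless service account each receive a decision.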
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Connector and integration specifics for cloud applications that legacy IGA tools struggle to support
- Workflow examples for role-based onboarding, approval routing, and offboarding actions
- Examples of contextual review fields such as activity history, inactive status, and privileged access flags
- Detailed product walkthroughs for teams evaluating next-gen IGA replacement projects