TL;DR: Legacy on-prem IGA systems are increasingly mismatched to hybrid work, SaaS sprawl, and modern security expectations, with Omada’s State of Governance 2025 report saying nearly 40% of organisations still have not deployed cloud-based IGA. The governance problem is not simply migration friction, but a control model that was built for static environments and now lags the identity surface it is meant to govern.
NHIMG editorial — based on content published by Zluri: Access Management Overcome Legacy Barriers, Modernize Your IGA Now
By the numbers:
- 40% of organisations still haven’t deployed cloud-based IGA.
- It takes years to fully implement legacy IGA, and a company with 500 employees can expect to spend between $300k and $500k on the implementation process.
Questions worth separating out
Q: How should organisations modernise legacy IGA without breaking existing access governance?
A: Start by inventorying identity sources, then evaluate which workflows can be automated before replacing the current control plane.
Q: Why do legacy IGA platforms create governance blind spots in cloud environments?
A: Because they depend on proprietary integrations, manual updates, and periodic syncs that cannot keep pace with SaaS expansion and rapid role change.
Q: When should teams prioritise modern IGA over extending on-prem tooling?
A: When provisioning, certification, or deprovisioning already depends on repeated manual intervention, or when the app estate is growing faster than connector coverage.
Practitioner guidance
- Inventory identity sources before migration: Map every system that stores identity or access state, including HRMS, directories, and SaaS applications, so migration does not inherit unknown gaps or duplicate records.
- Measure workflow latency end to end: Track provisioning time, deprovisioning time, certification cycle length, and manual intervention rates so you can see where governance slows down first.
- Rebuild access policies for current-state governance: Replace static rules with policies that reflect role change, least privilege, segregation of duties, and continuous review in the live environment.
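One way to produce the deprovisioning metrics named in the guidance above, as an added example that is not taken from Zluri's article or any vendor's tooling. The field names, application names, the "workflow" actor label and the 24-hour SLA are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data; field and system names are hypothetical.
HR_TERMINATIONS = {  # user -> termination timestamp from the HRMS
    "u1001": "2025-03-03T09:00:00",
    "u1002": "2025-03-04T17:30:00",
    "u1003": "2025-03-05T08:15:00",
}
ACCOUNTS = [  # inventory: every account each user held when they left
    ("u1001", "directory"), ("u1001", "crm"),
    ("u1002", "directory"), ("u1002", "crm"),
    ("u1003", "directory"), ("u1003", "wiki"),
]
DISABLE_EVENTS = [  # (user, app, disabled_at, actor)
    ("u1001", "directory", "2025-03-03T09:05:00", "workflow"),
    ("u1001", "crm", "2025-03-06T11:00:00", "helpdesk"),
    ("u1002", "directory", "2025-03-04T17:40:00", "workflow"),
    ("u1002", "crm", "2025-03-04T19:00:00", "workflow"),
    ("u1003", "directory", "2025-03-05T08:20:00", "workflow"),
]
SLA = timedelta(hours=24)  # assumed deprovisioning target


def deprovisioning_report(terminations, accounts, events, sla=SLA):
    """Join HR terminations to disable events per (user, app) pair."""
    disabled = {(u, a): (datetime.fromisoformat(t), actor)
                for u, a, t, actor in events}
    latencies, breaches, orphaned, manual = [], [], [], 0
    for user, app in accounts:
        left = datetime.fromisoformat(terminations[user])
        hit = disabled.get((user, app))
        if hit is None:
            orphaned.append((user, app))  # no disable event after termination
            continue
        when, actor = hit
        delay = when - left
        latencies.append(delay)
        manual += actor != "workflow"     # anything not automated counts as manual
        if delay > sla:
            breaches.append((user, app, delay))
    return {
        "median_latency": median(latencies),
        "sla_breaches": breaches,
        "orphaned": orphaned,
        "manual_rate": manual / len(latencies),
    }


if __name__ == "__main__":
    print(deprovisioning_report(HR_TERMINATIONS, ACCOUNTS, DISABLE_EVENTS))
```

Running the same join against exports taken before and after migration gives a like-for-like view of whether deprovisioning latency and orphaned accounts actually improved.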
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- A step-by-step migration sequence for moving from on-prem IGA to a cloud-based operating model without losing identity state.
- A practical comparison of legacy and modern IGA deployment patterns, including cost, integration effort, and time-to-value.
- Specific examples of how the vendor's platform handles connectors, workflow automation, and access review automation in practice.
- A staged approach to redesigning access policies for zero trust, least privilege, and segregation of duties.