Light IGA vs full IGA: where governance breaks down in practice


(@nhi-mgmt-group)

TL;DR: Many organisations are pushed toward Full IGA by Gartner’s Light IGA decision tree even when budgets, legacy systems, and phased programmes make that path unrealistic, exposing a governance gap between what is deployed and what is actually governed, according to Gathid. The binary choice is useful as a diagnostic, but insufficient as an operating model because contextual visibility and continuous access insight are often missing.

NHIMG editorial — based on content published by Gathid: Daily Trust, A Smarter Path to Identity Governance, Part Two

Questions worth separating out

Q: How should organisations decide between Light IGA and Full IGA?

A: They should decide based on governance scope, not feature labels.

Q: Why do Light IGA programmes often fail in mixed estates?

A: They fail because mixed estates include legacy, custom, air-gapped, and contractor-heavy systems that do not fit a simple access-review model.

Q: What do security teams get wrong about bundled IGA features?

A: They assume bundling equals completeness.

Practitioner guidance

  • Inventory the systems outside your current IGA boundary: List every application, database, contractor workflow, and legacy platform that is not fully represented in current provisioning and review flows.
  • Separate governance coverage from platform maturity: Assess which controls are already working for connected SaaS estates and which controls still fail on disconnected, on-prem, or custom-built systems.
  • Define when lightweight governance is no longer enough: Set explicit triggers for moving beyond bundled Light IGA features, such as entitlement catalogue needs, segregation of duties enforcement, or role mining across multiple identity sources.

What's in the full article

Gathid's full article covers the operational detail this post intentionally leaves for the source:

  • How Gathid positions the Light IGA decision tree against real enterprise constraints such as budget, legacy systems, and phased rollouts.
  • The specific examples it uses for regional healthcare, not-for-profit, and financial services environments.
  • The capabilities it says light governance tools usually cover and the ones they typically do not.
  • The practical argument for a contextual layer that wraps existing identity platforms without replacing them.
