TL;DR: Role-based access control remains a practical way to align entitlements with job functions, reduce excess privilege, and simplify access reviews, according to SailPoint. The real governance challenge is not the model itself but whether organisations can engineer, maintain, and certify roles fast enough to keep pace with changing access patterns.
NHIMG editorial — based on content published by SailPoint: Mature your IGA solution with a role-based framework
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams implement role-based access control without creating role sprawl?
A: Start with a small set of business-validated roles, then expand only when repeated entitlement patterns justify it.
Q: When does role-based access control stop improving least privilege?
A: RBAC stops improving least privilege when roles become broad containers for exceptions, inherited access, or historical convenience.
Q: What do teams get wrong about role mining in identity governance?
A: Teams often treat role mining as a technical discovery exercise when it is really a governance design activity.
Practitioner guidance
- Rebuild roles around current business functions: Start by validating whether each role still maps to an actual job function, shared process, or privileged task.
- Set review thresholds for role breadth: Define limits for entitlement count, inherited privilege depth, and exception volume so a role cannot quietly accumulate access.
- Separate discovery from approval: Let automation surface candidate roles and entitlement clusters, but require business owners and identity teams to approve the final structure before it enters production governance.
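To make the three guidance items concrete, the following Python example (added here; it is not SailPoint's or NHIMG's code) models roles with inherited access, checks each role against breadth thresholds, and keeps automated discovery separate from human approval. The role names, users, entitlements and threshold numbers are constructed for illustration; the article names the threshold dimensions but not any specific values.

```python
"""Added example: role-breadth threshold checks plus discovery/approval separation.

Roles, users, entitlements and thresholds below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    entitlements: set                              # granted directly by this role
    parents: list = field(default_factory=list)    # roles whose access is inherited
    exceptions: int = 0                            # one-off grants attached to members


# Constructed role model (hypothetical names, not from the article).
ROLES = {
    "finance_analyst": Role("finance_analyst", {"erp.read", "erp.report", "bi.read"}, exceptions=1),
    "finance_manager": Role("finance_manager", {"erp.write", "erp.approve"}, ["finance_analyst"]),
    "finance_director": Role("finance_director", {"erp.admin"}, ["finance_manager"]),
    "finance_vp": Role("finance_vp", {"board.reports"}, ["finance_director"]),
    "legacy_ops": Role("legacy_ops", {f"legacy.perm{i}" for i in range(14)}, exceptions=5),
}

# Assumed review thresholds for the three breadth dimensions named in the guidance.
THRESHOLDS = {"max_entitlements": 10, "max_inheritance_depth": 2, "max_exceptions": 3}


def inheritance_depth(name, roles, _seen=()):
    """Longest chain of parent roles above `name` (0 when nothing is inherited)."""
    role = roles[name]
    if not role.parents or name in _seen:   # stop on cycles in a malformed model
        return 0
    return 1 + max(inheritance_depth(p, roles, _seen + (name,)) for p in role.parents)


def effective_entitlements(name, roles, _seen=()):
    """Direct entitlements plus everything inherited through parent roles."""
    role = roles[name]
    result = set(role.entitlements)
    for parent in role.parents:
        if parent not in _seen:
            result |= effective_entitlements(parent, roles, _seen + (name,))
    return result


def role_breadth_findings(roles, thresholds):
    """Map role name -> list of breached thresholds, only for roles that breach one."""
    findings = {}
    for name in roles:
        reasons = []
        if len(effective_entitlements(name, roles)) > thresholds["max_entitlements"]:
            reasons.append("entitlement_count")
        if inheritance_depth(name, roles) > thresholds["max_inheritance_depth"]:
            reasons.append("inheritance_depth")
        if roles[name].exceptions > thresholds["max_exceptions"]:
            reasons.append("exception_volume")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed user-to-entitlement assignments used as role-mining input.
USER_ENTITLEMENTS = {
    "alice": {"crm.read", "crm.export"}, "bob": {"crm.read", "crm.export"},
    "carol": {"crm.read", "crm.export"},
    "dave": {"hr.read"}, "erin": {"hr.read"},
    "frank": {"erp.read", "erp.report", "bi.read"}, "grace": {"erp.read", "erp.report", "bi.read"},
    "hank": {"erp.read", "erp.report", "bi.read"},
}


def mine_candidate_roles(user_entitlements, roles, min_users=3):
    """Discovery step: group users that share an identical entitlement set and propose
    each recurring set as a candidate role. Sets already covered by an existing role
    are skipped. Candidates come back pending approval; nothing is activated here."""
    groups = defaultdict(list)
    for user, ents in user_entitlements.items():
        groups[frozenset(ents)].append(user)
    existing = {frozenset(effective_entitlements(n, roles)) for n in roles}
    candidates = []
    for ents, members in groups.items():
        if len(members) >= min_users and ents not in existing:
            candidates.append({"entitlements": sorted(ents), "members": sorted(members),
                               "status": "pending_approval"})
    return sorted(candidates, key=lambda c: -len(c["members"]))


def approve_candidate(candidate, role_name, approved_by):
    """Approval step: only a named business or identity owner turns a candidate into a Role."""
    if not approved_by:
        raise ValueError("candidate roles require a named approver before entering governance")
    candidate["status"] = f"approved_by:{approved_by}"
    return Role(role_name, set(candidate["entitlements"]))


if __name__ == "__main__":
    print("breadth findings:", role_breadth_findings(ROLES, THRESHOLDS))
    for cand in mine_candidate_roles(USER_ENTITLEMENTS, ROLES):
        print("candidate:", cand)
```

Run as a script it flags `legacy_ops` for entitlement count and exception volume and `finance_vp` for inheritance depth, and proposes one candidate role (the shared CRM entitlement set) while leaving it in `pending_approval` until `approve_candidate` is called with a named approver. The depth check walks the inheritance chain rather than counting direct entitlements, which is what lets a narrow-looking role at the top of a chain surface as overly broad.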
What's in the full article
SailPoint's full blog covers the operational detail this post intentionally leaves for the source:
- Role modelling steps for building bottom-up, top-down, and hybrid RBAC structures
- Practical examples of role mining inputs drawn from user, entitlement, and business-function relationships
- Implementation guidance for using AI to suggest roles without losing governance oversight
- How SailPoint frames role-based access in its IdentityNow and Access Modeling context
👉 Read SailPoint's blog on role-based access frameworks for IGA →