How do organisations know whether their IGA programme is actually working?

By NHI Mgmt Group Editorial Team. Updated June 27, 2026. Domain: Governance, Ownership & Risk.

Look for fewer orphaned accounts, fewer unresolved SoD conflicts, and a lower rate of redundant approvals in certification campaigns. If the programme is healthy, access reviews should produce cleaner entitlement data and fewer exceptions over time, not just higher completion percentages.

Why This Matters for Security Teams

IGA should be judged by whether it improves identity hygiene, not whether review campaigns were completed on time. When access governance is working, organisations see fewer orphaned accounts, fewer stale entitlements, and fewer exceptions that need manual escalation. That matters because weak identity controls often persist long after a process claims success. NHI Management Group’s Ultimate Guide to NHIs shows that only 5.7% of organisations have full visibility into their service accounts, which is a reminder that completion metrics can hide weak underlying inventory and entitlement quality. The same logic applies to human IGA programmes: if access certification only produces inbox activity, but entitlement data keeps degrading, the programme is not reducing risk. Security teams should look for evidence that reviews are uncovering less unnecessary access over time, that owners are making faster and better decisions, and that provisioning and deprovisioning events are being reconciled cleanly against authoritative sources. The NIST Cybersecurity Framework 2.0 is useful here because it frames governance as ongoing risk management, not a checkbox exercise. In practice, many security teams discover IGA failure only after audit exceptions, toxic access, or termination gaps have already accumulated.

How It Works in Practice

A healthy IGA programme creates a measurable feedback loop between source systems, entitlement catalogues, access decisions, and periodic review outcomes. The goal is not just to close tickets, but to reduce the amount of bad identity data entering the system in the first place. That means tracking whether joiner, mover, and leaver events are correctly reflected in downstream applications, whether access is assigned from approved roles or policies, and whether certifications are actually removing unnecessary entitlements. Useful indicators usually include:
  • Declining orphaned account counts after joins, moves, and terminations
  • Fewer unresolved segregation of duties conflicts at the end of each review cycle
  • Lower rates of redundant approvals for the same access pattern
  • Shorter time from termination to access revocation
  • Fewer repeat exceptions for the same users, roles, or applications
The strongest programmes also separate activity metrics from outcome metrics. Completion rate is an activity metric. Reduction in toxic access is an outcome metric. Entitlement freshness, exception aging, and remediation closure time are often better indicators of control effectiveness than how many reviewers clicked approve or revoke. NIST guidance on access control and continuous monitoring supports this approach, and the governance lens in the Ultimate Guide to NHIs is a useful reminder that identity programmes fail when visibility, lifecycle control, and revocation are not actually connected. These controls tend to break down when identity sources are fragmented across HR, ITSM, and application-owned directories because reconciliation errors make the programme look healthier than it is.
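The indicators above only become useful once they are computed from data rather than from campaign dashboards. As an added worked example (not code from the original page or from NHI Mgmt Group), the following Python reconciles a constructed HR feed against a constructed application account snapshot and two constructed certification campaigns, and derives the outcome measures listed above: orphaned accounts, termination-to-revocation lag, unresolved segregation-of-duties conflicts, completion rate kept separate from remediation closure, and repeat exceptions across consecutive campaigns (the recurrence signal discussed in the edge cases below). Every user id, account name, entitlement name, SoD rule and date is constructed for illustration; the SoD policy is hypothetical.

```python
"""Added worked example (constructed data): measuring IGA outcomes rather than activity."""
from datetime import date
from statistics import median

AS_OF = date(2026, 6, 1)  # reporting date for the snapshot (constructed)

# Authoritative HR feed (constructed): who exists and whether they have left.
HR_RECORDS = {
    "u001": {"status": "active", "terminated_on": None},
    "u002": {"status": "terminated", "terminated_on": date(2026, 5, 1)},
    "u003": {"status": "terminated", "terminated_on": date(2026, 5, 10)},
    "u004": {"status": "active", "terminated_on": None},
}

# Downstream application account snapshot (constructed).
APP_ACCOUNTS = [
    {"account": "erp-u001", "owner": "u001", "enabled": True, "disabled_on": None,
     "entitlements": {"ap_create_vendor", "ap_approve_payment"}},
    {"account": "erp-u002", "owner": "u002", "enabled": False, "disabled_on": date(2026, 5, 3),
     "entitlements": {"gl_read"}},
    {"account": "erp-u003", "owner": "u003", "enabled": True, "disabled_on": None,
     "entitlements": {"gl_post", "gl_reconcile"}},
    {"account": "erp-svc-legacy", "owner": "u999", "enabled": True, "disabled_on": None,
     "entitlements": {"gl_post"}},  # owner id is not in HR at all
    {"account": "erp-u004", "owner": "u004", "enabled": True, "disabled_on": None,
     "entitlements": {"gl_read"}},
]

# Hypothetical segregation-of-duties policy: holding every entitlement in a set is toxic.
SOD_RULES = [frozenset({"ap_create_vendor", "ap_approve_payment"}),
             frozenset({"gl_post", "gl_reconcile"})]

# Two certification campaigns (constructed). decision None = reviewer never responded;
# remediated False = "revoke" was clicked but the access was never actually removed.
PREVIOUS_CAMPAIGN = [
    {"account": "erp-u001", "decision": "approve", "remediated": None},
    {"account": "erp-u003", "decision": "revoke", "remediated": False},
    {"account": "erp-svc-legacy", "decision": "revoke", "remediated": False},
]
CURRENT_CAMPAIGN = [
    {"account": "erp-u001", "decision": "approve", "remediated": None},
    {"account": "erp-u002", "decision": "revoke", "remediated": True},
    {"account": "erp-u003", "decision": "revoke", "remediated": False},
    {"account": "erp-svc-legacy", "decision": None, "remediated": None},
    {"account": "erp-u004", "decision": "approve", "remediated": None},
]

def orphaned_accounts(accounts=APP_ACCOUNTS, hr=HR_RECORDS):
    """Enabled accounts whose owner is unknown to HR or whom HR says has left."""
    orphans = []
    for acct in accounts:
        owner = hr.get(acct["owner"])
        if acct["enabled"] and (owner is None or owner["status"] == "terminated"):
            orphans.append(acct["account"])
    return sorted(orphans)

def revocation_lag(accounts=APP_ACCOUNTS, hr=HR_RECORDS, as_of=AS_OF):
    """Days from HR termination to disablement; still-enabled accounts are open gaps."""
    closed, open_gaps = [], []
    for acct in accounts:
        owner = hr.get(acct["owner"])
        if owner is None or owner["status"] != "terminated":
            continue
        if acct["enabled"]:
            open_gaps.append((acct["account"], (as_of - owner["terminated_on"]).days))
        else:
            closed.append((acct["disabled_on"] - owner["terminated_on"]).days)
    return {"median_closed_days": median(closed) if closed else None,
            "open_gaps": open_gaps}

def sod_conflicts(accounts=APP_ACCOUNTS, rules=SOD_RULES):
    """Enabled accounts that hold a complete toxic combination."""
    return sorted((a["account"], sorted(r))
                  for a in accounts if a["enabled"]
                  for r in rules if r <= a["entitlements"])

def campaign_metrics(items):
    """Activity metric (completion) separated from outcome metrics (closed revocations)."""
    decided = [i for i in items if i["decision"] is not None]
    revokes = [i for i in decided if i["decision"] == "revoke"]
    closed = [i for i in revokes if i["remediated"]]
    return {"completion_rate": len(decided) / len(items),
            "remediation_closure_rate": len(closed) / len(revokes) if revokes else None,
            "open_revocations": sorted(i["account"] for i in revokes if not i["remediated"])}

def repeat_exceptions(previous, current):
    """Accounts flagged for revocation in consecutive campaigns: review is not removing access."""
    def flagged(items):
        return {i["account"] for i in items if i["decision"] == "revoke"}
    return sorted(flagged(previous) & flagged(current))

def health_report():
    """Outcome indicators a security team would trend cycle over cycle."""
    return {"orphaned_accounts": orphaned_accounts(),
            "revocation_lag": revocation_lag(),
            "sod_conflicts": sod_conflicts(),
            "campaign": campaign_metrics(CURRENT_CAMPAIGN),
            "repeat_exceptions": repeat_exceptions(PREVIOUS_CAMPAIGN, CURRENT_CAMPAIGN)}
```

Run `health_report()` and note what the sample shows: the current campaign has an 80% completion rate, yet only half of its revocations were ever executed, one terminated user's account has been live for 22 days past the HR termination date, a service account has no owner in the authoritative source, and the same account was flagged for revocation in two consecutive cycles. A dashboard reporting completion alone would call this campaign a success; the outcome measures say the feedback loop between review decisions and actual revocation is broken.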

Common Variations and Edge Cases

Tighter IGA controls often increase operational overhead, so organisations have to balance review depth against reviewer fatigue and admin cost. That tradeoff becomes more obvious in large environments, delegated business ownership models, and application portfolios with weak entitlement naming standards. Best practice is evolving, and there is no universal standard for how many access review exceptions are “too many.” Some teams treat a rising exception count as a sign of better detection, at least early on. Others see it as evidence that role models are stale or that entitlements have drifted too far from business function. The right interpretation depends on whether the exception rate declines after remediation, whether similar exceptions recur in the next campaign, and whether owners can explain the same access requests consistently. A few edge cases deserve special attention:
  • Mergers and acquisitions, where duplicate identities and inherited access distort baseline measurements
  • Privileged access populations, where a small number of accounts can create a disproportionate risk signal
  • Legacy applications with poor entitlement metadata, where “clean” review results may simply mean poor visibility
  • Third-party or contractor access, where leaver controls often fail faster than internal user controls
This is where governance maturity matters. If the programme cannot show trend improvement in entitlement quality, revocation speed, and exception reduction, then high campaign participation is just busywork, not control effectiveness.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | ID.IM-01 | IGA should show improving identity maturity and reduced exceptions over time.
NIST CSF 2.0 | PR.AC-4 | Access reviews should reduce unnecessary entitlements and tighten least privilege.
NIST AI RMF | (not specified) | Governance and measurement principles apply to identity programme effectiveness.

Track identity metrics over time and use trend evidence to prove governance is reducing risk.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 27, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org