IDENTITY GOVERNANCE & ADMINISTRATION
Managing the complete lifecycle of digital identities, access rights, and compliance through certification campaigns, separation of duties, and policy enforcement.
Understanding Identity Governance
Identity Governance and Administration (IGA) is the framework of policies, processes, and technologies that enable organizations to manage digital identities and their access rights across the enterprise. While IAM focuses on “who can access what,” IGA focuses on “who SHOULD access what, why do they have it, and can we prove it’s appropriate?”
IGA emerged as organizations realized that simply managing access wasn’t enough: they needed to govern it. Auditors, regulators, and security teams demand answers to questions that traditional IAM systems can’t provide:
- Who approved this access and when?
- Is this access still necessary for their job function?
- Does this user have conflicting permissions?
- Can we prove compliance with regulations?
- What would happen if we revoked this access?
KEY INSIGHT:
IGA is the compliance and audit layer on top of IAM. It answers the questions auditors ask: “Who has access? Why? When was it last reviewed? Who approved it?”
IAM vs. IGA: Understanding the Difference
Many organizations confuse IAM and IGA or use the terms interchangeably. Here’s a clear breakdown:
| ASPECT | IAM (Identity & Access Management) | IGA (Identity Governance & Administration) |
|---|---|---|
| Primary Focus | Authentication & authorization | Compliance & oversight |
| Key Question | “Can this user access this resource?” | “Should this user have this access?” |
| Time Orientation | Real-time access decisions | Periodic reviews & audits |
| Stakeholders | IT, Security teams | Compliance, Audit, Business owners |
| Outputs | Allow/Deny decisions | Certifications, reports, risk scores |
| Regulations | Technical security standards | SOX, HIPAA, GDPR, SOC 2 |
IAM provides:
- Authentication (Who are you?)
- Authorization (What can you access?)
- Single Sign-On
- Directory Services
IGA adds:
- Access Certification (Should you still have it?)
- Segregation of Duties (Do you have too much?)
- Policy Enforcement (Does it comply with rules?)
- Audit & Reporting (Can we prove it?)
- Risk Analytics (How dangerous is this access?)
IGA wraps around IAM, adding the governance layer that regulators require.
COMMON PITFALL:
Organizations often implement IAM tools expecting them to solve governance problems. Without IGA, you can manage access but cannot prove it’s appropriate, a critical gap during audits.
The Three Pillars of IGA
| PILLAR | DESCRIPTION | KEY ACTIVITIES |
|---|---|---|
| Identity Lifecycle | Managing identities from joiner to mover to leaver | Provisioning, transfers, terminations, rehires |
| Access Governance | Certifying and auditing access rights | Access reviews, certification campaigns, attestation |
| Policy & Compliance | Enforcing rules and regulations | SOD enforcement, RBAC, audit reporting |
Pillar 1: Identity Lifecycle Management
The identity lifecycle encompasses every stage of a user’s relationship with your organization:
- Rehire → Verify no residual access, provision fresh
- Contractor → Time-bound access with auto-expiration
- Acquisition → Bulk onboarding with role mapping
- Leave of Absence → Suspend, don’t delete
KEY INSIGHT:
The “Mover” stage is where most access accumulation happens. Users get promoted or transfer but keep their old access, leading to excessive privileges over time.
Joiner-Mover-Leaver (JML) Process
| STAGE | TRIGGER | IGA ACTIONS | RISK IF MISSED |
|---|---|---|---|
| Joiner | HR creates employee record | Auto-provision birthright roles, create accounts | Delayed productivity, manual provisioning errors |
| Mover | Title/dept/location change | Add new access, REMOVE old access, recertify | Access accumulation, SOD violations |
| Leaver | Termination date reached | Disable accounts, revoke all access, archive | Orphaned accounts, insider threat, compliance failure |
PRO TIP:
Integrate IGA with your HR system (Workday, SAP SuccessFactors, etc.) as the authoritative source. When HR terminates an employee, access revocation should be automatic, not dependent on someone remembering to submit a ticket.
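The JML table above, worked through in code as an added example (not code from the page): an HR event is turned into provision/revoke actions, and the mover case shows the "remove old access" step that is so often skipped. The role catalogue and the sample identity are constructed.

```python
# Joiner/Mover/Leaver action derivation. Added example, not code from the page;
# the role catalogue and the sample identity below are constructed.

# Constructed role catalogue: role name -> entitlements it grants.
ROLE_ENTITLEMENTS = {
    "Employee Basic Access": {"email", "intranet"},          # birthright role
    "AP Clerk": {"AP:EnterInvoice", "AP:CreateVendor"},
    "AP Manager": {"AP:ApprovePayment", "AP:ReleasePayment", "ERP:Reports"},
    "Financial Analyst": {"ERP:Reports", "BI:Dashboards"},
}
BIRTHRIGHT_ROLE = "Employee Basic Access"

def target_access(roles):
    """Entitlements an identity should hold: birthright plus everything its roles grant."""
    target = set(ROLE_ENTITLEMENTS[BIRTHRIGHT_ROLE])
    for role in roles:
        target |= ROLE_ENTITLEMENTS[role]
    return target

def lifecycle_actions(event, current_access, new_roles=()):
    """Translate an HR lifecycle event ("joiner", "mover" or "leaver") into IGA actions.

    Returns provision/revoke lists plus flags for recertification and account disablement.
    """
    current = set(current_access)
    if event == "joiner":
        return {"provision": sorted(target_access(new_roles)), "revoke": [],
                "recertify": False, "disable_account": False}
    if event == "mover":
        target = target_access(new_roles)
        # The mover step is where accumulation happens: everything the new roles
        # do not justify is revoked, and the access that remains is recertified.
        return {"provision": sorted(target - current), "revoke": sorted(current - target),
                "recertify": True, "disable_account": False}
    if event == "leaver":
        return {"provision": [], "revoke": sorted(current),
                "recertify": False, "disable_account": True}
    raise ValueError(f"unknown lifecycle event: {event}")

if __name__ == "__main__":
    # Constructed identity: an AP clerk promoted to AP manager.
    clerk = target_access(["AP Clerk"])
    print(lifecycle_actions("mover", clerk, new_roles=["AP Manager"]))
    # Skipping the revoke list would leave CreateVendor and ApprovePayment together,
    # the ghost-vendor SOD conflict discussed later on this page.
```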
Pillar 2: Access Governance & Certification
Access certification is the process of periodically reviewing and validating that users still require their current access. This is often the most visible IGA activity to auditors.
Types of Access Certification Campaigns
| CAMPAIGN TYPE | REVIEWER | SCOPE | FREQUENCY |
|---|---|---|---|
| User Access Review | Manager | All access for their direct reports | Quarterly/Semi-annual |
| Application Review | App Owner | All users with access to their app | Semi-annual/Annual |
| Privileged Access Review | Security Team | Admin/elevated access only | Quarterly |
| Entitlement Review | Role Owner | Specific permissions/roles | Annual |
| SOD Violation Review | Compliance | Users with conflicting access | Quarterly |
| Orphaned Account Review | IT Security | Accounts without owners | Monthly |
BEST PRACTICE:
Implement risk-based certification frequency: critical access quarterly, standard access semi-annually, low-risk access annually. Don’t treat all access the same; focus reviewer attention where it matters most.
COMMON PITFALL: Rubber-Stamping
The #1 failure mode of access certification is “rubber-stamping”: reviewers approving everything without actually evaluating whether the access is needed.
Warning signs:
- 100% certification rate (no revocations)
- All items certified in under 5 minutes
- No comments or justifications provided
- Items certified after business hours (auto-approve scripts?)
- Certification delegated to admin assistants
Countermeasures:
- Require justification comments for certifications
- Flag rapid certifications for compliance review
- Set revocation targets (e.g., minimum 5% revocation expected)
- Provide business context (last login, usage data)
- Escalate to manager’s manager if not completed
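The rubber-stamping warning signs listed above, turned into detection logic over a reviewer's decision log. This is an added example, not code from the page; the two decision logs are constructed, and the thresholds (5% revocation target, 5-minute batch, 08:00–18:00 weekday business hours) are taken from the list above.

```python
# Rubber-stamp detection over a reviewer's certification decisions. Added example,
# not code from the page; the decision logs below are constructed.
from datetime import datetime

# Each decision: (item_id, decision, ISO timestamp in the reviewer's local time, comment)
SUSPICIOUS_LOG = [
    ("cert-101", "certify", "2024-04-02T19:05:10", ""),
    ("cert-102", "certify", "2024-04-02T19:05:14", ""),
    ("cert-103", "certify", "2024-04-02T19:05:19", ""),
    ("cert-104", "certify", "2024-04-02T19:05:23", ""),
    ("cert-105", "certify", "2024-04-02T19:05:30", ""),
]
HEALTHY_LOG = [
    ("cert-201", "certify", "2024-04-03T09:10:00", "Needs AP entry for month-end close"),
    ("cert-202", "revoke", "2024-04-03T09:25:00", "Moved to Treasury; AP access no longer needed"),
    ("cert-203", "certify", "2024-04-03T10:02:00", "Active daily user, role-appropriate"),
    ("cert-204", "certify", "2024-04-03T10:40:00", "Still on the vendor onboarding team"),
]

def rubber_stamp_signals(decisions, min_revocation_rate=0.05, max_campaign_seconds=300,
                         business_hours=(8, 18)):
    """Warning signs from the list above, evaluated over one reviewer's decisions in a campaign.
    Defaults: 5% revocation target, 5-minute batch, 08:00-18:00 weekday business hours."""
    if not decisions:
        return set()
    signals = set()
    revoked = sum(1 for _, decision, _, _ in decisions if decision == "revoke")
    if revoked / len(decisions) < min_revocation_rate:
        signals.add("low_revocation_rate")          # 100% certification rate
    times = sorted(datetime.fromisoformat(ts) for _, _, ts, _ in decisions)
    if (times[-1] - times[0]).total_seconds() < max_campaign_seconds:
        signals.add("rapid_certification")          # whole batch in under 5 minutes
    if not any(comment.strip() for _, _, _, comment in decisions):
        signals.add("no_justifications")            # no comments provided
    start, end = business_hours
    if any(t.weekday() >= 5 or not start <= t.hour < end for t in times):
        signals.add("after_hours_activity")         # weekend or outside business hours
    return signals

def needs_compliance_review(decisions):
    """Escalate when two or more independent signals fire (a single signal is noisy)."""
    return len(rubber_stamp_signals(decisions)) >= 2

if __name__ == "__main__":
    print(sorted(rubber_stamp_signals(SUSPICIOUS_LOG)))   # all four signals
    print(rubber_stamp_signals(HEALTHY_LOG))              # set()
```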
Pillar 3: Policy & Compliance
Separation of Duties (SOD)
SOD prevents toxic combinations of access that could enable fraud, errors, or abuse of power. No single person should control all aspects of a critical process.
Example of a toxic combination held by a single accounts payable user:
- User creates a fake vendor (“ABC Consulting”)
- User submits invoice from fake vendor
- User approves payment to fake vendor
- Money goes to user’s personal account
Result: Ghost vendor fraud – undetectable without SOD controls
Common SOD Conflicts by Business Function
| FUNCTION | CONFLICT | RISK | REGULATION |
|---|---|---|---|
| Accounts Payable | Create vendors + Approve payments | Ghost vendor fraud | SOX 404 |
| Accounts Payable | Enter invoices + Release payments | Fictitious invoices | SOX 404 |
| Payroll | Modify HR records + Process payroll | Ghost employees, pay fraud | SOX 302 |
| Payroll | Manage compensation + Run payroll | Unauthorized raises | SOX 404 |
| IT Operations | Deploy code + Approve deployments | Change control bypass | SOC 2 |
| IT Security | Create users + Assign admin rights | Privilege escalation | ISO 27001 |
| Procurement | Create POs + Approve POs | Unauthorized purchases | SOX 404 |
| Treasury | Initiate transfers + Approve transfers | Misappropriation | SOX 404 |
SOD Detection Matrix
| | NetSuite | Workday | AWS | GitHub | Salesforce |
|---|---|---|---|---|---|
| NetSuite | – | Warning | – | – | Warning |
| Workday | Warning | – | – | – | – |
| AWS | – | – | – | Critical | – |
| GitHub | – | – | Critical | – | – |
| Salesforce | Warning | – | – | – | – |
Critical and Warning mark the severity of the cross-application conflict; – means no conflict rule is defined between the pair.
PRO TIP:
SOD rules should be enforced preventively (block the access request), not just detectively (report after the fact). A pre-check during access requests catches violations before they happen.
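A preventive SOD pre-check of the kind the tip above describes, as an added example (not code from the page). The conflict pairs follow the function table above; the entitlement names and the sample identity are constructed.

```python
# Preventive SOD pre-check for an access request. Added example, not code from the
# page; the entitlement names are constructed, the conflict pairs follow the table above.

# SOD rules: unordered pairs of entitlements that must not be held together, keyed by
# the business function they protect.
SOD_RULES = {
    "Accounts Payable": [("AP:CreateVendor", "AP:ApprovePayment"),
                         ("AP:EnterInvoice", "AP:ReleasePayment")],
    "Payroll": [("HR:ModifyRecord", "PAY:ProcessPayroll"),
                ("HR:ManageCompensation", "PAY:RunPayroll")],
    "IT Operations": [("CI:DeployCode", "CI:ApproveDeployment")],
    "IT Security": [("IAM:CreateUser", "IAM:AssignAdminRights")],
    "Procurement": [("PROC:CreatePO", "PROC:ApprovePO")],
    "Treasury": [("TRS:InitiateTransfer", "TRS:ApproveTransfer")],
}

def violations(entitlements):
    """Detective check: every SOD pair that is fully present in `entitlements`."""
    held = set(entitlements)
    return [(function, a, b) for function, pairs in SOD_RULES.items()
            for a, b in pairs if a in held and b in held]

def precheck_request(current, requested):
    """Preventive check run before an access request is approved.

    Returns (allowed, new_conflicts). Only conflicts *created* by the request block it;
    pre-existing violations are reported by violations() and handled through the
    SOD violation review campaign rather than by rejecting unrelated requests.
    """
    before = set(violations(current))
    after = set(violations(set(current) | {requested}))
    new_conflicts = sorted(after - before)
    return (not new_conflicts, new_conflicts)

if __name__ == "__main__":
    # Constructed identity: an AP clerk who can already create vendors.
    clerk = {"AP:CreateVendor", "AP:EnterInvoice", "ERP:ReadReports"}
    print(precheck_request(clerk, "AP:ApprovePayment"))   # blocked: ghost-vendor pair
    print(precheck_request(clerk, "ERP:ExportReports"))   # allowed
```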
Role-Based Access Control (RBAC)
RBAC organizes access into logical roles that align with job functions, simplifying both provisioning and governance.
| ROLE TYPE | DESCRIPTION | EXAMPLE | GOVERNANCE |
|---|---|---|---|
| Business Role | Aligned to job function | Financial Analyst, HR Manager | Certified by business owner |
| Technical Role | Aligned to system access | Database Admin, Network Engineer | Certified by IT owner |
| Entitlement | Specific permission | Read Customer Data, Export Reports | Most granular certification |
| Birthright Role | Auto-assigned on hire | Employee Basic Access, Email | Rarely revoked, low risk |
| Privileged Role | Admin/elevated access | System Admin, Security Admin | Quarterly certification required |
KEY INSIGHT:
Good role design follows the principle of least privilege: users get only the access they need to do their job, nothing more. Over-permissioned roles are a governance nightmare.
Risk Scoring & Analytics
Modern IGA systems calculate risk scores to prioritize attention on the highest-risk identities:
| FACTOR | POINTS |
|---|---|
| Base Score | +10 |
| Admin access to critical system | +25 |
| Each SOD violation | +20 |
| Orphaned account (no manager) | +15 |
| Stale access (unused 90+ days) | +10 |
| High-risk application access | +15 |
| Excessive entitlements (>50) | +10 |
| Failed recent certification | +15 |
| External/contractor status | +10 |
| Access to PII/financial data | +15 |
Risk-Based Certification Strategy
| RISK LEVEL | CERT FREQUENCY | REVIEWER | AUTO-REVOKE? |
|---|---|---|---|
| Critical | Quarterly | Manager + Security | Yes, if not certified in 7 days |
| High | Quarterly | Manager | Yes, if not certified in 14 days |
| Medium | Semi-annual | Manager | No, escalate instead |
| Low | Annual | Manager | No |
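The factor table and the certification strategy table, worked through together as an added example (not code from the page). The points are the page's; the score cut-offs between Critical, High, Medium and Low are an assumption, since the page defines the levels but not the boundaries, and the two identities are constructed.

```python
# Identity risk score from the factor table above, mapped to the risk-based
# certification strategy. Added example, not code from the page; the score
# cut-offs between levels are an assumption, as the page defines only the levels.
from dataclasses import dataclass
@dataclass
class Identity:
    admin_on_critical_system: bool = False
    sod_violations: int = 0
    has_manager: bool = True
    days_since_last_use: int = 0
    high_risk_app_access: bool = False
    entitlement_count: int = 0
    failed_recent_certification: bool = False
    is_external: bool = False
    accesses_pii_or_financial: bool = False

def risk_score(i: Identity) -> int:
    """Sum the points exactly as the factor table lists them."""
    score = 10                                          # base score
    score += 25 if i.admin_on_critical_system else 0
    score += 20 * i.sod_violations                      # each violation counts
    score += 15 if not i.has_manager else 0             # orphaned account
    score += 10 if i.days_since_last_use >= 90 else 0   # stale access
    score += 15 if i.high_risk_app_access else 0
    score += 10 if i.entitlement_count > 50 else 0      # excessive entitlements
    score += 15 if i.failed_recent_certification else 0
    score += 10 if i.is_external else 0
    score += 15 if i.accesses_pii_or_financial else 0
    return score

# ASSUMED cut-offs: (min score, level, frequency, reviewer, auto-revoke after N days or None).
LEVELS = [
    (80, "Critical", "Quarterly", "Manager + Security", 7),
    (50, "High", "Quarterly", "Manager", 14),
    (30, "Medium", "Semi-annual", "Manager", None),     # escalate instead of auto-revoking
    (0, "Low", "Annual", "Manager", None),
]

def certification_plan(i: Identity) -> dict:
    """Pick the certification strategy row that applies to an identity's score."""
    score = risk_score(i)
    for floor, level, frequency, reviewer, revoke_days in LEVELS:
        if score >= floor:
            return {"score": score, "level": level, "frequency": frequency,
                    "reviewer": reviewer, "auto_revoke_after_days": revoke_days}

# Constructed identities: a stale external admin with one SOD conflict and no manager
# (score 90, Critical) and an over-entitled analyst on financial data (score 35, Medium).
CONTRACTOR = Identity(admin_on_critical_system=True, sod_violations=1, has_manager=False,
                      days_since_last_use=120, is_external=True)
ANALYST = Identity(entitlement_count=60, accesses_pii_or_financial=True)
```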
Regulatory Compliance
IGA is essential for meeting regulatory requirements. Here’s how IGA maps to major regulations:
| REGULATION | IGA REQUIREMENTS | KEY CONTROLS |
|---|---|---|
| SOX Section 404 | Financial system access controls | SOD enforcement, quarterly cert of financial apps |
| SOX Section 302 | CEO/CFO certification of controls | Evidence of access reviews, audit trails |
| HIPAA | Healthcare data protection | Minimum necessary access, PHI access logging |
| GDPR | Data subject rights | Access transparency, right to be forgotten |
| SOC 2 | Service organization controls | Access reviews, change management, logging |
| PCI DSS | Payment card security | Least privilege, quarterly reviews, MFA |
| GLBA | Financial data protection | Access controls, monitoring, incident response |
| CCPA | Consumer privacy rights | Data access inventory, deletion workflows |
Typical audit evidence an IGA program must be able to produce:
- Complete audit trail for all access changes
- Evidence of periodic access certifications
- SOD policy documentation and violation reports
- Role definitions and ownership assignments
- Terminated user access revocation proof
- Privileged access inventory and justifications
- Access request and approval workflows
- Exception documentation and compensating controls
IGA Failure Case Studies
Case Study 1: The Orphaned Account Breach
Company: Major Healthcare Provider (2023)
What Happened: A former IT contractor’s account remained active 18 months after contract termination. The attacker purchased the contractor’s credentials on the dark web and used them to access patient records.
Root Cause:
- No integration between contractor management system and IAM
- No orphaned account detection process
- Annual certifications missed the dormant account
LESSON LEARNED: Implement automated deprovisioning triggered by HR/contractor systems. Run monthly orphaned account scans. Flag accounts with no login activity for 90+ days.
Case Study 2: SOD Violation Enables Fraud
Company: Manufacturing Firm (2022)
What Happened: An accounts payable clerk created 47 fake vendors and processed $2.3M in fraudulent payments over 3 years.
Root Cause:
- Same user could create vendors AND approve payments
- No SOD rules defined in ERP system
- Rubber-stamp certifications never questioned the access
LESSON LEARNED: Define and enforce SOD rules preventively. Require compensating controls (dual approval) when SOD exceptions are necessary. Train certifiers to actually evaluate access.
Case Study 3: Access Accumulation Over Time
Company: Financial Services Firm (2024)
What Happened: An employee who had been promoted 4 times over 10 years had access to every department’s systems. When terminated for cause, they downloaded customer data from 6 different applications.
Root Cause:
- No access removal during role changes (Mover process)
- Certifications focused on current role, not historical access
- No visibility into total access footprint
LESSON LEARNED: Implement the Mover process: don’t just add access, remove old access. Calculate and display total entitlement counts. Flag users with access exceeding their peers.
Advanced IGA Topics
AI & Machine Learning in IGA
Modern IGA platforms leverage AI for:
| CAPABILITY | HOW IT WORKS | BENEFIT |
|---|---|---|
| Role Mining | Analyzes existing access patterns to suggest roles | Faster RBAC implementation |
| Anomaly Detection | Flags unusual access requests or usage | Early threat detection |
| Certification Recommendations | Suggests revoke/certify based on peer comparison | Reduces rubber-stamping |
| Access Recommendations | Suggests appropriate access for new hires | Faster onboarding |
| Risk Prediction | Predicts which access combinations are risky | Proactive SOD prevention |
Continuous Access Certification
Moving beyond periodic campaigns to real-time governance:
Problem with periodic campaigns: a 3-month gap where changes go unreviewed.
Benefit of continuous certification: reviews happen when context is fresh.
PRO TIP:
Start with traditional campaigns, then layer in continuous triggers for high-risk events (privileged access grants, SOD violations, dormant account reactivation).
IGA Implementation Best Practices
- Start with high-risk applications – Focus on financial, HR, and admin systems first. Don’t try to govern everything at once.
- Clean your identity data – Garbage in, garbage out. Invest in data quality before implementing governance.
- Define roles before implementing – Role mining and design is critical. Bad roles make governance harder.
- Integrate with HR – Your HR system should be the authoritative source for identity lifecycle events.
- Automate where possible – Manual processes don’t scale and introduce errors.
- Train your certifiers – Explain WHY certification matters, not just HOW to click buttons.
- Get executive sponsorship – IGA requires organizational change, not just technology.
- Measure and improve – Track certification completion rates, revocation rates, time-to-deprovision.
KEY INSIGHT:
The most successful IGA implementations start small (one business unit, one critical application) and expand incrementally based on lessons learned. Perfect is the enemy of good; start governing something today.
IGA Vendor Landscape
| VENDOR | PRODUCT | STRENGTH | BEST FOR |
|---|---|---|---|
| SailPoint | IdentityNow / IIQ | Enterprise features, AI | Large enterprises |
| Saviynt | Enterprise IGA | Cloud-native, PAM integration | Cloud-first orgs |
| Okta | Identity Governance | IAM integration | Okta customers |
| Microsoft | Entra ID Governance | M365 integration | Microsoft shops |
| One Identity | Identity Manager | AD/on-prem strength | Hybrid environments |
| IBM | Verify Governance | Compliance reporting | Regulated industries |
| Oracle | Identity Governance | ERP integration | Oracle ERP customers |
PRO TIP:
Choose an IGA vendor that integrates well with your existing IAM stack and target applications. The best features don’t matter if connectors don’t exist.
IAM Gatekeepers – Securing Digital Identities Through Governance