1. IGA Fundamentals
IGA vs IAM vs PAM
These three disciplines are related but distinct. Understanding their scope helps organizations allocate investment appropriately.
- IAM (Identity & Access Management): The broad discipline covering authentication, authorization, SSO, MFA, and directory services. The foundation layer.
- PAM (Privileged Access Management): Focused subset of IAM specifically for high-risk privileged accounts — vaulting, session recording, JIT access for admins.
- IGA (Identity Governance & Administration): The lifecycle and audit layer — provisioning new hires, managing role changes, certifying access, deprovisioning leavers, and generating compliance evidence.
- IGA answers "who has access and should they?"; IAM answers "how do they authenticate?"; PAM answers "how do we control the most dangerous accounts?"
- All three are required for a complete identity security program — they complement, not replace, each other
The Joiner-Mover-Leaver Lifecycle
Every employee's relationship with identity follows a predictable lifecycle. IGA automates and governs each phase to ensure access is always appropriate and current.
- Joiner (Provisioning): New hire triggers HR system event. IGA reads role/department attributes and automatically provisions accounts, group memberships, and SaaS licenses. Day-1 access is ready without manual IT tickets.
- Mover (Role Change): Promotion, department transfer, or role change. IGA compares old and new role profiles, removes no-longer-needed access, and provisions new access. The critical risk here is access accumulation.
- Leaver (Deprovisioning): Termination event in HR system. IGA immediately disables all accounts, revokes SSO sessions, removes group memberships, and archives the identity record. Speed is critical — disgruntled insiders can cause damage within minutes of deciding to leave.
Access Accumulation (Role Creep)
Over time, employees accumulate access that was granted for temporary needs, past roles, or one-off projects and never removed. This is one of the most pervasive identity security problems.
- A developer promoted to team lead keeps developer access plus gains manager access — but the original developer access was never reviewed
- Project team member gets temporary access to financial system — project ends, access remains for years
- Average enterprise employee has 3x more access than their role requires after 3 years of employment
- Over-provisioned accounts violate the principle of least privilege and increase blast radius of a credential compromise
- Compliance regulations (SOX, PCI DSS) explicitly prohibit role creep for segregation of duties (SoD) reasons
- Access reviews are the primary control for detecting and remediating role creep; mover processing that reconciles access to the new role profile (rather than only adding to it) is the primary control for preventing it
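The following is an added example, not code from the original page: it computes joiner, mover and leaver outcomes against role profiles and contrasts a reconciling mover with the "add only" anti-pattern that causes the access accumulation described above. The role names, entitlement strings and users are constructed for the illustration.

```python
"""Joiner / mover / leaver computed against role profiles.

Added illustration, not code from the original page. The role names,
entitlement strings and users below are constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed role profiles: role -> entitlements that role requires.
ROLE_PROFILES: dict[str, set[str]] = {
    "developer": {"github:read", "github:write", "jira:user", "ci:run"},
    "team_lead": {"github:read", "github:write", "jira:admin", "ci:run",
                  "hr:timesheet_approve"},
    "finance_analyst": {"erp:ap_read", "erp:reports"},
}


@dataclass
class Identity:
    user_id: str
    roles: set[str] = field(default_factory=set)
    entitlements: set[str] = field(default_factory=set)
    active: bool = True


def required_access(roles: set[str]) -> set[str]:
    """Union of everything the given roles require."""
    required: set[str] = set()
    for role in roles:
        required |= ROLE_PROFILES[role]
    return required


def joiner(user_id: str, roles: set[str]) -> Identity:
    """Birthright provisioning: grant exactly the role profile, nothing more."""
    return Identity(user_id, set(roles), required_access(roles))


def mover(ident: Identity, new_roles: set[str]) -> tuple[set[str], set[str]]:
    """Role change: reconcile current access to the new profile.

    Everything not required by the new roles is revoked (including access
    accumulated earlier); everything newly required is granted.
    Returns (granted, revoked) for the audit log / target-system push.
    """
    target = required_access(new_roles)
    granted = target - ident.entitlements
    revoked = ident.entitlements - target
    ident.roles = set(new_roles)
    ident.entitlements = target
    return granted, revoked


def naive_mover(ident: Identity, new_roles: set[str]) -> None:
    """The 'add only' anti-pattern: new access is granted, old access is never
    reviewed. This is how role creep happens."""
    ident.roles = set(new_roles)
    ident.entitlements |= required_access(new_roles)


def leaver(ident: Identity) -> set[str]:
    """Termination: disable and strip every entitlement. Returns what was revoked."""
    revoked = set(ident.entitlements)
    ident.active = False
    ident.entitlements.clear()
    return revoked


def excess_access(ident: Identity) -> set[str]:
    """Entitlements held beyond what the current roles require: the finding
    an access review should surface."""
    return ident.entitlements - required_access(ident.roles)


if __name__ == "__main__":
    alice = joiner("alice", {"developer"})
    print("reconciling mover (granted, revoked):", mover(alice, {"team_lead"}))
    bob = joiner("bob", {"developer"})
    naive_mover(bob, {"team_lead"})
    print("bob's excess access after naive mover:", excess_access(bob))
```

Run as a script: alice ends with exactly the team-lead profile, while bob keeps the `jira:user` entitlement that his new role does not require, which is the accumulation an access review would later have to catch.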
Compliance Drivers
IGA programs are often initiated for compliance reasons, but the security value extends well beyond checkbox compliance.
- SOX Section 404: Requires documented controls over financial systems access, quarterly access reviews, and segregation of duties between transaction initiators and approvers
- PCI DSS Req 7 & 8: Restrict access to cardholder data to business need-to-know; review user access rights at least every 6 months
- HIPAA: Minimum necessary access principle; access review and workforce clearance procedures; unique user identification (no shared accounts)
- GDPR: Data access limitations; the right to erasure requires knowing every system where personal data lives
- Average enterprise uses 100+ SaaS applications — manual access governance at this scale is impossible without IGA tooling
- Orphaned accounts (former employee accounts left active) represent both a compliance violation and an attack surface — documented in virtually every breach investigation
2. Role-Based & Attribute-Based Access Control
RBAC: Role-Based Access Control
RBAC assigns permissions to roles, then assigns users to roles. It's the most widely deployed access control model and the default approach for most enterprise applications.
- Role Design: Roles should map to job functions, not individual people. "Finance Analyst," "Sales Manager," "DevOps Engineer" — not "John's Permissions."
- Role Mining: Analyze existing access patterns to discover de-facto roles. If 50 developers all have the same set of permissions, that's a role waiting to be formalized.
- Role Explosion Problem: Unconstrained RBAC leads to hundreds or thousands of roles, often more granular than necessary. Aim for manageable role counts by keeping roles broad enough to be reusable.
- Role Certification: Periodically certify that each role's permission set is still appropriate — roles accumulate permissions over time just like users do.
- Segregation of Duties: Define mutually exclusive roles (cannot be assigned together) — e.g., "AP Invoicing" and "AP Payment Authorization" should not be held by the same person.
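As an added example (not code from the original page), the block below implements the RBAC model described in this list: permissions attached to roles, an authorization check, a preventive segregation-of-duties check at grant time, a detective scan for toxic combinations already present, and a role-mining pass that groups users with identical permission sets into candidate roles. The role catalogue, permission strings, SoD rule and users are constructed for the illustration.

```python
"""RBAC with segregation-of-duties enforcement and a simple role-mining pass.

Added example, not from the original page. The role catalogue, SoD rules and
users are constructed for illustration.
"""
from __future__ import annotations
from collections import defaultdict

# Constructed role catalogue: role -> permissions.
ROLES: dict[str, set[str]] = {
    "ap_invoicing": {"erp:invoice.create", "erp:invoice.submit"},
    "ap_payment_auth": {"erp:payment.approve"},
    "finance_analyst": {"erp:reports.read"},
    "developer": {"git:push", "ci:run"},
}

# Mutually exclusive role pairs (the AP invoicing / payment authorization example).
SOD_RULES: list[tuple[str, str]] = [("ap_invoicing", "ap_payment_auth")]


def permissions_for(roles: set[str]) -> set[str]:
    perms: set[str] = set()
    for role in roles:
        perms |= ROLES[role]
    return perms


def is_allowed(roles: set[str], permission: str) -> bool:
    """Authorization decision: allowed iff one of the user's roles carries the permission."""
    return permission in permissions_for(roles)


def sod_conflicts(roles: set[str]) -> list[tuple[str, str]]:
    return [(a, b) for a, b in SOD_RULES if a in roles and b in roles]


def assign_role(assignments: dict[str, set[str]], user: str, role: str) -> None:
    """Preventive control: refuse a grant that would create a toxic combination."""
    candidate = assignments.get(user, set()) | {role}
    conflicts = sod_conflicts(candidate)
    if conflicts:
        a, b = conflicts[0]
        raise ValueError(f"SoD conflict for {user}: {a} + {b}")
    assignments[user] = candidate


def sod_violations(assignments: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Detective control: scan existing assignments (e.g. after a bulk import)."""
    return [(user, a, b)
            for user, roles in assignments.items()
            for a, b in sod_conflicts(roles)]


def mine_roles(user_permissions: dict[str, set[str]], min_users: int = 3):
    """Role mining: users with identical permission sets form a candidate role.
    Returns [(permission_set, sorted_users)] for groups of at least min_users."""
    groups: dict[frozenset[str], list[str]] = defaultdict(list)
    for user, perms in user_permissions.items():
        groups[frozenset(perms)].append(user)
    return [(set(perms), sorted(users))
            for perms, users in groups.items() if len(users) >= min_users]
```

The preventive check in `assign_role` is what stops the conflict from ever existing; `sod_violations` is the detective counterpart an access review or SoD report would run over assignments that arrived through other channels.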
ABAC: Attribute-Based Access Control
ABAC grants access based on attributes of the user, resource, action, and environment — enabling much finer-grained and context-aware access decisions than RBAC alone.
- User Attributes: Department, job title, security clearance, geographic location, employment status, project membership
- Resource Attributes: Data classification (Confidential, Restricted), business unit, project, data sensitivity labels
- Environmental Conditions: Time of day, network location (on-prem vs remote), device compliance status, risk score
- Example Policy: "ALLOW access to patient records IF user.department = 'Clinical' AND user.clearance >= 'PHI' AND device.compliant = true AND time.hour BETWEEN 7 AND 20"
- ABAC is the model underlying Zero Trust — continuous, context-aware authorization rather than static role assignment
- XACML (eXtensible Access Control Markup Language) and OPA (Open Policy Agent) are the most common ways to express and enforce ABAC policies (XACML as a standard policy language, OPA as an open-source policy engine)
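The example policy quoted in this list, implemented as a small policy decision point. This is an added example, not code from the original page or from any policy engine: the policy is expressed as data (attribute path, operator, expected value) and evaluated with default deny, so a missing or malformed attribute fails the request rather than being skipped. The clearance ordering and the request contexts are constructed assumptions.

```python
"""ABAC policy decision point for the patient-records policy quoted above.

Added example, not from the original page. The clearance ordering and the
request contexts are constructed assumptions; the rule itself mirrors the
page's example policy.
"""
from __future__ import annotations
from typing import Any

# Constructed ordering so that `user.clearance >= 'PHI'` is a meaningful comparison.
CLEARANCE_ORDER = ["Public", "Internal", "Confidential", "PHI"]


def clearance_gte(actual: str, required: str) -> bool:
    return CLEARANCE_ORDER.index(actual) >= CLEARANCE_ORDER.index(required)


OPERATORS = {
    "eq": lambda actual, expected: actual == expected,
    "clearance_gte": clearance_gte,
    "between": lambda actual, bounds: bounds[0] <= actual <= bounds[1],
}

# The page's policy, expressed as data: (attribute path, operator, expected value).
PATIENT_RECORDS_POLICY = {
    "resource_type": "patient_record",
    "action": "read",
    "conditions": [
        ("user.department", "eq", "Clinical"),
        ("user.clearance", "clearance_gte", "PHI"),
        ("device.compliant", "eq", True),
        ("time.hour", "between", (7, 20)),
    ],
}


def lookup(ctx: dict[str, Any], path: str) -> Any:
    """Resolve 'user.department' against the nested request context."""
    node: Any = ctx
    for part in path.split("."):
        node = node[part]          # KeyError if the attribute is absent
    return node


def evaluate(policy: dict[str, Any], ctx: dict[str, Any]) -> tuple[str, str | None]:
    """Return ("ALLOW", None) or ("DENY", reason). Default deny: a missing or
    malformed attribute fails its condition instead of being skipped."""
    if ctx["resource"]["type"] != policy["resource_type"] or ctx["action"] != policy["action"]:
        return "DENY", "policy not applicable"
    for path, op, expected in policy["conditions"]:
        try:
            ok = OPERATORS[op](lookup(ctx, path), expected)
        except (KeyError, ValueError, TypeError):
            ok = False
        if not ok:
            return "DENY", f"{path} {op} {expected!r}"
    return "ALLOW", None


def request(department="Clinical", clearance="PHI", compliant=True, hour=10) -> dict[str, Any]:
    """Build a constructed request context for the example."""
    return {
        "action": "read",
        "user": {"department": department, "clearance": clearance},
        "resource": {"type": "patient_record", "id": "rec-42"},
        "device": {"compliant": compliant},
        "time": {"hour": hour},
    }


if __name__ == "__main__":
    print(evaluate(PATIENT_RECORDS_POLICY, request()))
    print(evaluate(PATIENT_RECORDS_POLICY, request(compliant=False)))
    print(evaluate(PATIENT_RECORDS_POLICY, request(hour=22)))
```

Returning the first failed condition alongside the decision is what makes the policy auditable: a denial for a non-compliant device is distinguishable from one caused by an out-of-hours request, which matters when reviewing logs or tuning the rule.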
| Model | Access Decision Basis | Flexibility | Management Complexity | Best Use Case |
|---|---|---|---|---|
| RBAC | Role assignment | Low — binary role membership | Low-Medium — roles manageable at scale | Standard enterprise applications, ERP, HR systems |
| ABAC | User, resource, and environment attributes | High — fine-grained, contextual | High — policy authoring requires expertise | Zero Trust, cloud data platforms, healthcare |
| PBAC (Policy-Based) | Centralized policy engine | Very High — arbitrary logic | Very High — centralized policy governance | Multi-cloud, microservices, complex regulatory environments |
| ReBAC (Relationship-Based) | Graph relationships between entities | High — handles hierarchies naturally | Medium — graph model is intuitive for some cases | Google Zanzibar-style document sharing, social platforms |
3. Access Reviews & Certification
Review Design & Cadence
Access reviews are periodic certifications that each user's access is still appropriate. Done well, they catch role creep, orphaned accounts, and SoD violations; done poorly, they become checkbox exercises that reviewers rubber-stamp.
- Manager-Driven Reviews: Each manager certifies the access of their direct reports. Managers understand what their team members actually need — IT does not.
- Risk-Based Prioritization: Review high-privilege access (admin, financial, PHI) quarterly. Review standard user access semi-annually. Low-risk access may be annual.
- Automated Recertification: Low-risk, well-governed roles with no recent changes can be auto-certified based on policy rules, freeing reviewer time for high-risk decisions.
- Default Deny on Non-Response: If a reviewer does not respond to a review request within the deadline, the access is automatically revoked. Removes the rubber-stamp problem.
- Role Certification: In addition to user access reviews, certify role definitions — ensure each role's permission set is appropriate quarterly.
Access Review Workflow
A structured workflow ensures reviews are completed, decisions are documented, and remediation is automated — not dependent on human follow-through.
- Notify: IGA platform sends email to each reviewer with a list of access items to certify, context about each entitlement, and deadline
- Review: Reviewer sees user, application, entitlement, last login date, and risk indicators. Can approve (keep), revoke, or escalate to someone with better context.
- Approve or Revoke: Approvals are logged. Revocations trigger automatic deprovisioning — reviewer does not need to open a ticket or call IT.
- Escalate: High-risk items or uncertain decisions escalate to security team or application owner for second-level review.
- Report: Compliance reports generated automatically: who reviewed what, decisions made, access revoked, open items, SoD violations found.
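An added example (not code from the original page or from any IGA product) that models the review design and workflow above: risk-based cadence, the risk indicators shown to a reviewer, default deny on non-response once the deadline passes, automatic remediation actions for revocations and escalations, and the summary counts a compliance report needs. Users, applications, dates and the stale-login threshold are constructed; the 90/180/365-day cadences follow the guidance in this section.

```python
"""Access review campaign: risk-based cadence, reviewer decisions, default
deny on non-response, and automatic remediation actions.

Added example, not from the original page. Users, applications, dates and
the stale-login threshold are constructed; cadences follow the page.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Quarterly for high-risk, semi-annual for standard, annual for low-risk.
REVIEW_CADENCE_DAYS = {"high": 90, "standard": 180, "low": 365}
STALE_LOGIN_DAYS = 90   # constructed threshold for the "no recent login" indicator


@dataclass
class ReviewItem:
    user: str
    app: str
    entitlement: str
    risk: str                     # "high" | "standard" | "low"
    last_login: date | None
    decision: str | None = None   # "approve" | "revoke" | "escalate" | None (no response)


def due_for_review(risk: str, last_certified: date, today: date) -> bool:
    return (today - last_certified).days >= REVIEW_CADENCE_DAYS[risk]


def risk_indicators(item: ReviewItem, today: date) -> list[str]:
    """Context shown to the reviewer alongside the entitlement."""
    flags = []
    if item.last_login is None:
        flags.append("never logged in")
    elif (today - item.last_login).days > STALE_LOGIN_DAYS:
        flags.append(f"no login in {(today - item.last_login).days} days")
    if item.risk == "high":
        flags.append("privileged")
    return flags


def close_campaign(items: list[ReviewItem], today: date, deadline: date) -> list[tuple]:
    """Turn decisions into actions. Once the deadline has passed, every item
    with no decision is revoked (default deny): silence is not approval.
    Returns (action, user, app, entitlement, reason) tuples."""
    actions = []
    for item in items:
        if item.decision is None:
            if today <= deadline:
                continue                     # campaign still open, item stays pending
            item.decision = "revoke"
            reason = "no reviewer response by deadline"
        else:
            reason = "reviewer decision"
        if item.decision == "revoke":
            actions.append(("deprovision", item.user, item.app, item.entitlement, reason))
        elif item.decision == "escalate":
            actions.append(("second_level_review", item.user, item.app, item.entitlement, reason))
        else:
            actions.append(("certify", item.user, item.app, item.entitlement, reason))
    return actions


def campaign_report(items: list[ReviewItem]) -> dict[str, int]:
    """Compliance summary: counts per outcome plus still-open items."""
    report = {"approve": 0, "revoke": 0, "escalate": 0, "open": 0}
    for item in items:
        report[item.decision or "open"] += 1
    return report


if __name__ == "__main__":
    today = date(2024, 4, 21)
    items = [  # constructed campaign
        ReviewItem("alice", "erp", "ap_payment_auth", "high", date(2024, 4, 1), "approve"),
        ReviewItem("bob", "erp", "ap_invoicing", "high", date(2023, 11, 2), None),
        ReviewItem("carol", "crm", "sales_read", "standard", None, "escalate"),
    ]
    for action in close_campaign(items, today, deadline=date(2024, 4, 20)):
        print(action)
    print(campaign_report(items))
```

Because revocations come out of `close_campaign` as `deprovision` actions, the remediation can be fed straight to the provisioning connector; nothing depends on the reviewer remembering to open a ticket.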
IGA Tooling for Access Reviews
Manual access reviews using spreadsheets do not scale beyond 50 users and fail audits. IGA platforms provide the workflow, automation, and evidence generation needed for compliance.
- SailPoint IdentityNow / IIQ: Market leader for enterprise IGA. Strong connector library, role management, policy enforcement, and compliance reporting. IdentityNow is cloud-native SaaS.
- Saviynt Enterprise Identity Cloud: Strong cloud application governance, converged IGA+PAM capabilities, AWS and Azure native integrations.
- One Identity Manager: Strong for hybrid environments with heavy Active Directory investment. Good for organizations without heavy SaaS footprint.
- Microsoft Entra ID Governance: Access reviews and entitlement management built into Azure AD. Good for Microsoft-heavy organizations.
- NIST 800-53 AC-2: Requires account management procedures including review, modification, disabling, and removal — IGA platforms generate this evidence automatically.
4. Automated Provisioning & Deprovisioning
SCIM: The Provisioning Standard
SCIM (System for Cross-domain Identity Management), defined in RFCs 7643 and 7644, is the industry standard API for automated account provisioning and deprovisioning across SaaS applications.
- SCIM defines a REST API and JSON schema for user and group objects — any SCIM-compliant app can receive automated provisioning from any SCIM-compliant IGA platform
- Core operations: Create (new hire), Read (sync), Update (attribute changes), Delete/Disable (termination)
- Group provisioning: SCIM Group objects map to application roles — IGA manages group membership, SCIM pushes it to the app
- Most major SaaS apps (Salesforce, Workday, ServiceNow, GitHub, Slack, Zoom) support SCIM provisioning via Okta, Azure AD, or direct IGA connector
- SCIM provisioning is event-driven: an HR system change triggers near-real-time provisioning, not a nightly batch job
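An added example of the SCIM exchange described above, not code from the original page or from any vendor's connector: an HR record is mapped to a SCIM 2.0 User resource (with the enterprise extension carrying department and manager), a mover is handled with a PATCH on the extension attribute, and a leaver is handled with a PATCH that sets `active` to false so the record survives for audit. The HR record and the in-memory service provider are constructed; the schema URNs, attribute names and PatchOp shape are those defined in RFC 7643 and RFC 7644.

```python
"""SCIM 2.0 provisioning: build a User resource from an HR record, update it
on a role change, and deprovision with a PATCH that sets active=false.

Added example, not from the original page. The HR record and the in-memory
service provider are constructed; the schema URNs, attribute names and
PatchOp shape are the ones defined in RFC 7643 / RFC 7644.
"""
from __future__ import annotations
import copy
from datetime import datetime, timezone

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

HR_RECORD = {  # constructed sample HR record
    "employee_id": "E1001", "email": "jdoe@example.com", "first_name": "Jane",
    "last_name": "Doe", "department": "Finance", "manager_id": "E0042",
    "status": "active",
}


def user_from_hr(hr: dict) -> dict:
    """Map an HR record to a SCIM User resource; externalId keys on the HR id."""
    return {
        "schemas": [SCIM_USER, SCIM_ENTERPRISE],
        "externalId": hr["employee_id"],
        "userName": hr["email"],
        "name": {"givenName": hr["first_name"], "familyName": hr["last_name"]},
        "emails": [{"value": hr["email"], "primary": True}],
        "active": hr["status"] == "active",
        SCIM_ENTERPRISE: {
            "employeeNumber": hr["employee_id"],
            "department": hr["department"],
            "manager": {"value": hr["manager_id"]},
        },
    }


def deactivate_patch() -> dict:
    """Leaver: disable rather than delete, so the identity record is retained for audit."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def department_patch(department: str) -> dict:
    """Mover: update an extension attribute; the path carries the schema URN prefix."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace",
                            "path": f"{SCIM_ENTERPRISE}:department",
                            "value": department}]}


class ScimServiceProvider:
    """Tiny in-memory stand-in for an application's /Users endpoint."""

    def __init__(self) -> None:
        self._users: dict[str, dict] = {}
        self._next = 1

    def create(self, resource: dict) -> dict:
        if SCIM_USER not in resource.get("schemas", []):
            raise ValueError("not a SCIM User resource")
        stored = copy.deepcopy(resource)
        stored["id"] = str(self._next)
        self._next += 1
        now = datetime.now(timezone.utc).isoformat()
        stored["meta"] = {"resourceType": "User", "created": now, "lastModified": now}
        self._users[stored["id"]] = stored
        return copy.deepcopy(stored)

    def get(self, user_id: str) -> dict:
        return copy.deepcopy(self._users[user_id])

    def patch(self, user_id: str, patch: dict) -> dict:
        if patch.get("schemas") != [SCIM_PATCH]:
            raise ValueError("PATCH body must declare the PatchOp schema")
        user = self._users[user_id]
        for op in patch["Operations"]:
            if op["op"] != "replace":
                raise ValueError(f"unsupported op {op['op']!r} in this example")
            path = op["path"]
            if ":" in path:                          # extension attribute (urn:...:attr)
                schema, attr = path.rsplit(":", 1)
                user.setdefault(schema, {})[attr] = op["value"]
            else:
                user[path] = op["value"]
        user["meta"]["lastModified"] = datetime.now(timezone.utc).isoformat()
        return copy.deepcopy(user)
```

Keying the resource on `externalId` is what lets the IGA platform correlate the application account back to the HR identity for later updates and for the termination PATCH, regardless of what `id` the application assigned.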
HRMS as Identity Source of Truth
The HR system (Workday, SuccessFactors, ADP, BambooHR) is the authoritative source of identity truth. When HR says someone is terminated, every downstream system must react immediately.
- IGA platforms poll or receive webhooks from HRMS for employee lifecycle events
- Attributes from HRMS (department, manager, job code, location, start/end date) drive automated access decisions
- Critical: termination events must trigger immediate disable, not wait for next day's batch run. Real-time webhook integration with HRMS is essential.
- Contractors and vendors often live outside the HRMS — establish a separate lifecycle process (often via ticketing or a secondary identity store) that is equally rigorous
- Rehire scenarios: ensure returning employees get a new access review cycle, not their old access automatically restored
| Attribute | Manual Provisioning | Automated SCIM Provisioning |
|---|---|---|
| Speed (new hire) | 1-5 days (IT ticket queue) | Minutes (event-driven) |
| Speed (termination) | Hours to days (manual process) | Seconds to minutes (immediate disable) |
| Accuracy | Error-prone, inconsistent across apps | Deterministic, policy-driven, consistent |
| Audit Trail | Inconsistent, often missing | Full event log: who provisioned what, when, why |
| SaaS Coverage | Limited — high-effort per app | Broad — one connector serves all SCIM apps |
| Compliance Evidence | Manual, spreadsheet-based | Automated reports for SOX/SOC 2/ISO 27001 |
| IT Staff Required | High — per-account manual work | Low — exception handling only |
Deprovisioning Latency is a Real Risk
The average organization takes 2-3 days to fully deprovision a terminated employee across all systems. During that window, the former employee retains access to email, file shares, SaaS apps, and potentially production infrastructure. IGA automation targets same-day deprovisioning. For high-risk terminations (involuntary, with system access), target minutes — not hours.
5. IGA Platforms & Compliance
Enterprise IGA Platforms
Enterprise IGA platforms provide the full lifecycle management, access review, role management, and compliance reporting capabilities needed at scale.
- SailPoint IdentityNow: Cloud-native IGA SaaS. Best connector library in the market (2000+ connectors). AI-based access recommendations and anomaly detection. SOC 2 and ISO 27001 compliance reporting built-in.
- SailPoint IdentityIQ: On-premises/private cloud version. Highly customizable with BeanShell/Java. Preferred for complex, highly regulated environments with unique requirements.
- Saviynt Enterprise Identity Cloud: Converged IGA and PAM. Strong cloud governance for AWS, Azure, GCP IAM. Real-time SoD conflict detection.
- One Identity Manager: Strong AD/Exchange/O365 integration. Good for organizations with Microsoft-heavy infrastructure that don't need heavy SaaS governance.
Microsoft Entra ID Governance
For organizations already invested in Microsoft 365 and Azure AD, Entra ID Governance provides native IGA capabilities without a separate IGA platform for many use cases.
- Access Reviews: Built-in access review campaigns for group membership, application role assignments, and privileged roles. Reviewers get email prompts with one-click approve/deny.
- Entitlement Management: Access packages bundle multiple permissions (groups, apps, SharePoint sites) that users can request. Catalog of packages with approval workflows and expiration.
- PIM (Privileged Identity Management): JIT access for Azure AD roles and Azure resource roles. Activation requires justification and can require MFA or approval.
- Lifecycle Workflows: Automate joiner/mover/leaver tasks (send welcome email, assign licenses, revoke access) triggered by HR attribute changes.
- Entra ID Governance is the right choice for primarily Microsoft environments; organizations with extensive non-Microsoft SaaS may still need a dedicated IGA platform for connector breadth.
Compliance Evidence Generation
IGA platforms are not just security tools — they are compliance evidence machines. Auditors for SOX, SOC 2, ISO 27001, and HIPAA need documentation that access is controlled and reviewed.
- SOX Audit Evidence: Automated export of quarterly access review completion rates, SoD violations found and remediated, privileged access list changes, terminated employee deprovisioning timeliness
- SOC 2 Type II: Continuous access monitoring evidence, change control for access grants, logical access reviews for CC6.2/CC6.3 controls
- ISO 27001 A.9: Access control policy compliance, user registration and deregistration procedures, management of privileged access rights
- HIPAA: Workforce clearance procedure evidence, minimum necessary access enforcement, unique user identification compliance
- IGA platforms generate these reports on demand — auditors get clean PDFs instead of teams spending weeks pulling spreadsheets from disparate systems
Every Day an Offboarded Account Remains Active is a Liability
Orphaned accounts — active credentials for terminated employees — are found in virtually every data breach investigation involving insider threat or credential-based attacks. Beyond the security risk, active accounts for departed employees are explicit compliance violations under SOX, HIPAA, and PCI DSS. An automated IGA deprovisioning workflow that triggers within minutes of an HR termination event is one of the highest-value, lowest-complexity security controls available. Automate it, test it monthly, and audit it quarterly.
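The deprovisioning-latency point made in section 4 and in the closing paragraph above can be turned into a recurring test. The block below is an added example, not code from the original page or from any IGA product: it joins HR termination events to per-system disable events, reports latency per target system, treats a missing disable event as an orphaned account, and flags SLA breaches. The log lines, system names, employee ids and SLA thresholds are constructed; the thresholds follow the "minutes for involuntary, same day otherwise" guidance from the page.

```python
"""Measure deprovisioning latency per target system against an SLA, from
HR termination events and per-system disable events.

Added example, not from the original page. The log lines, system names,
employee ids and SLA thresholds are constructed for illustration.
"""
from __future__ import annotations
from datetime import datetime, timedelta

# Constructed HR feed: employee_id,termination_type,timestamp (UTC, ISO 8601)
HR_TERMINATIONS = """\
E1001,involuntary,2024-03-04T09:00:00
E1002,voluntary,2024-03-04T17:30:00
"""

# Constructed disable events from target systems: system,employee_id,timestamp
DISABLE_EVENTS = """\
idp,E1001,2024-03-04T09:03:10
email,E1001,2024-03-04T09:04:00
vpn,E1001,2024-03-04T11:45:00
idp,E1002,2024-03-05T08:10:00
email,E1002,2024-03-05T08:12:00
"""

# Every terminated employee must be disabled in each of these systems.
REQUIRED_SYSTEMS = ["idp", "email", "vpn"]

# Constructed SLA: minutes for high-risk (involuntary) terminations, same day otherwise.
SLA = {"involuntary": timedelta(minutes=15), "voluntary": timedelta(hours=24)}


def parse_terminations(text: str) -> dict[str, tuple[str, datetime]]:
    out = {}
    for line in text.strip().splitlines():
        emp, kind, ts = line.split(",")
        out[emp] = (kind, datetime.fromisoformat(ts))
    return out


def parse_disables(text: str) -> dict[tuple[str, str], datetime]:
    out = {}
    for line in text.strip().splitlines():
        system, emp, ts = line.split(",")
        out[(system, emp)] = datetime.fromisoformat(ts)
    return out


def latency_report(terminations, disables, required_systems) -> list[dict]:
    """One row per (employee, system): latency in seconds, or None if the
    account was never disabled (an orphaned account), plus an SLA breach flag."""
    rows = []
    for emp, (kind, t_term) in terminations.items():
        for system in required_systems:
            t_disable = disables.get((system, emp))
            if t_disable is None:
                rows.append({"employee": emp, "system": system, "latency_s": None,
                             "breach": True, "orphaned": True})
                continue
            latency = t_disable - t_term
            rows.append({"employee": emp, "system": system,
                         "latency_s": int(latency.total_seconds()),
                         "breach": latency > SLA[kind], "orphaned": False})
    return rows


def findings(rows: list[dict]) -> list[dict]:
    """Rows that need follow-up: SLA breaches and orphaned accounts."""
    return [r for r in rows if r["breach"]]


if __name__ == "__main__":
    report = latency_report(parse_terminations(HR_TERMINATIONS),
                            parse_disables(DISABLE_EVENTS), REQUIRED_SYSTEMS)
    for row in findings(report):
        print(row)
```

Run monthly against real HR and connector logs, this is the test the closing paragraph calls for; the orphaned-account rows are the ones that matter most, since a system that never received the disable is exactly the gap a breach investigation later finds.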