What Is IGA?
Identity Governance and Administration (IGA) — sometimes called Identity Governance — focuses on ensuring that access rights across an organization are appropriate, properly authorized, and regularly reviewed. While IAM handles day-to-day authentication and access, IGA provides the governance layer that answers: "Should this person have this access?"
Core IGA Capabilities
- Access Requests: Self-service portals where users request access with approval workflows
- Access Certification: Periodic campaigns where managers review and confirm (or revoke) their team's access
- Role Management: Define and manage roles that bundle permissions for job functions
- Lifecycle Management: Automate joiner/mover/leaver processes as employees change roles or leave
- Segregation of Duties (SoD): Prevent toxic combinations of access that enable fraud
- Policy Enforcement: Enforce organizational access policies automatically
- Audit and Reporting: Provide evidence of access governance for auditors
Why IGA Matters
- Compliance: SOX, HIPAA, PCI DSS, and SOC 2 all require evidence that access is appropriate and regularly reviewed
- Reduce risk: Excess privileges accumulate over time ("privilege creep") as employees change roles
- Efficiency: Automate manual access provisioning and certification processes
- Visibility: Understand who has access to what across all systems
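An added example (not from the original page or any vendor's product): a minimal access review over constructed data that flags the SoD toxic combinations and privilege creep described above, plus access left behind by a leaver. All role names, entitlement names, rules and users are hypothetical.

```python
# Constructed sample data: every role, entitlement, rule and user is hypothetical.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"invoice.create", "vendor.view"},
    "ap_approver": {"invoice.approve", "vendor.view"},
    "it_admin": {"server.admin"},
}
# SoD rules: holding every entitlement in a set is a toxic combination.
SOD_RULES = {
    "create-and-approve-invoice": {"invoice.create", "invoice.approve"},
    "create-vendor-and-pay": {"vendor.create", "payment.release"},
}
USERS = [
    {"id": "alice", "roles": ["ap_clerk"],
     "entitlements": {"invoice.create", "vendor.view"}},
    # Mover: bob changed from ap_clerk to ap_approver but kept his old access.
    {"id": "bob", "roles": ["ap_approver"],
     "entitlements": {"invoice.create", "invoice.approve", "vendor.view"}},
    # Leaver: carol was terminated but an entitlement was never removed.
    {"id": "carol", "roles": [], "status": "terminated",
     "entitlements": {"server.admin"}},
]

def review_user(user):
    """Return a list of (finding_type, detail) tuples for one identity."""
    held = set(user["entitlements"])
    if user.get("status", "active") == "terminated":
        # Any access still held by a leaver is a finding in its own right.
        return [("leaver_access", sorted(held))] if held else []
    # Access the user's current roles justify.
    expected = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in user["roles"]))
    findings = []
    excess = held - expected  # held but not justified by a current role
    if excess:
        findings.append(("privilege_creep", sorted(excess)))
    for rule_name, combo in sorted(SOD_RULES.items()):
        if combo <= held:  # user holds the full toxic combination
            findings.append(("sod_violation", rule_name))
    return findings

def run_campaign(users):
    """Review every identity; return {user_id: findings} for users with findings."""
    results = {}
    for user in users:
        findings = review_user(user)
        if findings:
            results[user["id"]] = findings
    return results

if __name__ == "__main__":
    for user_id, findings in run_campaign(USERS).items():
        print(user_id, findings)
```

The output of such a review is what a certification campaign would put in front of a manager to confirm or revoke.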
IGA vs. IAM vs. PAM
| Discipline | Question | Focus |
|---|---|---|
| IAM | Can you authenticate? | Login, SSO, MFA |
| IGA | Should you have this access? | Governance, certification, lifecycle |
| PAM | Is your privileged access controlled? | Admin access, vaulting, sessions |
Leading IGA Vendors
Major IGA vendors include SailPoint, One Identity, Saviynt, Microsoft Entra ID Governance, Omada, and CyberArk (through its acquisition of Idaptive).