What Is Identity Governance and Administration?

By SC Editorial Intelligence, expert reviewed

Excessive access permissions create direct paths for both insider threats and compromised accounts to reach sensitive data. When employees change roles or leave the organization, orphaned accounts and lingering permissions expand the attack surface without security teams knowing who has access to what. Identity Governance and Administration (IGA) controls who gets access to what resources and ensures those decisions stay current.

Unlike privileged access management systems that control sessions once access is granted, IGA platforms make the upstream decisions about granting, maintaining, and removing access rights across enterprise systems. IGA combines three core functions: access governance (policy-driven decisions about appropriate access), access certification (formal reviews of existing permissions), and access provisioning (automated account and entitlement lifecycle management). The technology enforces separation of duties controls, manages role definitions, and provides audit trails for compliance reporting.

Access certification specifically refers to the formal process where designated reviewers attest that users' current access remains appropriate for their role. This differs from access reviews, which encompass broader ongoing monitoring activities including automated policy violations, risk scoring, and continuous compliance checking.

Why Identity Governance Matters

Access sprawl compounds over time as users accumulate permissions across multiple role changes, temporary project assignments, and system migrations. Without systematic review processes, privileged access spreads beyond the users who actually need it. The business impact shows up in compliance audit findings, regulatory penalties, and data breach exposure from accounts that should have been deprovisioned months earlier.

Regular certification cycles with clear accountability for each access decision reduce exposure through administrative oversight. The tradeoff is more work for managers and application owners; in return, security teams keep current visibility into who holds what access and can revoke a compromised account's permissions quickly during incident response instead of first having to work out what it could reach.

Core Capabilities

Policy-Driven Access Controls

IGA platforms enforce role-based access control (RBAC) and attribute-based access control (ABAC) policies that automatically assign permissions based on user attributes like department, title, and security clearance. Policy engines evaluate access requests against predefined rules and either auto-approve, auto-deny, or route requests for manual approval.

Separation of duties controls prevent users from holding conflicting roles that could enable fraud. For example, the same user cannot both initiate and approve financial transactions above defined thresholds. Test your SoD rules by running conflict reports monthly and investigating any violations that automated controls missed.
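The request-time policy evaluation and the monthly SoD conflict report described above, as an added example in Python (not code from the page or from any IGA product). The role model, the entitlement names, the single SoD rule and the privileged set are constructed sample data; the decision order (SoD conflict first, then privileged entitlements to manual review, then role grants) is the illustrative part.

```python
"""Policy engine for access requests: RBAC grant check plus separation-of-duties
(SoD) enforcement. Added example, not code from the page or any IGA product;
role model, entitlement names and the SoD rule below are constructed sample data."""
from dataclasses import dataclass, field

# Constructed role model: each role grants a set of entitlements.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"erp:invoice:create"},
    "ap_approver": {"erp:invoice:approve"},
    "analyst": {"bi:reports:read"},
}

# SoD rules: pairs of entitlements a single user may never hold together.
SOD_RULES = [("erp:invoice:create", "erp:invoice:approve")]

# Entitlements that always route to a human approver, even when a role grants them.
PRIVILEGED = {"erp:invoice:approve"}


@dataclass
class User:
    uid: str
    roles: set
    entitlements: set = field(default_factory=set)


def sod_violations(entitlements):
    """Return every SoD rule pair that the given entitlement set violates."""
    return [(a, b) for a, b in SOD_RULES if a in entitlements and b in entitlements]


def evaluate_request(user, entitlement):
    """Decide a request: returns ('approve' | 'deny' | 'review', reason).

    Order matters: an SoD conflict is denied before the role check, so a role
    that happens to grant the entitlement cannot override the control."""
    conflicts = sod_violations(user.entitlements | {entitlement})
    if conflicts:
        return "deny", f"SoD conflict {conflicts[0][0]} + {conflicts[0][1]}"
    if entitlement in PRIVILEGED:
        return "review", "privileged entitlement requires manual approval"
    granted_by_roles = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in user.roles))
    if entitlement in granted_by_roles:
        return "approve", "granted by role model"
    return "review", "outside role model"


def conflict_report(users):
    """The monthly report: users whose *current* entitlements already violate SoD,
    i.e. violations that slipped past request-time controls (direct grants, migrations)."""
    return {u.uid: sod_violations(u.entitlements)
            for u in users if sod_violations(u.entitlements)}


if __name__ == "__main__":
    alice = User("alice", {"ap_clerk"}, {"erp:invoice:create"})
    print(evaluate_request(alice, "erp:invoice:approve"))  # denied: SoD conflict
    eve = User("eve", set(), {"erp:invoice:create", "erp:invoice:approve"})
    print(conflict_report([alice, eve]))                    # only eve is in violation
```

The conflict report is what catches the violations the request path never saw: entitlements granted directly in the target system, inherited through a migration, or created by a role definition that was edited after the rule was written.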

Access Certification Workflows

Certification campaigns systematically review user access across applications and systems. The platform identifies reviewers (typically managers or application owners), generates lists of users and their current permissions, and presents certification decisions through web interfaces or email notifications.

Reviewers can certify (confirm access is appropriate), revoke (remove specific permissions), or escalate (request additional review) for each user-entitlement combination. The platform tracks response rates, sends reminder notifications, and automatically revokes access when certifications are not completed within defined timeframes.

Choose certification scope carefully: comprehensive reviews covering all access provide complete visibility but create reviewer fatigue. (Source: www.nist.gov) Risk-based approaches focusing on privileged accounts or recent access changes reduce workload but may miss dormant high-risk permissions. (Source: learn.microsoft.com)
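The certification workflow of the three paragraphs above (reviewer assignment, certify/revoke/escalate decisions, response tracking, auto-revoke on timeout) plus the completion check that revocations actually landed in the target system, as an added example in Python. This is not code from the page or from any IGA vendor; the users, managers, entitlements and the 14-day deadline are constructed.

```python
"""Certification campaign state: reviewer assignment, decisions, timeout auto-revoke,
and verification that revocations landed in the target system. Added example, not
the page's or any vendor's code; users, managers and entitlements are constructed."""
from datetime import date, timedelta

DEADLINE_DAYS = 14                               # constructed campaign deadline
DECISIONS = {"certify", "revoke", "escalate"}


def build_campaign(entitlements, managers, start):
    """One review item per user/entitlement pair, assigned to the user's manager."""
    due = start + timedelta(days=DEADLINE_DAYS)
    return [{"user": uid, "entitlement": ent, "reviewer": managers[uid],
             "decision": None, "due": due}
            for uid, ents in entitlements.items() for ent in sorted(ents)]


def record_decision(items, reviewer, user, entitlement, decision):
    """Record a decision; only the assigned reviewer may decide an item."""
    if decision not in DECISIONS:
        raise ValueError(f"unknown decision {decision!r}")
    for item in items:
        if item["user"] == user and item["entitlement"] == entitlement:
            if item["reviewer"] != reviewer:
                raise PermissionError(f"{reviewer} is not the assigned reviewer")
            item["decision"] = decision
            return item
    raise KeyError(f"no item for {user}/{entitlement}")


def completion_rate(items):
    """Fraction of items with a recorded decision (the response-rate metric)."""
    decided = sum(1 for i in items if i["decision"] is not None)
    return decided / len(items) if items else 1.0


def close_campaign(items, today):
    """Turn decisions into actions. Unanswered items past their due date are
    auto-revoked ('timeout'): the fail-closed default the text describes.
    Unanswered items still within the deadline are left open."""
    outcome = {"revoke": [], "escalate": [], "maintain": []}
    for item in items:
        decision = item["decision"]
        if decision is None:
            if today <= item["due"]:
                continue
            decision = "timeout"
        key = {"certify": "maintain", "revoke": "revoke",
               "timeout": "revoke", "escalate": "escalate"}[decision]
        outcome[key].append((item["user"], item["entitlement"], decision))
    return outcome


def unimplemented_revocations(revocations, target_entitlements):
    """Completion check: revocations the target system still shows as granted."""
    return [(u, e) for u, e, _ in revocations if e in target_entitlements.get(u, set())]


if __name__ == "__main__":
    items = build_campaign({"alice": {"erp:invoice:approve", "bi:reports:read"},
                            "bob": {"bi:reports:read"}},
                           {"alice": "mgr1", "bob": "mgr2"}, date(2024, 1, 1))
    record_decision(items, "mgr1", "alice", "erp:invoice:approve", "revoke")
    record_decision(items, "mgr1", "alice", "bi:reports:read", "certify")
    print(completion_rate(items))                      # bob's manager never answered
    print(close_campaign(items, date(2024, 1, 20)))    # bob's item times out -> revoke
```

The last function is the step most often skipped: a campaign is not complete when the reviewer clicks revoke, it is complete when the entitlement is gone from the target system, so the closing report should re-read the target and list anything still granted.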

Automated Provisioning and Deprovisioning

IGA connectors integrate with target systems to automatically create, modify, and delete user accounts when access decisions are made. Joiner-mover-leaver workflows trigger provisioning when HR systems report employee lifecycle changes. This eliminates manual account management tasks and ensures consistent policy enforcement across systems.

Automated deprovisioning closes the gap that opens when employees leave. Without it, terminated users' accounts often remain active for weeks or months after departure. Deprovision high-risk roles immediately and in full. For standard users, disable the account and revoke its credentials and active sessions at termination, then defer deletion of the account and its data for a defined retention window so mailboxes and files can be recovered if needed; "delayed deprovisioning" should never mean a leaver can still log in. (Source: www.ibm.com)
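The joiner-mover-leaver reconciliation of the two paragraphs above, as an added example in Python (not code from the page or from any IGA connector). It compares a constructed HR feed, treated as the authoritative source, with the accounts found in one target system and emits provisioning actions: create for joiners, modify for movers, disable immediately for every leaver, delete immediately for high-risk roles and only after a retention window for everyone else, and an orphan flag for accounts with no HR record at all. The role names, the high-risk set and the 30-day window are assumptions.

```python
"""Joiner-mover-leaver reconciliation: compare an HR feed (authoritative source)
with accounts in a target system and emit provisioning actions, with risk-tiered
deprovisioning and orphan detection. Added example, not the page's or any vendor's
code; the HR records, accounts, role names and grace period are constructed."""
from datetime import date, timedelta

HIGH_RISK_ROLES = {"domain_admin", "dba"}   # constructed: roles deleted immediately on exit
STANDARD_GRACE_DAYS = 30                     # constructed: retention window before deletion


def reconcile(hr_feed, accounts, today):
    """hr_feed:  uid -> {"status": "active"|"terminated", "role": str, "term_date": date|None}
    accounts: uid -> {"enabled": bool, "role": str}   (current state in the target system)
    Returns an ordered list of (action, uid, detail) tuples for the connector to apply."""
    actions = []
    for uid, rec in hr_feed.items():
        acct = accounts.get(uid)
        if rec["status"] == "active":
            if acct is None:                       # joiner: no account yet
                actions.append(("create", uid, rec["role"]))
            elif not acct["enabled"]:              # rehire / reactivation
                actions.append(("enable", uid, rec["role"]))
            elif acct["role"] != rec["role"]:      # mover: old role replaced, not stacked
                actions.append(("modify", uid, f"{acct['role']} -> {rec['role']}"))
            continue
        # leaver
        if acct is None:
            continue                               # nothing left to remove
        if acct["enabled"]:
            actions.append(("disable", uid, "terminated"))   # always immediate
        high_risk = rec["role"] in HIGH_RISK_ROLES or acct["role"] in HIGH_RISK_ROLES
        if high_risk:
            actions.append(("delete", uid, "high-risk role: immediate"))
        elif today >= rec["term_date"] + timedelta(days=STANDARD_GRACE_DAYS):
            actions.append(("delete", uid, "retention window expired"))
    for uid in accounts:                           # orphan: account with no HR record
        if uid not in hr_feed:
            actions.append(("orphan", uid, "no authoritative record; investigate"))
    return actions


if __name__ == "__main__":
    today = date(2024, 3, 1)
    hr = {  # constructed HR feed
        "alice": {"status": "active", "role": "developer", "term_date": None},
        "bob":   {"status": "active", "role": "analyst", "term_date": None},
        "dave":  {"status": "terminated", "role": "dba", "term_date": date(2024, 2, 29)},
        "erin":  {"status": "terminated", "role": "analyst", "term_date": date(2024, 2, 20)},
    }
    accounts = {  # constructed target-system state
        "alice": {"enabled": True, "role": "developer"},
        "dave":  {"enabled": True, "role": "dba"},
        "erin":  {"enabled": True, "role": "analyst"},
        "svc-legacy": {"enabled": True, "role": "analyst"},
    }
    for action in reconcile(hr, accounts, today):
        print(action)
```

Two details carry the security weight: the mover branch replaces the old role rather than adding to it, which is where role-change access sprawl comes from, and the orphan branch is the only thing that finds an account no HR record will ever trigger a leaver event for.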

Analytics and Risk Scoring

IGA platforms analyze access patterns to identify anomalies, unused permissions, and privilege escalation trends. Risk scoring algorithms consider factors like access volume, privileged entitlements, policy violations, and user behavior to prioritize security attention.

Analytics capabilities surface insights like users with excessive access compared to peer groups, applications with overprivileged service accounts, and roles that grant more permissions than typical users in those positions actually use. Use these analytics to refine role definitions and identify candidates for access reduction.
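The peer-group comparison and risk scoring described above, as an added example in Python (not code from the page or from any IGA product). Users are grouped by department and title, an entitlement is flagged as an outlier when fewer than half of a user's peers hold it, entitlements not exercised in 90 days count as unused, and the three signals are combined into a score that orders who to look at first. The user records, the privileged set, the thresholds and the weights are all constructed.

```python
"""Peer-group outlier analysis and risk scoring over user entitlements.
Added example, not the page's or any vendor's code; users, entitlements,
last-use dates, thresholds and scoring weights are constructed."""
from collections import Counter
from datetime import date

PRIVILEGED = {"prod:ssh", "erp:invoice:approve"}   # constructed privileged set
PEER_THRESHOLD = 0.5      # outlier if fewer than 50% of peers hold the entitlement
UNUSED_DAYS = 90          # unused if not exercised within this many days
WEIGHTS = {"privileged": 10, "outlier": 5, "unused": 3}


def peer_outliers(users, threshold=PEER_THRESHOLD):
    """Group by (department, title); flag entitlements rare within each group.
    A user with no peers is skipped rather than flagged: there is no baseline."""
    groups = {}
    for u in users:
        groups.setdefault((u["department"], u["title"]), []).append(u)
    result = {}
    for members in groups.values():
        if len(members) < 2:
            continue
        prevalence = Counter(e for m in members for e in m["entitlements"])
        for m in members:
            rare = {e for e in m["entitlements"]
                    if prevalence[e] / len(members) < threshold}
            if rare:
                result[m["uid"]] = rare
    return result


def unused_entitlements(user, today, max_idle=UNUSED_DAYS):
    """Entitlements never used, or not used within max_idle days."""
    last = user["last_used"]
    return {e for e in user["entitlements"]
            if last.get(e) is None or (today - last[e]).days > max_idle}


def risk_score(user, outliers, today):
    """Weighted count of privileged, outlier and unused entitlements."""
    ents = user["entitlements"]
    return (WEIGHTS["privileged"] * len(ents & PRIVILEGED)
            + WEIGHTS["outlier"] * len(outliers.get(user["uid"], set()))
            + WEIGHTS["unused"] * len(unused_entitlements(user, today)))


def prioritize(users, today):
    """Users by descending score, each with the evidence behind the number."""
    out = peer_outliers(users)
    ranked = [(u["uid"], risk_score(u, out, today), out.get(u["uid"], set()),
               unused_entitlements(u, today)) for u in users]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    today, recent = date(2024, 6, 1), date(2024, 5, 20)
    base = {"git:push": recent, "ci:read": recent}
    users = [  # constructed: four engineers, one of whom also holds prod:ssh
        {"uid": f"u{i}", "department": "eng", "title": "engineer",
         "entitlements": set(base), "last_used": dict(base)} for i in range(1, 4)]
    users.append({"uid": "u4", "department": "eng", "title": "engineer",
                  "entitlements": set(base) | {"prod:ssh"},
                  "last_used": {**base, "prod:ssh": date(2024, 1, 1)}})
    for row in prioritize(users, today):
        print(row)   # u4 first: privileged + outlier + unused prod:ssh
```

The output is a worklist, not a verdict: u4 may legitimately be the on-call engineer, which is exactly the kind of exception the certification reviewer should confirm and document rather than let the score decide.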

Getting Started Checklist

Inventory Current State

  • Catalog authoritative identity sources (HR systems, directories) and the target applications and systems that hold accounts
  • Export existing accounts and entitlements from each system and map them to the people or service owners responsible for them
  • Flag orphaned accounts, dormant accounts, and users whose access no longer matches their current role
  • Document how access is requested, approved, and removed today so gaps can be measured against the target process

Define Governance Framework

  • Establish access request approval workflows with clear decision criteria
  • Create separation of duties policies for critical business processes
  • Set certification frequencies (quarterly for privileged access, annually for standard users)
  • Define access review responsibilities by system and user population

Configure Platform Foundation

  • Integrate with authoritative identity sources (HR systems, Active Directory)
  • Connect to target applications through native connectors or APIs
  • Set up automated provisioning rules based on role assignments
  • Configure certification workflows with appropriate reviewer assignments

Implement Controls and Monitoring

  • Deploy automated deprovisioning for terminated employees
  • Enable policy violation monitoring and alerting
  • Establish metrics for certification completion rates and access remediation
  • Create audit reports for compliance documentation requirements

Pilot and Scale

  • Run initial certification campaign with limited scope
  • Validate automation workflows with test accounts
  • Train reviewers on certification decision criteria and platform usage
  • Expand coverage incrementally to additional systems and user populations

Test your readiness by running a mock certification campaign: can reviewers easily understand what access they're certifying and make informed decisions within your defined timeframes?

Diagram: Access Certification Lifecycle

Trigger events -> Reviewer assignment -> Access review -> Decision outcomes -> Remediation

  • Trigger events: scheduled cycle, risk threshold, policy violation, employee change
  • Reviewer assignment: manager-based, app owner-based, role-based, custom rules
  • Access review: the user's access, permissions, and entitlements presented in the review GUI
  • Decision outcomes: certify, revoke, escalate, no response
  • Remediation: maintain access, remove permissions, flag for investigation, auto-revoke (timeout)

Access Review Checklist

Review Scope Definition

  • Define user population (all users, privileged only, specific departments)
  • Select applications and systems for review
  • Set review period (current access vs. historical access patterns)
  • Identify sensitive entitlements requiring special attention

Reviewer Selection

  • Assign application owners for system-specific access
  • Designate managers for direct report access reviews
  • Identify data owners for sensitive information access
  • Configure backup reviewers for unavailable primary reviewers

Decision Criteria

  • Document job role requirements and appropriate access levels
  • Define criteria for revoking unused or excessive permissions
  • Establish escalation paths for uncertain certification decisions
  • Set standards for documenting exception approvals

Exception Handling

  • Create process for temporary access extensions
  • Define approval requirements for policy violations
  • Establish risk acceptance procedures for business-critical exceptions
  • Document remediation timelines for identified access issues

Completion Verification

  • Track reviewer response rates and send reminder notifications
  • Verify that revocation decisions are implemented in target systems
  • Document certification results for audit and compliance purposes
  • Schedule follow-up reviews for escalated or exception cases

This content was reviewed and approved by a cybersecurity practitioner participating in CyberRisk Alliance's Expert Review Program. Reviewers assess technical accuracy, relevance, and alignment with current industry practices.