Identity Governance and Administration (IGA) promised to answer the fundamental question: “Who has access to what?” Yet despite significant investments and years of implementation efforts, IGA has largely failed to meet enterprise expectations. This failure stems from a complex interplay of expanding scope, organizational challenges, and technological limitations that have undermined IGA’s core mission.
The Original Promise
IGA emerged as a solution to improve the provisioning process-granting and removing access privileges while maintaining comprehensive records for compliance purposes. The passage of Sarbanes-Oxley made tracking access approvals mandatory for publicly traded companies, creating a regulatory imperative that drove adoption across industries.
The initial vision was straightforward: implement processes covering requests, approvals, grants, attestation, and removal to provide a comprehensive understanding of relationships between people and resources. However, this seemingly simple mission quickly expanded into something far more complex.
Why IGA Has Failed to Deliver
Scope Creep and Expanding Expectations
What began as a focused provisioning solution rapidly expanded to encompass governance and administration. This expansion extended IGA’s reach into human resource management, service desk operations, risk management, and security. As IGA’s tendrils grew into identity management and resource definition, the scope became increasingly unwieldy.
The early integration with Information Technology Infrastructure Library (ITIL) proved inadequate, particularly regarding identity management. While ITIL captured resource data effectively, it fell short in addressing the complexities of identity management. This technical perspective missed crucial business activities that trigger access changes-hiring, promotions, transfers, suspensions, and terminations-creating significant gaps in the governance framework.
The Business-Technology Disconnect
Perhaps the most fundamental failure of IGA lies in the disconnect between business and technology teams:
-
Business leaders focus externally, prioritizing revenue and market position over internal management processes
-
Technologists implement without guidance, making decisions that should be business-driven when business input is absent or insufficient
-
Compliance becomes a checkbox exercise rather than a strategic initiative, with original motivations diminishing over time
This divide has transformed IGA from a strategic enabler to a compliance burden, with enterprise risk management frequently sacrificed for speed-to-market demands.
Organizational Complexity Defies Modeling
IGA implementations typically assume consistent business models that can neatly categorize people and associate them with resource sets. However, modern organizations rarely fit these rigid structures:
-
Traditional hierarchies with pyramid structures and clear reporting lines
-
Matrix management creating mesh-like networks of relationships
-
Flat organizations with distributed decision-making
-
Hybrid approaches that combine multiple organizational models
The reality is that organizations continuously evolve, merge, split, and reorganize in response to market conditions. Building a digital twin of such dynamic entities within an IGA product is extraordinarily challenging, yet essential for effective governance.
Insider Threat Exposure
The piecemeal approach to information capture has exposed organizations to insider threats. Beyond regulatory compliance issues, this creates vulnerability to intellectual property theft and exposure of sensitive customer information, potentially causing significant brand damage.
The Governance Challenge
IGA introduced the concept of a closed-loop system where all activities interact within an overarching information framework. This approach brought critical concepts into focus:
-
Authority and ownership for both resources and identities
-
Data management across increasingly complex environments
-
Process and data ownership throughout the organization
However, these governance principles often clash with business realities. Business principals frequently reject responsibility for these relationships, even though such responsibility is implicit in organizational structures. They struggle to see connections between decisions and downstream effects, creating governance gaps that undermine IGA effectiveness.
Unlock the Secrets to Successful IGA
Join our live webinar to discover how to overcome these common challenges. Our industry experts will share actionable strategies to improve security and compliance. Participate in an interactive Q&A and learn how to transform your organization’s IGA approach. Register now!
Recent Comments