Identity Governance and Administration (IGA)

What identity governance and administration (IGA) actually is, what it includes, how it relates to IAM and SSO, and when a company needs a dedicated IGA tool.

4 min read · Last updated June 2026

Identity governance and administration (IGA) is the discipline of controlling who has access to what across an organization's apps and systems, and proving it. It covers provisioning, access requests, access reviews and certifications, policy enforcement, and the audit trail. IGA is the governance layer on top of authentication (SSO and IAM).

Also known as: IGA, Identity Governance, Identity Administration

Identity Governance and Administration (IGA) is the layer of identity management that decides what access exists, who approves changes to it, and how to prove it later. It sits on top of authentication (IAM) and covers provisioning, access certifications, access requests, audit trails, and policy enforcement across every system a user can touch.

A working IGA program answers four questions at any moment.

  1. Who has access to what?
  2. Why do they have it?
  3. Is it still appropriate?
  4. Can we prove the answer to an auditor?

If a company can't answer these without manually digging through admin panels and spreadsheets, the IGA layer is missing or broken.

What IGA includes

The components are well-defined, even if vendors emphasize them differently.

Provisioning and deprovisioning. Granting and revoking access across apps as people join, change roles, and leave. Covers human identities, contractors, and non-human identities (service accounts, API keys, AI agents).

Access requests. The flow that runs when someone needs access beyond their birthright bundle. Routing, approval, audit trail.

Access certifications (also called access reviews). Periodic or continuous review of who has what, with explicit approve-or-remove decisions per entitlement.

Policy enforcement. Role-based access control (RBAC), attribute-based policies (ABAC), separation of duties (SoD) rules, segregation between sensitive resource access.

Audit trail. A timestamped record of every grant, change, and revocation, mapped to the policy that authorized it.

Identity lifecycle. Joiner-mover-leaver (JML) flows triggered from the HRIS or another authoritative source.

How IGA differs from IAM and SSO

IAM (Identity and Access Management) is the broader category covering authentication, authorization, and access management. SSO (Single Sign-On) is a specific IAM capability: a user authenticates once and gains access to multiple systems through federated tokens.

IGA is the governance layer on top of IAM. SSO answers "can this person log in?" IGA answers "should they have this access in the first place, and how do we prove we made that decision deliberately?"

In practice, most companies have IAM and SSO running (Okta, Entra, Auth0, Google Workspace) and then face a separate decision about IGA. The two categories are increasingly bundled (Okta Identity Governance, Entra ID Governance), but the depth of governance varies significantly across products.

When a company needs dedicated IGA

The signal is usually one of these.

  • 50+ employees with 30+ SaaS apps, and growing
  • Compliance pressure (SOC 2, ISO 27001, HIPAA, NERC CIP, ITAR, FDA) with audit deadlines approaching
  • A near-miss involving access: ex-employee with active credentials, contractor with persistent access, orphaned service account
  • A board or customer questionnaire that asks about access governance specifically
  • An IT manager who can't generate a current "who has access to X" report inside an hour

Before these signals, manual identity work (spreadsheet access reviews, Slack-based access requests, runbook offboarding) is usually sufficient. After, the manual approach starts to break, and the gaps accumulate into audit risk.

How IGA tools compare

Three categories often get confused.

Legacy enterprise IGA. SailPoint, Saviynt, Oracle Identity Governance. Built for 5,000+ employee organizations. Multi-month implementations, dedicated administrators, $300K+ entry pricing. Configuration-deep, slow to change.

Modern IGA, SCIM-first. Lumos, ConductorOne, Zluri, Opal. Designed for cloud-native SaaS stacks. Provisioning through SCIM where apps support it; ticket-based fallback for the rest. Faster to deploy than legacy. Coverage limited to SCIM-supported apps in practice.

Modern IGA, full-coverage. Iden. Built to govern SCIM apps, API-supported apps, browser-only admin panels, custom internal apps, and non-human identities. No SCIM-tier upgrade required. Designed for 50 to 2,000 employee companies.

The category gap between Okta's SSO and SailPoint's enterprise IGA is where most mid-market teams currently operate, often without realizing it. The IGA work is happening; it's just being done manually.

Common adjacent terms

Often used interchangeably with IGA or as components of it.

  • Identity Lifecycle Management (ILM). Narrower: the joiner-mover-leaver portion of IGA.
  • Access Management. Narrower: the runtime authorization layer.
  • Identity Provisioning. Narrower: the create-and-modify-user portion.
  • Access Certification. The periodic-review portion of IGA.
  • Privileged Access Management (PAM). Adjacent: focused on elevated credentials specifically.
  • Customer Identity and Access Management (CIAM). Adjacent: external-user-facing identity, distinct from workforce identity.

These are not synonyms. They're components, adjacent disciplines, or subsets.

Frequently asked questions

Is IGA the same as IAM?

No. IAM (Identity and Access Management) is the broader category that includes authentication and runtime authorization. IGA (Identity Governance and Administration) is the governance layer on top: who should have access, who approved it, and how to prove it later. Most companies have IAM through their SSO and discover the IGA gap separately.

Do we need IGA if we already have Okta or Microsoft Entra?

Often yes. Okta and Entra include lifecycle features that handle SCIM-supported apps, which is about 20% of the average mid-market stack. The remaining 80% (non-SCIM SaaS, internal admin panels, legacy systems, contractors, non-human identities) is where IGA work concentrates. SSO handles authentication; IGA handles governance for everything that lives past authentication.

Is IGA only relevant for large enterprises?

No. The legacy IGA category (SailPoint, Saviynt) was built for 5,000+ employee organizations and remains overkill for most mid-market companies. Modern IGA tools cover the same governance scope at a fraction of the complexity and price. Most companies hit the IGA wall between 50 and 200 employees.

What standards does IGA usually involve?

Provisioning protocols: SCIM (System for Cross-domain Identity Management). Authentication protocols: SAML 2.0, OpenID Connect (OIDC), OAuth 2.0. Access control models: RBAC (role-based), ABAC (attribute-based), PBAC (policy-based). Compliance frameworks that reference IGA controls: SOC 2 (CC6), ISO 27001 (A.5.15-A.5.18), HIPAA (§164.308), NIST 800-53, PCI DSS, NERC CIP, ITAR.

What's the difference between IGA and PAM?

PAM (Privileged Access Management) is the subset of identity work that focuses on highly elevated credentials (root, domain admin, database superuser). IGA covers all access, including the regular employee access PAM doesn't bother with. The two overlap: just-in-time (JIT) access patterns appear in both, and modern IGA tools include PAM-like features. PAM tools (CyberArk, BeyondTrust) tend to specialize in vaulting and session brokering; IGA tools tend to specialize in lifecycle and certifications.

What's the difference between IGA and IAM?

IAM is the umbrella category for authentication, authorization, and access management. IGA is the governance discipline within IAM that handles provisioning, certifications, audit, and policy. SSO is an IAM capability; IGA is a separate discipline that operates alongside SSO.

Can a company run IGA without a tool?

Up to a point. Spreadsheet-based access reviews, Slack-based access requests, runbook offboarding, and manual provisioning constitute manual IGA. They work for small companies with limited app stacks. They break down somewhere between 50 and 300 employees, depending on stack complexity and compliance pressure. The break shows up as audit findings, orphaned accounts, and IT teams running out of bandwidth.