Most security and IT leaders will tell you they need identity governance, but very few will say they love their identity governance and administration (IGA) platform. Despite a crowded vendor market, too many programs end up slow, brittle, and widely disliked. This article unpacks why IGA projects so often disappoint, and what a future-ready approach to identity governance, automation, and risk management needs to look like.
Key Findings at a Glance
- Identity is at the center of modern breaches: over the past decade, roughly a third of breaches have involved stolen credentials, and the 2024 Verizon DBIR shows the human element (errors, phishing, misuse) in about 68% of breaches. (verizon.com)
- SaaS sprawl has outpaced most governance programs: recent benchmarks put the average organization at around 100+ SaaS apps, with companies of 200-749 employees typically using close to 100 applications, far more than most IGA/SSO stacks actually automate. (sellerscommerce.com)
- Coverage is the dirty secret: many "modern IGA" and SSO tools only fully automate the apps that expose robust SCIM/APIs, leaving the other 80% (often the tools people live in all day) stuck in manual provisioning and hope-based offboarding.
- Machine identities have quietly taken over: new research shows there are roughly 82 machine identities for every human one, and around 42% of those machine identities hold privileged or sensitive access, yet most programs still define "privileged user" as human-only. (cyberark.com)
- Identity-related incidents are now the norm: one global survey found 93% of organizations had at least two identity-related breaches in the previous 12 months, underscoring that governance gaps are not theoretical. (cyberark.com)
- The IGA experience gap is structural, not cosmetic: industry analyses consistently point to failed implementations driven by integration pain, starting with the hardest use cases, poor data quality, and reviewer resistance: problems a nicer UI alone cannot solve. (cyberark.com)
Insight 1: Governance Built for Auditors, Not Operators
Stop Treating Identity Governance as a One-Off Compliance Project
If you look at how most IGA programs start, it's no wonder so few people love them.
Many initiatives are kicked off for a simple reason: an audit finding, a new regulation, or a looming certification like SOC 2, ISO 27001, or NIS2. Identity governance gets framed as an identity compliance checkbox, not an operational capability. The result is a massive project that tries to solve everything at once, often starting with the hardest part.
Industry practitioners have been highlighting the same failure modes for years:
- Starting with full-blown provisioning: CyberArk notes that when IGA projects begin with provisioning (building role models, access catalogs, approval workflows, and deep integrations across dozens of apps), it can take months or years before end users see any value. (cyberark.com)
- Integration overload: Legacy platforms expect you to wire every HR system, directory, and business app into the IGA engine. For anything beyond the top-tier apps, that often means custom connector development, long PS engagements, and an island of "too hard to integrate" systems that stay manual. (cyberark.com)
- Access reviews that nobody can actually do: Managers are handed spreadsheets or clunky UIs with hundreds or thousands of entitlements they don't understand. Faced with impossible workloads and opaque descriptions, they rubber-stamp certifications, or ignore them entirely. (cyberark.com)
From the operator's seat (an IT manager with a three-person team at a 400-employee company), this doesn't feel like help. It feels like another system to babysit, with yet another backlog of access requests and reviews.
If Your IGA Only Wins at Audit Time, You've Already Lost
When identity governance is scoped as "the thing that gets us through the audit," everyone optimizes for the wrong outcome:
- Auditors see evidence. You can export CSVs of who has access to what. Campaigns technically complete.
- Operators see more work. They're still manually provisioning 40+ apps that sit outside SCIM support or pre-built connectors, chasing managers for certifications, and reconciling broken data.
- End users see friction. Access requests sit in queues. People join and wait days for production access. Contractors leave and keep licenses for months.
In that model, no one is going to say "I love my IGA." At best, they'll say "It keeps the auditors off our back."
A future-ready governance model has to invert this:
- Start from operator and end-user experience (fast onboarding, sane access requests, clean offboarding) and treat audit evidence as an automatic side effect.
- Measure success in reduced manual tickets, faster time-to-access, and fewer identity incidents, not just "number of campaigns run."
- Design governance that a lean IT team at a 200-1,000 person company can actually run without a dedicated IGA admin or a permanent consultant bench.
Insight 2: The SCIM Wall and the 80% Coverage Gap
Admit That Your "Single Pane of Glass" Only Sees a Slice of Reality
Most IGA and identity management vendors still sell a familiar promise: a single pane of glass for identity governance across your environment. In practice, that pane rarely covers your real stack.
Recent SaaS management benchmarks put the average company at around 100+ SaaS applications, with organizations in the 200-749 employee range typically using roughly 96-103 apps. (sellerscommerce.com) Add infrastructure platforms, developer tools, data platforms, OT systems, and line-of-business apps, and the true number of identities and entitlements balloons.
Now compare that to what most IGA suites and SSO tools can actually automate:
- They rely heavily on SCIM support or rich REST APIs.
- Many productivity and collaboration tools gate SCIM behind expensive enterprise tiers.
- Long-tail SaaS and internal apps may have no connector at all.
Iden's own experience with growing companies is blunt: in most environments, traditional tools automate about 20% of the app stack; the other 80% stays manual. That's the coverage problem.
So you end up with:
- A nice dashboard that shows clean identity data for a minority of apps.
- A shadow world of spreadsheets, email approvals, and ad hoc scripts for everything else.
- Entire categories (SaaS tools on non-enterprise plans, niche team apps, internal systems) completely outside the governance orbit.
That's not a single pane of glass. It's one pane, plus a lot of frosted windows.
When 80% of Access Stays Manual, Least Privilege Is a Fairy Tale
Organizations talk a lot about least privilege and adaptive access. On paper, the principle is simple: grant only what's needed, nothing more, and adjust as risk changes.
But if your governance and identity automation only see a fraction of real access, least privilege remains mostly a slideware concept:
- Offboarding is incomplete. HR marks a leaver. Your IdP disables SSO accounts and revokes access in SCIM-compliant apps, but dozens of unmanaged SaaS tools still have active accounts and licenses.
- Access control policies are partial. You can enforce groups and roles in a handful of systems, while project tools, design platforms, and data collaboration apps still use ad hoc admin decisions.
- Identity risk management is skewed. Dashboards show neat risk scores on the governed slice of your environment while "unknown unknowns" proliferate elsewhere, exactly where attackers go looking.
Combine that with SaaS governance data points showing that roughly half of SaaS licenses go unused and a large share of apps are adopted outside IT, and you get explosive identity sprawl: too many accounts, too many entitlements, too little control. (pactalert.com)
If you want people to genuinely like their IGA, coverage has to be non-negotiable:
- Govern every app you actually use, not just those with perfect SCIM support.
- Treat SaaS governance and cloud governance as part of identity governance, not separate problems.
- Make sure your "single pane of glass" is also a single place to orchestrate actions (provision, deprovision, modify, attest), not just observe.
This is why Iden's own positioning leans so hard on "coverage beyond SCIM/API" and automated joiner-mover-leaver workflows across 175+ apps, including tools with no native SCIM, no APIs, or non-enterprise plans. Without that, you can't realistically talk about least privilege or reliable offboarding.
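The coverage and offboarding gaps described in this section can be measured rather than guessed at. The script below is an added example written for this article; it is not Iden's code or any vendor's connector. It assumes you can export an HR roster and a per-app account list (even a manual CSV export from an app with no API), and it uses constructed sample data: four apps, two of which are connector-automated and two of which are manual. It reports the automated share of the stack, leaver accounts still active anywhere, and active accounts with no HR identity behind them, split by whether the app is automated or manual.

```python
from dataclasses import dataclass

# Constructed sample data (not from the article): HR roster keyed by e-mail.
HR_ROSTER = {
    "ana@example.com": "active",
    "bo@example.com": "terminated",
    "cy@example.com": "active",
    "di@example.com": "terminated",
}


@dataclass
class App:
    name: str
    automated: bool   # True when a SCIM/API connector drives joiner-mover-leaver
    accounts: dict    # account id (usually e-mail) -> "active" or "disabled"


# Constructed per-app account exports.
APPS = [
    App("sso-idp", True, {
        "ana@example.com": "active", "bo@example.com": "disabled",
        "cy@example.com": "active", "di@example.com": "disabled"}),
    App("crm", True, {
        "ana@example.com": "active", "bo@example.com": "disabled"}),
    App("design-tool", False, {   # team plan without SCIM: offboarding is manual
        "ana@example.com": "active", "bo@example.com": "active"}),
    App("ci-server", False, {     # internal tool with no API: manual as well
        "cy@example.com": "active", "di@example.com": "active",
        "svc-deploy": "active"}),
]


def coverage(apps):
    """Share of the app stack whose lifecycle is connector-automated."""
    return sum(1 for a in apps if a.automated) / len(apps)


def lingering_leavers(hr, apps):
    """Accounts still active in an app although HR shows the person as terminated."""
    return sorted(
        (a.name, acct)
        for a in apps
        for acct, state in a.accounts.items()
        if state == "active" and hr.get(acct) == "terminated"
    )


def orphaned_accounts(hr, apps):
    """Active accounts with no matching HR identity at all (often service accounts)."""
    return sorted(
        (a.name, acct)
        for a in apps
        for acct, state in a.accounts.items()
        if state == "active" and acct not in hr
    )


def gap_report(hr, apps):
    """Group findings by whether the app is automated or manual; the manual
    bucket is where the 'hope-based offboarding' problem shows up."""
    by_name = {a.name: a for a in apps}
    findings = lingering_leavers(hr, apps) + orphaned_accounts(hr, apps)
    return {
        "coverage": coverage(apps),
        "automated": [f for f in findings if by_name[f[0]].automated],
        "manual": [f for f in findings if not by_name[f[0]].automated],
    }


if __name__ == "__main__":
    print(gap_report(HR_ROSTER, APPS))
```

On the sample data every finding lands in the manual bucket: the two automated apps disabled the leavers on schedule, while the design tool and CI server still have active leaver accounts and an unowned service account. That split is the number to ask for when a vendor quotes "full coverage".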
Insight 3: Human-Centric Governance in a Machine-First World
Expand Identity Governance Beyond Employees to Service Accounts, Bots and OT
Most IGA implementations still think in human terms: employees, contractors, maybe partners. But the fastest-growing part of your identity estate isn't people.
Recent CyberArk research found that machine identities now outnumber human identities by roughly 82 to 1, driven by cloud workloads, microservices, APIs, and AI agents. At the same time, about 42% of those machine identities hold sensitive or privileged access, and yet around 88% of organizations still define "privileged user" as human-only. (cyberark.com)
Another survey from the same ecosystem reports that 93% of organizations experienced at least two identity-related breaches in the previous year, with machine identities cited as the riskiest identity type. (cyberark.com)
In other words:
- Service accounts, API tokens, secrets, and certificates now drive a huge share of production access.
- These non-human identities control critical paths: payments, data pipelines, OT control systems, and AI workloads.
- Yet they often sit outside the traditional IGA design and its access control policies.
If your identity governance stops at "users in Active Directory plus a few SaaS groups," you're governing yesterday's environment.
Ignoring Machine Identities Turns Governance into a Partial Control
From a risk and compliance standpoint, leaving non-human identities outside your IGA platform undermines everything else you do:
- OT security and production access: Hard-coded credentials and unmanaged service accounts in industrial environments become a blind spot that no amount of user attestation can fix.
- Audit trails and audit readiness: You might have beautiful logs for user access, but no unified trail for which bots, jobs, or AI agents touched which systems and data: a major problem for regulations with strong data sovereignty and accountability requirements.
- Policy enforcement gaps: Your access control policies say "only this role can access customer data," but machine identities with broad privileges bypass those intent-level rules.
Modern identity governance has to treat humans, service accounts, workloads, and AI agents as first-class citizens:
- Model them all as identities with lifecycle, ownership, and risk.
- Apply least privilege, just-in-time, and adaptive security controls to each category.
- Integrate with PAM, certificate management, and secrets management so your IGA view of "who can do what" is truly complete.
This is exactly where Iden's own roadmap leans: "all identities, every access, human or machine, with lifecycle control more granular than SCIM and no gaps," delivered either by extending existing IGA tools or through a modern, agentic governance platform.
Insight 4: Governance Without Orchestration Just Adds Another Dashboard
Static Workflows and Manual Reviews Can't Keep Up with Identity Risk
Traditional IGA is great at describing who has access. It's much less capable of orchestrating change at the speed your environment moves.
Meanwhile, attackers are happily exploiting identity weaknesses:
- Across recent Verizon DBIR analyses, stolen credentials have been the top initial access vector in around half of breaches, ahead of phishing and vulnerability exploits. (verizon.com)
- Over the past decade, stolen credentials have appeared in roughly 31% of all breaches, and the human element (error, social engineering, misuse) factors into about two-thirds of incidents. (verizon.com)
- Forrester estimates that around 80% of breaches involve misuse or abuse of privileged accounts, often due to privilege creep and overbroad access. (forbes.com)
When your response is quarterly or annual access reviews plus slow-moving change tickets, you're playing identity risk management on a huge delay.
Common patterns we still see:
- Static birthright access: Joiners get a large bundle of access "just in case," rarely tuned back as their role changes.
- Privilege creep: Access requests are approved without context because managers don't have time or the right UI, accumulating into toxic combinations that break least privilege.
- Manual exception handling: Every unusual access request turns into a ticket routed through IT, even when it's low risk and could be automated.
Without strong identity orchestration and automation, identity governance becomes a reporting function: useful for post-incident analysis and audits, but weak for real-time defense.
The Future: Policy-Driven Identity Automation Across Your Real Stack
A governance platform people might actually like has to behave less like a static system of record and more like an automation and orchestration engine for identities:
- Policy-driven identity automation: Translate access control policies (who should have which access, under what conditions) into executable workflows that drive account provisioning, deprovisioning, and modifications across all your systems.
- Real-time signals and adaptive access: Use HR events, device posture, location, and behavioral anomalies to adjust access dynamically, tightening production access when risk is high and granting temporary just-in-time elevation when justified.
- End-to-end JML orchestration: Joiner, mover, and leaver flows should run continuously from HR or ITSM systems through SSO/IdP, PAM, OT systems, and SaaS tools, not as a patchwork of scripts and tickets.
- Continuous governance instead of campaign-only: Automatically detect orphaned accounts, zombie privileges, and violations of separation-of-duties policies, then trigger remediation flows, rather than waiting for the next quarterly review.
This is where the market is quietly heading: identity governance as an identity orchestration fabric across your IdP (e.g., Okta), legacy IGA, PAM, SaaS management, and custom systems. Integration matters, but so does the ability to act: to update entitlements, close gaps, and produce immutable audit trails as a byproduct.
Iden's own approach reflects this shift: plug-and-play connectors that extend existing IGA platforms like SailPoint, Saviynt, SAP, Okta, Oracle, Microsoft, or One Identity, or an Evolve platform that provides automated JML, continuous governance, access reviews, and audit evidence, designed to go live in minutes, not quarters, and to be run by lean IT teams without extra headcount.
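To make "continuous governance instead of campaign-only" concrete, here is an added example (written for this article, not Iden's or any IGA product's code) of the two checks the list above names that a quarterly review tends to miss: separation-of-duties violations and zombie privileges. It assumes a grant export with last-use timestamps, a list of which entitlements count as privileged, and a rule set of entitlement pairs no one identity may hold together; all of the data is constructed, and the entitlement names, the 90-day idle threshold and the fixed "today" are assumptions for the demo. The last function turns findings into a remediation queue rather than a report.

```python
from datetime import date

TODAY = date(2025, 1, 15)   # fixed so the run is deterministic
MAX_IDLE_DAYS = 90          # privileged entitlement idle this long counts as zombie

# Constructed grant export: who holds what, and when it was last exercised.
GRANTS = [
    {"identity": "ana@example.com", "entitlement": "ap:create-vendor",   "last_used": date(2025, 1, 10)},
    {"identity": "ana@example.com", "entitlement": "ap:approve-payment", "last_used": date(2025, 1, 12)},
    {"identity": "cy@example.com",  "entitlement": "prod:db-admin",      "last_used": date(2024, 9, 1)},
    {"identity": "cy@example.com",  "entitlement": "crm:read",           "last_used": date(2025, 1, 14)},
    {"identity": "svc-etl",         "entitlement": "prod:db-admin",      "last_used": date(2025, 1, 13)},
    {"identity": "svc-report",      "entitlement": "prod:db-admin",      "last_used": None},  # never used
]

PRIVILEGED = {"prod:db-admin", "ap:approve-payment"}

# Separation-of-duties rules: no single identity may hold both sides of a pair.
SOD_RULES = [("ap:create-vendor", "ap:approve-payment")]


def entitlements_by_identity(grants):
    held = {}
    for g in grants:
        held.setdefault(g["identity"], set()).add(g["entitlement"])
    return held


def sod_violations(grants, rules):
    """Identities holding both entitlements of any SoD rule (toxic combinations)."""
    held = entitlements_by_identity(grants)
    return sorted(
        (ident, rule)
        for ident, ents in held.items()
        for rule in rules
        if rule[0] in ents and rule[1] in ents
    )


def zombie_privileges(grants, privileged, today, max_idle_days):
    """Privileged entitlements that were never used or idle past the threshold.
    Returns (identity, entitlement, idle_days) with idle_days None for never-used."""
    found = []
    for g in grants:
        if g["entitlement"] not in privileged:
            continue
        idle = None if g["last_used"] is None else (today - g["last_used"]).days
        if idle is None or idle > max_idle_days:
            found.append((g["identity"], g["entitlement"], idle))
    return sorted(found, key=lambda f: (f[0], f[1]))


def plan_remediation(grants, rules, privileged, today, max_idle_days):
    """Turn findings into actions a workflow engine could execute immediately,
    each carrying the reason that becomes the audit trail."""
    actions = []
    for ident, (a, b) in sod_violations(grants, rules):
        # Revoke the approval side of the pair; the owner can re-request with justification.
        actions.append({"action": "revoke", "identity": ident, "entitlement": b,
                        "reason": f"SoD: holds both {a} and {b}"})
    for ident, ent, idle in zombie_privileges(grants, privileged, today, max_idle_days):
        why = "never used" if idle is None else f"unused for {idle} days"
        actions.append({"action": "revoke", "identity": ident, "entitlement": ent,
                        "reason": why})
    return actions


if __name__ == "__main__":
    for action in plan_remediation(GRANTS, SOD_RULES, PRIVILEGED, TODAY, MAX_IDLE_DAYS):
        print(action)
```

Run daily against a fresh grant export, this produces three revocations on the sample data: one SoD conflict and two dormant database-admin grants, one of them on a service account that never used the privilege at all. A campaign-only review would surface the same grants months later, if the reviewer noticed them.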
Conclusion and Next Steps: How to Stop Hating Your IGA
If your honest reaction to your current IGA is "necessary evil," you're not alone. But status quo governance isn't compatible with a world of:
- 100+ SaaS apps per company
- 80+ machine identities for every human
- Breaches dominated by credential abuse and privilege misuse
To move from "we have an IGA tool" to "we actually trust and like our identity governance," a few practical steps help:
Redefine what "good" looks like.
- Go beyond audit pass/fail. Track metrics like: reduction in manual access tickets, time-to-first-day access, number of orphaned accounts, and mean time to remediate identity risks.
Map your real identity landscape.
- Catalog not just users and groups, but non-human identities, service accounts, AI agents, and OT/production access paths. If they're out of scope for your IGA, that's a governance gap by definition.
Interrogate coverage claims.
- For each vendor (including your current one), ask: How many of my top 50 apps can you fully automate, including fine-grained permissions, on the plans we actually own, not just enterprise tiers with SCIM support?
Prioritize orchestration, not just visibility.
- Look for platforms that can execute your access control policies: trigger account provisioning, revoke access on leaver events, orchestrate access requests, and generate audit-ready evidence automatically.
Consider "extend vs. replace."
- If you already have a legacy IGA suite embedded for certifications, it may be more realistic to extend it with modern connectors and orchestration than to rip and replace. That's the philosophy behind Iden's "Extend" approach: wrapping existing IGA with AI-driven, fully managed connectors.
Design for lean teams.
- Assume you will not get a dedicated IGA admin. Favor tools that go live in hours or days, with zero custom code, so a 2-5 person IT team can own identity governance end-to-end.
Identity governance is too important to be something everyone quietly resents. The organizations that get ahead will be the ones who treat IGA not as a once-a-year compliance exercise, but as a continuous, automated layer of identity security, spanning humans and machines, SaaS and OT, cloud and on-prem, with policies you can explain and automation you can trust.
Frequently Asked Questions
How is identity governance different from SSO or PAM?
Single sign-on (SSO)/IdPs like Okta focus on authentication and user convenience: who can log in, using which factors. Privileged access management (PAM) focuses on protecting high-risk admin and production access: session control, password vaulting, just-in-time elevation.
Identity governance and administration (IGA) sits above both:
- It defines and enforces who should have access to what, across regular and privileged accounts, human and non-human identities.
- It handles lifecycle events (joiner, mover, leaver), access requests, certifications, and policy enforcement for least privilege.
- It provides audit trails and evidence for identity compliance and regulatory frameworks.
In a mature program, SSO, PAM, and IGA are integrated: the governance layer drives policies and automation; SSO and PAM enforce them at login and during privileged sessions.
Can we fix our existing IGA, or do we have to replace it?
In many organizations, ripping out a legacy IGA is unrealistic: too much sunk cost, too many existing integrations. The more practical approach is often:
- Stabilize the core: Keep using your existing IGA for what it's already decent at (e.g., access reviews in a few critical systems).
- Extend coverage: Add modern, fully managed connectors and orchestration to bring in the 80% of apps and non-human identities that were previously out of scope.
- Automate the JML basics: Start with high-impact flows like onboarding, offboarding, and contractor management across all major apps.
This "extend rather than replace" pattern is why tools like Iden's connectors exist, plugging into platforms such as SailPoint, Saviynt, SAP, Okta, Oracle, Microsoft, or One Identity to deliver deeper coverage and automation without restarting your entire program.
What's the right way to bring non-human identities into governance?
Treat non-human identities as first-class identities with:
- An owner and accountable team.
- A defined purpose and permitted scope (which systems, which data, what actions).
- Lifecycle events (creation, rotation, decommissioning) just like human accounts.
Practically, that means:
- Integrating your IGA with PAM, secrets management, and certificate management so you can see and control service accounts, keys, and certificates.
- Applying least privilege and just-in-time models to machine identities as well as users.
- Including machine identities in your identity risk management dashboards and remediation workflows, not just in separate specialist tools.
Given that machine identities already outnumber humans by more than 80:1 and a large fraction hold privileged access, leaving them outside governance is no longer acceptable. (cyberark.com)
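The three requirements above (an owner, a declared scope, and lifecycle events) translate directly into checks you can run over a machine-identity inventory. The script below is an added example for this answer, not Iden's code or any PAM or secrets-management product's API. It assumes an inventory record per non-human identity with owner, scope, credential issue date, optional expiry and enabled flag, plus the current set of active human identities from HR; all data is constructed, and the 90-day rotation policy and fixed date are assumptions for the demo. It flags ownerless or orphan-owned identities, undeclared scope, overdue rotation, and identities past their expiry that are still enabled.

```python
from datetime import date

TODAY = date(2025, 1, 15)        # fixed so the run is deterministic
MAX_CREDENTIAL_AGE_DAYS = 90     # assumed rotation policy for machine credentials

# Constructed: human identities HR currently reports as active.
ACTIVE_HUMANS = {"ana@example.com", "cy@example.com"}

# Constructed machine-identity inventory. Fields mirror the requirements in the
# answer above: accountable owner, declared scope, lifecycle dates.
MACHINE_IDENTITIES = [
    {"id": "svc-etl", "owner": "ana@example.com", "scope": ["prod:warehouse-read"],
     "privileged": False, "credential_issued": date(2024, 12, 1), "expires_on": None, "enabled": True},
    {"id": "svc-deploy", "owner": "bo@example.com", "scope": ["prod:db-admin"],     # owner has left
     "privileged": True, "credential_issued": date(2024, 6, 1), "expires_on": None, "enabled": True},
    {"id": "bot-slack-demo", "owner": None, "scope": [],                              # nobody owns it
     "privileged": False, "credential_issued": date(2024, 11, 1), "expires_on": date(2024, 12, 31), "enabled": True},
    {"id": "agent-summarizer", "owner": "cy@example.com", "scope": ["crm:read"],
     "privileged": False, "credential_issued": date(2025, 1, 2), "expires_on": None, "enabled": True},
]


def audit_machine_identities(inventory, active_humans, today, max_age_days):
    """Return (identity, issue) pairs for every lifecycle or ownership gap found."""
    findings = []
    for m in inventory:
        # Ownership: someone accountable must exist and still be with the company.
        if not m["owner"]:
            findings.append((m["id"], "no owner"))
        elif m["owner"] not in active_humans:
            findings.append((m["id"], "owner no longer active"))
        # Purpose: an identity with no declared scope cannot be least-privilege checked.
        if not m["scope"]:
            findings.append((m["id"], "no declared scope"))
        # Rotation: credentials older than policy are overdue.
        age = (today - m["credential_issued"]).days
        if age > max_age_days:
            findings.append((m["id"], f"credential {age} days old, rotation overdue"))
        # Decommissioning: an expired identity that is still enabled was never cleaned up.
        if m["enabled"] and m["expires_on"] and m["expires_on"] < today:
            findings.append((m["id"], "past expiry but still enabled"))
    return findings


def privileged_with_findings(inventory, findings):
    """Privileged machine identities that have at least one finding: the ones to fix first."""
    flagged = {ident for ident, _ in findings}
    return sorted(m["id"] for m in inventory if m["privileged"] and m["id"] in flagged)


if __name__ == "__main__":
    found = audit_machine_identities(MACHINE_IDENTITIES, ACTIVE_HUMANS, TODAY, MAX_CREDENTIAL_AGE_DAYS)
    for item in found:
        print(item)
    print("fix first:", privileged_with_findings(MACHINE_IDENTITIES, found))
```

On the sample inventory the privileged deployment account is the one to fix first: its owner has left and its credential is well past the rotation window, which is exactly the combination that turns an unmanaged service account into a blind spot. Feeding these findings into the same remediation workflows used for human accounts is what brings machine identities into governance rather than into a separate tool.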
Where do least privilege and zero trust fit into IGA?
Least privilege and zero trust are security principles; identity governance is one of the main ways you operationalize them.
- IGA defines who should have which baseline access (roles, groups, policies) and enforces that across systems.
- It orchestrates account provisioning and deprovisioning so users and machines don't quietly accumulate excessive privileges.
- Integrated with IdPs and PAM, it supports adaptive access, adjusting permissions based on risk signals, device state, or context.
Without accurate, automated identity governance, least privilege and zero trust remain mostly aspirational. With strong governance, they become concrete: stricter access control policies, faster removal of unnecessary rights, and better resilience when credentials are inevitably phished, guessed, or leaked.