Identity governance and administration (IGA)
What is identity governance and administration (IGA)?
Identity Governance and Administration (IGA) is a policy-based approach to managing digital identities and their access rights within an organization. It combines identity administration (creating, modifying, and deactivating user accounts and entitlements) with identity governance (defining and enforcing policies, performing access reviews, and ensuring compliance).
Key components of IGA include user provisioning/de-provisioning, role management, access certifications (periodic reviews of who has access to what), and audit reporting. The goal of IGA is to ensure that every identity’s access is not only appropriate for their role but also reviewed and approved in line with business policies and regulatory requirements.
In essence, while IAM is about the mechanisms of authentication and authorization, IGA focuses on oversight: who should have access to what, and whether that access was granted through proper approval processes.
How does it affect identity security?
IGA is crucial for identity security because it provides visibility and control over access across the entire organization. Without governance, users accumulate permissions over time (“permission creep”), or accounts might remain active after users depart – both scenarios create security vulnerabilities. IGA addresses this by enforcing the joiner-mover-leaver processes: new identities get the right access, changes in roles trigger access updates, and departures result in timely access removal.
It also involves regularly reviewing access rights; for example, managers must certify that their team’s access to sensitive systems is still justified. This reduces the chance of orphaned accounts or unnecessary high privileges that attackers could exploit. Notably, a large percentage of breaches involve misuse of credentials or excess privileges – one report found that over half of breaches stemmed from stolen or misused credentials. IGA directly tackles that risk by ensuring approvals and reviews for access, preventing uncontrolled privilege sprawl.
In summary, IGA strengthens security by marrying identity management with compliance and oversight, ensuring security teams and business managers collectively keep access risks in check.
Case study
A case that underlines the need for IGA is the 2019 incident involving security companies Avast and NordVPN, where intrusions were traced back to forgotten or dormant accounts. In Avast’s situation, attackers leveraged a VPN profile account that had been erroneously left active and did not require 2FA to infiltrate the network. Both Avast and NordVPN disclosed that “forgotten or unknown user accounts” – essentially orphaned accounts with valid credentials – were the entry point for breaches.
These incidents highlight a failure in identity governance: had there been strict oversight and regular cleanup of accounts, those dormant access paths would have been closed. Following the breach, Avast invalidated and reset all internal credentials and tightened its access policies.
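As an added example (not part of the original page or any vendor's product), the following sketch reconciles an account export against an HR roster to flag the orphaned, leaver-owned, dormant and MFA-less accounts discussed above. The field names, the 90-day dormancy threshold and the sample records are assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample data (not from the page): an HR roster and an account export.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated"},
}
ACCOUNTS = [
    {"id": "alice", "owner": "alice", "last_login": date(2024, 5, 28), "mfa": True},
    {"id": "bob", "owner": "bob", "last_login": date(2024, 5, 1), "mfa": True},
    {"id": "vpn-temp", "owner": None, "last_login": date(2023, 11, 2), "mfa": False},
    {"id": "alice-adm", "owner": "alice", "last_login": date(2024, 1, 10), "mfa": False},
]


def review_accounts(accounts, roster, today, dormant_days=90):
    """Return {account_id: [findings]} for accounts that need governance action."""
    findings = {}
    for acct in accounts:
        issues = []
        owner = acct["owner"]
        # Joiner-mover-leaver check: every account must map to an active identity.
        if owner is None or owner not in roster:
            issues.append("orphaned: no owner in HR roster")
        elif roster[owner]["status"] != "active":
            issues.append("leaver: owner no longer active")
        # Dormancy check: unused accounts are candidates for removal.
        if acct["last_login"] is None:
            issues.append("dormant: never used")
        elif (today - acct["last_login"]).days > dormant_days:
            issues.append(f"dormant: no login for over {dormant_days} days")
        # Policy check: accounts that can authenticate without a second factor.
        if not acct["mfa"]:
            issues.append("no MFA enrolled")
        if issues:
            findings[acct["id"]] = issues
    return findings


if __name__ == "__main__":
    report = review_accounts(ACCOUNTS, HR_ROSTER, today=date(2024, 6, 1))
    for acct_id, issues in report.items():
        print(f"{acct_id}: {'; '.join(issues)}")
```

Feeding the findings into an access certification queue, rather than disabling accounts automatically, keeps the business owner in the approval loop.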