
IAM Governance & Compliance


IAM governance is the framework of policies, processes, and controls that ensure identity and access management operates effectively, transparently, and in compliance with regulatory requirements. Governance answers the question: “How do we know our IAM controls are working?”

While identity management and access management are the “doing” parts of IAM — creating identities, provisioning accounts, authenticating users — governance is the “checking” part. It verifies that the doing is correct, complete, and compliant. Without governance, IAM becomes chaotic: orphan accounts accumulate, privileges creep, access reviews become rubber-stamping exercises, and audit findings pile up.

Why IAM Governance Matters

The consequences of poor IAM governance are severe and well-documented:

  • Insider threats — Former employees with active accounts (the 2024 Data Breach Investigations Report found that insider threats account for over 30% of breaches, many involving orphaned accounts)
  • Regulatory penalties — GDPR fines of up to €20M or 4% of annual revenue; HIPAA penalties of up to $50K per violation
  • Audit failures — SOX Section 404 requires management to assess internal controls over financial reporting; IAM failures are the most common material weakness
  • Fraud — Absence of segregation of duties enables financial fraud (the average occupational fraud case lasts 12 months before detection — ACFE Report)

Caution

Regulators do not accept “we trust our administrators” as a control. Governance provides provable, auditable evidence that access controls are working. Every access grant, every permission change, every review decision must be recorded, attributable, and reviewable.

Core Governance Processes

Access Certification (Access Reviews)

Access certification is the periodic review of user entitlements by resource owners and managers. It is the single most important governance process — the mechanism by which organisations confirm that current access is appropriate.

The Certification Lifecycle:

```mermaid
graph TD
    A[Identify All Active Entitlements] --> B[Group by Reviewer]
    B --> C[Assign Reviewers]
    C --> D[Open Review Campaign]
    D --> E[Email Reviewers with Dashboard Link]
    E --> F{Reviewer Action}
    F -->|Certify Access| G[Record Approval with Timestamp]
    F -->|Revoke Access| H[Trigger Automated Deprovisioning]
    F -->|No Action| I[Escalate after 7 Days]
    I -->|No Action| J[Escalate to Manager]
    J -->|No Action| K[Auto-Certify or Auto-Revoke?]

    H --> L[Verify Remediation Complete]
    L --> M[Close Remediation Ticket]
    G --> N[Generate Campaign Report]
    M --> N
    K --> N
```

Certification Best Practices:

| Practice | Rationale | Implementation |
|---|---|---|
| Risk-based frequency | High-risk access reviewed more often | Admin access: quarterly; Standard access: annually; Low-risk: biennially |
| Automated reminders | Prevent campaign bottlenecks | Day 0: invitation; Day 7: reminder; Day 14: escalation to manager; Day 21: escalation to compliance |
| Closed-loop remediation | Ensure revoked access is actually removed | Automated verification 24h after revocation; re-check at campaign close |
| Separation of duties | Reviewer independence | Reviewer must be different from the person who granted the access |
| Evidence preservation | Audit readiness | Store all certification records for a minimum of 3 years (or per regulatory requirement) |
| Peer review | Catch rubber-stamping | Reviewers must provide justification for certify decisions on high-risk access |
| Manager attestation | Accountability | Direct managers certify their direct reports’ access; application owners certify application-level access |
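As an added illustration (not code from the original page or any IGA product), this Python sketch models the certification lifecycle and practices above: the Day 0/7/14/21 escalation ladder, the reviewer-independence check, the justification requirement for high-risk certify decisions, and the 24-hour closed-loop verification of revocations. The `ReviewItem` fields, the `still_present` callback standing in for a target-system connector, and the report keys are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional

# Reminder/escalation schedule from the "Automated reminders" practice (days after campaign open).
ESCALATION = [(0, "invitation"), (7, "reminder"), (14, "escalate_manager"), (21, "escalate_compliance")]

@dataclass
class ReviewItem:                         # assumed data model, not an IGA product's schema
    user: str
    entitlement: str
    reviewer: str
    granted_by: str                       # who originally approved the grant
    high_risk: bool = False
    decision: Optional[str] = None        # "certify", "revoke" or None while open
    decided_on: Optional[date] = None
    remediation_verified: bool = False

def validate_reviewer(item: ReviewItem) -> None:
    # Reviewer independence: the person who granted the access must not certify it.
    if item.reviewer == item.granted_by:
        raise ValueError(f"{item.reviewer} granted {item.entitlement} to {item.user} and cannot review it")

def escalation_stage(opened: date, today: date, item: ReviewItem) -> str:
    """Which notification an open item is due for on `today`; 'closed' once a decision exists."""
    if item.decision is not None:
        return "closed"
    elapsed = max(0, (today - opened).days)
    return [name for day, name in ESCALATION if elapsed >= day][-1]

def record_decision(item: ReviewItem, decision: str, on: date, justification: str = "") -> None:
    # Anti-rubber-stamping: certifying high-risk access needs a written justification.
    if decision == "certify" and item.high_risk and not justification.strip():
        raise ValueError("certify decisions on high-risk access require a justification")
    item.decision, item.decided_on = decision, on

def verify_remediation(item: ReviewItem, still_present: Callable[[str, str], bool], today: date) -> bool:
    # Closed loop: 24h after a revoke decision, confirm the target system no longer holds the entitlement.
    if item.decision != "revoke" or today - item.decided_on < timedelta(days=1):
        return False
    item.remediation_verified = not still_present(item.user, item.entitlement)
    return item.remediation_verified

def campaign_report(items: list) -> dict:
    revoked = [i for i in items if i.decision == "revoke"]
    return {"completion_pct": round(100 * sum(1 for i in items if i.decision) / len(items), 1),
            "revoked": len(revoked),
            "unverified_revocations": sum(1 for i in revoked if not i.remediation_verified)}
```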

Types of Certification Campaigns:

| Campaign Type | Scope | Reviewer | Frequency |
|---|---|---|---|
| User-to-Access | Every user’s entitlements across all applications | User’s manager | Annually |
| Access-to-User | Every application’s user list | Application owner | Quarterly (critical apps), annually (standard) |
| Role certification | Role definitions and memberships | Role owner | Annually |
| Privileged access | Admin/root/break-glass accounts | Security team + manager | Quarterly |
| SoD conflict review | Users with conflicting access | Compliance team | Quarterly |
| Orphan account review | Accounts without active owners | Application owners | Monthly |

Segregation of Duties (SoD)

Segregation of duties ensures that no single person has enough access to commit fraud or cause significant damage. Conflicting access combinations must be identified, prevented where possible, and mitigated where unavoidable.

Common SoD Conflict Pairs:

| Role A | Role B | Risk | Industry |
|---|---|---|---|
| Purchase Requisition Creator | Purchase Order Approver | Create and approve own purchases | Finance, Procurement |
| Accounts Payable Clerk | Vendor Administrator | Create fake vendor and pay invoices to self | Finance |
| Network Administrator | Security Auditor | Modify audit logs to hide unauthorised activity | IT, Security |
| Code Developer | Code Promoter (Production) | Push un-reviewed code to production | Software Engineering |
| HR Data Entry | Payroll Administrator | Add fake employee and process payroll | HR, Finance |
| Cash Application Clerk | Customer Credit Administrator | Apply payments to own account and extend credit | Finance |
| System Administrator | Access Recertification Approver | Certify own excessive access | IT, Security |

SoD Implementation Approaches:

  1. Preventive controls — System blocks conflicting access assignments in real time. The IAM platform checks each new entitlement request against the SoD matrix and rejects assignments that create conflicts. Strongest control — prevents the problem.

  2. Detective controls — System identifies and reports existing conflicts during periodic certification. Weaker than preventive but catches inherited conflicts (e.g., from mergers) or conflicts that arise from role changes.

  3. Mitigating controls — Compensating controls for unavoidable conflicts. When a conflict cannot be avoided (e.g., in a small organisation where one person must perform multiple roles), compensating controls include:

    • Enhanced monitoring and logging of all transactions
    • Mandatory peer review of high-risk actions
    • Transaction thresholds requiring second approval
    • Post-transaction random audits

SoD Rule Authoring Example:

```json
{
  "sodRuleId": "SOD-FIN-001",
  "description": "User must not have both AP Clerk AND Vendor Admin access",
  "conflictingRoles": ["AP_Clerk", "Vendor_Admin"],
  "severity": "Critical",
  "controlType": "Preventive",
  "mitigation": {
    "allowed": false,
    "overrideRequired": true,
    "overrideApprover": "Compliance Officer"
  }
}
```
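The following Python, added here as an example rather than taken from the page or any IGA product, evaluates rules in the authoring format above as both a preventive control (checked at request time, honouring the override path) and a detective control (scanning existing assignments). The second rule SOD-IT-001, the role identifiers, and the `(ruleId, approverTitle)` representation of a granted override are constructed assumptions.

```python
import json

# Two rules in the page's authoring format (constructed sample: the first is SOD-FIN-001 from above,
# the second is a hypothetical detective rule for the Network Admin / Security Auditor pair).
SOD_RULES = json.loads("""[
  {"sodRuleId": "SOD-FIN-001",
   "description": "User must not have both AP Clerk AND Vendor Admin access",
   "conflictingRoles": ["AP_Clerk", "Vendor_Admin"],
   "severity": "Critical", "controlType": "Preventive",
   "mitigation": {"allowed": false, "overrideRequired": true, "overrideApprover": "Compliance Officer"}},
  {"sodRuleId": "SOD-IT-001",
   "description": "Network Admin AND Security Auditor access is reported, not blocked",
   "conflictingRoles": ["Network_Admin", "Security_Auditor"],
   "severity": "High", "controlType": "Detective",
   "mitigation": {"allowed": true, "overrideRequired": false, "overrideApprover": null}}
]""")

def violated_rules(roles):
    """Rules whose full conflicting role set is held by a user with these roles."""
    held = set(roles)
    return [r for r in SOD_RULES if set(r["conflictingRoles"]) <= held]

def check_request(current_roles, requested_role, overrides=()):
    """Preventive control at request time. Returns (decision, rule_ids).
    overrides: (ruleId, approverTitle) pairs already approved for this user (assumed shape)."""
    pre_existing = {r["sodRuleId"] for r in violated_rules(current_roles)}
    flagged = []
    for rule in violated_rules(list(current_roles) + [requested_role]):
        rid, m = rule["sodRuleId"], rule["mitigation"]
        if rid in pre_existing:
            continue                      # not caused by this request; the detective scan owns it
        if rule["controlType"] != "Preventive" or m["allowed"]:
            flagged.append(rid)           # report, do not block
        elif m["overrideRequired"] and (rid, m["overrideApprover"]) in set(overrides):
            flagged.append(rid)           # approved exception; still recorded for audit
        else:
            return ("reject", [rid])
    return ("approve", flagged)

def detective_scan(assignments):
    """Detective control over existing assignments: {user: [roles]} -> [(user, ruleId, severity)]."""
    return [(user, r["sodRuleId"], r["severity"])
            for user, roles in assignments.items() for r in violated_rules(roles)]
```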

Audit and Reporting

IAM systems must produce auditable records that satisfy internal and external audit requirements. Audit readiness is a continuous state, not an annual exercise.

| Audit Requirement | IAM Evidence | Retention Period |
|---|---|---|
| Who has access to what? | Entitlement reports, role membership lists, application access matrices | Current + 3 years |
| Who granted the access? | Approval workflow audit trails with approver identity and timestamp | 3-7 years (varies by regulation) |
| When was access last reviewed? | Access certification campaign records, reviewer decisions, timestamps | 3-7 years |
| When was access removed? | Deprovisioning logs with action, timestamp, and operator | 3-7 years |
| Were there unauthorised changes? | Change logs, SIEM integration, anomaly detection alerts | 1 year (hot), 7 years (cold) |
| Are SoD rules enforced? | SoD violation reports, override requests, approval records | 3-7 years |
| Are privileged actions monitored? | PAM session recordings, command logs, credential check-in/check-out records | 1-3 years |

Compliance Frameworks — Detailed Requirements

| Framework | Scope | Key IAM Requirements | Penalties for Non-Compliance |
|---|---|---|---|
| SOX (Sarbanes-Oxley) | Financial reporting controls for US publicly traded companies | Access controls over financial systems, audit trails, SoD for financial roles, management attestation (Section 404) | Fines up to $5M, executive imprisonment up to 20 years |
| GDPR | Personal data of EU citizens | Right to erasure (Article 17), data access controls, identity verification for data subjects, breach notification (Article 33) | €20M or 4% of global annual revenue |
| HIPAA | Protected health information (PHI) in US healthcare | Access controls (45 CFR §164.312), unique user identification, automatic logoff, audit controls, integrity controls | $50K-$1.5M per violation category per year |
| PCI DSS v4.0 | Payment card data | Requirement 7: Need-to-know access; Requirement 8: Unique IDs, MFA for admin access; Requirement 10: Audit trails; Requirement 12: Access reviews | $5K-$100K per month by card brands, potential loss of processing ability |
| ISO 27001:2022 | Information security management | A.5.15 Access control policy, A.5.18 Access rights, A.8.2 Privileged access rights, A.8.3 Information access restriction, A.8.16 Monitoring activities | Certification revocation, business partner trust erosion |
| NIST SP 800-53 r5 | US federal information systems | AC-1 Access control policy, AC-2 Account management, AC-3 Access enforcement, AC-6 Least privilege, AU Audit and accountability | Loss of authorisation to operate (ATO), contract termination |

IGA Technology — Identity Governance and Administration Tools

As organisations mature their governance programs, they invest in dedicated IGA tools:

| IGA Platform | Key Capabilities | Best For |
|---|---|---|
| SailPoint IdentityNow/IdentityIQ | Access certification, SoD, role mining, lifecycle management, identity analytics | Large enterprises, complex governance requirements |
| Saviynt | Access governance, SoD, cloud security, application access, data access governance | Cloud-first, multi-SaaS environments |
| Omada Identity | Access certification, role-based provisioning, self-service | Regulated industries (finance, pharma) |
| Microsoft Entra ID Governance | Access reviews, entitlement management, PIM, identity governance | Microsoft-centric organisations |
| Okta Identity Governance | Access certification, SoD, lifecycle management, workflows | Okta-centric IAM environments |

IAM Maturity Model — Detailed

Governance maturity typically progresses through these stages. Understanding your organisation’s current level is the first step toward improvement:

| Level | Name | Characteristics | Key Metrics | Typical Org |
|---|---|---|---|---|
| 1 | Initial | Ad-hoc, no formal processes, no access reviews, manual provisioning, no SoD enforcement | No metrics tracked | Startup, < 100 employees |
| 2 | Defined | Documented policies exist, periodic manual access reviews (spreadsheet-based), basic SoD rules, some automation | Access review completion rate: 60-80% | Small-medium business, 100-1000 employees |
| 3 | Managed | Automated access certification, SoD detection enforced, role-based provisioning, HR integration active | Review completion: > 95%, SoD violations identified, auto-deprovisioning SLA: < 24h | Mid-market, 1000-5000 employees |
| 4 | Measured | Continuous monitoring, real-time SoD enforcement, risk-based review cycles, automated remediation, KPIs tracked | Deprovisioning SLA: < 1h, provisioning accuracy: > 99%, orphan accounts: < 1% | Enterprise, 5000+ employees |
| 5 | Optimized | Predictive analytics, AI-driven anomaly detection, automated role mining, identity fabric, continuous adaptive trust | Proactive risk reduction, zero-day orphan detection, automated policy generation | Large enterprise, 10,000+ employees |

Tip

Most enterprises operate at Level 2 or 3. Moving from Level 3 to Level 4 requires investment in IGA tools, process automation, and organisational commitment to continuous compliance. Level 5 is aspirational for most organisations.

Key Takeaways

  • IAM governance provides auditable, provable evidence that access controls are working — it is the “checking” that ensures IAM operations are correct and compliant
  • Access certification must be risk-based (different frequencies for different risk levels), automated (reminders, escalation, verification), and closed-loop (revoke → verify → report)
  • Segregation of duties prevents fraud by identifying and blocking conflicting access combinations — implement preventive controls where possible, detective where necessary, and compensating where unavoidable
  • Multiple compliance frameworks (SOX, GDPR, HIPAA, PCI DSS, ISO 27001, NIST SP 800-53) mandate IAM controls with significant penalties for non-compliance
  • IAM maturity progresses through five levels (Initial → Defined → Managed → Measured → Optimized) — most organisations are at Level 2 or 3
  • Moving to higher maturity levels requires investment in IGA technology, process automation, and organisational commitment to continuous compliance verification