Identity Governance

Identity Governance is the discipline of ensuring that the right people have the right access to the right resources — and that this access is properly controlled, reviewed, and auditable. While IAM focuses on provisioning and authentication, governance provides the accountability layer: proving that access controls are working, access is appropriate, and compliance requirements are met.

Identity Governance and Administration (IGA) platforms automate these processes, turning IAM from a technical implementation into a controlled, auditable business process.

Why Identity Governance Matters

Without governance, IAM operations are blind:

  • Who has access to what? Unknown
  • Is that access still appropriate? Unreviewed
  • Are there conflicts of interest in access? Undetected
  • Can we prove compliance to auditors? No

The consequences of inadequate governance are severe: SOX violations, GDPR fines, insider fraud, and data breaches that could have been prevented by timely access review.

Core Governance Functions

Identity Lifecycle Management

The identity lifecycle governs how digital identities are created, maintained, and removed across the enterprise:

| Phase  | Process                             | Governance Control                              |
|--------|-------------------------------------|-------------------------------------------------|
| Joiner | Account creation, role assignment   | Automated provisioning based on HR data         |
| Mover  | Role changes, transfers, promotions | Access recertification triggered by role change |
| Leaver | Account deactivation, data handover | Immediate deprovisioning, manager certification |
| Rehire | Account restoration                 | Reactivation policy, entitlement review         |
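The four lifecycle phases in the table are usually driven by reconciling the HR system of record against the account directory. The following is an added example (not code from the original page) that does that reconciliation on constructed sample data and emits the governance action for each phase, plus the orphan-account case that audits look for; the field names and statuses are assumptions.

```python
# Constructed HR feed and account directory (sample data, not from any real system).
HR_FEED = [
    {"emp_id": "E100", "dept": "Finance",     "status": "active"},
    {"emp_id": "E101", "dept": "Engineering", "status": "active"},      # moved from Sales
    {"emp_id": "E102", "dept": "Sales",       "status": "terminated"},  # leaver
    {"emp_id": "E103", "dept": "Finance",     "status": "active"},      # new joiner, no account yet
    {"emp_id": "E104", "dept": "Legal",       "status": "active"},      # rehire, account disabled
]
ACCOUNTS = {
    "E100": {"enabled": True,  "dept": "Finance"},
    "E101": {"enabled": True,  "dept": "Sales"},
    "E102": {"enabled": True,  "dept": "Sales"},
    "E104": {"enabled": False, "dept": "Legal"},
    "E999": {"enabled": True,  "dept": "Finance"},   # orphan: no HR record at all
}

def reconcile(hr_feed, accounts):
    """Compare the HR system of record with the account directory and return
    (event, emp_id, governance action) tuples for every lifecycle phase."""
    actions = []
    hr_by_id = {rec["emp_id"]: rec for rec in hr_feed}
    for emp_id, rec in hr_by_id.items():
        acct = accounts.get(emp_id)
        if rec["status"] == "terminated":
            # Leaver: disable immediately; the manager certifies the data handover.
            if acct is not None and acct["enabled"]:
                actions.append(("LEAVER", emp_id, "disable account; manager certifies data handover"))
        elif acct is None:
            # Joiner: provision from HR data with the birthright roles for the department.
            actions.append(("JOINER", emp_id, f"provision account with birthright roles for {rec['dept']}"))
        elif not acct["enabled"]:
            # Rehire: reactivation follows policy; old entitlements are reviewed, not restored blindly.
            actions.append(("REHIRE", emp_id, "reactivate per policy after entitlement review"))
        elif acct["dept"] != rec["dept"]:
            # Mover: a department change triggers recertification of the existing access.
            actions.append(("MOVER", emp_id, f"recertify access after move {acct['dept']} -> {rec['dept']}"))
    for emp_id in accounts:
        if emp_id not in hr_by_id:
            # Orphan: access with no owner in HR is a classic audit finding.
            actions.append(("ORPHAN", emp_id, "no HR record; disable pending owner review"))
    return sorted(actions)

if __name__ == "__main__":
    for event, emp_id, action in reconcile(HR_FEED, ACCOUNTS):
        print(f"{event:<7} {emp_id}  {action}")
```

Running it in a scheduled job after each HR export gives the event stream that the governance controls in the table are meant to act on.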

Access Certification

Periodic reviews where managers and resource owners validate whether users still need their current access. Certification campaigns are the primary mechanism for detecting and remediating privilege creep.

Segregation of Duties (SoD)

SoD policies prevent any single individual from holding conflicting permissions that could enable fraud or abuse. SoD analysis detects toxic permission combinations across all of a user’s roles and entitlements.
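SoD analysis has to flatten every role a user holds before checking the policy, because the toxic pair is often split across two individually harmless roles. This added example (not code from the original page) does that on a constructed role model; the role, entitlement and rule names are assumptions, and the mitigation set shows how an approved compensating control is recorded rather than silently ignored.

```python
# Constructed role model and SoD policy (sample data, not a real organisation's).
ROLE_ENTITLEMENTS = {
    "ap_clerk":       {"vendor.create", "invoice.enter"},
    "ap_approver":    {"invoice.approve", "payment.release"},
    "treasury":       {"payment.release", "bank.reconcile"},
    "readonly_audit": {"ledger.read"},
}
USER_ROLES = {
    "alice": {"ap_clerk", "ap_approver"},   # conflicts only appear when both roles are combined
    "bob":   {"ap_clerk"},
    "carol": {"treasury", "readonly_audit"},
    "dave":  {"ap_approver", "treasury"},
}
# An SoD rule names two entitlements no single person may hold together, and the abuse it enables.
SOD_RULES = [
    ("vendor.create", "payment.release", "create a vendor and pay it"),
    ("invoice.enter", "invoice.approve", "enter and approve the same invoice"),
    ("payment.release", "bank.reconcile", "release payments and reconcile the bank account"),
]
# Approved mitigating controls: (user, entitlement_a, entitlement_b) accepted with compensating review.
MITIGATIONS = {("carol", "payment.release", "bank.reconcile")}

def effective_entitlements(user):
    """Flatten a user's roles into {entitlement: roles that grant it}."""
    granted = {}
    for role in USER_ROLES[user]:
        for ent in ROLE_ENTITLEMENTS[role]:
            granted.setdefault(ent, set()).add(role)
    return granted

def sod_violations(user):
    """Return unmitigated toxic combinations for one user, with the roles that contribute them."""
    granted = effective_entitlements(user)
    findings = []
    for a, b, risk in SOD_RULES:
        if a in granted and b in granted and (user, a, b) not in MITIGATIONS:
            findings.append({"user": user, "risk": risk, "via_roles": sorted(granted[a] | granted[b])})
    return findings

def sod_report():
    """Run the policy across every user; this is the list a certification campaign would remediate."""
    return {u: sod_violations(u) for u in USER_ROLES if sod_violations(u)}
```

Reporting the contributing roles (`via_roles`) matters in practice: remediation usually means removing or redesigning one role, not an individual entitlement.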

Role Management

Roles are the building blocks of access governance. Role management includes role mining (discovering natural role groupings from existing access data), role design (creating roles aligned with business functions), and role lifecycle management (creating, updating, retiring roles over time).
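Role mining in its simplest bottom-up form groups users who hold an identical entitlement set and promotes each group that is large enough into a candidate role. This added example (not code from the original page) implements that on a constructed user-to-entitlement export, then re-expresses each user as roles plus residual direct grants and computes role coverage; user and entitlement names are assumptions.

```python
from collections import defaultdict

# Constructed user-to-entitlement matrix (sample data); role mining starts from this kind of export.
USER_ENTITLEMENTS = {
    "u1": {"erp.gl.read", "erp.gl.post", "vpn"},
    "u2": {"erp.gl.read", "erp.gl.post", "vpn"},
    "u3": {"erp.gl.read", "erp.gl.post", "vpn", "erp.admin"},   # accountant plus an extra admin grant
    "u4": {"git.read", "git.write", "ci.run", "vpn"},
    "u5": {"git.read", "git.write", "ci.run", "vpn"},
    "u6": {"git.read", "vpn"},                                   # unique pattern: no mined role fits
}

def mine_roles(matrix, min_users=2):
    """Bottom-up role mining: users with an identical entitlement set form one candidate role.
    Sets held by fewer than min_users stay as direct assignments instead of becoming roles."""
    groups = defaultdict(set)
    for user, ents in matrix.items():
        groups[frozenset(ents)].add(user)
    roles = {}
    for ents, users in groups.items():
        if len(users) >= min_users:
            roles[f"role_{len(roles) + 1}"] = {"entitlements": set(ents), "members": users}
    return roles

def assign_roles(matrix, roles):
    """Re-express each user's access as mined roles plus residual direct grants.
    Residuals are where privilege creep hides, so they go to certification first."""
    result = {}
    for user, ents in matrix.items():
        matched = {name for name, spec in roles.items() if spec["entitlements"] <= ents}
        covered = set().union(*(roles[n]["entitlements"] for n in matched))
        result[user] = {"roles": matched, "residual": ents - covered}
    return result

def coverage(matrix, assignment):
    """Share of all granted entitlements explained by roles, a common role-design KPI."""
    total = sum(len(e) for e in matrix.values())
    residual = sum(len(a["residual"]) for a in assignment.values())
    return round(1 - residual / total, 3)
```

Real role mining adds hierarchy (a shared `vpn` entitlement would become a base role) and business-attribute alignment, but the residual list is the same artefact a role engineer takes into design workshops.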

Identity Analytics

Advanced analytics detect anomalies in identity behaviour: dormant accounts, unusual access patterns, privilege escalation, and potential insider threats. Analytics transform IGA from a reactive compliance tool into a proactive security capability.
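The analytics signals named above (dormant accounts, privilege creep) are most useful when they feed the certification campaigns described under Access Certification. This added example (not code from the original page) computes both signals on constructed identity data and turns them into a per-manager certification worklist; the thresholds, dates and field names are assumptions.

```python
from datetime import date, timedelta

TODAY = date(2024, 6, 30)          # constructed reference date for the run
DORMANT_DAYS = 90                  # no login for this long => dormant account
UNUSED_ENTITLEMENT_DAYS = 180      # held but unexercised for this long => privilege creep candidate

# Constructed identity data: owning manager, last login, and last use of each entitlement (None = never).
ACCESS = {
    "alice": {"manager": "mia",  "last_login": date(2024, 6, 28),
              "entitlements": {"crm.read": date(2024, 6, 27), "crm.export": None}},
    "bob":   {"manager": "mia",  "last_login": date(2024, 2, 1),
              "entitlements": {"hr.read": date(2024, 1, 30)}},
    "carol": {"manager": "noah", "last_login": date(2024, 6, 29),
              "entitlements": {"fin.post": date(2024, 6, 29), "fin.admin": date(2023, 9, 1)}},
}

def dormant_accounts(access, today=TODAY, threshold=DORMANT_DAYS):
    """Accounts with no login inside the window."""
    cutoff = today - timedelta(days=threshold)
    return sorted(u for u, rec in access.items() if rec["last_login"] < cutoff)

def unused_entitlements(access, today=TODAY, threshold=UNUSED_ENTITLEMENT_DAYS):
    """Entitlements held but not exercised inside the window; never-used ones count as unused."""
    cutoff = today - timedelta(days=threshold)
    return sorted((u, e) for u, rec in access.items()
                  for e, last in rec["entitlements"].items() if last is None or last < cutoff)

def certification_worklist(access, today=TODAY):
    """Turn the analytics findings into per-manager certification items, so each reviewer
    sees only the access they are accountable for and every item carries a proposed remediation."""
    dormant = set(dormant_accounts(access, today))
    unused = unused_entitlements(access, today)
    worklist = {}
    for user, rec in access.items():
        items = []
        if user in dormant:
            items.append(("account", user, "dormant: confirm business need or disable"))
        items += [("entitlement", f"{user}:{ent}", "unused: revoke unless justified")
                  for u, ent in unused if u == user]
        if items:
            worklist.setdefault(rec["manager"], []).extend(items)
    return worklist
```

Risk-scoring the items (admin entitlements first, for instance) is the usual next step so reviewers see the dangerous access before the noise.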

Governance Frameworks and Regulations

Identity Governance is required by every major compliance framework:

| Framework       | Governance Requirements |
|-----------------|-------------------------|
| SOX             | Section 404: Internal controls over financial reporting — including access controls and periodic review |
| GDPR            | Article 5: Accountability — organisations must demonstrate compliance with data protection principles |
| HIPAA           | 45 CFR §164.312(a)(1): Access control policies for ePHI; §164.308(a)(1)(ii)(D): Information access management |
| PCI DSS v4.0    | Requirement 7: Restrict access to cardholder data by business need-to-know; Requirement 9: Periodic access review |
| ISO 27001       | A.9.2: User access provisioning; A.9.2.5: Review of user access rights |
| NIST SP 800-53  | AC-2: Account management; AC-6: Least privilege; AU-6: Audit review, analysis, and reporting |

IGA in the Governance, Risk, and Compliance (GRC) Context

┌─────────────────────────────┐
│        GRC Strategy         │
├─────────────────────────────┤
│ ┌──────────┐ ┌──────────┐   │
│ │Governance│ │   Risk   │   │
│ │  (IGA)   │ │(Risk Mgmt│   │
│ └──────────┘ └──────────┘   │
│ ┌──────────┐                │
│ │Compliance│                │
│ │ (Audit)  │                │
│ └──────────┘                │
└─────────────────────────────┘

IGA is the governance pillar of GRC. It provides the data and controls that feed risk management (which access combinations create risk?) and compliance (can we prove access is appropriately controlled?).

Module Roadmap

Identity Lifecycle Management

Joiner/mover/leaver processes, HR-driven provisioning, automated lifecycle events, and entitlement lifecycle.

Access Certifications

Certification campaign design, reviewer workflows, remediation enforcement, and certifying application access vs. infrastructure access.

Segregation of Duties

SoD policy frameworks, toxic combination analysis, mitigating controls, and SoD in cloud environments.

Role Management & Mining

Role engineering methodologies, role mining algorithms, role lifecycle, and role certification.

Identity Analytics

User behaviour analytics, anomaly detection, privilege creep identification, and identity risk scoring.

Self-Service IAM

Access requests, approval workflows, password management, and user experience in modern IGA.

Governance & Policies

Policy lifecycle, governance policy frameworks, policy enforcement automation, and exception management.

Compliance & Reporting

Audit evidence collection, compliance reporting, real-time dashboards, and auditor workflows.

IGA Platforms & Architecture

IGA platform capabilities, deployment models, integration patterns, and vendor landscape.

Key Takeaways

  • Identity Governance is the accountability layer of IAM — it proves that access controls are working, access is appropriate, and compliance requirements are met
  • Core governance functions include identity lifecycle management, access certification, segregation of duties, role management, and identity analytics
  • Every major compliance framework (SOX, GDPR, HIPAA, PCI DSS, ISO 27001, NIST) requires identity governance controls
  • IGA is the governance pillar of GRC, providing data and controls that feed risk management and compliance activities
  • Without governance, organisations cannot answer the most basic audit question: “Who has access to what, and is that access appropriate?”