1 Introduction
Identity Governance & Administration (IGA) is one of the core disciplines within Identity & Access Management (IAM). It covers three main capability areas:
- Identity Provisioning
- Identity Lifecycle Management
- Access Governance
Identity Provisioning provides the technical integration with target systems via connectors. These connectors either rely on open interfaces and standards such as SCIM (System for Cross-Domain Identity Management), LDAP (Lightweight Directory Access Protocol), and SQL, or use the proprietary APIs (Application Programming Interfaces) of the target systems. While a growing number of modern SaaS (Software-as-a-Service) applications support the SCIM standard, many older applications as well as on-premises applications and services still require custom connectors. Identity Provisioning pushes changes to the connected systems, for instance triggering the creation or deletion of user accounts and their assignment to security groups. Identity Provisioning solutions should also be able to read the current status of users and access entitlements back from the connected systems, both as a full set of data and as a delta of changes since the last read, in order to reconcile changes and to provide the “as is” status to Access Governance. Reconciliation is the approach of automatically identifying differences between the state found in the target systems and the “to be” status that is expected based on preceding provisioning activities; accounts or entitlements that exist in a target system without a corresponding provisioning record (orphan or locally administered accounts) are a typical finding.
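The reconciliation step described above, as an added example that is not part of the original text or of any vendor product: an IGA-side “to be” state is compared with a target system’s “as is” state, where the target state is obtained from a full read plus a delta feed folded on top of it. The account and group names, the SCIM-like record shape, and the function names are constructed assumptions for illustration.

```python
"""Reconcile an IGA "to be" state against a target system's "as is" state.

Added example, not from the original text or any IGA product. All data are
constructed inline in a SCIM-like shape; field and function names are
illustrative assumptions.
"""
from dataclasses import dataclass, field

# "To be": accounts and group memberships the IGA system believes it provisioned.
EXPECTED = {
    "alice": {"active": True,  "groups": {"finance-ro", "vpn-users"}},
    "bob":   {"active": True,  "groups": {"hr-admins"}},
    "carol": {"active": False, "groups": set()},          # leaver: account must be disabled
    "dave":  {"active": True,  "groups": {"vpn-users"}},  # provisioned, but never reached the target
}

# "As is": full read of the target system (constructed sample, SCIM-like records).
TARGET_FULL = [
    {"userName": "alice", "active": True, "groups": ["finance-ro", "vpn-users", "finance-rw"]},
    {"userName": "bob",   "active": True, "groups": ["hr-admins"]},
    {"userName": "carol", "active": True, "groups": ["vpn-users"]},            # leaver still enabled
    {"userName": "svc-legacy", "active": True, "groups": ["domain-admins"]},   # orphan account
]

# Delta of changes the target reported after the full read (constructed sample).
TARGET_DELTA = [
    {"op": "modify", "user": {"userName": "bob", "active": True, "groups": ["hr-admins", "finance-rw"]}},
    {"op": "delete", "user": {"userName": "svc-legacy"}},
]


@dataclass
class Drift:
    orphan_accounts: set = field(default_factory=set)    # in target, unknown to IGA
    missing_accounts: set = field(default_factory=set)   # in IGA, not in target
    status_mismatch: dict = field(default_factory=dict)  # user -> (expected_active, actual_active)
    extra_groups: dict = field(default_factory=dict)     # user -> groups present but not expected
    missing_groups: dict = field(default_factory=dict)   # user -> groups expected but absent


def apply_delta(full, delta):
    """Fold a change feed onto a full snapshot; returns the updated snapshot keyed by userName."""
    state = {u["userName"]: dict(u) for u in full}
    for change in delta:
        name = change["user"]["userName"]
        if change["op"] == "delete":
            state.pop(name, None)
        else:  # "add" or "modify": the delta record replaces the snapshot record
            state[name] = dict(change["user"])
    return state


def reconcile(expected, actual):
    """Compare expected ("to be") and actual ("as is") states and report every difference."""
    d = Drift()
    d.orphan_accounts = set(actual) - set(expected)
    d.missing_accounts = set(expected) - set(actual)
    for name in set(expected) & set(actual):
        exp, act = expected[name], actual[name]
        actual_active = act.get("active", False)
        if exp["active"] != actual_active:
            d.status_mismatch[name] = (exp["active"], actual_active)
        act_groups = set(act.get("groups", []))
        extra, missing = act_groups - exp["groups"], exp["groups"] - act_groups
        if extra:
            d.extra_groups[name] = extra
        if missing:
            d.missing_groups[name] = missing
    return d


def reconcile_target(expected=EXPECTED, full=TARGET_FULL, delta=TARGET_DELTA):
    """Full read + delta, then reconcile against the IGA state."""
    return reconcile(expected, apply_delta(full, delta))


if __name__ == "__main__":
    print(reconcile_target())
```

Each finding maps to a different follow-up: orphan accounts need an owner or deletion, a status mismatch on a leaver is an immediate deprovisioning failure, and extra group memberships are the locally granted entitlements that Access Governance later surfaces in reviews.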
Identity Lifecycle Management adds workflow support for implementing user and entitlement management processes such as JML (Joiner, Mover, Leaver), as well as processes for managing roles and for requesting and approving additional entitlements. Ideally, IGA solutions provide a standard set of processes for rapid deployment, plus a high degree of flexibility in adjusting workflows and adding new ones. Many of today’s solutions build on no-code/low-code approaches. Because IGA controls user accounts and their entitlements and therefore plays an essential role for security, and because IGA solutions tend to remain in operation for many years, workflow development must follow SDL (Secure Development Lifecycle) concepts and good coding practices such as code documentation and integration into CI/CD (Continuous Integration/Continuous Deployment) infrastructures.
Access Governance, the third area, is focused on managing entitlement models and supporting access reviews and analytics to ensure that the “as is” state in the target systems matches the “to be” state defined in the IGA solution through automated provisioning and manual access requests. Entitlement models are commonly defined using roles. Role Management is thus an established capability within Access Governance, even though role projects frequently turn out to be highly complex. Less commonly, IGA solutions also support policy-based approaches, which define access entitlements dynamically and describe them as policies rather than as static rules. Recertification, or access review, is another core capability within Access Governance: responsible users such as departmental managers periodically confirm or revoke the entitlements of the users they are accountable for. Defining and enforcing SoD (Segregation of Duties) rules, i.e., combinations of entitlements that must not be held by the same user, is another important capability of Access Governance. Most Access Governance solutions today also provide a certain level of Access Analytics capabilities for identifying anomalies and critical entitlement combinations. Some also come with integrated ITDR (Identity Threat Detection & Response) features.
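An SoD check over a role-based entitlement model, as an added example that is not part of the original text or of any IGA product. It serves both the Access Governance passage above (detecting toxic entitlement combinations in the current assignments and in the role model itself) and the request-and-approval processes mentioned under Identity Lifecycle Management (a preventive check before a new role is granted). The roles, rules, users, and function names are constructed assumptions for illustration.

```python
"""Segregation-of-Duties (SoD) checks over a role-based entitlement model.

Added example; not from the original text or any IGA product. Roles, rules
and assignments are constructed sample data; function names are illustrative.
"""
from collections import defaultdict

# Role -> set of entitlements the role grants (constructed sample).
ROLES = {
    "ap-clerk":        {"erp:vendor.create", "erp:invoice.enter"},
    "ap-approver":     {"erp:payment.approve"},
    "it-ops":          {"ad:server-admins"},
    "toxic-superuser": {"erp:vendor.create", "erp:payment.approve"},  # conflicts within one role
}

# SoD rules: two entitlements that must never be held by the same user, plus a description.
SOD_RULES = [
    ("erp:vendor.create", "erp:payment.approve", "create vendor and approve payment"),
    ("erp:invoice.enter", "erp:payment.approve", "enter invoice and approve payment"),
]

# User -> assigned roles (constructed sample).
ASSIGNMENTS = {
    "alice": {"ap-clerk"},
    "bob":   {"ap-clerk", "ap-approver"},   # violates both rules across two roles
    "carol": {"toxic-superuser"},           # violates a rule through a single role
    "dave":  {"it-ops"},
}


def role_conflicts(roles=ROLES, rules=SOD_RULES):
    """Roles that violate an SoD rule on their own; these must be fixed in the role model."""
    return {
        name: [desc for a, b, desc in rules if a in ents and b in ents]
        for name, ents in roles.items()
        if any(a in ents and b in ents for a, b, _ in rules)
    }


def effective_entitlements(user_roles, roles=ROLES):
    """Map each entitlement a user effectively holds to the set of roles that grant it."""
    granted = defaultdict(set)
    for role in user_roles:
        for ent in roles.get(role, ()):
            granted[ent].add(role)
    return granted


def user_violations(assignments=ASSIGNMENTS, roles=ROLES, rules=SOD_RULES):
    """User -> list of (rule description, roles granting side A, roles granting side B).

    Reporting the granting roles makes the finding actionable: the reviewer sees
    whether a single role is toxic or whether the combination of roles is the problem.
    """
    findings = {}
    for user, user_roles in assignments.items():
        granted = effective_entitlements(user_roles, roles)
        hits = [
            (desc, frozenset(granted[a]), frozenset(granted[b]))
            for a, b, desc in rules
            if a in granted and b in granted
        ]
        if hits:
            findings[user] = hits
    return findings


def would_violate(user, new_role, assignments=ASSIGNMENTS, roles=ROLES, rules=SOD_RULES):
    """Preventive check for an access request: violations the user would have after adding new_role."""
    trial = {user: set(assignments.get(user, set())) | {new_role}}
    return user_violations(trial, roles, rules).get(user, [])


if __name__ == "__main__":
    for role, descs in role_conflicts().items():
        print(f"role {role} is internally conflicting: {descs}")
    for user, hits in user_violations().items():
        for desc, via_a, via_b in hits:
            print(f"{user}: {desc} (via {sorted(via_a)} and {sorted(via_b)})")
    print("alice + ap-approver:", would_violate("alice", "ap-approver"))
```

The same rule set drives both the detective check (run over reconciled “as is” data during a review) and the preventive check (run inside the request workflow), which is what keeps the two from drifting apart.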
Over the past few years, IGA deployments have largely shifted from a traditional on-premises model to IDaaS (Identity-as-a-Service). IDaaS provides a range of advantages, from simplified deployment, patching, and updating to a focus on configuration over customization by coding. Customers are relieved of the complexity of operating an on-premises IGA platform and benefit from the elasticity of IDaaS deployments.
IDaaS can also meet customer requirements for data segregation, data security, and regulatory compliance. Most providers have measures such as local datacenters in place to support even complex customer requirements.
IDaaS solutions also commonly provide a means for integrating with on-premises applications and services. Such integration frequently relies on gateways deployed on-premises, for security and performance reasons (typically the gateway initiates outbound connections to the service, so no inbound access to the on-premises network is required) and for simplified integration. Since such a gateway holds the credentials used to administer the on-premises targets, it must be operated as a privileged component in its own right. While sometimes perceived as more complex than integrating on-premises target systems with an on-premises IGA solution, the integration effort does not differ materially because of the IGA deployment model.
The vast majority of customers nowadays expect IDaaS support when choosing IGA solutions.
Figure 1: Most IGA deployments are delivered as IDaaS.
In the past year, the share of full IDaaS deployments grew from 11.4% to 22.5%, while the share of partial IDaaS deployments increased from 25.7% to 37.3%. This confirms the trend towards IDaaS deployments for IGA as well, both for replacement and initial deployments of IGA and for modernization projects in which a vendor’s on-premises solution is shifted to IDaaS.
KuppingerCole Analysts expects more than 80% of IGA deployments in 2026 to be IDaaS deployments, either multi-tenant or single-tenant.
Aside from the deployment trend, we expect to see more fundamental changes in the way IGA is done, with JIT (Just-in-Time) provisioning and policy-based, dynamic access controls becoming the norm. This will help organizations overcome many of today’s IGA challenges that arise from the complexity of role management and recertification.