Sign in Subscribe

The Future of IGA: There must be more?

Denis Ontiveros

8 min read
The Future of IGA: There must be more?
Photo by Markus Spiske / Unsplash

It usually begins in the same, almost ritualistic, way. A spreadsheet, or if you lucky a link to your IGA tool, arrives in the inbox. Rows of users, columns of entitlements, and a note from the compliance team: “Please review and certify.” Somewhere in the finance department, a manager stares blankly at the screen. Her eyes fall on a group called Finance-Reporting-Legacy-Admin, which half her team belongs to. She has no idea what it does. She hesitates, scrolls, and ticks the “approve” box.

This scene repeats across the enterprise. Legal, HR, operations — everyone plays their part in what is now an all-too-familiar dance. Tick, approve, submit. Governance is “done.”

This is IGA theatre. It satisfies the regulator, but it rarely improves security. It looks like control, but beneath the surface it does not answer the fundamental identity question: who has access to what, under what conditions, and why?

IGA was not a mistake. In its origins, it was, and still is for heritage systems, a necessary discipline. It managed joiners, movers, and leavers from HR systems like PeopleSoft or Workday. It gave auditors evidence that controls existed. But what worked for a static enterprise of employees and monolithic applications no longer works for a world of contractors, partners, SaaS ecosystems, machine identities, and AI agents. The static architecture of IGA was never designed to cope with this degree of fluidity.

Eleanor and Layers of Opache abstractions

Eleanor, CISO of InnovatiTechios (made up but I am sure it is familiar) , knew this reality in her bones. One bleak afternoon in December 2024 she sat in her office, staring at the IGA dashboard her team had struggled to keep alive. She had long suspected the system was collapsing under its own weight, but seeing it on the screen made it undeniable. The connectors were brittle, the group hierarchies opaque, the reviews meaningless.

Her identity architect Alex (also made up) walked in to deliver the latest round of access certification results. They both knew what they were about to discuss: not real governance, but theatre.

Eleanor leaned back and quoted The Mythical Man-Month, a book she had read early in her career: accidental complexity. “It’s not the essential problem,” she explained to Alex, “it’s the baggage we’ve created in the way we try to solve it.”

The essential problem of identity is simple: who has access to what, when, and why? But InnovateTech’s IGA had become a tangle of accidental complexity:

  • Illusion of control: In Office 365, site owners who knew their content best granted access directly. Yet IGA insisted this should flow through AD groups, role catalogs, and approval chains. Instead of empowering the owners, it disempowered them, adding friction without clarity.
  • Labyrinth of entitlements: Groups nested ten layers deep meant no one could truly explain what privileges a single membership provided. Governance became a guessing game.
  • Security theatre of recertification: Quarterly reviews ticked compliance boxes but told reviewers nothing meaningful. Approvals were fast, because they were meaningless.
  • Connector conundrum: Vendors promised connectors for new platforms like AWS SageMaker Studio, but the connectors were always behind, limited by APIs and innovation cycles. The IGA lagged four or five versions behind reality.
  • Data silos: Every IAM system had its own redundant data store. Each claimed to be authoritative, none were consistent. Her team had become unwilling data engineers instead of security practitioners.

“This isn’t governance,” Eleanor sighed. “It’s maintenance of the accidental complexity we’ve layered over the years. And attackers don’t wait for our quarterly reviews.”

Her words hung in the room. The crisis was real. But it was also a call to arms. What Eleanor and Alex saw in that moment was not just the failure of their tools, but the failure of a model that could not scale to the speed of modern enterprises. They needed something new — something event-driven, contextual, and alive.

From Admin-time to Event-time

Yuval Harari in his latest book Nexus, indicates how we have evaloved from the traditional organic logic of human societies to no needing to be always on due to AI. Identity Systems do not sleep and have to wait for admin time?

For decades, the world of identity was divided in two. Admin-time was the realm of provisioning and governance — accounts created, entitlements assigned, accounts revoked. Run-time was the realm of authentication — tokens issued, sessions started, MFA enforced. Ian Glazier in his blog post explains this very clearly.

Eleanor’s frustration revealed, there was always a missing dimension: event-time.

Event-time means adjusting access during a session in response to signals. It is revoking access the moment a laptop fails a compliance check. It is granting elevated rights only while an incident ticket is active. It is terminating a suspicious session the moment impossible travel is detected.

The OpenID Shared Signals and Events framework is creating the standard “dial tone” to make this possible. With Shared Signals, systems don’t need nightly connectors; they can push real-time events — password reset, credential revocation, device state change — and expect consuming systems to act.

This is not just faster; it is a shift in mindset. Instead of governance as a frozen snapshot, it becomes governance as a continuous conversation. Access is not granted once and forgotten; it is negotiated in real time, based on risk, posture, and context.

For Eleanor, this was the revelation. The problem wasn’t that governance didn’t matter. It was that governance had been locked in the wrong time dimension.

Four Components, One Fabric

But time alone doesn’t solve everything. The real question is: how do you structure an identity system that can operate at event-time?

Here, Ian Glazer’s framework of policy, orchestration, execution, and data (weaveidentity.com/blog/four-components-for-modern-identity) offers a path.

  • Policy must evolve into transparent, testable rules, ideally expressed in open engines like OPA or Cedar. Instead of roles that last forever, policies should describe conditions and contexts.
  • Orchestration must stitch (remeber the word) together signals from HR, ITSM, EDR, ITDR, and SaaS ecosystems, keeping a ledger of why entitlements were granted or revoked. This is governance as storytelling — every access change part of a narrative chain.
  • Execution is where the decisions happen: provisioning, token issuance, session termination. It must be flexible enough to plug into SaaS APIs, cloud IAM, and on-prem systems alike.
  • Data is the substrate. Without a unified identity data layer — ideally in the form of an identity graph and standards like Open IAM Data Schema — the fabric collapses into silos and duplication.

This model strips away accidental complexity and puts the essentials back in focus. It reframes IGA not as a siloed product, but as one strand of a larger, dynamic fabric.

Drawing the Line: Central IGA vs Decentralized Edge

Eleanor tapped her screen again, this time on an Office 365 site. “See this?” she asked Alex. “The team owner knows their content. They know who should be here. Forcing that through AD groups and catalog approvals doesn’t add control. It adds noise. It’s accidental complexity disguised as governance.”

Alex nodded, but countered: “And what about SageMaker Studio? Projects pop up and vanish overnight. Datasets gain or lose sensitivity daily. How do you expect central IGA to keep pace with that?”

“Exactly,” Eleanor replied. “You can’t. If you try to drag it all into a central catalog, you kill the very agility those platforms are built for. Authorization has to live at the edge, governed by local context and real-time signals. The job of central IGA isn’t to control those entitlements directly. It’s to provide the scaffolding: the audit trail, the policy backplane, the data integration.”

These were just two examples — but they stood for dozens more. The principle was becoming clear: coarse-grained lifecycle access belongs in central IGA, while fine-grained, fast-changing entitlements must remain at the edge.

Or, as one industry voice has put it: “Fine grained entitlement at the edge, with real-time changes, can not be sacrificed for admin time compliance theatre.”

Still, Eleanor knew decentralization must not become fragmentation. “Whatever we do at the edge has to be interoperable,” she told Alex. “The CIO still needs to answer the timeless questions: who has access to what, what did they do with it, under what conditions? No CIO should have to phone thirty platform owners just to assemble that picture. That’s what the fabric is for — to connect the dots, not to choke innovation.”

The Infant Stage of Authorization

I have always thought that the one truth remains: authentication is an adult, but authorization is still a child.

We’ve externalized authentication into standards like OIDC and FIDO2. It is interoperable, portable, and widely implemented. But authorization remains a patchwork. Every app embeds its own rules. Developers scatter if statements through code. Group membership becomes a blunt proxy for policy.

The Authorization Academy catalogues the diversity of approaches: RBAC, ABAC, ReBAC, graph-based systems like Google Zanzibar. Each works in context, but none has become universal.

When will authorization have its OIDC moment? When will developers be able to call a standard library function — isAllowed(actor, action, resource) — and know the decision is portable, testable, and auditable across systems?

Until that happens, authorization will remain the fragile child of identity. Eleanor’s labyrinth of entitlements is the symptom of this immaturity. It is why governance feels like theatre instead of control.

Learning from Our Neighbors: Rescuing IGA Through Adjacent Domains

As Eleanor and Alex wrestled with the question of what IGA could become, a quieter realization dawned on them: maybe the future of governance doesn’t lie only inside the identity world at all.

After all, event-based architectures are hardly novel. In modern software engineering, systems have long relied on event buses and streaming platforms to keep distributed services in sync. Why should identity signals be any different? The Shared Signals framework isn’t a revolution; it’s simply applying tried-and-true event-driven patterns to our discipline.

Similarly, the dream of policy as code is not ours alone. DevOps has been practicing it for years. Infrastructure-as-code (IaC) brought consistency and automation to infrastructure management; data engineering adopted data pipelines and schema registries to tame chaos. Why not adopt those same practices — GitOps for identity policies, schema registries for entitlements, automated testing pipelines for access decisions — instead of reinventing brittle role catalogs?

Even the idea of abstracted function modules has precedent. In software, primitive functions are shared, reused, and standardized. In cloud computing, serverless platforms expose consistent building blocks across environments. So why do we still tolerate every application rolling its own authorization checks from scratch? Perhaps what’s needed isn’t another IGA monolith, but a library of identity primitives — standardized modules for evaluating access, reasoning over entitlements, or stitching event flows together.

This is where humility comes in. Identity practitioners often see our domain as special, distinct, too regulated or too complex to borrow from others. But maybe the way to rescue IGA is precisely to look beyond our nose. To admit that the future of governance may come not from the identity market itself, but from borrowing the maturity of adjacent fields and applying them with discipline.

IGA cannot be saved by more of the same. At least if have dedicated to much of my life to see it fail ;-). It must be rescued by opening the windows, letting in the fresh air of adjacent practices, and daring to admit that sometimes others have already solved problems we are still wrestling with.

Towards a Shared Future

The future of IGA is not more spreadsheets or cleverer connectors. It is a living fabric, woven from identity graphs, open policy engines, event-time signals, and shared object models.

Central IGA will remain essential for heritage systems, compliance evidence, and coarse-grained lifecycle control. But edge systems must govern themselves in real time, feeding their signals into the fabric. The role of IGA is not to suffocate them, but to normalize, audit, and orchestrate their outputs.

Meanwhile, authorization must grow up. We must externalize it the way we did with authentication. We must give developers shared libraries and policy engines, not force them to hard-code rules.

Eleanor’s spreadsheets and tangled groups may feel familiar, but they are not the future. They are the ghost of a model that has outlived its context.

Conclusion: A Fabric, Not a Theatre

The lesson from Eleanor’s story — and from the industry at large — is clear. Layering more complexity on top of brittle IGA systems is not the path forward. We need to strip away the accidental and return to the essential.

Governance must move from theatre to truth. From admin-time snapshots to event-time fabrics (I think Gartner Coined this term?). From static catalogs to living graphs. From authorization scattered in code to authorization as a shared abstraction.

Only then will identity governance stop being the ghost in the machine — and become the living system our enterprises need.

Lets save IGA! - And I did not mention AI once ;-)

References

Sign up for more like this.

Enter your email
Subscribe