What Is Identity Governance and Administration (IGA)?
Identity Governance and Administration (IGA) answers a deceptively hard question: who has access to what, why, and should they still have it? It is the control plane that keeps access correct and auditable over time.
Core functions
- Access requests and approvals with a clear trail.
- Access certifications (periodic reviews) so managers confirm their people still need what they have.
- Provisioning and deprovisioning across connected systems.
- Separation of duties (SoD) to prevent toxic combinations of access.
- Role management to keep entitlements understandable.
Why it matters
Access tends to accumulate. People change roles, projects end, and permissions linger. That drift is a top audit finding and a real breach risk. IGA exists to detect and reverse it, which is why it is central to compliance with SOC 2, ISO 27001, and similar frameworks. See our audit preparation guide.
IGA vs adjacent tools
IAM handles authentication and SSO; IGA handles governance. In the cloud, CIEM does entitlement right-sizing, and PAM governs privileged accounts specifically.
Where to start
Browse IGA platforms, compare SailPoint vs Saviynt, or read how to choose an IGA platform.
Frequently asked questions
- What is IGA?
- IGA stands for Identity Governance and Administration: the policies and processes for requesting, approving, reviewing, and certifying access so it stays appropriate over time.
- What is the difference between IGA and IAM?
- IAM handles the mechanics of authentication and access. IGA adds the governance layer of certifications, access requests, and policy enforcement.
- What is an access certification?
- A periodic review where managers or resource owners confirm that users still need the access they hold, removing anything no longer justified.