What does Identity Governance and Administration actually do?
IGA sits at the intersection of two things every organization needs to manage: identities (the people in your systems) and access (what those people can do). It brings together processes like creating user accounts, assigning permissions, reviewing access, and removing accounts when someone leaves.
In practical terms, an IGA solution helps you answer questions like: Who has access to what systems right now? Does this person still need the access they were granted six months ago? When someone joins, how do they get the right accounts and permissions on day one? When someone leaves, are all their accounts actually disabled?
Without IGA, these questions get answered through manual effort — spreadsheets, email requests, IT tickets, and tribal knowledge. That works fine at 20 employees. It starts breaking down fast past 50 or 100.
How is IGA different from IAM?
People often use IGA and IAM interchangeably, but they are not the same thing.
IAM is the broader category. It covers the technical mechanisms for authentication and authorization — single sign-on, multi-factor authentication, directory services. IAM answers: "Can this person prove who they are, and are they allowed in?"
IGA is a subset of IAM that focuses specifically on governance. It answers: "Should this person have this access, and can we prove it?" IGA adds the policy layer, the audit trail, and the review processes that organizations need for compliance and security.
Think of it this way: IAM is the lock on the door. IGA is the process that decides who gets a key, tracks who has keys, and makes sure you take keys back when people leave.
Why do companies need IGA?
There are three main drivers.
Security. Accounts that should have been disabled but were not are one of the most common attack vectors. Former employees, contractors whose projects ended months ago, test accounts that never got cleaned up — these are all risks that IGA addresses. By automating the lifecycle of user accounts, you reduce the chance of orphaned accounts sitting around waiting to be exploited.
Compliance. Regulations like NIS2, SOC 2, and ISO 27001 all require organizations to demonstrate that they control access to their systems. Auditors want to see that you have a process for granting access, reviewing access periodically, and revoking it when it is no longer needed. IGA gives you the documentation and audit trail to prove this.
Efficiency. Manual onboarding and offboarding are slow and error-prone. IT teams spend hours creating accounts, assigning licenses, adding people to groups, and then doing it all in reverse when someone leaves. IGA automates these repetitive tasks so IT can focus on more valuable work.
What does IGA look like for companies using Microsoft Entra ID?
If your organization runs on Microsoft 365 and Entra ID (formerly Azure AD), IGA means governing the identities and access within that environment — managing Entra ID user accounts, group memberships, application assignments, and license allocations.
Larger enterprises often use tools like SailPoint or Saviynt for IGA, but these platforms were designed for organizations with thousands of employees and complex multi-directory environments. They come with long implementation timelines, high costs, and usually require consultants to set up and maintain.
For companies with 50 to 500 employees, that level of complexity is unnecessary. Adcyma was built specifically for this segment — organizations that need proper identity governance for Entra ID without an enterprise-grade platform that takes six months to deploy.
What are the core capabilities of an IGA solution?
A complete IGA solution typically includes user provisioning and deprovisioning (automatically creating accounts when someone joins and disabling them when they leave), access request and approval workflows, periodic access certification reviews, role-based access control, policy enforcement such as separation of duties and least privilege, and audit reporting that maintains a complete record of who had access to what and when.
Is IGA only for large enterprises?
Historically, yes. IGA tools were expensive, complex, and aimed at organizations with 5,000 or more employees. But the need for identity governance does not start at 5,000. It starts much earlier.
A company with 100 employees using Microsoft 365, Salesforce, and a handful of SaaS applications already has a real governance challenge. People join, change roles, and leave. Access accumulates. Auditors ask questions. And the IT team is often too small to manage all of this manually without things falling through the cracks.
The market is shifting. Solutions like Adcyma are making IGA accessible to mid-sized companies by focusing on the most common identity source — Microsoft Entra ID — and delivering governance features that are straightforward to set up without a dedicated IAM team.
How to get started with IGA
Start with the basics. Get a clear picture of all the identities in your Entra ID tenant — active users, guests, service accounts, disabled accounts. Document what happens (or should happen) when someone joins, changes roles, or leaves, and identify where the gaps are. Determine your compliance requirements, whether that is SOC 2, ISO 27001, or NIS2, since these will shape which IGA capabilities you need first. Then pick a tool that fits your size — you do not need a solution designed for 50,000 users if you have 200.
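The identity inventory described above, and the orphaned-account risk from the security section, can be checked by reconciling an Entra ID user export against an HR roster. The following is an added example, not code from Adcyma or Microsoft: the record fields use Microsoft Graph user property names, while the HR roster format, the 90-day threshold, the finding labels and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed HR roster (assumed export format): employeeId -> status.
HR_ROSTER = {"E100": "active", "E101": "terminated"}

# Constructed sample records using Microsoft Graph user property names.
ENTRA_USERS = [
    {"userPrincipalName": "anna@contoso.example", "userType": "Member",
     "accountEnabled": True, "employeeId": "E100",
     "signInActivity": {"lastSignInDateTime": "2024-05-28T08:00:00Z"}},
    {"userPrincipalName": "ben@contoso.example", "userType": "Member",
     "accountEnabled": True, "employeeId": "E101",
     "signInActivity": {"lastSignInDateTime": "2024-01-10T08:00:00Z"}},
    {"userPrincipalName": "test01@contoso.example", "userType": "Member",
     "accountEnabled": True, "employeeId": None, "signInActivity": None},
    {"userPrincipalName": "vendor@partner.example", "userType": "Guest",
     "accountEnabled": True, "employeeId": None,
     "signInActivity": {"lastSignInDateTime": "2023-11-02T08:00:00Z"}},
    {"userPrincipalName": "carl@contoso.example", "userType": "Member",
     "accountEnabled": False, "employeeId": "E102", "signInActivity": None},
]

def last_sign_in(user):
    """Return the last sign-in as an aware datetime, or None if never seen."""
    stamp = (user.get("signInActivity") or {}).get("lastSignInDateTime")
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")) if stamp else None

def review_accounts(users, hr_roster, now, stale_days=90):
    """Map each enabled account that needs review to the reason it was flagged."""
    cutoff = now - timedelta(days=stale_days)
    findings = {}
    for user in users:
        if not user.get("accountEnabled"):
            continue  # disabled accounts cannot sign in; skip them
        upn, emp_id = user["userPrincipalName"], user.get("employeeId")
        if user.get("userType") == "Guest":
            seen = last_sign_in(user)
            if seen is None or seen < cutoff:
                findings[upn] = "stale_guest"
        elif emp_id is None:
            findings[upn] = "no_hr_owner"  # likely a service or test account
        elif hr_roster.get(emp_id) != "active":
            findings[upn] = "leaver_still_enabled"
    return findings

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for upn, reason in review_accounts(ENTRA_USERS, HR_ROSTER, now).items():
        print(f"{reason:22} {upn}")
```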