Identity Governance & Administration (IGA)

Most breaches don’t start with a sophisticated attack. They start with a user account that should have been deactivated six months ago.

An employee leaves. IT closes the HR ticket. But the Active Directory account stays open. The SailPoint entitlement stays assigned. The access to the financial reporting system stays active. Nobody notices. Until someone does.

That’s an identity governance failure. And it’s more common than the post-incident reports suggest.

What is Identity Governance & Administration?

Identity Governance & Administration (IGA) is the discipline of managing who has access to what across your organisation, and being able to prove that those rights are correct, current, and intentional.

Where Identity & Access Management (IAM) handles authentication and provisioning (who can log in, and to what), IGA adds the oversight layer: who should have access, why, and for how long. It covers the full identity lifecycle, from Joiners, Movers, and Leavers (JML) processes through to access reviews and certification, Segregation of Duties (SoD) controls, role management, and audit-grade reporting.

A working IGA programme doesn’t just answer «who has access to this system?» It answers «are those people still supposed to?»


Why IGA is more urgent now

Access governance isn’t new. What’s changed is the regulatory pressure behind it and the speed at which auditors are catching up.

NIS2, effective across EU member states since October 2024, requires organisations in critical sectors to enforce access controls, manage identities systematically, and demonstrate this to supervisory authorities. DORA, effective January 2025, extends similar obligations to financial entities and their ICT providers, with incident reporting windows as tight as four hours. GDPR requires that access to personal data is controlled, reviewed, and logged. SOX continues to apply to publicly listed companies.

None of these regulations tell you to buy a specific product. They tell you to govern access properly and prove it. That’s an IGA problem.

In organisations we’ve worked with across financial services and the public sector, the most common audit finding isn’t a missing tool. It’s an access review process that exists on paper but doesn’t function in practice. Managers rubber-stamp reviews because the workflow is too slow to do properly. Certifications are completed but the data behind them is wrong. Accounts are flagged for deprovisioning but never actually removed.

The platform doesn’t fix this on its own. The governance model has to work first.


What a working IGA programme covers

IGA is a set of interconnected capabilities. They only deliver value when they’re designed to work together, not deployed as isolated features.


Identity Lifecycle Management

The Joiners, Movers, and Leavers (JML) process is where most organisations leak access. A new hire starts before their accounts are ready. A team member changes roles and accumulates entitlements from both positions. A contractor’s access isn’t revoked for three months after their engagement ends.

Done well, identity lifecycle management is largely automated: the right access on day one, adjusted automatically on role change, fully revoked on departure. Done poorly, it’s a slow-building security risk that compounds with every restructuring.
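The three leaks described above (a leaver whose account stays enabled, a mover who keeps the previous role's entitlements, a contractor past their end date) are all detectable by reconciling the HR feed against a directory export. The following is an added example, not Kommando's or SailPoint's code; the record fields, the role-to-entitlement model and all user data are constructed assumptions for illustration.

```python
"""
Added example (not Kommando's or SailPoint's code): a small JML reconciliation
that compares an HR feed against a directory/entitlement export and flags the
three leaks the text describes. All records below are constructed sample data;
the field names and the role-to-entitlement model are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed role model: which entitlements each job role is supposed to carry.
ROLE_ENTITLEMENTS = {
    "ap_clerk":   {"erp.invoice.create"},
    "ap_manager": {"erp.invoice.approve", "fin.reporting.read"},
    "sysadmin":   {"ad.domain.admin"},
}

@dataclass
class HrRecord:
    user_id: str
    status: str                        # "active" or "terminated"
    role: str
    end_date: Optional[date] = None    # contract end date for contractors

@dataclass
class DirectoryAccount:
    user_id: str
    enabled: bool
    entitlements: set = field(default_factory=set)

@dataclass
class Finding:
    user_id: str
    kind: str        # "orphaned_account", "excess_entitlement" or "expired_contract"
    detail: str

def reconcile(hr, directory, today):
    """Return the list of governance findings for one directory export."""
    findings = []
    hr_by_id = {r.user_id: r for r in hr}
    for acct in directory:
        rec = hr_by_id.get(acct.user_id)
        # Leaver (or an identity HR has never heard of) whose account is still enabled
        if acct.enabled and (rec is None or rec.status == "terminated"):
            findings.append(Finding(acct.user_id, "orphaned_account",
                                    "enabled account with no active HR record"))
            continue
        if rec is None or not acct.enabled:
            continue
        # Contractor whose engagement ended but whose account was never disabled
        if rec.end_date is not None and rec.end_date < today:
            findings.append(Finding(acct.user_id, "expired_contract",
                                    f"contract ended {rec.end_date.isoformat()}"))
        # Mover: entitlements the current role does not justify (accumulated from a previous role)
        expected = ROLE_ENTITLEMENTS.get(rec.role, set())
        for ent in sorted(acct.entitlements - expected):
            findings.append(Finding(acct.user_id, "excess_entitlement",
                                    f"{ent} not granted by role {rec.role}"))
    return findings

# Constructed sample input
SAMPLE_HR = [
    HrRecord("alice", "active", "ap_manager"),                              # moved from ap_clerk
    HrRecord("bob", "terminated", "sysadmin"),                              # left the company
    HrRecord("carol", "active", "ap_clerk", end_date=date(2024, 3, 31)),    # contractor, engagement over
]
SAMPLE_DIRECTORY = [
    DirectoryAccount("alice", True, {"erp.invoice.create", "erp.invoice.approve", "fin.reporting.read"}),
    DirectoryAccount("bob", True, {"ad.domain.admin"}),
    DirectoryAccount("carol", True, {"erp.invoice.create"}),
    DirectoryAccount("dave", True, set()),                                  # no HR record at all
]

def sample_findings():
    return reconcile(SAMPLE_HR, SAMPLE_DIRECTORY, today=date(2024, 6, 30))

if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.kind:18} {f.user_id:6} {f.detail}")
```

Each finding carries the reason it was raised, so the output can feed a deprovisioning ticket or a targeted review item rather than a generic "please check this account" request.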


Access Request & Approval

Ad-hoc access requests (emails to IT, Slack messages, a word with a manager) leave no audit trail and apply no policy. A governed access request workflow routes requests to the right approvers, enforces least privilege by default, and creates a traceable record of every decision.

This matters both for security and for compliance. When auditors ask «why does this person have access to this system?», the answer needs to be in a log, not in someone’s memory.


Access Reviews & Certification

Periodic access reviews are a regulatory requirement in most regulated industries. But a review process that produces rubber-stamped results, because reviewers have 400 certifications due in a week with no supporting context, isn’t a review. It’s a checkbox.

Effective access review programmes are designed around the reviewer’s decision: give them the right information, in the right volume, at the right frequency. SailPoint’s AI-assisted recommendations can reduce review fatigue significantly by surfacing only the decisions that genuinely need human judgment.


Segregation of Duties (SoD)

SoD controls prevent a single person from holding combinations of access that create fraud risk or compliance violations: the ability to both initiate and approve a payment, or to both create and certify an account. In financial services and healthcare, SoD failures are a primary audit finding. In any organisation, they’re a control gap that’s hard to spot without tooling.
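The "hard to spot without tooling" part is that the toxic pair is rarely granted directly: one half usually arrives through a role and the other through a later role change or a direct grant. The following added example (not Kommando's or SailPoint's code) resolves a user's effective access from roles plus direct grants, reports each violated rule with the source of each entitlement, and offers a preventive check an access request workflow could call before approval. Rule names, entitlement identifiers, roles and users are all constructed assumptions.

```python
"""
Added example (not Kommando's or SailPoint's code): a minimal Segregation of
Duties check. Toxic combinations are declared as pairs of entitlements; a
user's effective access is resolved from assigned roles plus direct grants so
that each violation can be traced back to whatever introduced it. Rule names,
entitlement identifiers, roles and users are constructed for illustration.
"""

# Assumed SoD policy: each rule names two entitlements no single person may hold together.
SOD_RULES = {
    "payments": ("erp.payment.initiate", "erp.payment.approve"),
    "accounts": ("iam.account.create", "iam.account.certify"),
}

# Assumed role model (role -> entitlements the role grants).
ROLES = {
    "ap_clerk":   {"erp.payment.initiate"},
    "ap_manager": {"erp.payment.approve"},
    "helpdesk":   {"iam.account.create"},
    "it_auditor": {"iam.account.certify"},
}

def effective_access(roles, direct):
    """Map each entitlement the user holds to the sources that grant it ('role:<name>' or 'direct')."""
    sources = {}
    for r in roles:
        for ent in ROLES.get(r, ()):
            sources.setdefault(ent, set()).add(f"role:{r}")
    for ent in direct:
        sources.setdefault(ent, set()).add("direct")
    return sources

def sod_violations(roles, direct):
    """Return [(rule_name, {entitlement: [sources]})] for every toxic pair the user holds."""
    access = effective_access(roles, direct)
    hits = []
    for rule, (a, b) in SOD_RULES.items():
        if a in access and b in access:
            hits.append((rule, {a: sorted(access[a]), b: sorted(access[b])}))
    return hits

def would_violate(roles, direct, new_entitlement):
    """Preventive check for an access request: the rules this single grant would newly break."""
    before = {rule for rule, _ in sod_violations(roles, direct)}
    after = {rule for rule, _ in sod_violations(roles, direct | {new_entitlement})}
    return sorted(after - before)

# Constructed sample users: (assigned roles, direct entitlement grants)
USERS = {
    "alice": ({"ap_clerk", "ap_manager"}, set()),          # changed roles and kept the old one
    "bob":   ({"helpdesk"}, {"iam.account.certify"}),     # direct grant bypassed the role model
    "carol": ({"ap_clerk"}, set()),                        # clean
}

def report():
    """SoD violations per sample user."""
    return {user: sod_violations(roles, direct) for user, (roles, direct) in USERS.items()}

if __name__ == "__main__":
    for user, hits in report().items():
        for rule, detail in hits:
            print(f"{user}: violates '{rule}' via {detail}")
    print("carol requesting erp.payment.approve would break:",
          would_violate(*USERS["carol"], "erp.payment.approve"))
```

Reporting the source of each half of the pair is what makes the finding actionable: alice's violation is fixed by removing the stale role, bob's by revoking a direct grant that should never have bypassed the role model. The same `would_violate` check, called at request time, is how a workflow enforces the control preventively rather than catching it at the next review.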


Role & Policy Management

Uncontrolled role proliferation is one of the most common IGA anti-patterns we see in practice. Organisations start with a clean role model and end up with hundreds of one-off entitlement sets that nobody owns, nobody understands, and nobody dares to touch. A structured role management programme establishes governance over how roles are created, modified, and retired before the model becomes unmaintainable.


Audit & Reporting

Audit-grade reporting isn’t a feature. It’s an outcome. When regulators or internal audit ask who approved a specific access grant, on what date, based on what policy, the answer needs to come from the IGA platform. Not from a spreadsheet someone assembled overnight.

How Kommando approaches IGA implementation

We implement IGA primarily on SailPoint Identity Security Cloud, which Gartner recognises as a leader in the IGA market. We’ve delivered implementations across financial services, healthcare, and the public sector in Norway, Sweden, and Denmark.

Our approach is phased and deliberately unglamorous. We don’t start by deploying everything at once. We start by understanding what’s actually happening in your environment: what your joiner/mover/leaver process looks like in practice, where the access review process breaks down, and which systems are the highest risk if access isn’t properly governed.

From there, we build incrementally. Onboard the critical applications first. Establish a governance model that can be maintained by your team, not just by us. Deliver audit-ready reporting from the start, not as an afterthought.

Most IGA implementations that fail do so because they try to solve everything at once. We’ve seen this pattern enough times to know: scope it to what matters, get that right, then expand.


What Kommando brings

SailPoint expertise. We’re a SailPoint implementation partner operating across the Nordics. Our consultants have delivered IGA programmes in environments where the identity infrastructure ranged from clean cloud-native stacks to heavily legacy on-premises systems with fifteen years of accumulated entitlements.

No off-the-shelf configurations. Every engagement starts with your environment, your processes, and your regulatory obligations. We don’t apply a template and call it done.

Nordic context. NIS2, DORA, and GDPR are the compliance landscape our clients operate in. We understand what supervisory authorities in Norway, Sweden, and Denmark expect to see in an audit, and we design IGA programmes that produce that evidence by default.

Continuity past go-live. Identity environments change continuously. We support our clients after implementation: updating access models as the organisation grows, refining review processes as they mature, and responding when something unexpected surfaces.


A note on what IGA doesn't fix

IGA is not a security perimeter. It doesn’t stop a determined attacker who has already compromised a valid credential. It doesn’t replace Privileged Access Management (PAM) for your admin accounts, and it doesn’t replace MFA for authentication.

What it does is reduce the attack surface that would otherwise be invisible: the orphaned accounts, the over-permissioned service accounts, the access entitlements that accumulate through role changes and never get cleaned up. For organisations where an attacker has gained initial access, a well-governed identity environment significantly limits where they can move next.

Privileged Access Management

If you’re also looking at controlling privileged access, our PAM service works alongside IGA to cover the full identity security picture. If you want to assess your current identity posture before committing to an implementation, Identity Advisory is a better starting point.


Talk to us

If identity governance feels overdue – or if you’ve inherited an IGA programme that isn’t delivering what it should – we’re happy to have a direct conversation about where things stand.

No pitch deck. No generic discovery call. Just a conversation with someone who has seen these environments before.


Frequently asked questions

What is the difference between IGA and IAM?

Identity & Access Management (IAM) covers authentication and provisioning: the mechanics of who can log in and access what. Identity Governance & Administration (IGA) adds the oversight layer: who should have access, based on what policy, reviewed how often, and evidenced how. IGA is a subset of the broader IAM discipline, focused specifically on governance, lifecycle management, and audit. Most organisations need both.

A phased implementation with a manageable initial scope (say, the ten to fifteen most critical applications, a working JML process, and access reviews in place) typically takes four to six months. Full enterprise programmes covering hundreds of applications take longer, but the initial value is delivered well before the programme is complete. We scope implementations to deliver working governance from early phases, not at the end.

We primarily implement SailPoint Identity Security Cloud. SailPoint is a Gartner Magic Quadrant leader in IGA, and it’s the platform we have the deepest experience with across Nordic environments. If your organisation has an existing IGA investment in a different platform, we can advise on optimisation and governance improvements regardless of tooling.

We report in a language management can act on. Not «17 open defects in module X», but «three of the defects will affect all users at login. We recommend not deploying to production until these are closed». A basis for decisions, not status lists.

IGA governs access across the broad population of users and systems: employees, contractors, applications, service accounts. PAM (Privileged Access Management) focuses specifically on controlling and monitoring the highest-risk accounts: administrators, privileged service accounts, and emergency access. The two disciplines are complementary: IGA provides governance over who has what access; PAM provides controls and monitoring for the highest-privilege subset of that access.