Did you hear about the importance of using multi-factor authentication, or MFA? Between the international requirements, annual campaigns, and exhortations from cybersecurity personnel to use MFA, I don’t think there’s a chance that anyone who works in tech doesn’t appreciate how critical MFA is.

We agree. However, while our sector has been great at articulating the importance of MFA and implementing it, we’ve been only so-so on other cybersecurity components that are just as important. Everyone has been so focused on installing the deadbolt on the front door that we’ve forgotten who has keys, how they got them, and what they unlock.

You need MFA to stay safe. But you also need Identity Governance and Administration (IGA).

That’s why I think the Gartner® Report, IAM Leaders’ Guide to Identity Governance and Administration (IGA), is such an important asset. The report details the core functions IGA must deliver, the challenges that organizations can encounter when deploying it, how they can evaluate their IGA program, and more.

Importantly, the report is just that—vendor-agnostic advice that discusses the importance and role of IGA, rather than documenting any specific solutions.

The value of IGA

According to the Gartner® Report, IAM Leaders’ Guide to Identity Governance and Administration, “The IGA discipline exists to guarantee the right people get the right access to the right resources at the right time for the right reasons.”

Gartner states that, “IGA leads to improved identity process maturity, facilitated compliance and reduced risk of unauthorized access, and also provides more visible and efficient controls to the identity life cycle administration processes.” Also, “IGA also provides several ancillary functions, usually including password management, self-service capabilities for profile management, and case management for auditing and remediating policy violations, such as SOD.”

In short, IGA can help organizations increase security, reduce risk, and be more productive—but only if they get IGA right.

The importance of analytics to IGA

Getting IGA right is easier said than done. One reason IGA is so challenging is that it must have visibility into all users, including human users, machine accounts, service accounts, and devices.

That’s a whole lot of ground to cover. And I think it’s because the scope of data can become so large that the report stresses the importance of analytics—in fact, the report puts identity analytics “in the center of every IGA initiative.” The report also notes that identity analytics “have been gaining more traction in IGA in the last five years to provide reports supporting human decision making, traditionally used for role mining, for example, or calculating a risk score that might be used to explain what happened and why.”

I’ve always felt that security is all about context, and integrating analytics into IGA solutions can provide security teams with that context: analytics can compare an individual account’s entitlements with those of similar users in the organization. Moreover, with more information, IGA solutions can provide real-time alerts and recommendations that help foster better security and continuous compliance despite a growing IT estate. It’s why RSA has built more analytics and visualizations into our latest IGA solution.

Use IGA to move to Zero Trust

Want more evidence that IGA matters? Look at CISA’s Zero Trust Maturity Model, which notes that agencies “should ensure and enforce user and entity access to the right resources at the right time for the right purpose without granting excessive access.”

The model also says that an agency has achieved optimal identity governance capabilities when it “implements and fully automates enterprise-wide identity policies for all users and entities across all systems.”


Gartner, IAM Leaders’ Guide to Identity Governance and Administration, Brian Guthrie, David Collinson, Rebecca Archambault, Updated 16 August 2023 | Originally Published 5 April 2021

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.