For years, identity governance and administration (IGA) has been treated as a large transformation program—something that takes years to implement and aims to solve everything at once. In theory, solving everything all at once sounds like the right choice. In practice, it’s often why IGA fails to deliver.
The pattern I see most often isn’t a lack of awareness into what IGA is or what it does—organizations understand way IGA matters. The struggle is that traditional IGA approaches assume an organization has the time, stability, and ability to build everything in one big step. In today’s environment, this is no longer realistic.
Traditional IGA worked well when the world was simpler: on-premises systems, office-based workforces, and roles that rarely changed. Roles were clearly defined, systems did not change frequently, and access decisions could be reviewed every few months without major risk
Today, everything is different. Organizations use cloud, SaaS, and distributed teams. Organizations are managing more than employee identities: they’re also responsible for contractors, partners, and even machines. Access changes all the time.
Because of this, static IGA models—with set roles, policies, and entitlements—become outdated very quickly. Many IGA programs get stuck here. They try to design everything perfectly from the beginning, but the environment keeps changing before they can deliver results.
The traditional “big bang” approach to IGA is very ambitious. It tries to onboard all applications, define all roles, and implement full governance in one program.
The challenge is that this takes time. And during that time, risks continue to grow.
Manual processes make an IGA “big bang” even more difficult. Access reviews become too large, reviewers do not always have the right context, and decisions become more about completing the task than reducing risk. Static roles become outdated, and over time, access accumulates without proper control.
In the end, organizations invest a lot, but they do not always see quick or clear value.
What we see working much better is a different mindset. Instead of trying to solve everything, start with one specific IGA problem. Something clear, something measurable, something important.
For example:
- Too many users have high-risk access in one critical application
- Audit reviews flag dormant accounts
- Some sensitive entitlements are assigned to many users but rarely used
These are real problems, not theoretical ones. And they can be solved quickly.
When an organization focuses on one IGA use case or challenge, everything becomes simpler. Teams get the right stakeholders, define success more clearly, and deliver clear results. That early win builds confidence and creates momentum for what comes next.
This is also how we think about IGA at RSA.
Instead of asking customers to do everything at once, we support a phased approach through our modular RSA® Governance & Lifecycle licensing. Customers can start with Visibility—just understanding who has access to what. This alone already brings value and insight.
Then they can move to Governance, applying controls and reviews where it really matters. And after that, they can extend into Lifecycle, to automate processes and scale.
This approach allows organizations to start small but still think big. It allows organizations to solve a real problem first, and then expand step by step—without needing to start again or redesign everything.
In modern environments, governance cannot be static. It needs to be more dynamic and more focused.
Instead of reviewing everything equally, organizations need to:
- Focus on the riskiest items first
- Use data to guide decisions
- Act quickly
The organizations that realize these steps tend to combine product capabilities with services. To realize immediate IGA wins, organizations need more than having the right tools—they also need to use them in a smart and practical way to deliver outcomes.
Another important point is flexibility, especially when it comes to deployment.
Many solutions force customers to choose between cloud or on-premises IGA solutions. But in reality, this choice can change. A company may start with a cloud-first strategy, but later face regulatory or business reasons to stay on-premises. Or organizations may need to act with greater flexibility and deploy more solutions in the cloud.
The only right solution is the one that meets the organization’s needs today and is ready to accommodate changing priorities in the future. That’s why RSA Governance & Lifecycle has full product parity between its cloud and on-premises solutions: the solution provides the same capabilities regardless of deployment.
This means customers can adapt if their strategy changes. They are not locked in. They can move forward without losing what they have already built.
Starting small does not mean limiting your ambition. It means being practical.
When an organization solves one IGA challenge or addresses a use case, it becomes easier to expand to the next application, the next risk, or the next improvement. Incremental progress can deliver significant results and build a strong, modernized IGA program.
Traditional IGA is not failing because governance is wrong. It is failing because the approach is not adapted to today’s speed and complexity.
Organizations that succeed are the ones that focus, start small, and build step by step. They look for real outcomes, not only big designs.
IGA does not need to be overwhelming. It should be practical, fast, and deliver strong value.
We’ll show you what this looks like in practice.
Join our upcoming webinar, Why Identity Governance Breaks at Scale and How AI Fixes It, where we’ll walk through how to cut through identity data, prioritize risk, and take action with confidence.
