Page 235 - Cyber Defense eMagazine September 2025
Challenges with a one-and-done mindset
The core issue with treating IGA as a project is that projects have defined start and end points. That’s
not how IGA works. It’s an ongoing process that needs to evolve alongside the organization.
Every day, employees join, change roles or leave, and each event requires updates to access rights.
Meanwhile, most organizations retire or replace roughly 10% of their applications annually, meaning the
landscape of systems and access requirements is always shifting. What’s secure and appropriate today
might be a compliance risk tomorrow.
Access is not a “set it and forget it” task. Roles change. Responsibilities shift. Business units restructure.
All of this requires that access privileges be continuously reviewed, adjusted, and revoked as needed.
And it must all be done in a documented, auditable way to meet the growing demands of regulatory
frameworks and internal controls.
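The joiner/mover/leaver cycle described above, as an added example that is not code from the article or from any IGA product: a small Python reconciliation routine that recomputes an identity's target access from a role model after each lifecycle event, revokes what the new role no longer justifies (so a mover does not carry old access forward), flags out-of-role grants at review time for a human decision, and records every grant, revocation and flag in an audit trail. The role names, entitlement strings, the user "alice" and the out-of-band grant are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed role model for the example: the entitlements each job role
# should carry. A real IGA deployment reads this from its role catalogue.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp:ap_clerk", "vpn:standard"},
    "finance_manager": {"erp:ap_approver", "erp:gl_read", "vpn:standard"},
    "hr_generalist": {"hris:employee_read", "vpn:standard"},
}

LIFECYCLE_EVENTS = {"joiner", "mover", "leaver", "review"}


@dataclass
class Identity:
    user: str
    role: Optional[str]                   # None once the person has left
    entitlements: set = field(default_factory=set)


@dataclass(frozen=True)
class AuditEntry:
    ts: str
    event: str        # joiner / mover / leaver / review
    user: str
    action: str       # grant / revoke / flag
    entitlement: str
    reason: str


def _stamp(now: Optional[datetime]) -> str:
    return (now or datetime.now(timezone.utc)).isoformat()


def reconcile(identity: Identity, event: str, new_role: Optional[str] = None,
              now: Optional[datetime] = None) -> list:
    """Bring an identity's entitlements in line with its role after a
    lifecycle event and return the audit entries this produced.

    joiner/mover: target = new role's entitlements; anything held outside
    that set is revoked. leaver: target is empty, everything is revoked.
    review: role unchanged; out-of-role grants are only flagged, because
    an approver, not the engine, decides whether they stay.
    """
    if event not in LIFECYCLE_EVENTS:
        raise ValueError(f"unknown lifecycle event: {event}")
    if event in {"joiner", "mover"}:
        if new_role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role: {new_role}")
        identity.role = new_role
    elif event == "leaver":
        identity.role = None

    target = ROLE_ENTITLEMENTS.get(identity.role, set()) if identity.role else set()
    ts = _stamp(now)
    log = []

    # Grants only happen on joiner/mover; a review never widens access.
    grants = sorted(target - identity.entitlements) if event != "review" else []
    for ent in grants:
        identity.entitlements.add(ent)
        log.append(AuditEntry(ts, event, identity.user, "grant", ent,
                              f"granted by role {identity.role}"))

    for ent in sorted(identity.entitlements - target):
        if event == "review":
            log.append(AuditEntry(ts, event, identity.user, "flag", ent,
                                  "not granted by current role; needs certification"))
        else:
            identity.entitlements.discard(ent)
            reason = ("account deprovisioned" if event == "leaver"
                      else f"not in role {identity.role}")
            log.append(AuditEntry(ts, event, identity.user, "revoke", ent, reason))
    return log


def run_lifecycle(now: Optional[datetime] = None):
    """Walk one constructed identity through joiner -> review -> mover -> leaver."""
    alice = Identity("alice", None)
    trail = []
    trail += reconcile(alice, "joiner", "accounts_payable", now)
    # Constructed out-of-band grant, e.g. via a helpdesk ticket, outside the role model.
    alice.entitlements.add("erp:vendor_master_edit")
    trail += reconcile(alice, "review", now=now)
    trail += reconcile(alice, "mover", "finance_manager", now)
    trail += reconcile(alice, "leaver", now=now)
    return alice, trail


if __name__ == "__main__":
    _, trail = run_lifecycle()
    for e in trail:
        print(f"{e.ts} {e.event:<6} {e.user} {e.action:<6} {e.entitlement:<24} {e.reason}")
```

The mover step is where the real risk sits: without the revocation pass, the accounts-payable clerk would keep erp:ap_clerk while gaining erp:ap_approver, a separation-of-duties conflict that a SOX reviewer will look for first. The audit entries, rather than the final state, are what that reviewer asks to see.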
For IGA to be effective, it must be treated as a core operational function — one that is maintained by a
dedicated IGA operations team, not run as a time-limited initiative.
Why IGA is often treated like a project
It usually comes back to how IGA is sold and marketed: as the solution to a specific technical pain point.
For instance, “How can we report that we manage all of our Sarbanes-Oxley (SOX) applications?” Or “How
do we get approvals on all our access assignments?” Someone researches that need and determines that
an IGA solution can solve it.
The IT team, or whoever else is leading the charge, then purchases the solution and thinks of it only as the
answer to that one problem, such as reporting on SOX-classified access. But IGA is far more than an
expensive report generator or an approval engine.
How to move from destination to journey
Rather than purchasing an IGA solution with only a specific problem in mind, look holistically at your
organization’s IT strategy and consider how IGA could support it overall. That determines priorities and,
ultimately, aligns IGA to them. IGA can map into ISO 27001, NIST, NIS2, DORA, SOX, PCI, GxP and the
other security frameworks and industry-specific cybersecurity regulatory requirements.
Defined ownership is also key. Another recurring pattern in organizations that struggle with IGA is a dispute
over who is in charge of IT, and with it confusion about who is ultimately responsible for IGA. To succeed,
someone within the organization must be formally accountable for the IGA domain.
Once ownership is established, the IGA operations team can be empowered to execute the solutions that
support the broader business, IT or IGA strategy. Adhering to core IGA principles is essential for long-
Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.