Cyber Tool Stack
All categories
Identity & AccessIGA

Identity Governance & Administration

Answers the audit question 'who has access to what, and why' — running periodic reviews of every employee's permissions, modeling access by role, and proving to auditors that unneeded access gets removed.

An auditor's most basic question about security is deceptively hard to answer: who currently has access to what, and can you prove it's supposed to be that way? Over time, employees change roles, get temporary project access that's never revoked, or accumulate permissions nobody remembers granting — and without a system built to track it, "review everyone's access" turns into a spreadsheet fire drill every audit cycle.

The tool built for this runs that review on a schedule automatically, models access as roles instead of one-off grants, and produces the audit-ready evidence a compliance team needs — turning "who has access to what, and why" from a scramble into a standing, provable answer.

The problem it solves

Access tends to only grow: an employee who moves teams often keeps old permissions along with new ones, a contractor's access outlives the project, and nobody cleans it up because nobody is tasked with doing so. Multiply this across thousands of employees and dozens of systems, and the honest answer to "who can access the finance database" becomes genuinely unknown — a real risk if misused, and a real problem when an auditor asks for evidence of review.

Manually reviewing this on a spreadsheet doesn't scale — someone has to chase down every manager, get them to look, and trust them to catch a permission that shouldn't be there.

How it works

The system first pulls in a full picture of who has access to what across connected applications, then groups entitlements into roles so access can be reasoned about at the level of "sales rep" instead of hundreds of individual flags. On a recurring schedule, it runs a certification campaign: each manager gets a list of their team's current access and has to explicitly approve or revoke each item, rather than access persisting silently by default.

It also automates the lifecycle side: as someone joins, changes role, or leaves, provisioning and deprovisioning happen automatically instead of via ticket, and it can flag dangerous combinations — like one person able to both request and approve their own payments — before they're granted. Every review and change gets logged, producing the audit trail a reviewer needs.

IAM/SSO vs IGA

Everyday identity and access management is about the moment-to-moment mechanics of logging in — authenticating a user and handing them off into apps they're already approved for. Identity governance sits a layer above that and asks a slower question: should this person have this access at all, and can that be proven later? One handles real-time authentication; the other handles the ongoing, auditable judgment call about appropriateness.

In practice, they connect directly: the governance layer often triggers the grant or revocation, which the identity platform carries out. A company can run a functional SSO setup with no governance layer at all — it just won't be able to prove, later, that anyone's access was ever reviewed.

Choosing one

The main driver is usually compliance pressure — audits that require evidence of periodic access review push this from "nice to have" to "mandatory" faster than security risk alone does. Organizations feeling that pressure for the first time should weigh how much certification and role-modeling work the tool automates versus how much needs manual configuration, since a tool that just digitizes a spreadsheet review doesn't save much real effort.

It's also worth checking how well the tool connects to the mix of applications in use, especially complex systems like enterprise resource planning software — a governance platform is only as good as its visibility into entitlements actually granted in each connected system.

Capability taxonomy

What buyers typically evaluate when comparing tools in this category.

Access certification campaigns
Runs periodic manager or owner review of who has access to what.
Role-based access modeling
Groups entitlements into roles so access can be granted and reviewed at scale.
Automated provisioning & deprovisioning
Grants and removes system access automatically based on identity lifecycle events.
Segregation-of-duties enforcement
Flags or blocks toxic combinations of access that violate internal controls.
Access request workflows
Lets employees request access with approval routing and audit trail.
Compliance reporting
Produces audit-ready evidence of access reviews and policy enforcement.

Tools in this category

Search Cyber Tool Stack

Jump to any tool, vendor, category, or glossary term.