← All terms
Identity Governance and Administration (IGA)

What is Identity Governance and Administration (IGA)?

IGA is the discipline of managing digital identities and access rights across systems, combining lifecycle automation with governance controls like access reviews.

Last updated: 13 July 2026

What IGA covers

Identity Governance and Administration combines two closely related capabilities. The administration side handles the operational work: creating accounts, provisioning access when people join or change roles, and removing access when they leave. It connects to authoritative sources such as HR systems and directories, then pushes changes out to downstream applications.

The governance side answers a different question: is the access people currently hold actually appropriate? It provides visibility into who has access to what, runs periodic access reviews, enforces segregation of duties policies, and produces the audit evidence that regulators and auditors ask for.

In practice an IGA platform maintains a central inventory of identities and entitlements, maps technical permissions to business-friendly roles, and applies policy whenever access is requested, granted, or reviewed.

Why IGA matters

Without governance, access accumulates. Employees change teams and keep old permissions, contractors retain accounts after projects end, and orphaned accounts linger in critical systems. Each of these is an attack path waiting to be exploited and a finding waiting to appear in an audit report.

Regulations and frameworks such as SOC 2, ISO 27001, GDPR, and KVKK expect organizations to demonstrate that access is granted on a need-to-know basis and reviewed regularly. IGA turns that expectation from a spreadsheet exercise into a repeatable, evidenced process.

There is also a direct security payoff: reducing standing entitlements shrinks the blast radius of a compromised account, and clean joiner-mover-leaver processes close the gaps attackers rely on.

Implementing IGA in practice

Most organizations start by connecting authoritative sources — HR platforms, Active Directory, LDAP, or databases — so the IGA system has a reliable picture of who exists and what they hold. From there, teams define roles and entitlement mappings, automate provisioning for the highest-volume applications, and schedule access reviews for the most sensitive systems first.

A phased approach works better than a big-bang rollout: begin with visibility and reporting, then add certification campaigns, then automated remediation. Success is usually measured by review completion rates, time to deprovision leavers, and the number of orphaned or excessive entitlements found and removed.

Platforms such as Monosync support this by synchronizing identities from AD, LDAP, HR, and SQL sources, mapping entitlements, and running access reviews with audit reports that serve as evidence for SOC 2, ISO 27001, KVKK, and GDPR programs.

Frequently asked questions

What is the difference between IGA and IAM?
IAM is the broader discipline covering authentication, authorization, and access management day to day. IGA is the governance layer on top: it focuses on whether access is appropriate, reviewing and certifying entitlements, enforcing policies like segregation of duties, and producing audit evidence. Most organizations need both.
Is IGA required for compliance?
No framework names IGA as a product requirement, but SOC 2, ISO 27001, GDPR, and KVKK all expect controlled provisioning, periodic access reviews, and timely deprovisioning. Doing those manually at scale is error-prone, which is why auditors commonly see IGA tooling in mature environments.
How long does an IGA rollout take?
Connecting core sources and gaining visibility typically takes weeks. Full role modeling, automated provisioning across many applications, and mature certification campaigns usually evolve over several quarters. Starting with a small scope of critical systems delivers value early.