Identity governance and administration (IGA) is a strategic component of identity and access management (IAM). It is designed to help manage digital identities and entitlements across multiple systems and applications. IGA tools are paramount to achieving compliance, as they help ensure that only the right people get access to the right applications and data at the right times and for the right reasons.

To accomplish this, IGA tools aggregate and correlate disparate identity and entitlement data that is distributed throughout the IT landscape to enhance control over user access. IGA solutions should provide several basic functions: identity life cycle, entitlement management, access requests, workflow, policy and role management, access certification, fulfillment, auditing, identity analytics, and reporting. At its core, IGA helps support enterprise IT security and regulatory compliance by informing on who has access, what they have access to, and why they have that access.

Gartner’s new assessment of the IGA market, the “2019 Gartner Magic Quadrant for Identity Governance and Administration,” provided an expert update on this mature market and the client trends impacting it. The report examined the increased client demand for cloud-delivered solutions as well as “cleanup” identity analytics. For the fifth consecutive year, IBM was named a Leader in the Gartner Magic Quadrant for IGA.

Saving With Cloud Architected IGA Solutions

Gartner predicted: “Through 2021, customers using a cloud architected IGA solution will save an average of 30 percent in initial integration costs and 40 percent in overall professional services over a three-year period and accelerate time to value by an average of 25 percent.” Enterprises are looking to manage applications from the cloud for identity life cycle and access requests. These functions from the cloud provide scalability, speed and cost savings.

Organizations can simply scale up and scale down their cloud resources based on short-term usage requirements. Cloud provisioning also allows you to pay for only what you consume. In addition, an organization’s developers can quickly spin up an array of workloads on demand, taking away the need for an IT administrator who provisions and manages computing resources.

Prioritizing Identity Analytics to Uncover Access Risks

Identity governance and administration has evolved over the years from simple provisioning use cases to more proactive, risk-aware governance. This is due in large part to the major influx in the number of identities within an organization and what those identities encompass — i.e., going beyond just employees to include partners, vendors, customers, internet of things (IoT) devices and robotic process automation (RPA) bots. With the increase of users, entitlements and applications to manage across the IAM environment, it’s becoming more and more critical to integrate identity analytics into your security posture to provide a holistic view of risk.

Identity analytics provide a way to evaluate risk based on identity information insights; apply techniques to clean up excessive, outlier or wrongful entitlements; and enhance the continuous process of identity governance, including risk reporting. Role mining and engineering was one of the first examples for analytics. Identity analytics has evolved to enable smarter micro-certification campaigns, contextualized access requests and approvals, and enhanced policy violation detection, among other use cases.

According to Gartner, “Through 2022, identity governance and administration implementations that start with cleanup analytics will show twice the ROI as ones that don’t.” Cleanup analytics, such as decision support and “help me decide” functionality, provide quick insights to support informed access and certification decisions and prevent simply approving everything. This can take the form of providing risk scores alongside evaluations that can invoke confidence in a decision to suspend, recertify or revoke. This is especially useful when scaled up, since many organizations grow and are unable to keep up with the number of users and applications. This additional support will prevent the risk that comes with group certifications and can alert you to anomalous activity.

The Importance of Business Activity-Based Policy Modeling for SOD

A key function within IGA solutions is entitlement management, or the ability to administer, revoke or change fine-grained access entitlements to users. Security teams must determine whether each entitlement is in conflict, toxic or nontoxic to another entitlement. This is where separation of duties (SoD) comes into play, a concept of internal security whereby conflicting application permissions are distributed among multiple people so you don’t give a single individual complete control of a process through application permissions. What’s needed for effective SoD is a complete, enterprisewide view of fine-grained access privileges and entitlements to determine what actions a user can perform within a given application.

IGA solutions should use business activities for SoD management to help make access more understandable. This approach also provides visibility for managers in terms of who users are, their assigned access and permissions, and what that access means in terms of business activities. The ability to translate technical IT jargon into business-relevant context is absolutely critical to better, more informed decision-making when it comes to access. This approach makes it easy for business users to understand application permissions and entitlements and quickly and effectively demonstrate compliance for audits.

IBM Named a Leader in Identity Governance and Administration

On the heels of being named a Leader in the “Magic Quadrant for Access Management,” IBM was also named a Leader in the “2019 Gartner Magic Quadrant for Identity Governance and Administration” for its ability to execute and completeness of vision. IBM’s integrated portfolio for identity governance evaluated in this year’s report includes a full featured, on-premises solution, a multitenant software-as-a-service (SaaS)-delivered IAM solution with light IGA capabilities for hybrid deployment, and an identity analytics beta product.

We believe these offerings allow our clients to consume a full breadth of IGA capabilities on their journey to the cloud, including the ability to leverage strong hybrid use cases and integrate risk awareness in ever-growing IGA security environments.


Gartner, Magic Quadrant for Identity Governance and Administration, Felix Gaehtgens, Kevin Kampman, Abhyuday Data, Henrique Teixeira, David Collinson, 9 October 2019.

Gartner, Magic Quadrant for Access Management, Michael Kelley, Abhyuday Data, Henrique Teixeira, 12 August 2019.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

More from Identity & Access

Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space

View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series. As we see in the previous article of this series discussing the cybersecurity threats in the New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace. The need to ensure the security and safety of these technologies has never been more pressing. So, let’s discover a range of measures…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

An IBM Hacker Breaks Down High-Profile Attacks

On September 19, 2022, an 18-year-old cyberattacker known as "teapotuberhacker" (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they pilfered over 90 videos of the upcoming Grand Theft Auto VI game. They then posted those videos on the fan website Gamers got an unsanctioned sneak peek of game footage, characters, plot points and other critical details. It was a game developer's worst nightmare. In addition, the malicious actor claimed responsibility for a…