You got the funding. You picked the platform. You sat through the endless vendor demos and nodded thoughtfully at the implementation roadmap.
So why is your identity governance program still… a mess?
Because some problems in IGA just don’t stay dead. They keep coming back—quietly, persistently, and usually right before your next audit.
Here are the top IGA pitfalls that continue to haunt even the best-intentioned security programs, along with some real-world moments that may hit a little too close to home.
1. Treating IGA Like a Tech Project
“Just install the thing and automate all the things!”
Reality check: Identity governance without business buy-in is like a security policy no one reads. It exists. It does nothing.
Real-world moment: A bank deployed an IGA tool and declared victory. Six months later, no one could answer who had approved access to sensitive financial data. Turned out the notifications were going to an unmonitored inbox. Audit season was… eventful.
CISO takeaway: IGA is a business control, not just an IT tool. Treat it like one.
2. The Never-Ending Role Engineering Project
“We’re building a future-proof role model!”
And future-proof it was—because it never actually launched.
Seen it: A healthcare org spent over a year crafting 500+ roles. The model looked great on paper. In practice, it was unable to provide the right access for basic job functions. End users revolted. Project shelved.
CISO takeaway: Don’t chase perfection. Start small, solve for risk, and iterate.
3. Access Reviews That Induce Existential Dread
“Here’s a 1,200-line spreadsheet. Please approve or deny everything by Friday.”
Spoiler: They won’t. Or worse—they’ll approve everything without reading a word.
True story: A tech company reviewed reviewer behavior (yes, really) and found 89% didn’t even open the attachments. One manager said, “If the system asks for it, it’s probably fine.” That manager is now VP.
CISO takeaway: If people can’t make informed decisions, you’re not reducing risk—you’re just generating PDF evidence.
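As an added illustration (not from the original post): a small Python check of the kind a program owner could run over a certification campaign's decision log to spot rubber-stamping. The log format, the field names and the thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed access-review decision log (not real campaign data). One record per
# line item: who reviewed it, what they decided, how long the item was open on
# screen, and whether the supporting evidence attachment was opened first.
SAMPLE_DECISIONS = (
    [{"reviewer": "alice", "item": f"app{i}:role", "decision": d, "seconds": s, "opened_evidence": True}
     for i, (d, s) in enumerate([("approve", 95), ("revoke", 140), ("approve", 70),
                                 ("revoke", 200), ("approve", 60)])]
    + [{"reviewer": "bob", "item": f"app{i}:role", "decision": "approve", "seconds": s, "opened_evidence": False}
       for i, s in enumerate([3, 2, 4, 3, 2, 3])]
    + [{"reviewer": "carol", "item": f"app{i}:role", "decision": "approve", "seconds": 2, "opened_evidence": False}
       for i in range(2)]
)


def reviewer_stats(decisions):
    """Per-reviewer approval rate, median seconds per item and evidence-open rate."""
    by_reviewer = defaultdict(list)
    for d in decisions:
        by_reviewer[d["reviewer"]].append(d)
    stats = {}
    for reviewer, items in by_reviewer.items():
        n = len(items)
        stats[reviewer] = {
            "items": n,
            "approve_rate": sum(d["decision"] == "approve" for d in items) / n,
            "median_seconds": median(d["seconds"] for d in items),
            "evidence_open_rate": sum(d["opened_evidence"] for d in items) / n,
        }
    return stats


def flag_rubber_stamps(decisions, min_items=5, max_median_seconds=10, min_evidence_open_rate=0.5):
    """Return [(reviewer, [reasons])] for reviewers whose pattern looks like bulk approval.

    Thresholds are illustrative assumptions; tune them per campaign. Reviewers
    with fewer than min_items decisions are skipped so noise is not flagged.
    """
    flagged = []
    for reviewer, s in reviewer_stats(decisions).items():
        if s["items"] < min_items:
            continue
        reasons = []
        if s["approve_rate"] == 1.0 and s["median_seconds"] <= max_median_seconds:
            reasons.append(f"approved 100% with a median of {s['median_seconds']:.0f}s per item")
        if s["evidence_open_rate"] < min_evidence_open_rate:
            reasons.append(f"opened evidence on {s['evidence_open_rate']:.0%} of items")
        if reasons:
            flagged.append((reviewer, reasons))
    return flagged


if __name__ == "__main__":
    for reviewer, reasons in flag_rubber_stamps(SAMPLE_DECISIONS):
        print(f"{reviewer}: " + "; ".join(reasons))
```

The point is the metrics, not the thresholds: approval rate, seconds per item and whether the evidence was opened are cheap to collect from most IGA platforms, and a reviewer who approves everything in three seconds without opening a single attachment is not operating a control, only generating evidence.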
4. Skipping Joiner-Mover-Leaver Basics
What happens: People leave, but their access doesn’t. Sometimes for months. Occasionally for years.
Classic blunder: A former employee at a media company accessed their still-active Box account six months after departure and shared confidential pitch decks. No breach notification—just a quiet legal settlement and some “process updates.”
CISO takeaway: Start with provisioning and deprovisioning. If you don’t get that right, nothing else matters.
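An added example, not part of the original post: reconciling an HR termination feed against an application's account export to catch exactly the situation in the Box story above, an account that stays enabled (and keeps being used) months after its owner left. Field names, the grace window and every record here are constructed assumptions; the logic is the same whatever the source systems are.

```python
from datetime import date

# Constructed HR feed: the system of record for who has left and when.
HR_FEED = [
    {"id": "e100", "status": "active", "terminated": None},
    {"id": "e101", "status": "terminated", "terminated": date(2024, 1, 15)},
    {"id": "e102", "status": "terminated", "terminated": date(2024, 6, 30)},
    {"id": "e103", "status": "terminated", "terminated": date(2024, 7, 13)},
]

# Constructed account export from a file-sharing app (field names are assumptions).
ACCOUNTS = [
    {"app": "box", "owner": "e100", "enabled": True, "last_login": date(2024, 7, 12)},
    {"app": "box", "owner": "e101", "enabled": True, "last_login": date(2024, 7, 1)},    # left in January, still logging in
    {"app": "box", "owner": "e102", "enabled": False, "last_login": date(2024, 6, 20)},  # correctly disabled at exit
    {"app": "box", "owner": "e103", "enabled": True, "last_login": date(2024, 7, 8)},    # left yesterday, inside the grace window
    {"app": "box", "owner": "svc-legacy", "enabled": True, "last_login": date(2023, 1, 1)},  # nobody in HR owns this
]

AS_OF = date(2024, 7, 14)  # constructed "today" for the reconciliation run


def find_orphaned_access(hr_feed, accounts, as_of, grace_days=1):
    """Enabled accounts whose owner has left (past the deprovisioning grace window)
    or is unknown to HR. Disabled accounts and active employees are ignored."""
    hr = {e["id"]: e for e in hr_feed}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        emp = hr.get(acct["owner"])
        if emp is None:
            # No HR identity behind the account: nobody can approve or revoke it.
            findings.append({"app": acct["app"], "owner": acct["owner"], "issue": "no HR record",
                             "days_overdue": None, "used_after_exit": None})
            continue
        left = emp["terminated"]
        if left is None:
            continue
        days_overdue = (as_of - left).days - grace_days
        if days_overdue <= 0:
            continue
        findings.append({"app": acct["app"], "owner": acct["owner"], "issue": "enabled after termination",
                         "days_overdue": days_overdue,
                         "used_after_exit": acct["last_login"] > left})
    return findings


if __name__ == "__main__":
    for f in find_orphaned_access(HR_FEED, ACCOUNTS, AS_OF):
        print(f"{f['app']}/{f['owner']}: {f['issue']} "
              f"(overdue {f['days_overdue']} days, used after exit: {f['used_after_exit']})")
```

Run this daily against every app that holds anything sensitive, and treat "used after exit" as an incident rather than a hygiene finding: a login after the termination date is the six-months-later pitch-deck story in progress.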
5. Garbage Data, Magical Thinking
“Our IGA tool will make smarter decisions over time!”
Sure—assuming the data feeding it isn’t a flaming trash pile.
Actually happened: An energy company was routing approvals based on a manager hierarchy last updated during the pandemic. One employee had been approving their own access for over a year. Efficient, if nothing else.
CISO takeaway: Clean your source systems. No tool can make good decisions with bad data.
6. Nobody Owns Anything
“Who owns this app?”
“Not sure—maybe Steve?”
“Steve retired in 2022.”
The result: Access requests hang in limbo, or worse—get approved by the wrong people. Meanwhile, auditors are circling.
Real case: A global retailer had 500+ apps and documented owners for fewer than 100. The rest? “Business TBD.”
CISO takeaway: No ownership = no governance. Start assigning accountability early, or you’ll be cleaning up access messes forever.
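An added example covering both pitfall 5 and pitfall 6, not from the original post: before a request is routed on the manager hierarchy, check that the hierarchy actually yields a valid approver (not the requester, not someone who retired in 2022), and check that every app in the catalogue has a documented owner who still works here. The directory snapshot, the catalogue and the field names are constructed assumptions.

```python
# Constructed directory snapshot (HR-sourced): employee id -> manager id and status.
DIRECTORY = {
    "e1": {"manager": "e9", "status": "active"},
    "e2": {"manager": "e2", "status": "active"},       # manager field points at the employee: self-approval
    "e3": {"manager": "e7", "status": "active"},       # manager left the company
    "e4": {"manager": None, "status": "active"},       # no manager recorded at all
    "e7": {"manager": "e9", "status": "terminated"},   # "Steve retired"
    "e9": {"manager": None, "status": "active"},       # top of the tree, legitimately has no manager
}

# Constructed application catalogue with the documented business owner per app.
APP_CATALOG = [
    {"app": "payroll", "owner": "e9"},
    {"app": "crm", "owner": "e7"},          # owner retired
    {"app": "legacy-ftp", "owner": None},   # "Business TBD"
    {"app": "wiki", "owner": "e42"},        # owner id that no longer exists anywhere
]


def resolve_approver(directory, requester, exempt=frozenset()):
    """Return (approver_id, issue). issue is None when manager-based routing is sound.

    exempt lists ids allowed to have no manager (e.g. the top of the tree); a
    real deployment would route those to a designated fallback approver."""
    entry = directory.get(requester)
    if entry is None:
        return None, "requester not in directory"
    manager = entry["manager"]
    if manager is None:
        return (None, None) if requester in exempt else (None, "no manager on record")
    if manager == requester:
        return manager, "self-approval: manager field points at requester"
    manager_entry = directory.get(manager)
    if manager_entry is None:
        return manager, "manager not in directory"
    if manager_entry["status"] != "active":
        return manager, "manager is no longer active"
    return manager, None


def audit_routing(directory, exempt=frozenset()):
    """Map every employee whose approval routing is broken to the reason."""
    issues = {}
    for uid in directory:
        _, issue = resolve_approver(directory, uid, exempt)
        if issue:
            issues[uid] = issue
    return issues


def audit_app_ownership(directory, catalog):
    """Map every app without a usable owner to the reason."""
    issues = {}
    for app in catalog:
        owner = app["owner"]
        if owner is None:
            issues[app["app"]] = "no owner documented"
        elif owner not in directory:
            issues[app["app"]] = "owner not in directory"
        elif directory[owner]["status"] != "active":
            issues[app["app"]] = "owner no longer active"
    return issues


if __name__ == "__main__":
    for uid, issue in audit_routing(DIRECTORY, exempt={"e9"}).items():
        print(f"routing {uid}: {issue}")
    for app, issue in audit_app_ownership(DIRECTORY, APP_CATALOG).items():
        print(f"owner {app}: {issue}")
```

Both checks are cheap to run every time the HR feed refreshes, and they turn "we think the hierarchy is current" into a number: how many people would approve their own access today, and how many apps have no one who can answer for them.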
7. Tool First, Strategy Later
“Let’s roll out the platform and figure out the policies after go-live.”
What could go wrong? (Everything.)
Seen it: A global insurer bought a top-tier IGA solution. Two years later, they were still doing certifications in Excel because no one defined any actual policies. But the dashboard looked great.
CISO takeaway: Process before platform. Otherwise, you’re just buying a very expensive reporting tool.
8. Compliance-Only Mindset
“We passed the audit. Isn’t that enough?”
Temporarily. Until someone notices that nothing actually changed.
Real-world example: A biotech firm passed audits with flying colors—while dozens of former contractors still had cloud admin rights. The access review was technically “completed.” No one looked too closely.
CISO takeaway: If your IGA program is only designed to survive audit season, it won’t survive an incident.
9. Leaving Privileged Access Out of Scope
“PAM handles that, right?”
Not if no one connected the dots.
Been there: A dev team shared an AWS root account that was never brought under IGA or PAM. It was compromised during a phishing test, and no one knew who had last used it—or why it still existed.
CISO takeaway: High-privilege access should be the first thing governed—not the last.
10. Underestimating Change Management
“We locked things down to improve security!”
And then you got a calendar invite titled “Access Emergency – CEO Blocked.”
True story: A telco rolled out a new access policy with zero communication. Within hours, exec dashboards were inaccessible. By lunch, access escalations were going straight to the CISO’s inbox.
CISO takeaway: Governance needs communication, or it turns into chaos. Nobody likes surprise restrictions—especially not the CFO.
Final Thought
IGA isn’t hard because of the technology. It’s hard because of the people, processes, and politics.
- You can’t automate what no one owns.
- You can’t govern what you can’t see.
- And you definitely can’t bluff your way through bad access decisions forever.
Budget helps—but good identity governance? That takes a lot more than funding. It takes follow-through.