Why Identity Governance Is Making A Comeback
Identity governance is making a comeback, but in a new form.
Shaun Archer
6/2/2026, 9 min read
Executive summary
Identity governance is back on the agenda, but not in its old form. What is returning is not the weary ritual of quarterly spreadsheet attestations. It is a more operational, security-led discipline: tighter ownership of access, smaller and smarter review scopes, better remediation, and far more automation. The pressure is obvious. Microsoft says its customers now face more than 600 million cybercriminal and nation-state attacks every day, with password-based attacks making up more than 99% of identity attacks and 7,000 password attacks blocked per second. At the same time, Okta reports that the average company now uses 101 applications, and security tools account for 40% of the fastest-growing app category in its 2025 dataset. That is a much larger, noisier estate than the one most access review programmes were originally designed for.
The business case has hardened as well. Omada’s 2025 survey of more than 500 large US enterprises found that 95% of respondents see identity security as a key part of cyber strategy, 86% are concerned about identity-related threats, 73.9% believe people in their organisations have access they do not need, and time-consuming manual processes rank among the strongest drivers of IGA investment. Identity Defined Security Alliance research points in the same direction: 22% of organisations now rank securing digital identities as the number one priority of their security programme, up from 17% in 2023, while 51% place it in their top three.
That shift matters because the old model was built for evidence collection. The new one is being built for control. NIST’s account-management control (AC-2 in SP 800-53) still requires organisations to review accounts at a defined frequency, and it links account discipline to least privilege and attack-surface reduction. CISA’s Zero Trust maturity model pushes the same function further, from manually updated identity policies to enterprise-wide automation, continuous enforcement and dynamic updates. In other words, access review is moving from an audit event to a living control.
The practical consequence is simple to state and difficult to fake: modern access reviews are becoming narrower, more contextual and more connected to action. They prioritise inactivity, privilege, anomalies, external identities, disconnected apps and service accounts. They route decisions to people who actually understand the access. They offer machine assistance, but not blind machine authority. And when they work, they cut cycle times sharply. Public customer stories describe certification time dropping from a year to a month at St James’s Place, and certification review time falling by about 90% at Sallie Mae after automation.
Context and history
Identity governance has older roots than most current marketing copy admits. NIST traces a major turning point to its 1992 work on role-based access control, which became the dominant model for deciding who should be allowed to do what. The underlying problem has not changed since then. NIST still defines identity and access management in blunt, useful terms: making sure the right people and things have the right access to the right resources at the right time.
What did change was the operating model around that principle. In the first big wave of enterprise identity governance, especially in heavily regulated sectors, access reviews were packaged as certifications: periodic, campaign-driven attestations designed to prove that controls existed and that managers had signed off. SailPoint’s documentation is candid about this lineage. It describes certifications as core to compliance activity and notes that periodic certifications provide a snapshot view of identities, roles and account groups. Microsoft’s Entra documentation says much the same in more modern language: each review instance captures a snapshot of access at the beginning of the cycle, and changes made during the review are reflected in the next recurrence.
That older model was not irrational. It matched the shape of enterprise IT at the time: a smaller application estate, clearer employee hierarchies, more stable role design, and a compliance programme that often revolved around financial systems, privileged access and annual or quarterly control testing. NIST’s AC-2 account-management control still reflects that durable baseline by requiring organisations to define accounts, authorisations and memberships, review accounts at a defined frequency, and disable inactive accounts.
The problem is that the baseline stopped being enough. Snapshot reviews work tolerably well when access is relatively static. They work badly when identities and entitlements change every day, third parties move in and out of collaboration spaces, service accounts multiply, and business teams expect access to be fulfilled in minutes rather than weeks. The comeback of identity governance is really a response to that mismatch. The discipline has not been rediscovered. It has been forced to grow up.
Drivers of resurgence
The first driver is scale. Okta’s 2025 data shows the average organisation using 101 apps, finally breaking through the hundred-app threshold. That number matters because every application brings its own groups, entitlements, role schemes, external users, service dependencies and exceptions. More software does not just mean more accounts. It means more decisions, more drift and more blind spots.
The second driver is threat pressure. Microsoft’s 2024 Digital Defense Report says more than 99% of daily identity attacks are password-based, and Verizon’s 2024 DBIR reports that stolen credentials have appeared in almost one-third of breaches over the last decade. Verizon also found that the median time for users to fall for phishing is under 60 seconds. That is not an environment in which stale access or overly broad standing permissions can be shrugged off as administrative untidiness. It is an environment in which access sprawl becomes attack surface.
The third driver is the sheer obviousness of over-permissioning. Omada’s 2025 research found that 73.9% of respondents agree people in their organisations have access they do not need, and its 2024 report described digital transformation and hybrid work as primary catalysts for modernising identity governance. The same 2025 study found that more than half of respondents rate manual processes as a leading business issue behind IGA investment, while 26.9% still use legacy IGA that does not support modern open standards and another 12% still rely on in-house-built systems. That is the classic signature of a market due for reinvestment: everyone recognises the problem; too many are still solving it with yesterday’s tools.
The fourth driver is regulatory and control pressure. NIST AC-2 remains explicit about account review and inactive-account handling. NIS2’s implementing regulation specifically calls for coherent topic-specific policies on access control. DORA, meanwhile, adds another layer of pressure in financial services by requiring a documented ICT risk-management framework and governance around how digital operational risk is handled. None of these frameworks says “buy an IGA tool”. They do something more consequential: they make weak access governance harder to defend.
The fifth driver is strategic prioritisation. Identity is no longer seen as a plumbing problem. Omada’s 2025 survey found increased security funding at nearly 90% of responding organisations, and IDSA’s 2024 research shows secure digital identity climbing sharply in security priority. Once boards and executive teams start treating identity as a first-order security concern, access reviews stop being a back-office compliance chore and become a visible test of operational discipline.
Modern approaches to access reviews
The modern pattern begins with better scoping. Instead of throwing every entitlement at every manager every quarter, leading programmes define review populations by risk and context: privileged groups, external users, regulated applications, dormant access, high-risk combinations of rights, and exceptional permissions. Microsoft’s Entra platform documents several of these explicitly, including reviews for guest users, inactive-user recommendations, reviews of PIM for Groups covering both active and eligible membership, and catalog access reviews that let managers review multiple resource types, including disconnected resources, in a multi-stage process.
Reviewer logic is changing too. Traditional reviews often defaulted to line managers, whether or not those people understood the access in front of them. Modern systems can delegate to group owners, application owners, resource owners, fallback reviewers or, where appropriate, to the user for self-attestation. Microsoft explicitly recommends delegating reviews to admins, business owners or users who can self-attest. Okta’s governance model similarly supports resource owners, certification reviewers and automated routing through workflows and APIs. The improvement here is not merely convenience. It is decision quality.
Decision support has also become more contextual. Microsoft supports inactive-user recommendations and user-to-group affiliation recommendations. Okta’s security access reviews prioritise resources based on criticality and anomalies, and give reviewers AI-generated summaries and anomaly context. SailPoint surfaces AI-based access recommendations, while Saviynt says it can automate up to 75% of access review decisions and reduce decision times for requests and reviews by up to 70%. Whether one uses all those features is another matter. The important point is that the review itself is no longer expected to be blind.
The trigger model is shifting fastest. In the old world, reviews happened because the calendar said so. In the newer one, they still recur, but they are increasingly supplemented by event-driven controls. Okta documents “security access reviews” launched manually or automatically in response to incidents and specific security events. Microsoft is moving towards user-centric catalog reviews and disconnected-resource coverage, and in the broader identity-control plane it offers continuous access evaluation, which revokes sessions on risk signals rather than re-certifying entitlements, so it complements reviews rather than replacing them. The conceptual shift is hard to miss: review at the point of risk, not only at the point of audit.
Finally, the population under governance is expanding. Service accounts are now in scope in Okta Privileged Access certifications, and Okta’s 2025 non-human identity material says NHIs can outnumber humans by 50 to 1. If a review programme still covers only employees and a few core apps, it is not modern. It is partial.
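The scoping, routing and recommendation logic described in this section, as an added example that is not code from Microsoft Entra, Okta, SailPoint, Saviynt or Omada: a small Python model that builds a risk-scoped review population from constructed identity and entitlement data (dormant accounts, guests, service accounts, regulated and privileged entitlements, separation-of-duties conflicts), routes each item to the resource owner, then the line manager, then a fallback reviewer, and attaches a machine recommendation the reviewer can override. The 90-day inactivity threshold, the 70% peer-affiliation cut-off, the regulated, privileged and toxic-combination entitlement sets, the reviewer names and every identity and grant are assumptions made for the example.

```python
"""Risk-scoped access review: build the review population, route each item to a
reviewer who understands the access, and attach a machine recommendation that
the reviewer can accept or override.

Added illustration, not code from any product named in the article. Thresholds,
entitlement sets, reviewer names and sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

TODAY = date(2026, 2, 6)    # assumed "as of" date for the inactivity check
INACTIVE_DAYS = 90          # assumed dormancy threshold; AC-2 leaves the period to the organisation
PEER_AFFILIATION = 0.7      # assumed share of departmental peers holding the same access for an approve hint
REGULATED_APPS = {"erp"}    # assumed: entitlements in these apps are always in scope
PRIVILEGED = {"erp:approve-payment", "prod-db:admin"}                    # assumed privileged entitlements
SOD_PAIRS = [frozenset({"erp:create-vendor", "erp:approve-payment"})]    # assumed toxic combinations
FALLBACK_REVIEWER = "iam-team"

@dataclass
class Identity:
    id: str
    kind: str                   # "employee", "guest" or "service"
    department: str
    manager: Optional[str]
    last_sign_in: Optional[date]

@dataclass
class Grant:
    identity: str
    entitlement: str            # "app:permission"
    app_owner: Optional[str]    # resource owner, if the application has one

@dataclass
class ReviewItem:
    identity: str
    entitlement: str
    reasons: List[str]          # why this grant is in scope
    reviewer: str
    recommendation: str         # "approve", "deny" or "review" (no machine opinion)

def scope_reasons(ident: Identity, grant: Grant, held: Set[str]) -> List[str]:
    """Risk reasons that pull a grant into the review; an empty list means out of scope."""
    reasons = []
    if ident.last_sign_in is None or (TODAY - ident.last_sign_in).days > INACTIVE_DAYS:
        reasons.append("inactive")
    if ident.kind == "guest":
        reasons.append("external")
    if ident.kind == "service":
        reasons.append("non-human")
    if grant.entitlement.split(":")[0] in REGULATED_APPS:
        reasons.append("regulated")
    if grant.entitlement in PRIVILEGED:
        reasons.append("privileged")
    if any(grant.entitlement in pair and pair <= held for pair in SOD_PAIRS):
        reasons.append("sod-conflict")      # the identity holds both halves of a toxic pair
    return reasons

def route(ident: Identity, grant: Grant) -> str:
    """Resource owner first, then line manager, then fallback; service accounts have no manager."""
    return grant.app_owner or ident.manager or FALLBACK_REVIEWER

def peer_affiliation(ident: Identity, entitlement: str, identities, grants) -> float:
    """Share of the identity's employee peers (same department) who hold the same entitlement."""
    peers = [i for i in identities.values()
             if i.kind == "employee" and i.department == ident.department and i.id != ident.id]
    if not peers:
        return 0.0
    holders = {g.identity for g in grants if g.entitlement == entitlement}
    return sum(p.id in holders for p in peers) / len(peers)

def recommend(reasons: List[str], affiliation: float) -> str:
    """Machine assistance, not machine authority: privileged access never gets an approve hint."""
    if "inactive" in reasons or "sod-conflict" in reasons:
        return "deny"
    if "privileged" not in reasons and affiliation >= PEER_AFFILIATION:
        return "approve"
    return "review"

def build_review(identities: Dict[str, Identity], grants: List[Grant]) -> List[ReviewItem]:
    held: Dict[str, Set[str]] = {}
    for g in grants:
        held.setdefault(g.identity, set()).add(g.entitlement)
    items = []
    for g in grants:
        ident = identities[g.identity]
        reasons = scope_reasons(ident, g, held[g.identity])
        if not reasons:
            continue    # active, unregulated, unprivileged access is sent to nobody
        aff = peer_affiliation(ident, g.entitlement, identities, grants)
        items.append(ReviewItem(ident.id, g.entitlement, reasons, route(ident, g), recommend(reasons, aff)))
    return items

def summarise(items: List[ReviewItem]) -> Dict[str, int]:
    counts = {"approve": 0, "deny": 0, "review": 0}
    for item in items:
        counts[item.recommendation] += 1
    return counts

# Constructed sample estate (assumed data, not taken from any real tenant).
IDENTITIES = {i.id: i for i in [
    Identity("alice", "employee", "finance", "bob", date(2026, 1, 30)),
    Identity("carol", "employee", "finance", "bob", date(2025, 9, 1)),       # dormant
    Identity("dan", "employee", "finance", "bob", date(2026, 2, 3)),
    Identity("eve", "guest", "partner", None, date(2026, 2, 1)),             # external collaborator
    Identity("svc-backup", "service", "platform", None, date(2026, 2, 5)),   # non-human identity
]}
GRANTS = [
    Grant("alice", "erp:view-ledger", None), Grant("alice", "erp:approve-payment", "finance-controller"),
    Grant("alice", "wiki:edit", None),
    Grant("carol", "erp:view-ledger", None), Grant("carol", "erp:create-vendor", None),
    Grant("carol", "erp:approve-payment", "finance-controller"),
    Grant("dan", "erp:view-ledger", None), Grant("dan", "erp:create-vendor", None), Grant("dan", "wiki:edit", None),
    Grant("eve", "sharepoint:project-x", "project-x-owner"),
    Grant("svc-backup", "prod-db:admin", None),
]

if __name__ == "__main__":
    items = build_review(IDENTITIES, GRANTS)
    for it in items:
        print(f"{it.identity:10} {it.entitlement:22} -> {it.reviewer:18} {it.recommendation:8} {it.reasons}")
    print(summarise(items))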
Tooling, automation and practice comparison
The common denominator across current platforms is not a brand or an interface. It is an operating idea: reviews should be easier to launch, easier to route, easier to complete, and easier to prove. Microsoft emphasises delegated reviews and automated outcomes. SailPoint emphasises automated certifications, AI recommendations, reminders, remediation verification and reporting. Okta adds security-triggered reviews, Governance Analyser insights, workflows and automatic remediation. Omada focuses on recertification workflows and compliance dashboards, while Saviynt leans into continuous reporting, risk-aware certifications and decision assistance.
Case studies and examples
Public outcome data on access review modernisation is still patchy. Much of the concrete evidence comes from vendor-published or vendor-syndicated customer stories rather than independent benchmarking. Even so, a few examples are useful because they attach numbers to what “better” actually looks like.
Sallie Mae is one of the clearer public examples. According to a syndicated SailPoint customer case study, the company automated quarterly certifications for 52 applications within six months, eliminated spreadsheet-based reviews and cut access-certification review time by about 90%. That matters because it shows three things happening at once: broader coverage, faster completion and lower operational drag. It is not just a story about audit readiness; it is a story about scale.
Trane Technologies offers a broader, equally instructive example from an official SailPoint customer story. The company reports 70,000 identities managed, 12,000 workflows automatically managed, a 40% reduction in manually provisioned support tickets, and average fulfilment of access or account-creation requests in 30 seconds after approvals. This is not a pure access-review case, but it shows why identity governance is resurging at all: review, fulfilment, removal and proof are increasingly part of one operating fabric rather than separate teams and tools.
Coca-Cola Hellenic Bottling Company provides a third angle from an official Omada case study. After moving away from a legacy SAP-based approach, it reduced provisioning times by 80% and, in one week, automated the assignment of more than one million tasks. Again, that is broader than certification alone. But it illustrates the real point of modern governance programmes: once access data, ownership and workflow are cleaned up, reviews stop being isolated campaigns and start becoming one control in a much more efficient lifecycle.
One public benchmark is especially striking because it discloses a like-for-like before-and-after cycle time for certifications. St James’s Place reported reducing certification time from one year to one month after automating identity governance with SailPoint.
Future outlook
The direction of travel is clear. Identity governance is converging with privileged access, identity posture, workflow automation and incident response. Microsoft is moving towards user-centric catalog reviews and broader identity-governance integration. Okta is explicitly tying security events to access review. Saviynt is pairing IGA with continuous reporting and identity posture management. In the next few years, the interesting question will not be whether an organisation “has access reviews”. It will be whether its review decisions are continuous enough, contextual enough and provable enough to matter.
That shift will also broaden the scope of what counts as reviewable access. Privileged eligibility, guest collaboration, disconnected applications, service accounts and non-human identities are all moving into standard governance patterns. This is one reason the comeback feels different from the last cycle. The centre of gravity has moved beyond employee access to finance systems. It now includes the ugly edges of the estate: temporary projects, cross-tenant collaboration, machine credentials, automation accounts and AI-adjacent identities.
AI will help, but it will not rescue a bad control model. Recommendations, summaries and prioritisation are now common across major tools. Yet those features all depend on the same old disciplines: accurate identity data, clear ownership, narrow review populations, and verified remediation. Human judgement is not going away. It is being pushed towards the places where it is actually useful. That is the best way to understand the resurgence of identity governance. Not as nostalgia. As adaptation.
Open questions and limitations remain. Public case-study metrics are mostly vendor-published or vendor-syndicated rather than independently audited. Any roadmap or KPI thresholds derived from the figures in this article are therefore best treated as strong starting points, not universal baselines. The exact target state for your organisation depends on several unspecified details: number of authoritative sources, quality of manager and entitlement metadata, connector availability, privileged-access architecture, and the relevant regulatory perimeter.