The economics of IGA onboarding are broken

Most organizations spend millions on Identity Governance and still govern fewer than a third of their apps. The math was never going to work.

Tim Chang

Identity Architect at Klyro

Published on May 7, 2026

The economics of IGA onboarding are broken. Organizations spend millions trying to govern access, yet coverage often advances far more slowly than the investment suggests it should. The issue is not the value of governance itself. The issue is that onboarding applications into IGA platforms remains too slow, too expensive, and too operationally heavy to scale. What looks like a strategic security investment on paper often turns into a long, costly effort that barely moves the coverage needle.

That breakdown shows up most clearly in application onboarding. IGA often looks comprehensive on slides and partial in practice. And the reason is not hard to find: the model breaks down where it matters most, onboarding applications at scale.

Most organizations do not start from a place of bad intent. They start with real constraints. Budgets are limited. Teams are stretched. Regulatory, audit, and compliance pressure pushes organizations to prioritize the applications with the clearest control requirements, because those systems are easier to justify, fund, and defend. That prioritization is understandable.

The problem is not the prioritization itself. The problem is what gets left behind. What gets left behind is everything that does not fit the ideal onboarding path: custom applications, legacy systems, apps with no API support, and anything that requires heavy code changes. It also includes the long tail of internal tools, lower-visibility systems, and applications with unclear ownership or incomplete documentation. In other words, the harder an application is to onboard, the easier it is to ignore.

That is where traditional IGA starts to lose ground. The easiest applications get onboarded first. The hardest ones get deferred. Over time, the backlog becomes a collection of everything the operating model is least equipped to handle. And the cycle keeps reinforcing itself.

Security incidents lead to new regulations and control expectations, which keep pulling organizations back toward the same compliance-focused onboarding pattern. As a result, the same narrow set of applications keeps getting attention while the broader backlog continues to grow. Instead of expanding coverage, the model keeps doubling down on the same constrained slice of it.

This creates a dangerous illusion of control. No organization can predict with confidence which application will become the starting point for the next breach. That is precisely why an IGA model built around narrow, compliance-driven coverage leaves so much risk behind.

A dashboard may look healthy. Certification campaigns may run on schedule. A subset of critical systems may be tightly governed. But that does not change the larger issue: a meaningful portion of the application portfolio may still sit outside consistent visibility, access modeling, and lifecycle governance. That is the gap many organizations are living with today. Inside the governed perimeter, the program can look mature. Outside it, the environment is often fragmented, manually managed, or untouched altogether.

And then the economics start to break down. What usually happens next is predictable. Organizations start with the compliance-driven applications. After that, they create a second list for everything else. But by then, the budget is tighter, the IAM team is exhausted, and the program has already lost momentum. Coverage barely moves despite significant investment. The roadmap shrinks. The backlog grows. And the value becomes harder to defend.

Meanwhile, the application estate does not stand still. Apps are retired. New apps are introduced. Others may only live for another 12 to 18 months. Acquisitions add more systems. Business units adopt niche tools. Engineering teams build internal applications faster than governance teams can assess them. So even when the backlog is being worked, the target keeps moving.

That creates an obvious question: why spend heavily to onboard an application that may be gone before the effort pays off? The longer onboarding takes, the weaker the cost-benefit becomes. Eventually, organizations get stuck in a loop where the next application never feels worth the effort.

That is when the conversation changes. Organizations get tired of paying consultants millions to onboard applications that barely move the coverage needle. Eventually, executives ask the obvious question: why are we spending this much for so little real progress?

At that point, the governance conversation starts to become an acceptable-risk conversation. Instead of asking how to govern the full application estate, organizations start asking how much unmanaged exposure they are willing to tolerate. When the math stops working, full coverage quietly becomes acceptable exposure. That is not a scalable security model. It is a compromise.

And that is why this issue keeps surfacing across IGA and IAM programs. The challenge is not that the goals are wrong. The challenge is that the operating model is too expensive, too slow, and too dependent on human effort to produce meaningful coverage across a real enterprise environment.

This is the real bottleneck: onboarding. If onboarding an application still takes 6 to 8 weeks, a team of consultants, repeated back-and-forth with the application team, and heavy involvement from IAM, coverage will never catch up. It does not matter how strong the strategy sounds or how mature the governance framework looks on paper. If the operating model is too slow and too expensive, the outcome will always be partial.

That is why so many IGA and IAM programs feel stuck. Not because teams do not care. Not because organizations do not understand the risk. But because the onboarding model was never built for the volume, diversity, and rate of change that define the modern application portfolio.

The real fix is not another prioritization exercise. It is changing the onboarding model itself. If onboarding still takes weeks, consulting hours, and heavy coordination, coverage will never catch up. AI has to collapse that timeline from months to days.

The goal should be simple: take what is currently a 6 to 8 week, consultant-heavy onboarding process and reduce it to days with AI and minimal interaction from the application team, IAM team, and the broader organization. Until that happens, most organizations will keep repeating the same cycle: govern the easy-to-justify apps, defer the hard ones, and call the resulting gap acceptable risk.

If IGA is going to deliver real security value, onboarding has to become fast enough, cheap enough, and light enough to scale across the full application portfolio, not just the portion that is easiest to justify.
