The IGA implementation gap: why services need to evolve

The consultant dependency: why IGA became a services industry

Identity Governance and Administration promised organizations control over who accesses what. Delivering on that promise requires skilled implementation expertise, but this expertise only creates lasting value when paired with modern technology.

‍

‍

What exactly is the IGA consultant dependency about?

‍

The IGA implementation challenge specifically refers to the significant effort required to deploy, configure, and maintain Identity Governance and Administration platforms...The question facing organizations today is not whether to engage services partners, it is how to ensure those engagements are powered by the right tools and methodologies. Professional services costs in IGA deployments typically run 35× the software license fee, and initial 1 Blog 3: The IGA implementation gap: why services need to evolveimplementations average 1224 months. These figures reflect genuine complexity, but they also reflect an opportunity to do things better.\

‍

• $8.9B market size Global IGA market size by 2027 MarketsandMarkets, 2024
• 35  Services cost vs. license fee in a typical IGA deployment Gartner, 2023
• 18 mo. Average enterprise IGA implementation timeline IDC Identity Survey, 2024
• 90% Access certifications approved without meaningful review Ponemon Institute, 2023

‍

‍

The original promise of IGA

The definition of Identity Governance and Administration (IGA)

‍

IGA is a cybersecurity discipline and software category that provides visibility and control over user access rights across enterprise IT systems. Core IGA capabilities include access request and provisioning, role management, access certification (periodic review of entitlements), segregation of duties SoD) enforcement, and audit reporting. Major IGA vendors include SailPoint Technologies, Saviynt, One Identity, IBM Security Verify, and Oracle Identity Governance.

‍

When IGA emerged as a distinct software category in the late 2000s, the value proposition was clear and compelling. Enterprises were drowning in access sprawl, they had thousands of identities spread across hundreds of applications, with no reliable way to answer the fundamental questions of identity security: Who has access to what? Is that access still appropriate? What changed when someone left the organization?

‍

IGA platforms promised a centralized answer: connect your systems, define your policies, and gain automated access certifications, role lifecycle management, and audit-ready compliance reporting. Compliance officers were convinced. CISOs approved the budget. And then implementation began.

‍

‍

How IGA implementation evolved over time

‍

‍

2007-2010

Legacy IAM vendors bolt governance onto provisioning tools

‍

First-generation IGA platforms were architected for maximum configurability. They were composed of complex Java-based engines and connector frameworks, with schema-driven role models that became the category standard. Skilled specialists (concentrated at large systems integrators) became essential to making these platforms deliver value.

‍

2011-2014

The SI ecosystem matures

Accenture, Deloitte, IBM Global Services, and Wipro built dedicated IGA practices. Vendor certifications proliferated. The depth of expertise these firms accumulated was real and valuable, but it also became concentrated outside most in-house teams, creating a knowledge gap that needed active bridging.

‍

‍

2015-2018

SaaS and cloud multiplied the integration surface

‍

The average enterprise application portfolio grew from dozens to hundreds of SaaS tools. Traditional connector architectures now struggle with REST APIs, OAuth, and ephemeral cloud entitlements. This created new opportunities for services partners who could navigate this expanding landscape.

‍

‍

2019-2024

Remote work accelerated the problem

‍

The shift to distributed work exploded application footprints overnight. IGA backlogs grew faster than teams can clear them, even today. The question became how to make those engagements more efficient and outcome-focused.

‍

‍

2025-present

AI-native challengers emerge

‍

AI-native platforms like Klyro give services partners the technology to deliver implementations faster, at lower cost, and with stronger governance outcomes. Rather than replacing the expertise of experienced SIs, these tools amplify it and enable partners to focus on strategic value rather than manual configuration.

‍

‍

The four structural challenges in IGA implementation

‍

The complexity of IGA implementation is not primarily a market failure. It is an architectural consequence of how the category's leading platforms were designed. Understanding these challenges is the first step toward addressing them, which is exactly what forward-thinking services partners are doing with modern tooling.

‍

1. Connector-first architecture. Every application integration requires a custom connector developed, tested, and maintained as APIs evolve. For an enterprise with 200+ applications, this is a permanent engineering workload that only specialized consultants can sustain. AI-native approaches can automate connector generation, dramatically reducing the manual effort involved.
2. Open-ended role modeling. Defining business roles that reflect how access is actually used (not just what the org chart implies) requires deep institutional knowledge and iterative refinement. Consultants bill hundreds of hours on role model design alone. This is an area where experienced services partners genuinely add value and where behavioral data can make their recommendations far more accurate.
3. Context-free access certifications. Periodic access reviews generate thousands of decisions for managers who have no usage data, no risk signals, and no peer benchmarking. The cognitive overload guarantees rubber-stamping, making the process audit theater rather than security practice. The solution is not fewer reviews, but a richer context embedding risk signals, usage data, and peer benchmarking directly into the workflow.
4. Cumulative customization debt. Every workflow exception, edge-case policy, and org-specific report is a custom build. Platform upgrades break customizations. Consultants return. Each engagement adds new technical debt that makes the next engagement inevitable. Modern platforms designed to minimize customization debt allow services partners to invest time in higher-value work.

‍

‍

The path forward for services partners

‍

The IGA implementation landscape is changing. The most forward-thinking services partners are already recognizing that AI-native tooling does not threaten their value, but elevates it. Firms that adopt modern platforms can compress implementation timelines, reduce manual configuration, and focus their expertise where it matters most: understanding business context, designing governance frameworks, and driving adoption.

‍

The market data makes the opportunity clear. With a global IGA market approaching $9B and persistent demand for skilled governance expertise, there is no shortage of work to be done. The question is whether that work is delivered with yesterday's tools or tomorrow's.

‍

Services partners who embrace AI-native platforms are positioned to offer something genuinely new: implementations that are faster, governance that is more accurate, and ongoing engagements that create compounding value rather than compounding technical debt.

‍

‍

The compliance theater problem: certifications without insight

‍

There is a deeper challenge beneath the implementation complexity: traditional IGA, as implemented across most enterprise environments, often improves audit posture more than actual security posture. This is not a problem created by services partners, it is a problem they are well-placed to solve.

‍

Access certifications are the clearest example. In theory, periodic reviews ensure entitlements remain appropriate as roles and responsibilities shift. In practice, the typical access review presents managers with hundreds or thousands of access decisions, without usage data showing whether the access is actively used, 5 Blog 3: The IGA implementation gap: why services need to evolvewithout risk signals indicating whether a given entitlement is anomalous, and without peer benchmarking showing whether similar roles hold similar access.

‍

The outcome is predictable. Research from the Ponemon Institute consistently shows that more than 90% of access certifications are approved without substantive review. The certification occurred. The risk was not meaningfully assessed. The compliance checkbox was filled. The security gap persisted.

‍

‍

Why do access certifications fail?

Access certifications fail primarily because reviewers lack the context needed to make meaningful decisions. When a manager is asked to review 400 line items with no data on whether each access right is used, whether it is anomalous compared to peers, or whether it presents elevated risk, the rational response is to approve everything. The problem is not negligent managers, but a system that generates review volume without generating decision-relevant information. Until usage data and risk intelligence are embedded in the certification workflow, high approval rates will persist regardless of process improvements.

‍

‍

The identity data gap nobody discusses

‍

Effective identity governance requires more than knowing who has access to what. It requires knowing how that access is actually used, how it compares to peers in similar roles, how it correlates with risk indicators elsewhere in the environment, and how it has changed over time.

‍

Traditional IGA platforms were provisioning and workflow tools first. They captured access state well. They captured access behavior rarely. Role mining was performed on structural data (job titles, department assignments, historical provisioning records) rather than on behavioral signals. The result was role models that looked logical on paper but diverged significantly from actual access patterns.

‍

This identity data gap is why governance decisions made inside traditional IGA platforms remain, in large part, educated guesswork. A right that looks appropriate from an entitlement perspective may be completely unused. An entitlement that appears benign in isolation may be highly anomalous in context. Without behavioral and risk intelligence layered onto access data, the governance value IGA promises is structurally harder to reach.

‍

That is the gap Klyro was built to close, and why services partners who work with Klyro are able to deliver governance outcomes that were previously out of reach.

‍