Introduction
Zilla Security recently held a webinar to discuss the newly unveiled 2025 State of IGA Survey results. This is a survey of 300 identity leaders from organizations in a variety of industries. Zilla’s Chief Strategy Officer, Mark Jaffe, facilitated a discussion with two experts in the world of IGA: Brian Cap, IGA Practice Director at GuidePoint Security, and Zilla’s own Co-Founder and CEO, Deepak Taneja.
Brian, Deepak, and Mark discussed the results of the survey, putting them into context with historical changes in IGA, issues of automation and integration, and the use of roles and AI in identity governance. They also had time to take a few questions from webinar attendees.
We encourage you to see the recording from the webinar, Identity Governance Agony, for yourself, but if you’re looking for a recap, read on.
A historical shift in IGA
Deepak got the ball rolling by describing his involvement in IGA going back to the founding of Aveksa in 2004. At that point IGA was primarily focused on the problems of compliance, and the IT world was dominated by on-premises applications. In contrast, today’s world includes SaaS and cloud applications, and the business drivers for IGA have expanded to include lifecycle management and cyber security. Identity leaders face increases in regulations, desires for efficiency gains, and a new world in which cyber attackers increasingly leverage identities as an attack vector.
Brian added that IGA tools themselves have transitioned from running on premises to running primarily in the cloud. He talked about the trade-offs between conforming to best practices as defined by the IGA tool and trying to configure the tools to match your own existing practices.
Automation and integration—key challenges and solutions
Mark described some of the survey findings around automation and integration, including the surprising result that 84% of organizations rely heavily or completely on manual processes to perform identity tasks. He also talked about how 83% of respondents point to the difficulty of integration as the primary cause for sticking with manual processes.
Brian, with his extensive experience helping organizations implement IGA solutions, had a perceptive view of this situation. He talked about the connector catalog problem, which comes from the wide array of applications that an IGA solution needs to integrate with. Some applications have well-developed APIs, while others he described as “horrific.” Furthermore, there’s a question of integration depth, because the organization itself often doesn’t understand management, user grouping, and entitlements for all its applications. Or, rather than being concentrated within IT, the knowledge is scattered throughout the organization. This can make automation challenging.
Deepak saw the situation the same way and reflected on how these very issues drove Zilla in its current direction. He said that in the cloud era, decentralization of ownership and administration is pervasive and must be considered. The focus must be on involving application owners and data owners, wherever they sit within the organization. And the IGA solution accordingly has to be simple, with a self-service automation model that is coordinated and driven by a centralized team, but not executed by them.
The challenges of Roles, and AI as an opportunity
The discussion moved on to roles, as Mark talked about survey results indicating that only 10% of respondents said they had defined identity roles that they could maintain with minimal difficulty, the other 90% essentially struggling or not bothering at all. Mark posed a common question in the world of IGA—“Why is it so hard?”
Brian took the first stab at addressing this and alluded to the earlier issue of the knowledge problem around the applications themselves. He also pointed out that understanding the users is an issue, with most of what identity solutions need to know about users coming from HR. However, HR categories, such as job titles, often don’t provide everything an identity administrator needs. He talked about how he thinks about entitlements as falling into one of two categories: ones that can be automatically assigned and ones that are requestable. Thus, a certain minimum of entitlements that have a high degree of confidence can be handled automatically, with manual effort only needed for the rarer assignments. Organizations that have very well-defined job titles will be able to automate more than organizations with ambiguous titles.
Deepak agreed that most organizations struggle with RBAC because they expect too much, and the role management tools they’re using require too much manual effort. The key issue is the distributed nature of the information you need—much of it outside IT. So, the Zilla approach has been to leverage AI, to “get AI to go through this massive data set about employees and consultants and the access they have. And to the extent that the data is clean…AI can figure out the right model.”
Provisioning delays vs. the burden of access reviews
Mark pivoted the discussion over to the survey results regarding provisioning and access reviews. Survey results indicated 29% of organizations take 11 or more days to provision a new user, with only 9% being able to provision in less than two days. On the access review side, 39% say they are struggling to keep up, and only 18% handle reviews with no issues.
Brian’s perspective on the provisioning issue was that, while important, it’s not a top concern. For one thing, it’s a one-time issue for each user. Also, a user can be less than 100% provisioned while still having most of the access they need to start work.
Deepak talked about the access review problem and cited an example:
We started working a little over a year ago with a healthcare organization with about 30,000 employees, hundreds of applications, many in the cloud, a few on prem. And every quarter application owners, hundreds of application owners, were running around doing a ton of work to feed their entitlement data into some sort of centralized warehouse using CSV and Excel spreadsheets. The business impact of collecting all that data was huge.
Deepak talked about the benefits of applying automation to the problem, using API integration, robotic automation, and AI-generated user profiles.
Public cloud infrastructure
In the final minutes of the webinar, Mark, Brian, and Deepak spent time on a question from the audience regarding the use of IGA to administer identities in public cloud infrastructure. Brian talked about the “ephemeral” nature of cloud entitlements and the use of cloud identity entitlement management (CIEM) solutions. Deepak described cloud platforms as “sort of mini environments of their own” and offered thoughts on how to handle them.
We invite you to join us on February 13th for our next webinar, which will explore how to use AI to provision job-appropriate access. Contact our team today if you would like to schedule a personalized demo of Zilla’s solution.