IT Glossary

Identity Governance and Administration (IGA)

Identity Governance and Administration (IGA) ensures access is appropriate and auditable. Learn how IGA works, IGA vs PAM, and how Corma automates it.

July 3, 2026

What is Identity Governance and Administration (IGA)?

Identity Governance and Administration (IGA) is the area of IAM focused on governing access: making sure it is appropriate, compliant, and auditable. It combines identity administration (provisioning, role management) with governance functions such as access reviews, access certification, policy enforcement, and separation of duties. IGA answers not just "can this user log in" but "should this user have this access, and can we prove it."

How IGA works

  • Centralizes a view of who has access to what across all systems.
  • Enforces access policies, including role definitions and separation of duties.
  • Runs periodic access reviews and certifications with accountable owners.
  • Detects and remediates excessive, orphaned, or conflicting access.
  • Produces audit trails that satisfy ISO 27001, SOC 2, and NIS2 requirements.

IGA vs PAM

Both reduce access risk, but they target different problems.

IGA focuses on governing all user access across every employee and identity, using reviews, certification, SoD, and policy, with the goal of appropriate and provable access. PAM focuses on securing privileged accounts (administrators, root, and service accounts), using vaulting, session control, and just-in-time elevation, with the goal of contained, monitored elevation.

Examples and use cases

Ahead of an ISO 27001 audit, a finance scale-up needs to prove every employee's access is justified. With IGA, app owners certify access quarterly, conflicting permissions are flagged, and orphaned accounts are removed, all with an exportable audit trail. Done manually in spreadsheets this takes weeks. Automated, it becomes a repeatable control.

Related concepts

FAQ

What is the difference between IAM and IGA?

IAM manages identities and access broadly. IGA is the governance layer that reviews, certifies, and proves that access is correct and compliant.

Why is IGA important for compliance?

Frameworks like ISO 27001 and SOC 2 require evidence that access is appropriate and regularly reviewed. IGA produces that evidence through certifications and audit trails.

Is IGA the same as PAM?

No. IGA governs all user access, while PAM specifically secures and monitors high-privilege accounts.

Corma automates access reviews, certification, and SoD checks with audit-ready evidence. See automated access reviews or request a demo.