What is Identity Governance?

Identity governance manages user access throughout the employment lifecycle to prevent privilege creep and unauthorized access. Learn how identity governance and administration (IGA) works, why access reviews matter, and what private equity (PE) due diligence should evaluate.

What Identity Governance Does

Identity governance platforms provide the operational infrastructure for joiner-mover-leaver lifecycle management: automating account provisioning when employees join, adjusting access when roles change, and revoking access when employees leave. They provide access request and approval workflows that create auditable records of access grants. They enable access reviews — periodic certification campaigns where managers confirm that each employee's access is appropriate for their current role. And they provide the reporting and dashboards that show compliance with access management policies.

Role-Based Access Control

RBAC organizes access grants by role rather than by individual: a financial analyst role has access to specific financial systems; a sales role has access to CRM and sales tools. When an employee moves from finance to sales, their access changes with their role assignment, rather than requiring individual access grants to be manually added and removed. RBAC makes access management scalable, but it requires ongoing maintenance to keep role definitions current with the organizational structure.

Access Reviews: The Most Skipped Security Process

Access reviews — periodic campaigns where managers certify that each employee's access is still appropriate — are required by most compliance frameworks including SOC 2, ISO 27001, HIPAA, and PCI DSS. They are also among the most frequently skipped security processes in mid-market organizations, because they require manager time and operational coordination that is difficult to sustain consistently. Organizations that do not conduct access reviews accumulate privilege creep: employees who have changed roles retain previous access indefinitely, creating the over-privileged accounts that attackers target for lateral movement.
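The three ideas above (lifecycle provisioning, RBAC, and the creep an access review should catch) fit in one small reconciler. The following is an added Python example, not Cloudskope's or any IGA product's code: the role model, the starting accounts and the HR events are constructed, and the entitlement names are placeholders. Applying a mover event changes only the role assignment and lets entitlements follow from it; the creep report then shows what a certification campaign would surface for an account that was granted access outside that model.

```python
"""Joiner-mover-leaver reconciliation against an RBAC role model.

Added example (not from the page): ROLES, the sample accounts and the HR
events below are all constructed. apply_event() computes the provisioning
actions an IGA workflow would execute; privilege_creep() lists the
entitlements an access review should flag.
"""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical role model: role name -> the entitlements that role grants.
ROLES = {
    "finance_analyst": {"erp_reports", "gl_read", "expense_approve"},
    "sales_rep": {"crm_user", "quote_tool"},
    "it_admin": {"ad_admin", "prod_ssh"},
}


@dataclass
class Account:
    user: str
    role: Optional[str]              # None once the leaver is processed
    enabled: bool = True
    entitlements: set = field(default_factory=set)


def apply_event(accounts, event):
    """Apply one HR lifecycle event in place; return the actions taken."""
    kind, user = event["type"], event["user"]
    actions = []
    if kind == "joiner":
        role = event["role"]
        accounts[user] = Account(user, role, True, set(ROLES[role]))
        actions.append(("create", user))
        actions += [("grant", user, e) for e in sorted(ROLES[role])]
    elif kind == "mover":
        acct = accounts[user]
        old, new = ROLES[acct.role], ROLES[event["role"]]
        # RBAC: the role assignment changes, entitlements follow from it.
        for e in sorted(old - new):
            acct.entitlements.discard(e)
            actions.append(("revoke", user, e))
        for e in sorted(new - acct.entitlements):
            acct.entitlements.add(e)
            actions.append(("grant", user, e))
        acct.role = event["role"]
    elif kind == "leaver":
        acct = accounts[user]
        actions += [("revoke", user, e) for e in sorted(acct.entitlements)]
        acct.entitlements.clear()
        acct.role = None
        acct.enabled = False
        actions.append(("disable", user))
    else:
        raise ValueError(f"unknown event type: {kind}")
    return actions


def privilege_creep(accounts):
    """Entitlements each enabled account holds beyond its current role."""
    report = {}
    for user, acct in accounts.items():
        if not acct.enabled:
            continue
        excess = acct.entitlements - ROLES.get(acct.role, set())
        if excess:
            report[user] = sorted(excess)
    return report


def run_demo():
    # Constructed starting state: carol moved to sales earlier but kept a
    # finance entitlement via an informal IT request (no role change).
    accounts = {
        "bob": Account("bob", "finance_analyst", True,
                       set(ROLES["finance_analyst"])),
        "carol": Account("carol", "sales_rep", True,
                         set(ROLES["sales_rep"]) | {"gl_read"}),
    }
    events = [
        {"type": "joiner", "user": "dave", "role": "it_admin"},
        {"type": "mover", "user": "bob", "role": "sales_rep"},
        {"type": "leaver", "user": "dave"},
    ]
    actions = [a for ev in events for a in apply_event(accounts, ev)]
    return accounts, actions, privilege_creep(accounts)


if __name__ == "__main__":
    accounts, actions, creep = run_demo()
    for a in actions:
        print(*a)
    print("privilege creep:", creep)
```

Note that bob's move produces no creep because his finance entitlements were revoked as part of the role change, while carol's informally granted `gl_read` survives until a review flags it; that is the gap the certification campaign exists to close.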

IGA for PE Portfolio Companies

Identity governance assessment should evaluate: Is there a defined joiner-mover-leaver process, and is it actually followed? How quickly are accounts terminated when employees leave? When was the last access review conducted, and what was its coverage? Are privileged accounts included in access review cycles? Is there an automated system for managing access requests and approvals, or are access changes managed through informal requests to IT? These questions reveal whether identity governance is a functioning security process or a compliance documentation exercise.

Real-World Example: Former Employee Access Enables Insider Incident

A Cloudskope client's identity governance assessment discovered 23 active user accounts belonging to employees who had left the organization over the prior 18 months. Three of these accounts still had access to production systems. One had been used for authentication 11 days after the employee's departure date — indicating either continued unauthorized access or credential sharing. The finding revealed a systematic offboarding process failure: accounts were being terminated from HR systems but not from IT systems, because the offboarding process relied on manual notification from HR to IT that was inconsistently executed.
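The finding above is the kind of result a reconciliation of HR terminations against the IT directory and authentication logs produces, and it also answers two of the assessment questions in the previous section (how quickly accounts are terminated, and whether departed users retain production access). The following is an added Python example, not the assessment tooling the page describes: the HR termination list, the directory export, the production group names and the authentication log format are all constructed.

```python
"""Offboarding gap detection: HR leavers vs. IT accounts vs. auth logs.

Added example (not from the page). HR_TERMINATIONS, IT_ACCOUNTS,
PRODUCTION_GROUPS and AUTH_LOG are constructed sample data; the log line
format "<timestamp> user=<u> result=<r> src=<s>" is an assumption.
"""
from datetime import date, datetime

HR_TERMINATIONS = {            # user -> last day of employment per HR
    "alice": date(2024, 1, 31),
    "bob": date(2024, 3, 15),
    "carol": date(2024, 5, 2),
}
IT_ACCOUNTS = [                # constructed directory export
    {"user": "alice", "enabled": True, "groups": {"vpn", "prod-db-readers"}},
    {"user": "bob", "enabled": False, "groups": {"vpn"}},
    {"user": "carol", "enabled": True, "groups": {"email"}},
    {"user": "dave", "enabled": True, "groups": {"vpn"}},   # still employed
]
PRODUCTION_GROUPS = {"prod-db-readers", "prod-ssh"}       # assumed names
AUTH_LOG = [                   # constructed authentication events
    "2024-02-12T08:14:02Z user=alice result=success src=vpn",
    "2024-03-20T17:40:55Z user=bob result=success src=vpn",
    "2024-05-02T09:01:00Z user=carol result=success src=email",
    "2024-05-10T03:00:00Z user=carol result=failure src=vpn",
    "2024-05-20T11:22:33Z user=dave result=success src=vpn",
]
AS_OF = date(2024, 6, 1)       # date the assessment snapshot was taken


def parse_auth(line):
    """Split one log line into (event date, key/value fields)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date(), kv


def find_offboarding_gaps(terminations, accounts, auth_log, as_of):
    """Per terminated user: is the account still enabled, how long it has
    been open past the HR date, does it reach production, and was it
    successfully authenticated after departure?"""
    by_user = {a["user"]: a for a in accounts}
    report = {}
    for user, last_day in terminations.items():
        acct = by_user.get(user)
        if acct is None:
            continue  # no IT account at all: nothing to clean up
        report[user] = {
            "enabled": acct["enabled"],
            "days_open": (as_of - last_day).days if acct["enabled"] else 0,
            "production": bool(acct["groups"] & PRODUCTION_GROUPS),
            "auth_after_departure_days": [],
        }
    for line in auth_log:
        day, kv = parse_auth(line)
        user = kv.get("user")
        if user in report and kv.get("result") == "success" \
                and day > terminations[user]:
            lag = (day - terminations[user]).days
            report[user]["auth_after_departure_days"].append(lag)
    return report


def summarize(report):
    """Headline numbers an assessment would report."""
    return {
        "orphaned": sum(r["enabled"] for r in report.values()),
        "orphaned_with_prod": sum(r["enabled"] and r["production"]
                                  for r in report.values()),
        "used_after_departure": sorted(
            u for u, r in report.items() if r["auth_after_departure_days"]),
        "max_days_open": max((r["days_open"] for r in report.values()),
                             default=0),
    }


def run_demo():
    report = find_offboarding_gaps(HR_TERMINATIONS, IT_ACCOUNTS,
                                   AUTH_LOG, AS_OF)
    return report, summarize(report)


if __name__ == "__main__":
    report, summary = run_demo()
    for user, r in report.items():
        print(user, r)
    print(summary)
```

Two details matter for a real run: bob's account is disabled today yet still shows a successful login after his HR date, so the check must cover disabled accounts as well as live ones, and the authentication on carol's last day is not flagged, because only activity strictly after the termination date counts.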

40% of enterprise user accounts have access privileges beyond what their current role requires, accumulated through privilege creep during role changes and organizational restructuring. These over-privileged accounts are the primary targets for post-compromise lateral movement.

How Cloudskope Can Help

Cloudskope's identity risk assessments evaluate joiner-mover-leaver process effectiveness, access review currency, privilege accumulation patterns, and account termination timeliness. We identify the specific accounts and access grants that represent the highest remediation priority.