Rethinking Identity Management: From Who Has Access to What Really Matters


By Anant Wairagade, Senior Cybersecurity Engineer

For years, most organizations have assumed that IGA was all about compliance. With that in mind, most of them invested heavily to stay in the good books of regulators and auditors: completing access reviews on time, signing off on certifications, generating the required reports, you name it. Everything seemed to check out, at least on paper. In reality, things played out a bit differently.

Just because you satisfied every compliance check doesn’t necessarily mean your data is safe. It simply means you have a good idea of who has access to what; what that access actually unlocks remains a mystery. As if that’s not enough, only 1% of the permissions granted are actually being used, which leaves a staggering 99% as “Zombie Access”. That is exactly what traditional IGA fails to address, and hence why data governance is needed.

The Rubber-Stamp Problem

This is the risk that comes along with a compliance-only approach. Managers and IT administrators are often required to approve access they are unfamiliar with. When faced with tight deadlines, fatigue, and an overwhelming volume of access approvals, most of them opt for continuity over scrutiny, commonly referred to as rubber-stamping: granting permissions hastily without proper evaluation. Because of this, 58% of access reviews, according to SailPoint, are ineffective, while 42% lack the context needed to make proper decisions.

The result? Each approval extends the lifespan of an unnecessary permission. With time, access quietly accumulates and inevitably intersects with sensitive information. And in such an environment, the difference between a trusted staff member and malicious attackers is nothing more than compromised credentials.

The Missing Link: Data Context

Data governance is no longer what it was a few years back. It has evolved from a theoretical exercise into an operational necessity. The good thing is that most organizations are not only taking note but also actively taking part. In fact, according to recent reports, 71% now have a data governance program, a 60% increase from 2023.

They now have a clear understanding of what data is sensitive, where it should be kept, and, most importantly, who owns it. This is the kind of intelligence that should be integrated with traditional IGA: the ability to tell the difference between low-impact access and access that could potentially harm the organization.

a. Use data classification to drive risk

Not all entitlements are the same. Some require more scrutiny than others. By applying governance data in IGA, organizations can tell which areas require more effort by using sensitivity scores.

b. Data owners become certifiers

Managers and IT administrators should not be forced to approve permissions they barely know about. Instead, the VP of HR who owns the employee PII risk should do it.

c. Lineage reveals patterns

This involves understanding how data moves between different sections of the system.

For example, if a customer’s PII flows from Salesforce to your data lake to analytics, then it’s within normal behaviour for a user to access all three. However, if a user tries to access only the data lake without any business need, then that’s an alert.

d. Move beyond Role-Based Access Control

RBAC was originally intended for stable environments with predictable job descriptions. Therefore, when it comes up against modern enterprises, which are dynamic in nature, it’s almost guaranteed to fail.

Attribute-Based Access Control (ABAC), on the other hand, is designed to enable policies that factor in data sensitivity, user context, time, and behaviour. With this flexibility, organisations can easily come up with rules such as restricting sensitive data access outside business hours, preventing high-risk access combinations, and more.

The Cost of Inaction

Not all organizations are quick to take action. Most of them, especially if things are running smoothly, prefer to roll the dice. Big mistake, especially given that 83% of enterprises reported at least one malicious insider attack last year.

Financial Toll of the “Inside Job”

According to recent reports by Secureframe, insider threats single-handedly carry the highest average breach costs of any attack vector, reaching $4.92 million in 2025. These numbers will continue rising if ‘rubber-stamping’ culture goes unchecked and the gap between IGA and data governance persists.

Danger of the “Silent Breach”

The consequences are severe, especially when you consider the time it takes to root out this ‘invisible’ threat. On average, any organisation takes up to 81 days to detect and resolve a single insider threat incident. It takes even longer when stolen credentials are involved. To be specific, 88 days and a total lifecycle of nearly 300 days.

In all these cases, the attackers don’t need to bypass the perimeter defences. They inherit legitimate access. Without data context, it’s difficult to determine what was exposed and to what extent.

The Transformation Path

1. Start small

First things first, identify your most sensitive data sets, then map 3-5 areas where they reside. After that, define clear business ownership. This ensures there’s accountability and decisions made are based on impact, not just process.

2. Integrate

Probably the most critical part. Classify your data sets carefully, then feed them into your IGA platform by using APIs.

3. Prioritize ruthlessly

The notion that all access should be treated equally is a misconception that needs to be done away with completely. That means transforming reviews from “certify everything quarterly” to “certify the riskiest 20% weekly.”

4. Automate

The end goal is to prevent any form of insider threats from ever occurring, not to discover them months later in an audit report.

To do this, proactive policies that block “toxic combinations” from access need to be set. For instance, no user should have permissions to download and share PII externally.
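The ABAC rules from section d (sensitivity, owning department, time of day) and the toxic-combination block from step 4, written out as a small policy evaluator. This is an added example, not code from the article or any IGA product; the dataset classifications, owner departments, entitlement names and business-hours window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Classification and ownership as data governance would supply them (constructed)
SENSITIVITY = {"hr_pii_export": "restricted", "marketing_assets": "internal"}
OWNER_DEPT = {"hr_pii_export": "HR"}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59, assumed local time
# Entitlements that must never be held together ("toxic combinations")
TOXIC = [frozenset({"pii:download", "share:external"})]


@dataclass(frozen=True)
class Request:
    user: str
    department: str
    dataset: str
    entitlement: str   # entitlement being requested
    held: frozenset    # entitlements the user already holds
    when: datetime


def toxic_sets(entitlements):
    """Toxic combinations fully contained in the given entitlement set."""
    return [t for t in TOXIC if t <= entitlements]


def evaluate(req):
    """Return (decision, reason); any matching deny rule wins over the default allow."""
    level = SENSITIVITY.get(req.dataset, "internal")
    if level == "restricted":
        # Time-of-day rule: restricted data only during business hours
        if req.when.hour not in BUSINESS_HOURS:
            return "deny", "restricted data outside business hours"
        # Ownership rule: only the owning department may hold restricted access
        owner = OWNER_DEPT.get(req.dataset)
        if req.department != owner:
            return "deny", f"restricted data is owned by {owner}, not {req.department}"
    # Toxic-combination rule: would the grant complete a forbidden pair?
    if toxic_sets(req.held | {req.entitlement}):
        return "deny", "grant would create a toxic combination"
    return "allow", "policy satisfied"


if __name__ == "__main__":
    r = Request("alice", "HR", "hr_pii_export", "pii:read", frozenset(), datetime(2025, 6, 2, 10))
    print(evaluate(r))
```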

New Metrics for a New Model

Forget about certification completion rates. Track what truly matters:

1. Sensitive data exposure index: use the formula (Users with Excessive Sensitive Access) / (Total Users). This helps to track “Zombie Access” in real time.
2. Mean Time to Detect (MTTD) inappropriate access: currently, it takes nearly 90-180 days for most organizations to detect a breach. This is a lot of time given the damage that could be done within the same period. The goal is to do this in under 24 hours.
3. Business-driven certification rate: 100% of sensitive access decisions should be made by data owners.
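Metrics 1 and 3 computed from an entitlement inventory, as an added example rather than the article’s own tooling. It assumes a constructed classification table, entitlement records with a last-used date (None meaning never used), certification decisions tagged with the deciding role, and a 90-day threshold after which unused sensitive access counts as zombie access.

```python
from datetime import date, timedelta

# Constructed sample data; a real run would pull these from IGA and governance APIs
CLASSIFICATION = {"hr_pii": "restricted", "payroll": "restricted", "wiki": "internal"}
# (user, dataset, last_used); None = granted but never used
ENTITLEMENTS = [
    ("alice", "hr_pii", date(2025, 9, 1)),
    ("alice", "wiki", date(2025, 9, 20)),
    ("bob", "hr_pii", None),
    ("bob", "payroll", date(2025, 3, 1)),
    ("carol", "wiki", None),
    ("dave", "payroll", date(2025, 9, 25)),
]
# (dataset, role that approved the certification decision)
DECISIONS = [
    ("hr_pii", "data_owner"),
    ("payroll", "line_manager"),
    ("payroll", "data_owner"),
    ("wiki", "line_manager"),
]
ZOMBIE_DAYS = 90  # assumed threshold for "unused" sensitive access


def zombie_sensitive_access(entitlements, as_of):
    """Map user -> restricted datasets held but unused for ZOMBIE_DAYS or more."""
    cutoff = as_of - timedelta(days=ZOMBIE_DAYS)
    out = {}
    for user, dataset, last_used in entitlements:
        if CLASSIFICATION.get(dataset) != "restricted":
            continue  # internal data does not count toward the exposure index
        if last_used is None or last_used < cutoff:
            out.setdefault(user, []).append(dataset)
    return out


def exposure_index(entitlements, as_of):
    """(users with excessive sensitive access) / (total users)."""
    users = {u for u, _, _ in entitlements}
    return len(zombie_sensitive_access(entitlements, as_of)) / len(users)


def business_driven_rate(decisions):
    """Share of sensitive certification decisions made by the data owner."""
    sensitive = [role for ds, role in decisions if CLASSIFICATION.get(ds) == "restricted"]
    return sum(role == "data_owner" for role in sensitive) / len(sensitive)


if __name__ == "__main__":
    print(exposure_index(ENTITLEMENTS, date(2025, 10, 1)), business_driven_rate(DECISIONS))
```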

Conclusion

To sum it up, organizations are not going to stop spending on the “who” anytime soon. But investment alone will not guarantee their safety. Your IGA already knows who has access to what. On the other hand, your data governance is aware of what actually matters.

So when working independently, they’ll just help you get past the audit paperwork. Nothing more. However, organizations that unite identity with data don’t just pass audits; they actively reduce risk, protect what matters most, and stay ahead of threats instead of reacting to them.

Anant Wairagade is a senior cybersecurity and identity engineering professional with more than 20 years of experience delivering enterprise technology solutions across IT services and financial services organizations. He specializes in building Identity and Access Management (IAM) solutions for complex hybrid and multi-cloud environments.

In his current role as a Senior Software Engineer, his work focuses on enterprise identity governance, where he designs and develops integrations that strengthen security controls, improve compliance, and support large-scale modernization initiatives. His background spans the full software development lifecycle (SDLC), enterprise integrations, and product design—capabilities he applies to enhance the resilience and scalability of cybersecurity platforms.

Over the course of his career, Wairagade has delivered software solutions across both legacy and modern technology stacks, supporting modernization and revenue-generating initiatives within banking and financial services environments. He began his career in distributed systems and middleware, building interfaces on legacy platforms such as IBM mainframes to enable seamless connectivity with distributed applications.

Today, his work in the identity governance domain draws on this rare combination of legacy and modern expertise, allowing him to architect integrations across enterprise landscapes that span mainframe systems, SaaS platforms, and cloud-native applications. He is particularly focused on automation-driven security and scalable integration patterns that support secure digital transformation at enterprise scale.