How Identity & Access Management (IAM) Differs from Identity Governance & Administration (IGA)


by Rebeka Wellmon & Glenn Schwartz

December 4, 2020

Whether you’re new to Identity and Access Management or need a refresh on Identity Governance and Administration, this article will compare and contrast the two and also explain why they are both critical to Information Technology. Already familiar with IAM or IGA and want to know if and where you’re overspending on your IAM projects right now? Read our latest article to find out: How to Know if You’re Overspending on IAM Solutions.

Identity and Access Management, also known as IAM, is defined by Gartner as “the discipline that enables the right individuals to access the right resources at the right times for the right reasons.” At its simplest, IAM is the management of access to systems, and in its early days it was best represented by Microsoft’s Active Directory (AD) service. AD was one of the earliest tools to keep track of access to PCs and applications, eventually expanding to cover access to mail systems and other types of IT resources.


“IAM addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments, and to meet increasingly rigorous compliance requirements. IAM is a crucial undertaking for any enterprise. It is increasingly business-aligned, and it requires business skills, not just technical expertise,” (Gartner).


More recently, IAM has been transformed into a cloud service. The limitation of AD was that it was only available within local or protected networks. This changed as IT resources moved out of office domains and internet and cloud services became more prevalent. To take advantage of this shift, a new type of cloud-based IAM service appeared from a number of new cloud-based providers like Ping and Okta, and it immediately became popular.


Ping and Okta are cloud IAM providers that provide this level of access control to applications and assets “on premises” in office environments and also through the internet. This tech is selling like hotcakes because it is easy to use and set up, and it is delivered as a Software as a Service (SaaS) application, so customers do not have to install or run it themselves. These cloud providers have given Microsoft a run for its money by providing the same access controls as Active Directory (AD), in an easier-to-consume version that is available anywhere there is an internet connection. To meet the challenge, Microsoft now offers its own cloud-based version of AD within its cloud environment, which is known as Azure. Amazon Web Services (AWS) also offers its own access controls, adding to the mix of choices as well as to the complexity.


Where IAM falls short is in its ability to understand what users can actually do once they gain access to an application. For highly regulated industries such as healthcare and financial services, it becomes even more important to track what users have been given access to within an application that might hold personally identifiable information, or PII. Government agencies require firms to protect this information and to keep records of which users were granted access to PII and, more importantly, to remove that access when those users leave the firm that granted it. To manage and report on this access, firms need to employ Identity Governance and Administration capabilities.


So, what is Identity Governance and Administration, or IGA? IGA is defined by Gartner as an “activity within the identity and access management function that concerns the governance and administration of a unique digital representation of a user, including all associated attributes and entitlements.” To recap, IAM grants users access to applications, and IGA tracks what users are allowed to do once they gain access to the application.

IGA is actually more formally defined as a superset of Identity and Access Management, and SailPoint is the #1 provider of IGA by far. Additionally, Gartner defines IGA further as the “tools designed to manage digital identity and entitlements (access rights) across multiple systems and applications,” (Solutions Review).


IGA is a higher level of IAM because it provides much more granular control of access to applications. Once you are in the application, IGA controls what you can do within it; in other words, which rooms in the house you can enter. As an example, a simple user role can only access basic things, but an administrator role can manage the application itself. What users can do based on their role is referred to as their “entitlements.”


Once IGA is implemented, an organization can use one IGA application to control entitlements to ALL of its applications. In the olden days this was all done manually. Granting entitlement access to applications with IGA is called “provisioning.” Similarly, the IGA product can handle employees who move between roles and employees who are removed. All of this is watched closely by compliance professionals, who are mandated by law to track which employees are allowed into which systems and to make sure that permissions are removed when employees leave.
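The access review described above, sketched as an added example (not from the original article or from any IGA product): it compares a constructed HR roster and role model against entitlements exported from two hypothetical applications, and flags access held by leavers, by movers outside their current role, and by accounts with no matching identity. All names and data are assumptions.

```python
from typing import NamedTuple

class Finding(NamedTuple):
    user: str
    app: str
    entitlement: str
    reason: str

# Constructed sample data (hypothetical users, apps and entitlements).
HR_ROSTER = {
    "alice": {"status": "active", "job": "nurse"},
    "bob": {"status": "terminated", "job": "billing_clerk"},   # leaver
    "carol": {"status": "active", "job": "billing_clerk"},     # moved from nurse
}
# Role model: the entitlements each job role is allowed to hold.
ROLE_MODEL = {
    "nurse": {("ehr", "read_chart"), ("ehr", "write_chart")},
    "billing_clerk": {("billing", "view_invoice"), ("billing", "edit_invoice")},
}
# Entitlements as actually granted in each application (user, app, entitlement).
APP_GRANTS = [
    ("alice", "ehr", "read_chart"),
    ("alice", "ehr", "write_chart"),
    ("bob", "billing", "edit_invoice"),     # never deprovisioned
    ("carol", "billing", "view_invoice"),
    ("carol", "ehr", "read_chart"),         # left over from her previous role
    ("svc_old", "ehr", "admin"),            # no owner in the HR roster
]

def review_access(roster, role_model, grants):
    """Return every grant that the roster and role model do not justify."""
    findings = []
    for user, app, ent in grants:
        person = roster.get(user)
        if person is None:
            reason = "orphan"            # account without a known identity
        elif person["status"] != "active":
            reason = "leaver"            # access should have been removed
        elif (app, ent) not in role_model.get(person["job"], set()):
            reason = "outside_role"      # entitlement not part of current role
        else:
            continue                     # grant is justified
        findings.append(Finding(user, app, ent, reason))
    return sorted(findings)

def revocation_plan(findings):
    """Group findings per user as 'app:entitlement' items to deprovision."""
    plan = {}
    for f in findings:
        plan.setdefault(f.user, []).append(f"{f.app}:{f.entitlement}")
    return plan
```

The list returned by `review_access` is also the record a compliance reviewer would want to keep: who held what, and why it was flagged.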

As previously stated, SailPoint leads the pack as the best provider of IGA in the world, dominating this superset of Identity and Access Management, and Regatta provides a variety of identity solutions and services to suit your organization’s needs. Read more about our FastTrack framework or customer successes here. To begin the process of setting up IAM or IGA for your IT department OR to get your stalled IAM or IGA projects up and running again, reach out to Regatta Solutions Group or email with any specific questions.
