Jun 24, 2026

Identity Governance Didn't Go Away. It Just Grew Up.

Why the IGA comeback looks a lot more like identity posture management than the compliance ritual you remember

Budgets are moving, RFPs are back in circulation, and the analysts have upgraded "declining" to "resurgent." The question worth asking is: why now, and why does the version of IGA coming back look so different from the one that stalled?

The old model had a simple job. Collect evidence that someone had reviewed access. Quarterly campaigns, manager attestations, spreadsheets exported for auditors. It answered "did someone sign off?" It was never designed to answer "does this access make sense right now?"

The Model That Stalled Was Built for Evidence, Not Control

The gap between the evidence the old model could collect and the control it could not provide was tolerable when the application estate was small. It stopped being tolerable when the average organization crossed 100 applications, when employees moved laterally and started accumulating permissions across every role transition, and when service accounts began outnumbering human identities.

One organization put it plainly: joiners and leavers are handled well enough. Movers are the problem. No visibility, no process, no remediation. Another ran a NIST CSF assessment and came back with detection and response rated solid, identity governance rated low, and a Big Four audit flagging that ERP access wasn't restricted tightly enough. The governance gap became a board-level risk, and then a budget conversation.

Modern IGA and Identity Posture Are Converging

What organizations describe when they say they need IGA today sounds less like a certification campaign and more like continuous access intelligence: which accounts have more access than their peer cohort, which permissions haven't been used in ninety days, which role changes created entitlement combinations nobody intended.
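The three checks named above, sketched as an added example that is not from the original article or any vendor product. The grant records, cohort labels, the 50% peer threshold and the forbidden-pair rule are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample grants: (account, peer cohort, entitlement, last used)
GRANTS = [
    ("alice", "finance", "erp:post_journal", date(2026, 6, 20)),
    ("bob", "finance", "erp:post_journal", date(2026, 6, 18)),
    ("bob", "finance", "erp:create_vendor", None),  # granted, never used
    ("carol", "finance", "erp:post_journal", date(2026, 6, 22)),
    ("carol", "finance", "erp:approve_payment", date(2026, 6, 21)),
    ("carol", "finance", "hr:edit_payroll", date(2026, 1, 5)),  # kept after a move
    ("svc-batch", "service", "erp:create_vendor", date(2026, 6, 23)),
    ("svc-batch", "service", "erp:approve_payment", date(2026, 6, 23)),
]
# Hypothetical policy: entitlements one identity should not hold together
UNINTENDED = [{"erp:create_vendor", "erp:approve_payment"}]

def unused(grants, today, days=90):
    """Grants never used, or last used `days` or more days ago."""
    return sorted((a, e) for a, _, e, used in grants
                  if used is None or (today - used).days >= days)

def peer_outliers(grants, max_share=0.5):
    """Grants held by less than `max_share` of the holder's cohort."""
    members, holders = defaultdict(set), defaultdict(set)
    for a, cohort, e, _ in grants:
        members[cohort].add(a)
        holders[cohort, e].add(a)
    return sorted((a, e) for (cohort, e), accts in holders.items()
                  if len(accts) / len(members[cohort]) < max_share
                  for a in accts)

def unintended_combos(grants, rules=UNINTENDED):
    """Accounts whose combined entitlements contain a forbidden set."""
    held = defaultdict(set)
    for a, _, e, _ in grants:
        held[a].add(e)
    return sorted((a, tuple(sorted(r))) for a, ents in held.items()
                  for r in rules if r <= ents)

if __name__ == "__main__":
    today = date(2026, 6, 24)  # constructed evaluation date
    print("unused:", unused(GRANTS, today))
    print("outliers:", peer_outliers(GRANTS))
    print("combos:", unintended_combos(GRANTS))
```

A one-member cohort such as the service account here never registers as a peer outlier, so only the combination rule catches it.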

That is identity posture work. The organizations doing it well aren't running governance and posture as separate programs. They're treating them as the same question asked continuously instead of quarterly.

The audit-driven certification still has its place. But the security value, the part that actually reduces the attack surface, comes from the layer underneath: persistent visibility into who has what effective permission, whether it's appropriate, and whether anything has drifted since the last review. The interesting question isn't whether your organization has access reviews. It's whether those reviews are continuous enough, contextual enough, and connected closely enough to remediation to actually matter.