Identity Governance in 2025, or: Why Your Service Accounts Are Still Calling From a Payphone
Identity Governance and Administration (IGA) is having one of those years where every vendor adds "AI-driven" to their product page and every conference slide includes the words "Zero Trust" in a font slightly larger than is comfortable. This is fine. This is the natural cycle.
Underneath all of that, the work hasn't actually changed. Someone still has to answer the ticket from Marketing that says "I can't access the thing — also is this the right Slack to ask?". The interesting question is what the AI-driven, zero-trust, identity-centric, machine-learning-powered version of that work looks like in practice — once you ignore the slide deck.
Identity is the new perimeter. The old perimeter is still in a rack in the basement. Nobody has the keys.
What "AI-driven provisioning" actually means
Strip away the marketing and AI-driven provisioning is mostly: a script that reads HRIS faster than a human can, paired with usage analytics that flag when someone's role on paper has drifted from their role in practice. That's it. That's the technology. It is genuinely useful — but if you came expecting a robot to take your job, the robot would like you to please file a ticket through the proper channel.
The real shift is operational. Three things that used to be annual rituals are becoming continuous:
The three rituals, now continuous
- Role review. Used to be quarterly. Now it watches usage patterns and flags drift in near real-time. The marketing intern who somehow has prod-write to the data warehouse: caught in week 2 instead of month 7.
- Joiner / mover / leaver. Triggers off HRIS events the same hour. The "onboarding lag" is gone, replaced by the slightly newer problem of "the HRIS lied and now the new hire has access to four things they shouldn't".
- Just-in-time elevation. Standing admin privileges are increasingly considered a kind of negligence. Granting temporary elevation through an approval workflow with auto-expiry is becoming the default, until someone needs prod access at 2 a.m. and discovers nobody on call has approval rights.
The unglamorous truth
All of the above is real progress. None of it solves the actual problem in most organizations, which is: thousands of service accounts created in 2014, owned by someone who left in 2017, with permissions that suggest "shrug emoji". No amount of AI changes the fact that someone has to inventory these, find the owners (or admit they have none), and clean up.
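The inventory-and-find-the-owner step, as an added example rather than anything from the article or a product: walk each service account's recorded owner up the manager chain until someone still employed turns up, and rank what is left by privilege and age so the 2014 admin account gets looked at before the read-only reporting one. SERVICE_ACCOUNTS and PEOPLE are constructed stand-ins for an entitlement-store export and an HR directory export; the field names are assumptions.

```python
"""Service-account triage: orphans, reassignment candidates, and an order.

Added example. All data is constructed; the schema is an assumption.
"""
from datetime import date

TODAY = date(2025, 3, 1)

# Constructed HR directory: employment status and manager per person.
PEOPLE = {
    "dave": {"status": "terminated", "manager": "erin"},
    "erin": {"status": "active", "manager": "frank"},
    "frank": {"status": "active", "manager": None},
    "gina": {"status": "terminated", "manager": "hank"},
    "hank": {"status": "terminated", "manager": None},
}

# Constructed service-account export. owner=None means nobody recorded one.
SERVICE_ACCOUNTS = [
    {"name": "svc-etl-2014", "owner": "dave",
     "created": date(2014, 6, 1), "privilege": "admin"},
    {"name": "svc-backup", "owner": "erin",
     "created": date(2021, 2, 1), "privilege": "write"},
    {"name": "svc-legacy-ftp", "owner": None,
     "created": date(2013, 1, 1), "privilege": "write"},
    {"name": "svc-report", "owner": "gina",
     "created": date(2016, 9, 1), "privilege": "read"},
]

# Coarse privilege weighting; real inventories would derive this from
# the account's actual grants rather than a label.
PRIVILEGE_RANK = {"admin": 3, "write": 2, "read": 1}


def resolve_owner(owner, people, max_hops=5):
    """Follow the manager chain from the recorded owner to an active person.

    Returns (status, person) where status is 'active' (owner still here),
    'reassign' (owner gone, an active manager was found) or 'orphan'
    (no recorded owner, unknown owner, or the whole chain has left).
    """
    if owner is None:
        return ("orphan", None)
    current = owner
    for _ in range(max_hops):  # bounded so a cyclic directory can't spin
        rec = people.get(current)
        if rec is None:
            return ("orphan", None)
        if rec["status"] == "active":
            return ("active" if current == owner else "reassign", current)
        current = rec["manager"]
        if current is None:
            return ("orphan", None)
    return ("orphan", None)


def triage(accounts, people, today):
    """Accounts needing an ownership decision, highest risk first."""
    rows = []
    for acct in accounts:
        status, person = resolve_owner(acct["owner"], people)
        if status == "active":
            continue  # someone accountable exists; nothing to do here
        age_years = (today - acct["created"]).days // 365
        risk = PRIVILEGE_RANK[acct["privilege"]] * 10 + age_years
        rows.append({"name": acct["name"], "action": status,
                     "candidate": person, "risk": risk})
    return sorted(rows, key=lambda r: -r["risk"])


if __name__ == "__main__":
    for row in triage(SERVICE_ACCOUNTS, PEOPLE, TODAY):
        print(f"{row['risk']:>3}  {row['name']:<16} {row['action']:<9} "
              f"{row['candidate'] or '-'}")
```

The "reassign" outcome is the useful one in practice: the departed owner's manager is rarely the right long-term owner, but they are the person who can say what the account was for, which is the question nobody can answer about the orphans. Those go on the list for the admit-it-has-no-owner conversation, in privilege order.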
2024's IGA story is less "the robots are governing identity for us" and more "the platform finally makes it possible to govern identity, if anyone has the time". Make the time. Your future incident retrospective will thank you.