The true cost of IGA: why identity governance projects spiral (and how to fix it)

Legacy IGA promises governance but delivers costly services and manual work. Learn why the legacy model fails — and what a better path to identity governance looks like.

by Jagadeesh Kunda
March 20, 2026


We’re seeing an IGA shopping spree in the enterprise world right now, and for good reason: many of the biggest pain points and risks organizations face center on identity governance, yet most enterprises do not have an IGA tool deployed. They’re still relying on security, GRC, and IT teams to piece together identity and access data — and they know they need better tools if they’re going to keep pace.

But there’s a big mistake many organizations are making with IGA: They’re focusing on what an IGA solution says it can deliver but not looking closely at the how.

For most IGA solutions, that “how” comes down to manual work. Patching together fragmented identity and access data. Access reviews based on guesswork rather than real context. And manual governance workflows that slow productivity and force the business to choose between speed and security. Even claimed “automation” ends up bottlenecked by key parts of the process that still rely on manual human work.

This “how” is slow, costly, and inevitably leads to gaps that let risk sneak by. And it’s why we’re seeing so many IGA deployments stall — and why some organizations are hesitant to even take that leap (despite feeling growing pain and risk).

Why most IGA pitches look good on paper, but hide the real costs

Line all the leading IGA solutions up and they look remarkably similar from a “what does it do?” perspective. They all have the basic functionalities and capabilities to check all the boxes — from identity and access inventories to access review workflows. They all tell the story of how those tools deliver meaningful security, compliance, and productivity outcomes. And they all really do represent a big step up from home-grown governance tools and processes.

But the real costs, the real pain, and the real problems are all buried in the “how.” Everything has to be manually configured and managed, starting with deployment:

  • Manual data discovery and aggregation: Organizations have to manually identify all the different sources of identity and access data spread across the enterprise landscape and then do the data modeling and aggregation work to bring it all into one place. This is a huge lift that can take months, and too often ends up riddled with gaps that turn into identity security blind spots. Moreover, it’s not a one-time exercise; this manual discovery and aggregation is constantly happening as your digital estate evolves to include new apps and systems.
  • Manual data harmonization: Security, GRC, and IT teams need to unravel the unique schemas and role definitions from each application and system, performing entitlement rationalization on all those entitlements so they’re all speaking the same language. This typically takes weeks or months and all has to happen before you can start using any of the tools that would bring you to the security and productivity outcomes you want.
  • Manual access review management: Once live, you’re still manually mapping managers to their teams, reconciling HR data mismatches, and babysitting approvers. This often turns access reviews into quarterly compliance exercises, when the realities of identity and access today far outpace this traditional cadence.
  • Manual access approvals: Most of the top IGA tools offer no built-in automation of access reviews or governance workflows. So at the end of the day, access still needs to be reviewed and approved through the same old-fashioned manual process that’s too slow for humans, definitely too slow for machine and AI identities, and slows everyone down. More often than not, reviewers don’t have the relevant context to really understand if access is necessary (or still necessary), so they default to rubber-stamped approvals.
  • Manual ongoing maintenance: Since the IGA solution was deployed through a patchwork of manual connections, organizations are constantly fixing integrations, APIs, schemas, etc. as their digital estate evolves. This slows down governance processes and leaves governance gaps. But the impact everyone clearly sees is the huge price tag for the ongoing service fees required to do all this ongoing, highly manual work.

All these pain points are why enterprises report IGA experiences that sound much different than what they thought they were signing up for: a one-year implementation that spirals into two or three, with $400k tacked on to Day 1 just to get the claimed “out-of-the-box” connectors production-ready. And it’s why analysts report that professional services account for the majority of total IGA market revenue: Market Research Future reported 69.9% in 2022¹, while Mordor Intelligence reported 57% in 2024².

This all leads to the uncomfortable question: If the software vendor you’re buying from makes most of its money providing services that allow customers to actually use the software, what does that say about the software?

What a smarter “how” looks like: adaptive, autonomous identity governance

The costs, pains, and flaws of legacy IGA are deeply problematic for organizations trying to improve identity governance today. But those shortcomings become business-critical risks as organizations integrate more automation and agentic AI into their operations.

Modern identity governance needs to become smarter and faster, moving toward adaptive and autonomous systems. What does that look like in practice?

Adaptive: the system automatically adjusts to changes in your environment (like new applications, new roles, and evolving policies) without constant manual reconfiguration.

  • Pre-built integrations that automatically pull all identity and access data into one platform for identity governance. No manual work and no gaps or blind spots.
  • A unified, harmonized identity and access schema that provides a single visibility and control plane for all identity and access — on Day 1 of deployment.
  • Usage-aware context that powers fast, confident access decisions.

Autonomous: the system uses AI that can reason over identity and access data to recommend actions and execute governance workflows — with humans in the loop where required by policy. 

  • Governance workflows that can detect and remediate access issues (like dormant permissions or over-provisioned access) with humans in the loop where needed.
  • Direct integrations with operational and ticketing systems, so governance decisions flow into action without manual handoffs.

5 questions to understand the “how” of an IGA solution — before you buy

When any IGA vendor puts a proposal in front of you, these five questions will help you dig into the “how” and understand what you’re committing to:

  1. What is the complete three-year total cost of ownership (TCO)? Ask for total = licensing + professional services + integrators + expected internal FTEs + maintenance. Get it in writing. If the vendor hesitates to model this, that hesitation is revealing.
  2. How does integration complexity (on-prem, custom apps, SaaS) affect the TCO model that you provided? Ask for a breakdown of connector licensing, custom integration fees, and what it costs to connect on-prem or non-standard applications.
  3. How long does implementation actually take — including data modeling, entitlement rationalization, connector configuration, and UAT? Collect references from customers who went live in the last 12 months. Ask them directly how long it took and how many FTEs they required.
  4. How does this platform handle non-human identities today? If the honest answer requires a scoping engagement before they can answer, that is an answer. Governing NHI at scale should not be a consulting project.
  5. Does this vendor make more money from software or from services? Service revenue concentration tells you where the incentives lie. A vendor financially dependent on service revenue has a structural incentive to build products that require ongoing professional services.

Identity governance shouldn’t be this painful

Identity governance is becoming more important every year. Organizations are dealing with an explosion of identities, permissions, and access decisions across SaaS applications, cloud infrastructure, automation systems, and now agentic AI. But if implementing identity governance still requires years of manual work, endless consulting, and constant maintenance, something is fundamentally wrong with the model — not the goal.

If you’re evaluating IGA today, don’t start with feature checklists. Start with the “how.” Ask for the three-year TCO. Ask how long implementation actually takes. Ask where the vendor makes its money. The answers will tell you whether you’re buying a platform — or buying a dependency.
