The gap between what IAM and IGA solutions promise and what organizations actually experience using them is one of the most consistent themes in identity security conversations. The theory — automated lifecycle management, clean access reviews, complete visibility — runs directly into the operational reality of legacy systems, fragmented data, and processes that depend on human memory to function.
Here are the challenges that come up most consistently across organizations and verticals, with enough specificity to be useful for anyone trying to understand where the actual friction lives.
Shadow IT and Shadow AI: The Visibility Problem
This is the most universal challenge, regardless of which tools an organization is running. The core issue: most IAM systems govern what they know about. They don't know about the applications employees are using independently — SaaS tools adopted without IT involvement, AI tools accessed through personal accounts, department subscriptions purchased on corporate cards.
The 60% figure that gets cited in identity security conversations (estimates suggesting more than half of enterprise application usage happens outside formal IT oversight) reflects a real phenomenon that practitioners encounter daily. Picture an IT administrator who runs an offboarding process, deprovisions access across the formally managed application stack, and then discovers three months later that the departed employee still has an active account in a tool the department had been using that IT never knew about. That is the gap that manifests as "ghost accounts" and audit findings.
The AI tool dimension has made this significantly more acute in the past two years. Employees are using ChatGPT, Claude, Copilot, and dozens of other AI tools with company data, through personal accounts or unapproved organizational accounts, in ways that bypass SSO and any governance process. IT teams are often discovering this reactively — after the fact, during an audit, or when a security incident prompts investigation. The discovery is consistently described as overwhelming when teams first look: the number of AI tools in use typically far exceeds what IT expected.
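The visibility gap described above is, in practice, a reconciliation problem: the IdP's application catalog is one list, and expense records and OAuth consent grants are the other lists that reveal what employees are really using. The following script is an added example (not code from the article or any product it mentions) that joins those signals and flags every vendor the IdP does not govern; the managed-app catalog, expense lines, consent grants and the AI-vendor hint list are all constructed placeholders.

```python
"""Surface shadow applications by reconciling IdP-governed apps against usage signals.

Added example, not from the article. All data below is constructed: the
managed-app catalog, expense lines, OAuth consent grants and the AI vendor
hint list are illustrative placeholders.
"""
from dataclasses import dataclass, field

# Constructed: vendor domains of applications the IdP governs (SSO or SCIM).
MANAGED_APPS = {"salesforce.com", "slack.com", "github.com"}

# Constructed: corporate-card expense lines as (vendor domain, employee, monthly amount).
EXPENSE_LINES = [
    ("www.Notion.so", "alice", 16.0),
    ("openai.com", "bob", 20.0),
    ("openai.com", "carol", 20.0),
    ("slack.com", "dave", 12.5),        # managed app: must not be flagged
]

# Constructed: third-party OAuth consent grants exported from the IdP
# as (app domain, employee, scopes granted).
OAUTH_GRANTS = [
    ("openai.com", "erin", ["email", "profile"]),
    ("anthropic.com", "bob", ["email"]),
    ("github.com", "alice", ["repo"]),  # managed app: must not be flagged
]

# Constructed hint list: vendors whose products are AI assistants.
AI_VENDORS = {"openai.com", "anthropic.com"}


@dataclass
class ShadowApp:
    domain: str
    users: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    monthly_spend: float = 0.0

    @property
    def is_ai_tool(self) -> bool:
        return self.domain in AI_VENDORS


def normalize(domain: str) -> str:
    """Lower-case and drop a leading 'www.' so one vendor is not counted twice."""
    d = domain.strip().lower()
    return d[4:] if d.startswith("www.") else d


def find_shadow_apps(managed, expenses, grants):
    """Return {domain: ShadowApp} for every app seen in a signal but not governed by the IdP."""
    governed = {normalize(m) for m in managed}
    found = {}
    for domain, user, amount in expenses:
        d = normalize(domain)
        if d in governed:
            continue
        app = found.setdefault(d, ShadowApp(d))
        app.users.add(user)
        app.sources.add("expense")
        app.monthly_spend += amount
    for domain, user, _scopes in grants:
        d = normalize(domain)
        if d in governed:
            continue
        app = found.setdefault(d, ShadowApp(d))
        app.users.add(user)
        app.sources.add("oauth")
    return found


def prioritized(found):
    """Order findings: AI tools first, then by user count, so the riskiest gaps surface first."""
    return sorted(found.values(), key=lambda a: (not a.is_ai_tool, -len(a.users), a.domain))


if __name__ == "__main__":
    for app in prioritized(find_shadow_apps(MANAGED_APPS, EXPENSE_LINES, OAUTH_GRANTS)):
        tag = "AI" if app.is_ai_tool else "  "
        print(f"{tag} {app.domain:<15} users={len(app.users)} "
              f"sources={sorted(app.sources)} spend={app.monthly_spend:.2f}")
```

Two design points: vendor names are normalized on the domain rather than the free-text expense description, because the same product shows up under several spellings, and a vendor that appears in more than one signal source is a stronger finding than one seen only once. Each flagged app is a candidate for either onboarding into SSO or a documented exception, which is what closes the loop the offboarding story above leaves open.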
Joiner-Mover-Leaver: The Lifecycle Management Gap
Manual lifecycle management is consistently cited as the most time-consuming ongoing IAM workflow, and the pain is not evenly distributed across the three phases.
Joiner processes are the most visible and therefore most often addressed first. Organizations generally have a process for onboarding new employees, even if it's slow and error-prone. The 30-minute-per-user manual provisioning timeline — creating accounts one by one across multiple applications — is common in organizations without automation. The day-one experience where a new employee arrives without access to critical tools is a recurring complaint that's easy to escalate and therefore gets resources.
Mover processes are where most organizations are significantly underinvested. A department transfer or role change triggers two governance requirements: provisioning new access appropriate for the new role, and revoking old access no longer appropriate. Organizations typically handle the first (because the new employee asks for what they need) and miss the second (because the old access is already there and nobody is asking to revoke it). The resulting permission creep — users who have accumulated access across every role they've held — is the leading cause of over-privilege findings in access reviews and audits.
Cross-department moves are specifically described as harder than same-department role changes. When the access profile for the new role is defined in a different part of the application estate and the old role's access covers different systems, the configuration work to correctly deprovision/re-provision is substantially more complex than a simple promotion within the same team.
Leaver processes have improved in organizations with mature SSO coverage — deprovisioning through the IdP reaches SSO-connected applications automatically. The persistent gap is the applications outside SSO, which require either manual deprovisioning by someone who knows the application exists, or no deprovisioning at all. The "ghost account" problem (active accounts for former employees) is almost always a shadow IT or non-SSO application problem, not a failure of the SSO-connected offboarding process.
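The mover and leaver gaps above both reduce to set arithmetic once role templates and an HR status feed exist. The script below is an added example (not code from the article): `plan_move` computes what to grant and revoke on a role change against everything the user currently holds, so access accumulated from earlier roles is revoked on the same move, and `find_ghost_accounts` walks per-application account inventories, including non-SSO applications, looking for logins that HR says are terminated or cannot match at all. Role templates, entitlement names, the HR feed and the account lists are constructed placeholders.

```python
"""Mover and leaver reconciliation against role templates and an HR feed.

Added example, not from the article. Role templates, entitlements, the HR
feed and the application account lists are constructed placeholders.
"""
from dataclasses import dataclass

# Constructed role templates; entitlements are named "application:permission".
ROLE_ENTITLEMENTS = {
    "support-engineer": {"zendesk:agent", "slack:member", "jira:developer"},
    "sales-rep": {"salesforce:sales-cloud", "slack:member", "gong:viewer"},
    "sales-manager": {"salesforce:sales-cloud", "salesforce:approve-discounts",
                      "slack:member", "gong:admin"},
}


@dataclass(frozen=True)
class MovePlan:
    grant: frozenset
    revoke: frozenset
    keep: frozenset


def plan_move(current_entitlements, new_role):
    """Compute the grant/revoke sets for a move.

    Revocation is computed against everything the user currently holds, not
    just the previous role's template, so access accumulated across earlier
    roles (the permission-creep case) is removed on the same move.
    """
    target = ROLE_ENTITLEMENTS[new_role]
    current = set(current_entitlements)
    return MovePlan(
        grant=frozenset(target - current),
        revoke=frozenset(current - target),
        keep=frozenset(current & target),
    )


# Constructed HR feed: login -> employment status.
HR_STATUS = {"alice": "active", "bob": "terminated", "carol": "terminated", "dave": "active"}

# Constructed per-application account inventories. sso=True means the IdP
# deprovisions the account automatically on termination.
APP_ACCOUNTS = {
    "salesforce": {"sso": True, "accounts": ["alice", "dave"]},
    "gong": {"sso": False, "accounts": ["alice", "bob", "carol"]},
    "legacy-erp": {"sso": False, "accounts": ["carol", "svc-batch"]},
}


def find_ghost_accounts(hr_status, app_accounts):
    """Return (ghosts, unknown): accounts of terminated people as (app, login, sso),
    and accounts the HR feed cannot match at all (service accounts or odd logins)."""
    ghosts, unknown = [], []
    for app, info in app_accounts.items():
        for login in info["accounts"]:
            status = hr_status.get(login)
            if status is None:
                unknown.append((app, login))
            elif status == "terminated":
                ghosts.append((app, login, info["sso"]))
    return ghosts, unknown


if __name__ == "__main__":
    # Cross-department move: a former support engineer who later became a sales rep
    # and kept the old Zendesk access is now promoted to sales manager.
    held = {"zendesk:agent", "slack:member", "salesforce:sales-cloud", "gong:viewer"}
    plan = plan_move(held, "sales-manager")
    print("grant :", sorted(plan.grant))
    print("revoke:", sorted(plan.revoke))
    ghosts, unknown = find_ghost_accounts(HR_STATUS, APP_ACCOUNTS)
    for app, login, sso in ghosts:
        print(f"ghost account {login!r} in {app} ({'SSO' if sso else 'non-SSO'})")
    print("unmatched by HR:", unknown)
```

The `sso` flag on each ghost finding is what separates an IdP deprovisioning failure (worth escalating as a process defect) from the expected case the text describes: an application nobody connected to SSO. The `unknown` bucket is where service accounts and mis-spelled logins land, and it usually needs a human to triage.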
Access Request and Approval Workflows
The access request workflow is where process design failures accumulate most visibly. The complaints are consistent:
Requests sitting in limbo. Email and ticket-based requests go to approvers who are unclear on their authority, who are overwhelmed with other work, or who simply don't see the request. The request sits without movement for days, and the requester has no visibility into whether it's being processed or stuck somewhere.
Approvers lacking context. An approver receiving a request for "Salesforce Sales Cloud Professional license" may not know whether this is the right access level for the requester's role, whether their peers have the same access, or what the cost differential is relative to the standard license. Without this context, approval is a guess — either rubber-stamped approval that bypasses policy, or a rejection that requires the requester to go back and justify further.
Inconsistent information capture. Different departments need different justification information for the same access request — finance needs a cost center code, engineering needs a project name, security needs a business justification. Static email or ticket forms capture one format for everyone, creating back-and-forth to gather information that should have been collected upfront.
The 8-hour average turnaround for manual access request handling — largely composed of wait time rather than actual work — is consistently cited as the baseline for organizations without automated approval workflows. The bottleneck isn't complexity; it's the queue and the context-switching overhead.
Non-Human Identity Governance
This is the fastest-growing pain point in identity conversations and the area where the gap between problem scale and solution maturity is widest.
Organizations have service accounts, API tokens, bot accounts, and machine identities that were created by developers or system administrators, often without formal governance processes, and that have accumulated over years of system development. The specific problems:
Ownership ambiguity. A service account created by a developer who has since left the organization is technically ownerless. Nobody knows why it was created, what systems it connects to, or what would break if it were deprovisioned. Security teams wanting to audit privileged service accounts routinely discover this: the account exists, it has significant permissions, and no one currently at the organization can explain it.
Secret expiry. API keys and service account credentials that were never given expiration dates persist indefinitely. Those that do have expiration dates often expire without warning, causing system failures that are only diagnosed after an outage. The operational challenge of tracking expiry across many service accounts in different systems without centralized visibility is significant.
AI agent access. Organizations are beginning to provision AI agents — automated systems that take actions on behalf of users or the organization — with access to internal systems. These agents are non-human identities that need governance (what can they access, for how long, who can authorize their access) but fall outside the scope of human-focused IGA processes.
Most legacy IGA tools were designed for human identities and are adapting to NHI governance — adding it as a module or capability rather than designing for it natively. The governance gap is real and growing as AI agent adoption accelerates.
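The three NHI problems above (ownership ambiguity, secret expiry, and AI agents without a named authorizer) can be checked from a single inventory once each identity carries an owner, a credential expiry and, for agents, who authorized the access. The script below is an added example, not code from the article or any IGA product: `assess` flags identities whose owner is missing or no longer employed, credentials with no expiry, expired or soon-to-expire credentials, and AI agents lacking an active authorizer. The inventory, the active-people directory and the review date are constructed placeholders.

```python
"""Inventory check for non-human identities: ownerless accounts, credential expiry, AI agents.

Added example, not from the article. The identity inventory, the active-people
directory and the review date are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class NonHumanIdentity:
    name: str
    kind: str                            # "service-account", "api-key" or "ai-agent"
    owner: Optional[str]                 # accountable person, if one was ever recorded
    credential_expires: Optional[date]   # None means the credential never expires
    authorized_by: Optional[str] = None  # who approved this identity's access (agents)
    systems: tuple = ()                  # systems the identity can reach


# Constructed: people currently employed according to the HR feed.
ACTIVE_PEOPLE = {"alice", "dave"}

# Constructed inventory pulled from cloud IAM, the secrets vault and the agent platform.
INVENTORY = [
    NonHumanIdentity("svc-batch-etl", "service-account", owner="bob",
                     credential_expires=None, systems=("warehouse",)),
    NonHumanIdentity("api-key-billing", "api-key", owner="alice",
                     credential_expires=date(2024, 6, 15), systems=("billing",)),
    NonHumanIdentity("svc-legacy-report", "service-account", owner="dave",
                     credential_expires=date(2024, 5, 1), systems=("erp",)),
    NonHumanIdentity("agent-ticket-triage", "ai-agent", owner="alice",
                     credential_expires=date(2024, 12, 1), systems=("zendesk", "jira")),
    NonHumanIdentity("svc-healthy", "service-account", owner="dave",
                     credential_expires=date(2025, 1, 1), authorized_by="dave"),
]


def assess(inventory, active_people, today, warn_days=30):
    """Return {identity name: [issues]} for every identity that needs attention."""
    findings = {}
    for ident in inventory:
        issues = []
        if ident.owner is None or ident.owner not in active_people:
            issues.append("ownerless")            # never recorded, or the owner has left
        if ident.credential_expires is None:
            issues.append("no-expiry")            # persists indefinitely
        elif ident.credential_expires < today:
            issues.append("expired")              # likely already causing failures
        elif ident.credential_expires - today <= timedelta(days=warn_days):
            issues.append("expiring-soon")        # rotate before it breaks something
        if ident.kind == "ai-agent" and (
            ident.authorized_by is None or ident.authorized_by not in active_people
        ):
            issues.append("agent-without-authorizer")
        if issues:
            findings[ident.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in assess(INVENTORY, ACTIVE_PEOPLE, date(2024, 6, 1)).items():
        print(f"{name:<22} {', '.join(issues)}")
```

The ownership check deliberately tests the owner against the active HR feed rather than just for presence: an owner field that names someone who left two years ago is the "technically ownerless" case the text describes, and it looks fully populated to any tool that only checks for a non-empty value.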
How These Challenges Manifest by Industry Vertical
The same underlying challenges appear across industries, but the specific pain points that get most acute vary by vertical:
Financial services and banking experience the most acute pain around access reviews and SoD. The regulatory requirement to demonstrate that no single user can both initiate and approve a financial transaction — and to do so across potentially disconnected systems (a payment initiation system and a separate approval system) — is a recurring audit finding. The evidence standard is high: auditors want non-editable, timestamped proof of who reviewed what access and when. Organizations in this space often have SOX or equivalent regulatory drivers that make access review quality a compliance-critical function.
Hospitality and travel technology organizations that have scaled rapidly tend to hit the shadow IT wall hard. Fast growth means application adoption outpaces governance: the tools that worked at 50 people don't scale to 500, and the governance processes that should have grown alongside headcount often didn't. The manual tracking in spreadsheets becomes untenable at scale faster than in slower-growing industries.
Gaming and media companies deal with massive shadow IT exposure alongside relatively high employee turnover and contractor usage. The combination produces persistent ghost account problems and frequent access certification failures.
Healthcare faces the HIPAA compliance overlay on top of standard IAM challenges — access to systems containing protected health information has specific minimum necessary standards, and access reviews need to demonstrate that only authorized personnel with a legitimate need can access patient data. The compliance consequences of failure are higher than in most other verticals.
Ad tech and marketing technology companies dealing with fragmented request workflows often have the clearest articulation of the approver context problem — different stakeholders need different information for the same decision, and the gap between what the request system captures and what approvers need to know creates constant back-and-forth.
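The financial-services case above, where initiation and approval live in disconnected systems that identify users differently, is the one most worth showing in code. The following added example (not code from the article) joins each system's entitlement export onto the HR employee id, evaluates segregation-of-duties rules across that joined view, and wraps the findings in a review record whose SHA-256 digest lets a later reader detect edits. The directory, entitlement exports, SoD rules and reviewer identity are constructed placeholders; the digest only helps if the record is stored somewhere the reviewer cannot rewrite, which is an assumption outside this script.

```python
"""Cross-system segregation-of-duties check with a tamper-evident review record.

Added example, not from the article. The directory, entitlement exports,
SoD rules and reviewer identity are constructed placeholders.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed directory: employee id -> login in each connected system. The two
# systems identify users differently, so the join key is the HR employee id.
DIRECTORY = {
    "e100": {"payments": "alice@corp.example", "treasury": "CORP\\alice"},
    "e200": {"payments": "bob@corp.example", "treasury": "CORP\\bob"},
    "e300": {"payments": "carol@corp.example", "treasury": "CORP\\carol"},
}

# Constructed entitlement exports from each system, keyed by that system's login.
SYSTEM_EXPORTS = {
    "payments": {"alice@corp.example": {"wire.initiate"},
                 "bob@corp.example": {"wire.initiate"},
                 "carol@corp.example": {"wire.view"}},
    "treasury": {"CORP\\alice": {"wire.approve"},
                 "CORP\\carol": {"wire.approve"}},
}

# Constructed SoD rules: nobody may hold both entitlements of a pair.
SOD_RULES = [("payments:wire.initiate", "treasury:wire.approve")]


def effective_entitlements(directory, exports):
    """Join every system's export onto the employee id as 'system:permission' strings."""
    result = {}
    for emp, logins in directory.items():
        held = set()
        for system, login in logins.items():
            for perm in exports.get(system, {}).get(login, ()):
                held.add(f"{system}:{perm}")
        result[emp] = held
    return result


def sod_violations(directory, exports, rules):
    """Return [(employee id, (left, right))] for every toxic combination held."""
    violations = []
    for emp, held in effective_entitlements(directory, exports).items():
        for left, right in rules:
            if left in held and right in held:
                violations.append((emp, (left, right)))
    return violations


def _digest(payload):
    # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def certify(violations, reviewer, reviewed_at):
    """Produce a review record whose digest covers reviewer, timestamp and findings."""
    payload = {
        "reviewer": reviewer,
        "reviewed_at": reviewed_at.isoformat(),
        "violations": [[emp, list(rule)] for emp, rule in violations],
    }
    return {"payload": payload, "sha256": _digest(payload)}


def verify_record(record):
    """True if the record's payload still matches the digest written at review time."""
    return _digest(record["payload"]) == record["sha256"]


if __name__ == "__main__":
    found = sod_violations(DIRECTORY, SYSTEM_EXPORTS, SOD_RULES)
    record = certify(found, "reviewer@corp.example", datetime.now(timezone.utc))
    print(json.dumps(record, indent=2))
    print("record verifies:", verify_record(record))
```

The join step is the part that separates this from a per-application report: the conflict in the constructed data only exists when the payments login and the treasury login are recognized as the same person, which is exactly the "potentially disconnected systems" finding the text attributes to auditors.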
What's Common Across All of These
Looking across these challenges, the pattern is consistent: the frustration isn't usually that the technology can't solve the problem. It's that the technology is only solving the part of the problem that's easy to see, while the harder parts — the shadow applications, the orphaned accounts, the cross-department movers, the service accounts without owners — stay in the gap because governance processes weren't designed to reach them.
The organizations that have made the most progress have typically started with one of these challenges specifically, built a process that addresses it completely (including the edge cases and the non-SSO applications), and then expanded from there. The attempt to solve all of it at once almost always produces a system that governs the easy parts and leaves the hard parts for the next audit cycle to find.