6 Common Causes of Failure in IGA Projects

Identity Governance and Administration (IGA) implementations are critical for modern businesses, yet they often face significant challenges. A McKinsey study, while not specific to Identity, reveals a disheartening trend in IT projects: they tend to run 45% over budget, 7% over time, and deliver 56% less value than predicted. It's reasonable to assume that IGA projects contribute substantially to these statistics due to the amount of manually intensive work they require. Understanding the common pitfalls is crucial for organizations aiming to successfully implement IGA solutions. Here are the top six reasons why IGA implementations fail:

1. Lack of Clear Business Objectives and Strategy

IGA projects frequently struggle because they lack well-defined business goals, which can result in confusion and misalignment with the organization's needs. Without clear objectives, teams may pursue initiatives that do not effectively address the core requirements of the business. These are some examples of practices that undermine the success of the IGA implementation:

• Organizations implement IGA without clear joiner-mover-leaver processes, resulting in improper access assignments and failed audits.
• Companies rush into IGA implementation for compliance without defining business value, resulting in significant resistance from business units that perceive it as a burden.
• Projects start without clear success criteria for access certification campaigns, resulting in high certification costs with minimal risk reduction
• Organizations fail to define clear ownership between HR, IT, and business units for identity lifecycle management
• Implementations lack of scalable design to support M&A or other major enterprise changes

2. End-User Resistance and Adoption Issues

End-user resistance can significantly impede the success of an IGA project, as users often view new processes as burdensome and disruptive to established workflows. This reluctance may lead to non-compliance or circumvention of protocols. Here are a few examples of why organizations may face resistance and solution adoption issues:

• Access certification campaigns overwhelm managers with thousands of entitlements to review, leading to rubber-stamping
• Complex access request catalogs where users can't understand what access they need, resulting in wrong access requests or calls to IT
• Certification interfaces that don't provide context about the access being reviewed, making it impossible for managers to make informed decisions
• Role management interfaces that business users can't understand, leading to resistance in role governance processes

3. Insufficient Stakeholder Engagement

Insufficient stakeholder engagement is a common issue in IGA projects, as organizations often fail to involve key personnel from various departments beyond IT and security. This oversight can result in misalignment with business objectives, resistance to change, and inadequate buy-in, leading to poor adoption rates. These are a few examples of actions that can lead to this:

• Not involving application owners in onboarding decisions, discovering later that critical applications can't integrate with the chosen IGA solution
• Implementing automated provisioning without understanding business unit approval requirements, breaking existing operational processes
• Rolling out access reviews without proper training for managers, resulting in poor quality reviews
• Excluding HR from identity lifecycle management discussions, leading to gaps in joiner-mover-leaver processes

4. Underestimating Complexity and Scope

Underestimating the complexity and scope of IGA projects is a common issue that can lead to significant challenges. Organizations often fail to recognize that IGA is an ongoing program requiring extensive integration across various systems and departments. There are common shortfalls in the understanding of IGA projects:

• Organizations attempt to implement automated provisioning for all applications at once instead of phasing critical systems first
• Companies underestimate the effort required to clean up historical access rights before starting access reviews
• Projects fail to account for complex approval workflows that vary by department, region, and risk level
• Organizations discover midway that their role mining efforts require much more business input than planned
• More often than not, heavy customization of the IGA product is required to satisfy the business needs. 

5. Data Quality and Integration Challenges

IGA projects frequently face data quality and integration challenges that can impede success. Organizations often underestimate the complexity of consolidating and cleansing data, resulting in inconsistencies that affect access management and compliance. Here are some common practices that lead to these challenges

• Poor HR data quality prevents accurate role-based access control implementation
• Inconsistent application account naming conventions make it impossible to correlate identities
• Incomplete attribute data prevents automated access decisions from working properly
• Multiple authoritative sources with conflicting identity information break automated provisioning
• Obsolete, redundant or unclassified entitlements cause the IGA process to be inefficient. 
• Current IGA product require highly skilled developers and cannot easily integrate with target systems without large effort

6. Costly Maintenance and Support

IGA projects can lead to significant maintenance and support costs that organizations often underestimate. Ongoing updates and customizations are essential for system effectiveness, requiring continuous resources and specialized expertise, which can be expensive. There are a few specific examples that organizations tend to overlook:

• Organizations underestimate the effort needed to maintain role definitions as business processes change
• Regular changes in access policies require constant updates to automated provisioning rules
• Access certification campaigns require dedicated support teams to handle exceptions
• Application onboarding costs exceed budget as each integration requires custom development
• Most current IGA products are not cloud-native. As a result, upgrade, patching, monitoring, and adding more servers require huge effort, cost, risk and down time

In conclusion, Identity Governance and Administration (IGA) projects face several challenges that can lead to failure if not addressed. The six common causes of lack of clear business objectives, end-user resistance, insufficient stakeholder engagement, underestimating complexity, data quality issues, and costly maintenance underscore the need for strategic planning and collaboration. Organizations must recognize that IGA is a complex, ongoing program requiring clear goals, effective stakeholder involvement, and continuous improvement. By proactively addressing these pitfalls, companies can enhance security, improve compliance, and streamline operations, ultimately ensuring a successful IGA implementation that delivers significant value.