“2025 is the year when machine identities outnumber humans by 20:1. Yet, most organizations still govern access with tools built for on-prem HR directories. It’s time for change.”
The Changing Landscape of Identity and Access
We're frequently asked why there's a need for next-generation Identity Governance and Administration (IGA) when the solution category has existed for over two decades. While the foundational entities—identities and applications—remain central to the problem, they have evolved dramatically in both form and function. This transformation has been driven first by the evolution of cloud computing and more recently by the rapid rise of artificial intelligence.
The Expanding Identity Universe
Today's identity ecosystem extends far beyond human users. Machine identities—comprising certificates, keys, access tokens, and now, AI agents—are proliferating at an unprecedented rate due to AI adoption, cloud technology expansion, and shorter credential lifecycles. In fact, machine identities now vastly outnumber human identities across most enterprise environments, and this gap continues to widen.
The Shifting Application Landscape
On the application front, over 60% of IT resources in a typical organization now exist as either unmanaged or shadow IT. Visibility into organizational technology stacks is diminishing at an accelerated pace with the widespread adoption of AI applications. Many of these new AI investments stem from experimental budgets, resulting in shorter application lifespans within organizations.
The Compounding Security Challenge
This dual expansion—identity sprawl and application proliferation—creates a compounding security problem for IT and security teams. The rapid rise of shadow IT and the shorter lifecycle of AI-powered tools are leaving behind a vast trail of orphaned and unauthorized access entitlements for both human and non-human identities.
Moreover, each application maintains its own distinct set of access profiles, permission structures, and entitlement models. This has led to a dramatic proliferation of roles and entitlements across the organization, from granular feature-level permissions in SaaS platforms to complex role hierarchies in legacy systems.
The result is an entitlement landscape that has grown exponentially more complex. A mid-sized organization may now manage tens of thousands of unique entitlements across hundreds of applications, each with their own permission taxonomy and governance structure. When IT and security teams lack comprehensive visibility into both identities and applications, it becomes fundamentally impossible to answer the critical question: "Who has access to what?"
Key Limitations of Traditional IGA

The Discovery Paradigm Shift
Traditional IGA operates on a fundamental question: "What applications and identities do you have?" This reactive approach creates a critical blind spot—organizations can only manage what they know exists. Next-generation IGA must instead proactively inform: "Let me tell you what applications you have."
This paradigm shift is crucial because organizations typically limit their IGA programs to known identities and applications, leaving a significant portion unmanaged and ungoverned, which compromises their security posture.
The Rigid Framework Problem
Traditional IGA tools operate on a fundamental flaw: they rely on fixed, predefined access profiles into which data must be forced to fit. This approach may have worked in an era of standardized on-premises applications, but today's applications have far more complex, nuanced, and dynamic entitlement structures.
Modern cloud applications often feature:
- Contextual permissions that vary based on data attributes
- Nested group memberships that create implicit access rights
- Dynamic role structures that evolve as applications update
- Microservice architectures where permissions span multiple interconnected services
- API-based access that traditional IGA tools weren't designed to monitor
This mismatch between rigid IGA frameworks and fluid application entitlement models creates significant blind spots. Organizations find themselves managing only a small subset of their actual permissions landscape, typically the most visible and standardized applications, while leaving a vast universe of entitlements completely unmonitored and ungoverned.
Additional Challenges in the Current IGA Space
- Static Data Powering Traditional IGA: Traditional IGA relies on static identity attributes from HR systems and directories rather than actual usage patterns, creating a fundamental disconnect between assigned access and reality. Consider a financial analyst who retains access to critical financial systems months after moving to a marketing role. Without activity monitoring, traditional IGA sees only that the entitlement exists, not that it hasn't been used for 90 days, leaving a dormant but high-risk access point unaddressed.
- Ineffective Certification Processes: Access certification campaigns in traditional IGA systems force reviewers to make decisions with limited context. Managers reviewing hundreds of entitlements see only static user-application pairings without crucial insights like last access date, usage frequency, or peer comparison data. This information vacuum leads to "rubber-stamping," where busy reviewers approve all access rather than risk business disruption by revoking potentially necessary privileges. One Fortune 500 company found that 98% of certifications were approved without meaningful review, rendering the entire compliance exercise meaningless while preserving thousands of unnecessary access privileges that expanded their attack surface.
- Inefficient Access Modeling: When roles and access policies are built on assumptions without activity data, the resulting models often misalign with actual usage patterns, leading to either excessive privileges or unjustified restrictions.
- Siloed Data and Fragmented Tools: Organizations frequently manage SaaS applications and identity governance in separate systems, preventing rich activity data from informing IGA decisions and hindering data-driven security management.
- Prolonged Implementation Cycles: Traditional IGA deployments consistently suffer from extended implementation timelines, with projects stretching from an expected 6 months to 18-24 months or longer. This delay stems from the manual mapping of complex permission structures, custom connector development, and the constant reconfiguration needed as applications evolve during implementation. These protracted timelines not only increase costs but create dangerous governance gaps that organizations cannot afford in today's rapidly evolving threat landscape.
A Framework for Next-Generation IGA
While the problem is complex, Nathan Harris and Brian Guthrie from Gartner have elegantly captured the solution in the VIA framework—Visibility, Intelligence, and Action. This framework provides a structured approach to addressing the limitations of traditional IGA.

Zluri's Next-Generation IGA platform is addressing the critical gaps
Solving for Visibility
The foundation of effective administration and governance is comprehensive visibility. Zluri's patented discovery engine performs thorough identification of identities and applications, establishing a solid foundation for comprehensive telemetry of activity data. This creates a foundational data fabric connecting identities, applications, and interactions (access controls).
Real-Time Intelligence
- Actionable Insights: Our platform aggregates detailed activity logs across thousands of applications, providing a real-time picture of how entitlements are used and enabling organizations to distinguish between active and dormant access.
- Intelligence-Driven Decision Making: Instead of relying on static, assumption-based models, Zluri enables IT and security teams to base decisions on actual user behavior, making it possible to:
  - Automatically identify unused or underutilized entitlements
  - Validate whether access rights should be maintained or revoked based on actual usage patterns
Intelligence-Powered Automation
- Enhanced Automation: By integrating activity data, Zluri helps automate processes such as access certifications and reviews. For example, if a particular application's usage falls below a predefined threshold, the system can trigger automated alerts or even auto-revoke access, reducing manual intervention.
- Bridging Silos: As a platform that originated in SaaS management, Zluri naturally collects and correlates rich usage data. This data, when integrated into the IGA framework, seamlessly bridges the gap between real-world application usage and identity governance, allowing for a more coherent, holistic approach to managing access.
Governance Without the Guesswork
Zluri replaces assumption-based models with usage-driven insights. No more guessing who needs what access. No more overprovisioned roles or compliance reviews done blind.
Access Modeling
- Refining Role Definitions: Activity data helps map actual user behavior, enabling more accurate role engineering. By understanding which applications are used, and by whom, Zluri's Intelligent Groups are auto-created to define roles that reflect true operational needs.
- Dynamic Policy Adjustments: As usage patterns shift over time (for example, when teams migrate from one tool to another), activity data allows for agile updates to access models through Zluri’s Intelligent Groups. This reduces the risk of legacy access persisting long after it has become obsolete.
Access Certifications
- Targeted Certification Campaigns: Certification processes are enhanced by incorporating activity metrics. Instead of blanket reviews, administrators can focus on entitlements that show little or no usage, streamlining the certification process.
- Risk-Based Decisions: With visibility into usage trends (e.g., how many days within the last 90 days an application was accessed), Zluri's IGA capabilities can differentiate between high-risk dormant entitlements and those that are actively in use, allowing for more nuanced risk management.
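The usage-based tiering described here (days active within the last 90 days), the dormant-entitlement scenario under Static Data Powering Traditional IGA, and the threshold-driven alert or auto-revoke under Intelligence-Powered Automation all rest on the same computation: join entitlement assignments to an activity log and count distinct active days per (identity, application) pair. The block below is an added, self-contained illustration of that computation, not Zluri's code; the log format, the thresholds (dormant at zero active days, low use at five or fewer), and all identities are constructed for the example.

```python
"""Dormant-entitlement detection and certification tiering from activity logs.

Added example, not Zluri's code. Assumes a simple whitespace-separated
activity log "timestamp user app action" and a list of entitlement
assignments; both are constructed sample data.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

WINDOW_DAYS = 90        # look-back window, matching the "last 90 days" view
LOW_USE_MAX_DAYS = 5    # assumed threshold: active on <= 5 distinct days = low use
AS_OF = date(2025, 4, 22)  # constructed report date

# Constructed assignments: a human who changed departments, a finance user,
# and a service account (machine identity) holding an API-reader role.
ASSIGNMENTS = [
    {"user": "analyst01", "dept": "marketing", "app": "fin-reporting", "role": "report_viewer"},
    {"user": "cfo-deputy", "dept": "finance", "app": "fin-reporting", "role": "report_viewer"},
    {"user": "analyst01", "dept": "marketing", "app": "crm", "role": "editor"},
    {"user": "svc-etl", "dept": "platform", "app": "fin-reporting", "role": "api_reader"},
]

# Constructed activity log lines (not real events).
ACTIVITY_LOG = [
    f"2025-04-{d:02d}T08:15:02Z cfo-deputy fin-reporting view_report" for d in range(10, 22)
] + [
    "2025-03-02T17:40:00Z analyst01 crm update_lead",
    "2025-04-21T10:00:00Z analyst01 crm update_lead",
    "2025-01-05T03:00:00Z analyst01 fin-reporting view_report",  # older than the window
    "2025-04-19T02:00:00Z svc-etl fin-reporting api_read",
]


def parse_event(line):
    """Split one log line into (day, user, app, action)."""
    ts, user, app, action = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date(), user, app, action


def usage_by_entitlement(log_lines, as_of):
    """Return {(user, app): set of distinct days active inside the window}."""
    window_start = as_of - timedelta(days=WINDOW_DAYS)
    days = defaultdict(set)
    for line in log_lines:
        day, user, app, _ = parse_event(line)
        if window_start < day <= as_of:
            days[(user, app)].add(day)
    return days


def tier_entitlements(assignments, log_lines, as_of=AS_OF):
    """Attach days_active_90, last_used and a risk tier to every assignment."""
    usage = usage_by_entitlement(log_lines, as_of)
    tiered = []
    for a in assignments:
        active_days = usage.get((a["user"], a["app"]), set())
        n = len(active_days)
        if n == 0:
            tier = "dormant"      # entitlement exists but was never exercised in-window
        elif n <= LOW_USE_MAX_DAYS:
            tier = "low_use"
        else:
            tier = "active"
        tiered.append({**a, "days_active_90": n,
                       "last_used": max(active_days) if active_days else None,
                       "tier": tier})
    return tiered


def certification_queue(tiered):
    """Entitlements a reviewer should look at first: dormant, then low-use."""
    order = {"dormant": 0, "low_use": 1}
    return sorted((e for e in tiered if e["tier"] in order),
                  key=lambda e: (order[e["tier"]], e["user"], e["app"]))


if __name__ == "__main__":
    for e in certification_queue(tier_entitlements(ASSIGNMENTS, ACTIVITY_LOG)):
        print(f'{e["tier"]:8} {e["user"]:12} {e["app"]:14} {e["role"]:14} '
              f'days_active={e["days_active_90"]} last_used={e["last_used"]}')
```

Running it lists analyst01's fin-reporting entitlement as dormant (its only use predates the window), and both the low-use CRM entitlement and the service account as candidates for review; the active finance user is left out of the queue. An auto-revoke step would consume the "dormant" tier, and the thresholds are the knobs a team would tune per application.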
Access Request Management
- Automated Approvals and Reviews: If a request is made for access to a resource that is widely and actively used, the system can automatically approve the request or fast-track it for review, leveraging data such as peer usage or historical activity levels.
- Contextual Decision-Making: When evaluating access requests, historical activity data transforms decision-making from binary approval processes to risk-based intelligence. For example, when a marketing associate requests access to a financial reporting system rarely used by their department, next-generation IGA doesn't simply check role alignment—it analyzes actual usage patterns across the organization. The system can identify that while 95% of marketing personnel don't access this application, those who do typically have specific cross-functional responsibilities. This contextual intelligence allows the system to automatically flag unusual requests for additional verification while fast-tracking those that match established usage patterns, balancing security with operational efficiency.
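The peer-comparison logic described in the two items above (fast-track requests for resources a requester's peers actively use, flag requests where almost no peers use the resource unless the requester shares a cross-functional attribute with those who do) can be expressed as a small triage function. The block below is an added example, not Zluri's code; the directory, the "active users per application" table (which a dormancy report would produce), the tag used to represent cross-functional responsibility, and the two ratio thresholds are all constructed assumptions.

```python
"""Context-aware access-request triage from peer usage.

Added example, not Zluri's code. Assumes a directory with a department and
free-form tags per identity, and a per-application set of identities that
actively used the application in the last 90 days. All data is constructed.
"""
from collections import Counter

# Assumed thresholds on the share of department peers who actively use the app.
FAST_TRACK_MIN_PEER_RATIO = 0.50
FLAG_MAX_PEER_RATIO = 0.10

# Constructed directory: 20 marketing identities, 5 finance identities.
DIRECTORY = {f"mkt{i:02d}": {"dept": "marketing", "tags": []} for i in range(1, 21)}
DIRECTORY.update({f"fin{i:02d}": {"dept": "finance", "tags": []} for i in range(1, 6)})
DIRECTORY["mkt20"]["tags"] = ["budget-owner"]  # the one marketer with a cross-functional duty
DIRECTORY["mkt05"]["tags"] = ["budget-owner"]  # shares the duty but has no access yet

# Constructed "actively used in last 90 days" table, per application.
ACTIVE_USERS = {
    "fin-reporting": {f"fin{i:02d}" for i in range(1, 6)} | {"mkt20"},
    "crm": {u for u, d in DIRECTORY.items() if d["dept"] == "marketing"},
}


def triage_request(requester, app, directory=DIRECTORY, active_users=ACTIVE_USERS):
    """Decide how an access request should be routed based on peer usage."""
    dept = directory[requester]["dept"]
    peers = [u for u, d in directory.items() if d["dept"] == dept and u != requester]
    active_peers = [u for u in peers if u in active_users.get(app, set())]
    ratio = len(active_peers) / len(peers) if peers else 0.0

    # Tags shared with the peers who do use the app stand in for the
    # "specific cross-functional responsibilities" signal in the text.
    peer_tags = Counter(t for u in active_peers for t in directory[u]["tags"])
    shared_tags = [t for t in directory[requester]["tags"] if t in peer_tags]

    if ratio >= FAST_TRACK_MIN_PEER_RATIO:
        decision = "fast_track"            # widely used by peers: low marginal risk
    elif ratio < FLAG_MAX_PEER_RATIO and not shared_tags:
        decision = "flag_for_verification"  # unusual for this department, no matching duty
    else:
        decision = "standard_review"       # unusual, but the requester looks like the peers who do use it

    return {"requester": requester, "app": app, "dept": dept,
            "peer_active_ratio": round(ratio, 3),
            "shared_tags": shared_tags, "decision": decision}


if __name__ == "__main__":
    for req in [("mkt01", "fin-reporting"), ("mkt05", "fin-reporting"),
                ("fin01", "fin-reporting"), ("mkt01", "crm")]:
        r = triage_request(*req)
        print(f'{r["requester"]:6} -> {r["app"]:14} peers_active={r["peer_active_ratio"]:.3f} '
              f'shared={r["shared_tags"]} decision={r["decision"]}')
```

With this data, a generic marketer asking for the finance reporting system is flagged (about 5% of peers use it and nothing links the requester to them), a marketer carrying the same budget-owner tag as the one active peer goes to standard review rather than being auto-flagged, and requests for tools the whole department already uses are fast-tracked. The routing is a suggestion to the approver; the revocation and approval decisions themselves stay with the workflow that consumes it.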
Security Gains in 30 Days, Not 30 Months
Next-generation IGA solutions dramatically reduce time-to-value compared to traditional approaches. While legacy IGA platforms often require 18+ months before delivering tangible security benefits, modern activity-based solutions can begin providing actionable insights within weeks. This rapid deployment advantage stems from automated discovery capabilities and pre-built integrations with common applications that eliminate lengthy manual mapping processes. Organizations can achieve their first risk reduction milestones—such as identifying and remediating dormant privileged accounts—in the first 30 days. From there, they can progressively enhance governance capabilities by following a clear value roadmap. This shift from multi-year projects to incremental value delivery helps security teams demonstrate immediate ROI while continuously strengthening their governance posture.
Conclusion
Traditional IGA systems have long suffered from a lack of real-time actionable data, leading to inefficiencies and security gaps. Zluri's approach—leveraging deep activity insights from an advanced discovery engine—addresses these challenges by providing real-time, evidence-based data that transforms access modeling, certification, and request management.
This integration not only streamlines processes but also enhances security by ensuring that access rights truly reflect the current needs and behaviors of the organization in an increasingly complex world of human and machine identities, cloud applications, and AI-driven tools.
Take the Next Step in Securing Your Enterprise Identity Landscape
- Schedule a Personalized Demo: See Zluri's next-generation IGA platform in action with a tailored demonstration for your organization's specific needs.
- Visit Us at RSA 2025: Join us at Booth #5381 to meet our experts and experience hands-on how Zluri is securing the AI-first enterprise.