There’s a strange tendency for companies to treat HR and IT as if they existed on different planets, keeping their interactions to a minimum. And yet, there’s one area where this "separate worlds" mentality backfires every time, and that’s identity governance.
When there’s friction between business needs and system requirements, the advice is usually “just sync your HRIS to your IGA platform, automate the triggers, and the problem will vanish.” The talk about business and tech departments’ alignment lasts for about five minutes and then the rest of the conversation is about tooling.
Tools are important, but the access problems I’ve seen across companies all stemmed from something broader, i.e., a lack of end-to-end ownership. When a payroll status keeps a terminated employee’s account live for weeks, or an informal "verbal" promotion leaves someone with excessive permissions for months, we are looking at an organizational gap.
To make identity governance work, we have to look past the dashboard and address the silos between the HR and IT teams.
To understand why there are so many misunderstandings or misconceptions around different IGA responsibilities, we have to first realize just how much has changed in the last ten years.
For starters, IGA is no longer solely about provisioning accounts, because the real work now circles around supervision. When we launch an attestation, we don’t stop at “does this person still need an AD account?” Instead, we check every permission the person holds and whether it still belongs there.
This means pulling in as many systems as possible so access requests, monitoring, and revocations happen in one place. This is also where most organizations falter.
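The attestation described above, checking every entitlement a person holds across several systems against what their formal role allows, can be expressed as a small reconciliation job. The following is an added example, not code from the original post or from any IGA product. The role baselines, the HR role table, the entitlement exports and the username-to-employee correlation table are all constructed for illustration.

```python
from collections import defaultdict

# Constructed role baselines: the (system, entitlement) pairs a role may hold.
ROLE_BASELINE = {
    "analyst": {("crm", "read"), ("wiki", "edit")},
    "manager": {("crm", "read"), ("crm", "approve"), ("wiki", "edit"), ("hris", "team_view")},
}

# Constructed HR view: employee id -> formal role on the org chart.
HR_ROLES = {"E100": "analyst", "E200": "manager"}

# Constructed entitlement exports from three systems: (system, local username, entitlement).
EXPORTS = [
    ("crm", "asmith", "read"),
    ("crm", "asmith", "approve"),      # granted after an informal promotion, never reflected in HR
    ("wiki", "alice.smith", "edit"),
    ("crm", "bjones", "read"),
    ("crm", "bjones", "approve"),
    ("wiki", "bob.jones", "edit"),
    ("hris", "bjones", "team_view"),
    ("crm", "svc-report", "read"),     # no HR owner at all
]

# Constructed correlation table: (system, local username) -> employee id.
IDENTITY_MAP = {
    ("crm", "asmith"): "E100", ("wiki", "alice.smith"): "E100",
    ("crm", "bjones"): "E200", ("wiki", "bob.jones"): "E200", ("hris", "bjones"): "E200",
}


def aggregate(exports, identity_map):
    """Collapse per-system accounts into one entitlement set per person.

    Anything that cannot be tied to an employee is returned separately so it
    gets a human review instead of silently dropping out of the campaign.
    """
    held = defaultdict(set)
    unmapped = []
    for system, local_user, entitlement in exports:
        employee = identity_map.get((system, local_user))
        if employee is None:
            unmapped.append((system, local_user, entitlement))
        else:
            held[employee].add((system, entitlement))
    return held, unmapped


def attest(held, hr_roles, baseline):
    """Compare what each person holds with what the formal role allows."""
    report = {}
    for employee, entitlements in held.items():
        role = hr_roles.get(employee)
        allowed = baseline.get(role, set())   # unknown role -> nothing is allowed
        report[employee] = {
            "role": role,
            "excess": sorted(entitlements - allowed),   # held but not justified by the role
            "missing": sorted(allowed - entitlements),  # role expects it, person lacks it
        }
    return report


def run_sample():
    held, unmapped = aggregate(EXPORTS, IDENTITY_MAP)
    return attest(held, HR_ROLES, ROLE_BASELINE), unmapped


if __name__ == "__main__":
    report, unmapped = run_sample()
    for employee, row in report.items():
        print(employee, row)
    print("unmapped accounts:", unmapped)
```

The point of the "excess" list is that it is computed from the union of all systems, so the CRM approval right that came with an informal promotion shows up even though HR still lists the person as an analyst; the "unmapped" list is where accounts with no owner surface.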
It’s rarely possible to draw a clear line between HR and IT access management responsibility, because the org chart diffuses accountability. No one owns the outcome. Paradoxically, a “perfect” technical integration between HRIS and IGA can end up masking the underlying mess even further.
The issue grows worse with non-human identities. Service accounts, API keys, bots, and autonomous AI agents often outnumber humans 45:1 or more as a result of cloud adoption and automation. They don’t follow HR lifecycles: they are created in code, change over time, accumulate rights, and may interact in unpredictable ways.
So, at its core, IGA is about who answers for the access that exists inside systems, and whether anyone can be held accountable when it goes wrong.
HR owns the employee lifecycle, meaning hiring, promotions, and terminations. They’re the single source of truth for employee data, and they’ve got guidelines on what different roles should be allowed to do. But digging into what entitlements actually look like across twenty different applications? That’s usually not on their radar. They assume access management belongs to IT.
What IGA challenges can this lead to? There are at least a few:
IT teams run the show on the technical side, covering infrastructure, security tools, identity platforms, audits, MFA enforcement, log monitoring, patching, and incident response.
They’re experts at making systems work and keeping threats at bay. But they usually can’t answer questions like:
The reason is that they’re detached from the business context. IT usually leans on the joiner-mover-leaver processes it receives from HR and the business. But without speaking to these departments regularly, they often follow policies that are incomplete or outdated.
That turns governance into reactive firefighting.
In all honesty, I don’t believe that many IT departments have the conditions to run proactive campaigns, because they handle:
IT brings serious technical chops, that’s not in question. But they won’t be able to put their technical excellence to work without knowing the real-world business nuance behind the requests they receive.
I’d like to make it crystal-clear that the real issue isn’t HR or IT being incompetent. It’s that neither can genuinely be responsible for identity governance alone.
No one has shown HR and IT how to talk to one another about IGA, and that is what builds silos.
We see a lot of mutual blind assumptions, because HR thinks “IT handles all the access stuff,” while IT thinks “HR tells us exactly what roles they need.” There’s a lot of live information that gets lost, and there has to be a clear bridge between those two departments.
I believe it’s largely because, at many organizations, IGA is “sort of” functional. One area might run smoothly while another drags. It’s never truly perfect because the landscape keeps shifting, with new tech like AI agents, evolving attack patterns, and fresh regulations. This isn’t a one-and-done project, but nothing will change unless the organization grasps why attestations and reviews matter.
All departments must understand what IGA does and realize that the process respects their workflow instead of adding pointless hassle.
The even deeper blind spot, in my opinion? It’s that IGA tools automate faithfully off the HRIS, but the HRIS only reflects the formal, official org chart, which is updated on HR’s rigid timelines. It completely misses the informal reality that drives work, like:
I’ve seen a client case like this, where a leaver stayed “active” in HR for payroll wrap-up, so IGA got no deprovision signal – the account lingered and duplicates grew because HR hid the record.
What could have been done here instead would have been mapping out HR’s real needs, and then building IT-side controls (e.g., disabling logins while preserving the HR status).
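The IT-side control described in that case, disabling logins off a separate access-relevant date while leaving the HR status untouched for payroll, can be implemented as a reconciliation that never uses the payroll status as its deprovision trigger when a last working day is known. This is an added example, not the client's implementation or any product's code; the record layouts, the seven-day grace period, the dates and the sample accounts are constructed assumptions. It also flags the two side effects mentioned above: accounts that linger past the grace period and duplicate accounts that accumulate for the same person.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    hr_status: str                      # payroll view: "active" or "terminated"
    last_working_day: Optional[date]    # access-relevant date, set at offboarding


@dataclass
class Account:
    username: str
    employee_id: Optional[str]          # None: no HR owner at all
    login_enabled: bool


@dataclass(frozen=True)
class Finding:
    username: str
    kind: str                           # "disable", "lingering", "duplicate", "orphan"
    detail: str


def login_should_be_enabled(rec: Optional[HrRecord], today: date) -> bool:
    """Login follows the last working day; payroll status is only a fallback."""
    if rec is None:
        return False
    if rec.last_working_day is not None:
        return today <= rec.last_working_day
    return rec.hr_status == "active"


def reconcile(hr_records: List[HrRecord], accounts: List[Account],
              today: date, grace_days: int = 7) -> List[Finding]:
    """Compare live accounts with HR data; HR records are never modified."""
    hr = {r.employee_id: r for r in hr_records}
    owners = {}                         # employee_id -> usernames mapped to it
    findings = []
    for acct in accounts:
        rec = hr.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            findings.append(Finding(acct.username, "orphan", "no HR owner; assign an owner or disable"))
            continue
        owners.setdefault(rec.employee_id, []).append(acct.username)
        if acct.login_enabled and not login_should_be_enabled(rec, today):
            overdue = (today - rec.last_working_day).days if rec.last_working_day else 0
            kind = "lingering" if overdue > grace_days else "disable"
            findings.append(Finding(acct.username, kind,
                                    f"{overdue} days past last working day; "
                                    f"HR status '{rec.hr_status}' left as is"))
    for employee, names in owners.items():
        if len(names) > 1:
            for name in names:
                findings.append(Finding(name, "duplicate", f"{len(names)} accounts map to {employee}"))
    return findings


def accounts_to_disable(findings: List[Finding]) -> List[str]:
    return sorted({f.username for f in findings if f.kind in ("disable", "lingering")})


# Constructed sample data (the scenario from the text, not real records).
TODAY = date(2024, 6, 20)
SAMPLE_HR = [
    HrRecord("E100", "active", None),
    HrRecord("E200", "active", date(2024, 5, 31)),     # kept active in HR for payroll wrap-up
    HrRecord("E300", "terminated", date(2024, 3, 15)),
    HrRecord("E400", "active", date(2024, 6, 18)),     # left two days ago
]
SAMPLE_ACCOUNTS = [
    Account("alice", "E100", True),
    Account("bob", "E200", True),
    Account("bob2", "E200", True),      # duplicate created while the original lingered
    Account("carol", "E300", False),    # already disabled, nothing to do
    Account("dave", "E400", True),
    Account("svc-legacy", None, True),  # nobody in HR owns it
]


def run_sample() -> List[Finding]:
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    findings = run_sample()
    for f in findings:
        print(f"{f.username:<11} {f.kind:<9} {f.detail}")
    print("disable:", accounts_to_disable(findings))
```

Run daily, this gives IT a deprovision signal that does not depend on HR closing the payroll record, and the "lingering" and "duplicate" findings are the metrics both teams can look at together when they review how well the handover is working.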
As you can see, it’s attainable to find common ground, but it demands actual conversation across silos.
The perfect-scenario solution would be simple – a single owner who sits above the HR/IT divide (like a COO or Governance Lead). When permissions creep or accounts linger, that one person would have the authority to force a resolution. They’d also be a clear escalation point for everyone else in the business with an IGA issue.
But, since we’re not living in a perfect world, and having such a senior "unicorn" with deep cross-domain fluency isn't usually feasible, you need a different bridge.
If you can’t find one person, pair two. You need a duo that combines business process nuances (HR and payroll) with technical IAM reality (integrations and threat models). These team members don't need to be experts in both, just literate enough to spread the other departments’ perspective further in the business.
When internal bridge-builders are scarce, you can also consider bringing a team of consultants on board. The key benefit here is that they can act as a neutral circuit breaker.
They bring pre-built patterns and, more importantly, the ability to facilitate conversations that internal politics usually block. A fresh, analytical set of eyes can often provide ideas or ask questions that catch even seasoned internal teams by surprise.
As you consider the options above, I also recommend the following quick steps.
In my experience, when identity governance stays broken at a company it’s usually because HR and IT have effectively built a wall where they toss data over the top. When they do that, everyone hopes for the best, but nobody is minding the foundation.
If IGA conflicts or gaps were just a technical hurdle, IT would have solved it years ago. So, the real friction is a lack of collective intent on both ends. The good news though is that this is a deadlock we can actually break.
Fixing it just requires starting a conversation. When IT and HR turn cross-team synchronization into a shared habit, transforming the entire system becomes possible. HR begins to see that accurate data entry is a powerful security control, and IT starts building access models that support the business instead of slowing it down.
So, real maturity is within reach the moment we stop waiting for one department to play the hero and start building a bridge of mutual accountability. It’s an ongoing effort, but it’s a rewarding one.