If you’ve worked in IT or security for more than five minutes, you’ve seen the same story repeat: a new employee joins, needs access “urgently,” someone grants it manually, and the access never gets cleaned up. Then the person changes roles, and the old access stays. Then they leave, and some accounts still remain active somewhere. The next audit is painful, and the next incident review is worse.
That’s the gap Identity Governance & Administration (IGA) is meant to close. And SailPoint IdentityNow is one of the most common platforms teams use to do it in a cloud-first way—especially when applications are spread across SaaS tools, on-prem systems, and a dozen “small but critical” apps no one wants to admit they rely on.
This blog breaks down how IGA works in the real world, how IdentityNow fits into the picture, and what you should implement first so you don’t create a complicated system nobody trusts. If you’re learning this for career growth, you’ll also see where SailPoint Identity Now Training from Ascents Learning fits in practically—because reading definitions is easy, running a clean rollout is the real job.
IGA in plain terms (and why it’s different from “just IAM”)
IGA is about answering four questions—consistently, at scale:
- Who is the user? (employee, contractor, vendor, service account)
- What access do they have? (across apps and systems)
- Why do they have it? (policy, role, approval, business need)
- Should they still have it today? (reviewed, revoked, reapproved)
This is where IGA differs from the parts of IAM people usually talk about first (SSO, MFA, password policies). SSO and MFA help users authenticate and reduce login risk. IGA focuses on access lifecycle + governance—making sure access is granted for the right reason and removed at the right time.
That’s also why audits care about IGA. Auditors don’t just want “we use MFA.” They want proof that access is reviewed, approvals exist, and leavers don’t keep lingering access.
Why SailPoint IdentityNow is used for modern IGA
SailPoint IdentityNow is a SaaS IGA platform designed to centralize identity data and help teams govern access across multiple sources. It’s commonly used to bring order to:
- HR-driven joiner/mover/leaver changes (JML)
- access requests with approvals and audit trails
- access certifications (periodic reviews)
- provisioning and deprovisioning, where integrations allow it
- visibility and reporting across identities and entitlements
Think of IdentityNow as the place where identity data, policies, and governance workflows meet. It’s the difference between “We think access is okay” and “Here’s the evidence, here’s the approval chain, and here’s what changed.”
If you’re aiming to learn it properly—not just the UI—this is where SailPoint Identity Now Training becomes valuable. In real projects, most issues come from messy identity data, weak process design, or unrealistic expectations about connectors. Training should prepare you for those realities, not just screenshots.
The building blocks you’ll actually use in IdentityNow
1) Identity lifecycle (Joiner–Mover–Leaver) that doesn’t break
The biggest win in IGA usually comes from getting lifecycle basics right.
- Joiner: new user appears with correct attributes, gets baseline access
- Mover: department/role/location changes trigger access updates
- Leaver: access removal is consistent, timely, and provable
In theory, HR is the source of truth. In practice, HR data is often incomplete or late. A strong IdentityNow setup handles that with clear lifecycle states and sensible fallback rules.
What “good” looks like: a leaver event automatically disables accounts in the top-priority systems (email, VPN, core apps) and generates an audit trail that’s easy to export.
2) Access requests that reduce tickets (without losing control)
The goal isn’t to create a fancy portal. The goal is to stop random access being granted in random ways.
With IdentityNow, you typically configure:
- what users can request (apps, roles, entitlements)
- who approves (manager, app owner, compliance, or multi-step chains)
- how long access lasts (especially for elevated access)
- what happens after approval (provision automatically or create tasks)
Real-life example: A developer needs temporary production access for a week. In a mature setup, the request has an expiry date, approvals are recorded, and access auto-revokes if not extended.
3) Access certifications that reviewers can’t “rubber-stamp”
Certifications (access reviews) are where many IGA programs lose credibility. If the review experience is unclear, reviewers approve everything just to clear their queue.
A useful certification program has:
- meaningful review items (not noise)
- context: why the user has access, last used date (if available), risk indicators
- clear actions: approve, revoke, delegate, comment
- sensible scope: don’t review everything every month
Practical tip: Start with high-risk access and high-impact apps first. A certification that removes 10% of risky access is more valuable than a certification that “reviews” 100% and changes nothing.
4) Provisioning: where “governance” becomes real
Provisioning is the engine behind granting/removing access—when the integration supports it.
In reality, you’ll deal with:
- apps that provision cleanly
- apps that provision partially
- apps that can’t provision at all (manual steps required)
IdentityNow still helps even when provisioning is partial. Why? Because you can track approvals, create tasks, and prove the process. But you want to be honest about automation levels from day one; otherwise, stakeholders assume everything is “instant.”
5) Sources and integrations: the part that decides your timeline
Most project delays come from integration complexity, not from governance screens.
Common blockers:
- inconsistent identity attributes across sources
- duplicate identities
- entitlement naming that makes no sense (common in legacy systems)
- app owners who don’t know how access is granted today
- connectors that require careful configuration and testing
This is why SailPoint Identity Now Training should include hands-on labs with sources, entitlement models, and common failure scenarios—because those are the situations you’ll be hired to solve.
A realistic IdentityNow flow (what “good” looks like)
Scenario: A sales rep joins and needs Salesforce + Slack + VPN
- Joiner event
  - HR creates the user record.
  - IdentityNow pulls the identity and applies baseline policy.
- Baseline access
  - Slack basic access assigned automatically (example policy).
- Access request
  - Manager requests Salesforce “Sales Rep” access profile.
- Approvals
  - Manager approves + Salesforce app owner approves (depending on org policy).
- Provisioning
  - IdentityNow provisions access automatically if the connector supports it, or generates a task if manual.
- Certification
  - Quarterly review includes Salesforce access.
  - If the user moved teams, old access gets revoked.
That’s the point: fewer ad-hoc grants, fewer permanent “temporary” accesses, and more proof when someone asks, “Who approved this?”
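The flow above, together with the lifecycle, time-bound request and certification points from the building-blocks section, as a small runnable model. This is an added illustration written for this page, not SailPoint code and not the IdentityNow API: the birthright policy table, the entitlement names, the contractor fallback rule, the 7-day default expiry for admin access and the identities in the scenario are all constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed policy table (hypothetical entitlement names, not from the page or from SailPoint).
BIRTHRIGHT = {"*": {"slack:basic"}, "sales": {"vpn:standard"}, "engineering": {"github:developer"}}
Grant = namedtuple("Grant", "approvals expires_on", defaults=((), None))   # () = birthright


@dataclass
class Identity:
    uid: str
    kind: str                    # "employee" or "contractor"
    department: str = None
    end_date: date = None
    active: bool = True
    grants: dict = field(default_factory=dict)   # entitlement -> Grant


class GovernanceEngine:
    def __init__(self):
        self.identities, self.audit = {}, []   # audit rows: (date, uid, action, detail)

    def _revoke(self, ident, ent, today, why):
        if ident.grants.pop(ent, None) is not None:
            self.audit.append((today, ident.uid, "revoke", f"{ent} ({why})"))

    def sync_hr(self, records, today):
        """Apply one HR feed; identities missing from the feed are left alone, not auto-terminated."""
        events = {}
        for rec in records:
            uid, ident = rec["uid"], self.identities.get(rec["uid"])
            if rec.get("status") == "terminated" or (rec.get("end_date") or date.max) < today:
                events[uid] = "leaver"
                if ident is not None:
                    ident.active = False   # email/VPN go first, then the rest; each removal is logged
                    for ent in sorted(ident.grants, key=lambda e: e.split(":")[0] not in ("email", "vpn")):
                        self._revoke(ident, ent, today, "leaver")
                continue
            if ident is None:
                events[uid] = "joiner"
                ident = Identity(uid, rec["kind"], rec.get("department"), rec.get("end_date"))
                self.identities[uid] = ident
            elif ident.department != rec.get("department"):
                events[uid] = "mover"   # old team's baseline goes; requested access waits for review
                for ent in BIRTHRIGHT.get(ident.department, set()):
                    self._revoke(ident, ent, today, "mover")
                ident.department = rec.get("department")
            wanted = set(BIRTHRIGHT["*"])
            if ident.kind == "contractor" and ident.end_date is None:
                # Fallback rule (assumption): no end date -> global baseline only, sponsor gets flagged.
                self.audit.append((today, uid, "flag", "contractor without end date"))
            elif ident.department:   # a missing department also falls back to the global baseline
                wanted |= BIRTHRIGHT.get(ident.department, set())
            for ent in sorted(wanted - ident.grants.keys()):
                ident.grants[ent] = Grant()
                self.audit.append((today, uid, "provision", f"{ent} (birthright)"))
        return events

    def request(self, uid, ent, approvals, today, days=None):
        """Requested access needs a recorded approval; ':admin' access is time-bound by default."""
        ident = self.identities[uid]
        if not ident.active or not approvals:
            return False
        days = days or (7 if ent.endswith(":admin") else 0)   # assumed default: admin expires in 7 days
        expires = today + timedelta(days=days) if days else None
        ident.grants[ent] = Grant(tuple(approvals), expires)
        self.audit.append((today, uid, "provision", f"{ent} approved by {','.join(approvals)}, expires {expires}"))
        return True

    def expire(self, today):
        """Daily job: auto-revoke requested access whose expiry date has passed."""
        for ident in self.identities.values():
            for ent in [e for e, g in ident.grants.items() if g.expires_on and g.expires_on < today]:
                self._revoke(ident, ent, today, "expired")

    def certify(self, uid, reviewer, decisions, today):
        """Access review: decisions maps entitlement -> "approve" or "revoke"; both outcomes are logged."""
        for ent, decision in decisions.items():
            if decision == "revoke":
                self._revoke(self.identities[uid], ent, today, f"certification by {reviewer}")
            else:
                self.audit.append((today, uid, "certified", f"{ent} kept by {reviewer}"))

    def access(self, uid):
        return sorted(self.identities[uid].grants)


def run_scenario():
    # Constructed walk-through: joiners -> requests -> expiry -> mover -> review -> leaver.
    e, d0 = GovernanceEngine(), date(2026, 1, 5)
    e.sync_hr([{"uid": "s.rep", "kind": "employee", "department": "sales"},
               {"uid": "dev", "kind": "employee", "department": "engineering"},
               {"uid": "c.tractor", "kind": "contractor"}], d0)
    e.request("s.rep", "salesforce:sales_rep", ["manager", "sf_owner"], d0)   # standing access
    e.request("dev", "prod:admin", ["manager"], d0)                           # expires after 7 days
    e.expire(d0 + timedelta(days=8))
    e.sync_hr([{"uid": "s.rep", "kind": "employee", "department": "marketing"}], d0 + timedelta(days=30))
    e.certify("s.rep", "manager", {"salesforce:sales_rep": "revoke"}, d0 + timedelta(days=30))
    e.sync_hr([{"uid": "dev", "kind": "employee", "status": "terminated"}], d0 + timedelta(days=60))
    return e
```

Run `run_scenario()` and read the `audit` list: every provision, revocation, flag and review decision is a dated row, which is the kind of evidence the “Who approved this?” question needs. Two design choices are worth noticing: the mover branch removes only the old team’s baseline and leaves the requested Salesforce profile for the quarterly review to decide on, mirroring the certification step above; and an identity that simply disappears from an HR feed is not treated as a leaver, because a late or incomplete HR extract should not silently disable people.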
Policies that matter in 2026 (the ones teams actually enforce)
Least privilege that’s measurable
Not “we believe in it.” Measurable means:
- baseline access is smaller
- elevated access is time-bound
- exceptions are tracked
Time-bound access for risky permissions
Admin access should expire by default unless renewed with approval.
Separation of duties (SoD) awareness
Even if you don’t implement complex SoD from day one, you should at least identify common conflicts early (finance approvals + payment execution, for example).
Non-employee governance
Contractors and vendors are the easiest identities to lose track of. A mature setup enforces:
- start/end dates
- sponsor ownership
- periodic review cycles
A rollout plan that doesn’t turn into a never-ending project
Phase 1: Visibility first (foundation)
- connect HR source and 5–10 key apps
- normalize identity data
- build reporting that shows current state and risk areas
Phase 2: Control access (reduce chaos)
- enable access requests for key apps
- define approval chains
- begin basic provisioning where feasible
Phase 3: Governance and audit readiness
- run certifications for high-risk access
- capture reviewer context and comments
- set consistent leaver handling with evidence
Phase 4: Optimize and automate
- improve role/access models
- reduce approval fatigue with smarter rules
- expand integrations and tighten policies
This is exactly where Ascents Learning positions SailPoint Identity Now Training well: not as “learn the tool,” but as “learn the workflows and implementation decisions you’ll make on a real project.”
Common mistakes (that cause teams to lose trust in IGA)
Mistake 1: Trying to integrate everything at once
Start with systems that matter most: email, VPN, HR, core business apps. Then expand.
Mistake 2: Overengineering roles too early
Roles are useful, but building them before you understand access patterns creates clutter and exceptions.
Mistake 3: Certifications without context
If reviewers don’t understand what they’re approving, they’ll approve everything.
Mistake 4: Accepting provisioning failures as “normal”
Provisioning failures become a hidden backlog. Treat them like incidents: root cause, fix, prevent.
Mistake 5: No KPIs, no proof
If you can’t show reduced access time, reduced orphan accounts, or improved audit outcomes, the program looks like a cost center.
KPIs to track (so you can prove IdentityNow is working)
- Time to grant access (by app and request type)
- Leaver deprovisioning time (hours/days, not “eventually”)
- Orphaned accounts trend (should drop)
- Certification outcomes (revocations vs approvals)
- Provisioning success rate (and top failure reasons)
- Audit findings related to access governance (should reduce over cycles)
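The KPI list above, computed over a constructed event feed, as an added example that is not an IdentityNow report or export. The JSON Lines field names, the sample rows and the 24-hour leaver target are assumptions made for this illustration; in practice the rows would come from the platform’s own reporting.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample event feed (JSON Lines). The field names are assumptions for this example,
# not an IdentityNow export format; a real program would read rows from the platform's reports.
SAMPLE_EVENTS = """\
{"type": "request", "app": "salesforce", "requested": "2026-02-01T09:00", "granted": "2026-02-01T13:30"}
{"type": "request", "app": "salesforce", "requested": "2026-02-03T10:00", "granted": "2026-02-05T10:00"}
{"type": "request", "app": "salesforce", "requested": "2026-02-09T15:00", "granted": "2026-02-09T17:00"}
{"type": "request", "app": "vpn", "requested": "2026-02-02T08:00", "granted": "2026-02-02T08:30"}
{"type": "leaver", "uid": "u1", "terminated": "2026-02-10T17:00", "disabled": "2026-02-10T17:20"}
{"type": "leaver", "uid": "u2", "terminated": "2026-02-12T17:00", "disabled": "2026-02-15T09:00"}
{"type": "orphan_scan", "period": "2026-01", "count": 42}
{"type": "orphan_scan", "period": "2026-02", "count": 31}
{"type": "orphan_scan", "period": "2026-03", "count": 25}
{"type": "audit_findings", "period": "2025-H2", "count": 6}
{"type": "audit_findings", "period": "2026-H1", "count": 2}
{"type": "cert_decision", "decision": "approve"}
{"type": "cert_decision", "decision": "approve"}
{"type": "cert_decision", "decision": "approve"}
{"type": "cert_decision", "decision": "revoke"}
{"type": "provision", "app": "salesforce", "ok": true}
{"type": "provision", "app": "salesforce", "ok": false, "error": "connector timeout"}
{"type": "provision", "app": "vpn", "ok": true}
{"type": "provision", "app": "salesforce", "ok": false, "error": "connector timeout"}
{"type": "provision", "app": "slack", "ok": true}
{"type": "provision", "app": "salesforce", "ok": false, "error": "missing attribute: employeeNumber"}
{"type": "provision", "app": "vpn", "ok": true}
"""
LEAVER_SLA_HOURS = 24   # assumed target: leaver accounts disabled within 24 hours of HR termination


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def time_to_grant(events):
    """Median hours from request to grant, per app (the 'time to grant access' KPI)."""
    per_app = defaultdict(list)
    for ev in events:
        if ev["type"] == "request":
            per_app[ev["app"]].append(_hours(ev["requested"], ev["granted"]))
    return {app: round(median(h), 2) for app, h in per_app.items()}


def leaver_deprovisioning(events):
    """Hours from HR termination to account disable per leaver, and who breached the SLA."""
    hours = {ev["uid"]: round(_hours(ev["terminated"], ev["disabled"]), 2)
             for ev in events if ev["type"] == "leaver"}
    return {"hours": hours, "sla_breaches": sorted(u for u, h in hours.items() if h > LEAVER_SLA_HOURS)}


def trend(events, kind):
    """Counts per period for one scan type; 'improving' means every period is lower than the one before."""
    series = sorted((ev["period"], ev["count"]) for ev in events if ev["type"] == kind)
    counts = [c for _, c in series]
    return {"series": series, "improving": all(b < a for a, b in zip(counts, counts[1:]))}


def certification_outcomes(events):
    """Revocations vs approvals: a campaign that revokes nothing is a rubber-stamp signal."""
    c = Counter(ev["decision"] for ev in events if ev["type"] == "cert_decision")
    total = sum(c.values())
    return {"approve": c["approve"], "revoke": c["revoke"],
            "revoke_rate": round(c["revoke"] / total, 3) if total else 0.0}


def provisioning_success(events):
    """Success rate plus the top failure reasons, so failures are a visible backlog rather than a hidden one."""
    runs = [ev for ev in events if ev["type"] == "provision"]
    failures = Counter(ev["error"] for ev in runs if not ev["ok"])
    return {"rate": round(sum(ev["ok"] for ev in runs) / len(runs), 3) if runs else 0.0,
            "top_failures": failures.most_common(3)}


def kpi_report(text=SAMPLE_EVENTS):
    events = parse_events(text)
    return {"time_to_grant_hours": time_to_grant(events),
            "leavers": leaver_deprovisioning(events),
            "orphaned_accounts": trend(events, "orphan_scan"),
            "audit_findings": trend(events, "audit_findings"),
            "certifications": certification_outcomes(events),
            "provisioning": provisioning_success(events)}


if __name__ == "__main__":
    print(json.dumps(kpi_report(), indent=2))
```

The report uses medians for time-to-grant so one slow request does not hide a healthy process, lists each leaver that missed the target by name rather than averaging them away, and reports the top provisioning failure reasons next to the success rate, because “92% success” is not actionable while “connector timeout, twice” is.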
Who should learn IdentityNow (career angle)
If you’re targeting IAM/IGA roles, IdentityNow skills show up in:
- IAM Engineer / Analyst roles
- Identity Governance Analyst roles
- GRC roles that need access review evidence
- Security operations teams handling access risk
- IT admins moving into identity security
The fastest way to stand out is to learn workflows end-to-end: lifecycle events, access requests, certifications, provisioning outcomes, and reporting. That’s why SailPoint Identity Now Training from Ascents Learning should be hands-on and project-style—not just theory.
FAQ
Is IdentityNow the same as SSO?
No. SSO helps you log in. IdentityNow helps you govern and manage access over time—who gets what, approvals, reviews, removals, and evidence.
What should we implement first in IdentityNow?
Start with identity data and a limited set of critical applications. Visibility and clean identity attributes come before complex roles and large-scale certifications.
Why do access reviews fail in many companies?
Because they’re too broad, lack context, and reviewers are overloaded. Start with high-risk access and provide meaningful context for decisions.
Can IdentityNow work if some apps can’t be provisioned automatically?
Yes. You can still manage approvals, tasks, reviews, and audit trails. But set expectations clearly about what will be automated vs manual.
What’s the biggest factor in a smooth rollout?
Data quality and integration design. Most issues are not “tool issues”—they’re identity source issues.
Closing thought
IGA is not about building a control tower that slows everyone down. Done well, it speeds up access, reduces risk, and makes audits boring—in the best way.
If you’re planning to implement IdentityNow or build a career in IGA, learn the workflows, not just the screens. SailPoint Identity Now Training at Ascents Learning is most valuable when it mirrors real projects: integrations, approvals, certifications, provisioning failures, and reporting that leadership actually cares about.