What is the Difference Between IAM and IGA? - Atricore

IAM and IGA operate at different layers of identity architecture. Learn the key differences between Identity and Access Management and Identity Governance and Administration.

Sebastian Gonzalez Oyuela April 4, 2026 2 min read
What is the difference between Identity and Access Management and Identity Governance and Administration?

IAM and IGA are often grouped together, but they operate at different layers of identity architecture.

Identity and Access Management (IAM) handles execution. It authenticates users, establishes sessions, and enforces access at runtime. It is what allows a user to log in and move across systems. JOSSO is a good example, providing single sign-on and consistent access across applications.

Identity Governance and Administration (IGA) handles control. It defines and maintains access over time. It governs identity lifecycle, ownership, and policy enforcement. midPoint from Evolveum fits here, managing identities, roles, and entitlements across systems.

At a high level, IAM enforces access. IGA defines and validates it.

IAM Characteristics

  • Authentication and session control
  • Single sign-on and federation
  • Runtime access enforcement
  • Application-level integration
  • Focus on availability and user experience

IGA Characteristics

  • Identity lifecycle management
  • Access modeling and role definition
  • Approval workflows and policy enforcement
  • Periodic access reviews and certification
  • Visibility into entitlements and ownership

The Identity Landscape

In practice, these layers show up clearly across the identity landscape.

On the IAM side, platforms like Okta, Microsoft Entra ID, and Keycloak focus on authentication, federation, and access at runtime. They are built to integrate applications and make access seamless.

On the IGA side, solutions like SailPoint, Saviynt, and midPoint focus on lifecycle, governance, and control. They answer questions around who should have access, how it is approved, and whether it is still valid. Read our technical comparison of these tools here.

The two categories solve different problems. Mature identity architectures rely on both, with a clear separation between access enforcement and access governance.