
May 7, 2026

What Is Identity Governance? Why Access Reviews, Certification, and Attestation Are the Real Test of Enterprise Identity Management

Identity governance isn’t lifecycle automation. It’s the ongoing discipline of proving access is appropriate. Learn what real governance looks like across digital and physical environments.

Definition

What Is Identity Governance?

Identity governance is the ongoing discipline of proving that every identity has the access it should have — and only the access it should have — at any given moment in time.

Most organizations confuse identity governance with identity automation: the joiner-mover-leaver workflows that provision and revoke access in response to HR events. Automation is necessary, but it isn’t governance.

Automation answers: “Did the access change correctly?” It demonstrates that every Workday termination triggered a deprovisioning workflow — that the right technical action occurred at the right lifecycle event.

Governance answers: “Is the access right?” It demonstrates that every active access right, across thousands of identities and dozens of systems, has been reviewed, validated, justified, and approved by the right person within the required time window.

That second capability is what separates an enterprise identity management program from a collection of identity tools.

The Framework

The Three Disciplines of Identity Governance

Real identity governance is built on three operational disciplines that must function continuously — not just at lifecycle events.

Discipline 01
Access Certification

Certification — also called access review or attestation — is the periodic validation that existing access rights are still aligned with current role, business need, and policy. A manager reviews their team’s access. An application owner validates who should still have entitlements. A compliance officer confirms that high-risk access is justified.

Certification is mandatory under SOX, HIPAA, GDPR, NIS2, DORA, and SOC 2. It is also the most common point of failure: Omada’s State of Identity Governance 2026 research found that more than 40 percent of executives lack visibility into access revocation outcomes — meaning that even when reviews happen, leaders can’t confirm that the right access was actually removed.

Discipline 02
Separation of Duties (SoD)

Separation of duties policies prevent any single identity from holding combinations of access that create fraud, conflict-of-interest, or operational risk. The classic example is the employee who can both approve and execute financial transactions. The same principle applies in physical environments: the contractor who can both authorize their own facility access and enter restricted areas without oversight.

Identity governance and administration solutions detect SoD violations at the moment of request and during certification — catching conflicts before they become audit findings or actual incidents.

Discipline 03
Audit and Attestation

Every access change, approval, denial, exception, and policy decision needs to be captured in an immutable audit trail. When auditors ask, “why does this person have this access?”, the answer must be available immediately — not reconstructed from emails, ticketing systems, and badge logs after the fact.

This is where most enterprise IAM programs struggle. Identity governance tools produce strong audit evidence for digital systems. But when the question becomes “why does this person have access to the data center, the pharmacy, or the executive floor?” — evidence often lives in a separate badge system that was never connected to the governance platform.

40% of executives lack visibility into access revocation outcomes — even when reviews happen, they can’t confirm the right access was actually removed. (Omada, State of Identity Governance 2026)

The Problem

Why Most Enterprises Have a Governance Gap on the Physical Side

The three disciplines above — certification, SoD, attestation — are mature practices in the digital domain. Platforms like SailPoint, Saviynt, Omada, Okta and Microsoft Entra have spent two decades refining them.

The same disciplines barely exist on the physical side.

When was the last time your organization ran a formal access review on who has badge access to the data center?

When did it last verify that no contractor holds physical access incompatible with their engagement scope?

When did it last produce audit evidence showing that every facility access right held by a current employee has been certified within the last 90 days?

For most enterprises, the honest answer is: never. Physical access is reviewed when something goes wrong — not on a continuous cadence.

Badge revocations are reactive, not policy-driven

Revocations happen in response to manual triggers — someone raises a ticket, a manager notices, an incident occurs. Not because a scheduled certification campaign detected stale access.

Audit evidence is reconstructed, not generated in real time

When regulators ask for physical access history, teams assemble it from badge logs, emails, and spreadsheets — after the fact, not from a continuous governance record.

PACS platforms enforce decisions — they don’t govern them

PACS systems enforce access at the door. They were never built to run certification campaigns, detect SoD violations, or produce attestation evidence. That work requires a layer above them.

That governance layer doesn’t exist for most organizations

The tools governing digital access were never designed to extend to physical environments. The physical side has been ungoverned — not because organizations don’t care, but because the right platform didn’t exist.

The Solution

How PIAM Brings Governance Discipline to Physical Access

Physical Identity and Access Management (PIAM) platforms are what extend the three disciplines of identity governance into the physical environment. A PIAM platform doesn’t replace the IGA tools governing digital access — it complements them, applying the same operational discipline to facilities, secure zones, and operational technology environments.

What that looks like in practice:

Access certification for physical access:

Periodic, policy-driven reviews where managers and area owners certify which of their reports should retain badge access to specific facilities — with results captured and revocations executed automatically.

SoD enforcement across digital and physical:

Policy rules that prevent toxic combinations spanning both domains. A finance employee with payment system access cannot also hold unsupervised access to the records vault. A clinical researcher with patient data access cannot also have unrestricted access to the pharmacy.

Continuous attestation evidence:

A unified audit trail covering every physical access right, every certification decision, every policy exception, and every revocation — available in real time, ready for any audit.

For organizations already running mature IGA programs, PIAM is the layer that closes the governance gap traditional identity governance solutions weren’t built to address.
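To make the three capabilities concrete, here is an added example (not Alert Enterprise, Guardian, or any IGA vendor's code) of the core checks a governance layer runs: cross-domain SoD evaluation at request time and during certification, plus detection of physical access that has not been certified within the 90-day window the post mentions. All identities, zones, policy IDs and certification dates are constructed for illustration.

```python
"""Governance checks over constructed identity data: cross-domain SoD and stale certification."""
from datetime import date

# Constructed sample: each identity holds digital entitlements and physical zones (badge access).
IDENTITIES = {
    "alice": {"digital": {"payment_system"}, "physical": {"records_vault"}},
    "bob":   {"digital": {"patient_data"},   "physical": {"lobby"}},
    "carol": {"digital": set(),              "physical": {"data_center"}},
}

# Toxic combinations spanning both domains; policy IDs are hypothetical.
# Each rule pairs a digital entitlement with a physical zone it must not be combined with.
SOD_POLICIES = [
    ("SOD-FIN-01",  "payment_system", "records_vault"),
    ("SOD-CLIN-01", "patient_data",   "pharmacy"),
]

# Last certification decision per (identity, zone); a missing entry means never certified.
CERTIFICATIONS = {
    ("alice", "records_vault"): date(2026, 4, 20),
    ("carol", "data_center"):   date(2025, 12, 1),
}

CERT_WINDOW_DAYS = 90  # certification cadence the post refers to


def sod_violations(identities=IDENTITIES, policies=SOD_POLICIES):
    """Certification-time sweep: every identity that holds both sides of a SoD rule."""
    hits = []
    for who, access in identities.items():
        for policy_id, digital, physical in policies:
            if digital in access["digital"] and physical in access["physical"]:
                hits.append((who, policy_id))
    return hits


def would_violate(identity, requested_zone, identities=IDENTITIES, policies=SOD_POLICIES):
    """Request-time check: policy IDs that granting this zone would breach, given current digital access."""
    digital = identities[identity]["digital"]
    return [pid for pid, d, zone in policies if zone == requested_zone and d in digital]


def stale_physical_access(as_of, identities=IDENTITIES, certs=CERTIFICATIONS, window=CERT_WINDOW_DAYS):
    """Attestation gap: physical rights never certified, or certified longer than `window` days ago."""
    stale = []
    for who, access in identities.items():
        for zone in sorted(access["physical"]):
            last = certs.get((who, zone))
            if last is None or (as_of - last).days > window:
                stale.append((who, zone))
    return stale
```

Each finding carries the identity and the policy or zone involved, which is the minimum an audit trail needs to answer “why does this person have this access?” without reconstructing it from badge logs.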

✓ Digital access — well governed
⚠ Physical access — governance gap

How Alert Enterprise Guardian Delivers Physical Identity Governance

Alert Enterprise Guardian is the PIAM platform purpose-built to apply identity governance discipline to physical access. Beyond standard lifecycle automation, Guardian delivers the certification, SoD, and attestation capabilities that turn physical access from an ungoverned domain into one that meets the same standard as digital identity governance.

The result is a single governance discipline operating consistently across both domains — not two separate programs producing two separate sets of evidence.

Conclusion

Governance Is What Happens After the System Is Connected

Most identity programs measure themselves by what gets automated. The mature ones measure themselves by what gets proven. That discipline is what regulators, auditors, and boards increasingly demand.

For digital access, that discipline is well established. For physical access, it’s still emerging. PIAM platforms like Alert Enterprise Guardian are how organizations close that gap — turning physical access from a domain that’s automated but ungoverned into one that meets the same governance standard as the rest of the enterprise.
