Why your IGA certifications fail by the second cycle
Certification fatigue is not a reviewer problem — it is an architecture problem. The fix is risk-tiering at the campaign level, not buying a different IGA platform.

Most IGA programs ship the first certification cycle and then quietly stop running them. The platform did not break; the reviewers broke. Eight hundred entitlements per campaign is the wrong number for a human to evaluate, and once the rubber-stamp habit forms, the program is past saving without architectural change.
This piece describes the failure mode we see most often, and the architectural fix that survives multiple audit cycles.
The failure mode
Cycle one is the honeymoon. The platform is new, the security team is engaged, and reviewer participation is around 95%. By cycle three, participation has dropped under 70%. By cycle five, the pattern is unmistakable: reviewers approve everything in batches, the metric the dashboard tracks (completion rate) stays high, but the campaign has lost its meaning.
The typical response is to invest more in the IGA platform. New reminder emails, cleaner reviewer kits, better dashboards. None of it changes the underlying fact: the reviewer is being asked to evaluate too many entitlements without enough context.
The architectural fix
The fix is to stop running one campaign for everything. Replace the monolithic quarterly review with risk-tiered campaigns that operate on different cadences and reach different reviewers.
A working tier set looks like this:
- Tier 1 — Privileged and SOX-relevant (monthly): 5-10% of access, scoped narrowly, named reviewers, no batch operations allowed. The campaign that auditors care about.
- Tier 2 — Sensitive functional roles (quarterly): 15-20% of access, role-based reviewers, with a written exception path for unusual cases.
- Tier 3 — Standard access (annual): 70-80% of access, manager-led, with a strong default-approve policy and an exception escalation path.
The math changes. A reviewer in tier 1 evaluates 10-30 items per month with full context; a reviewer in tier 3 evaluates a few hundred items annually, but there the default-approve policy carries the weight, not the reviewer. Both are sustainable.
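One way to model the entitlement-to-tier mapping and check it against the share bands and the tier 1 reviewer load above, as an added example that is not from the original article or any IGA platform's API. The attribute names (`privileged`, `sox_relevant`, `sensitive_role`, `reviewer`) and the inventory are assumptions constructed for illustration.

```python
from collections import Counter

# Share-of-access bands and cadences taken from the tier set above.
TIERS = {
    1: {"cadence": "monthly",   "share": (0.05, 0.10)},
    2: {"cadence": "quarterly", "share": (0.15, 0.20)},
    3: {"cadence": "annual",    "share": (0.70, 0.80)},
}
TIER1_MAX_ITEMS = 30  # upper end of the 10-30 items per reviewer per month

def assign_tier(ent):
    """Map one entitlement to a tier. The attribute names are assumptions."""
    if ent["privileged"] or ent["sox_relevant"]:
        return 1
    if ent["sensitive_role"]:
        return 2
    return 3

def plan_campaigns(entitlements):
    """Return (tier per entitlement id, findings against the tier model)."""
    tiers = {e["id"]: assign_tier(e) for e in entitlements}
    counts = Counter(tiers.values())
    findings = []
    for tier, spec in TIERS.items():
        share = counts[tier] / len(entitlements)
        lo, hi = spec["share"]
        if not lo <= share <= hi:
            findings.append(f"tier {tier} share {share:.0%} outside {lo:.0%}-{hi:.0%}")
    # Tier 1 is reviewed in full every month, so item count equals monthly load.
    load = Counter(e["reviewer"] for e in entitlements if tiers[e["id"]] == 1)
    for reviewer, n in sorted(load.items()):
        if n > TIER1_MAX_ITEMS:
            findings.append(f"tier 1 reviewer {reviewer} has {n} items, cap {TIER1_MAX_ITEMS}")
    return tiers, findings

def sample_inventory():
    """Constructed inventory of 1000 entitlements, not real data."""
    return [{
        "id": f"ent-{i}",
        "privileged": i < 50,
        "sox_relevant": 40 <= i < 80,
        "sensitive_role": 80 <= i < 250,
        "reviewer": "alice" if i < 45 else f"owner-{i % 4}",
    } for i in range(1000)]

if __name__ == "__main__":
    tiers, findings = plan_campaigns(sample_inventory())
    print(Counter(tiers.values()), findings)
```

On the constructed inventory the tier shares land inside their bands, and the only finding is a single named reviewer holding more tier 1 items than the monthly cap, which is the overload condition the tiering is meant to prevent.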
Why it survives audit
Auditors care about evidence, not effort. A tiered campaign produces stronger evidence than a monolithic one because the high-risk tier is reviewed monthly with full context — exactly the cadence regulators expect. The annual default-approve tier is defensible if the default-approve policy itself is risk-assessed and signed off, which is a much smaller, more tractable artifact.
What we do during the engagement: write the policy, model the entitlement-to-tier mapping in the IGA platform, and run the first three months alongside the client team before handing off. The handoff is the point of the engagement — the platform should run the cadence, not us.
What this is not
This is not a vendor-selection question. SailPoint, Saviynt, and Microsoft Entra ID Governance all support tiered campaigns. The platform is not the limiting factor. The limiting factor is the absence of a risk-tier model and the written exception policy that goes with it. We have seen organizations buy a second IGA platform to "fix" certification fatigue; they do not fix it because the architecture has not changed.
The pattern of behavior to watch for: reviewers approving everything, dashboards showing high completion rates, and audit findings that ask "how does this campaign reduce risk?" That last question is the one tiering answers.
If certifications are eroding in your program, talk to us about a tier-modeling engagement — typically a 3-week diagnostic with a written policy and IGA configuration as deliverables.
“If 80% of access is reviewed by exception, the remaining 20% is the campaign — and reviewer fatigue stops being the dominant failure mode.”