IDENTITY GOVERNANCE & ADMINISTRATION (IGA)

Introduction

The purpose of this document is to detail the return on investment (ROI) associated with implementing an Identity Governance and Administration (IGA) solution. Unlike point access management tools, IGA focuses on governing the entire identity lifecycle (employees, contractors, and service accounts).

The lack of automated governance generates hidden costs, including excessive IT time spent on manual tasks, unused software licenses, delayed employee productivity, and, most importantly, critical security vulnerabilities that can lead to significant fines and reputational damage.

The objective is to provide a standardized methodology to:

  • Identify value-generation sources related to IGA
  • Structure cost and benefit components
  • Demonstrate how gains can be financially quantified
  • Support decision-making and investment approval processes

The proposed model is generic and customizable and can be adapted according to an organization’s size, maturity, and operational context.

Scope of Analysis

This analysis considers the financial and operational impacts resulting from the adoption of IGA, including:

  • Access management automation
  • Identity governance
  • Operational efficiency
  • Risk reduction
  • Regulatory compliance improvement

Identity Governance and Administration Overview

Identity Governance and Administration (IGA) encompasses the processes and technologies responsible for controlling and governing digital identities and their access to corporate systems.

Its primary capabilities include:

  • Automated access provisioning
  • Lifecycle-based deprovisioning
  • Periodic access certifications
  • Segregation of Duties (SoD)
  • Audit trails and continuous governance

IGA business value is primarily generated through operational automation, risk reduction, and increased organizational efficiency.

Strategic Value Pillars

To calculate ROI, we divide the solution’s impact into three areas:

  • Operational Efficiency: Reduction of manual work performed by IT and HR.
  • Risk Reduction: Elimination of excessive access rights and orphan accounts.
  • Compliance: Automated audit evidence for regulations and frameworks such as LGPD, SOX, ISO 27001, and SOC 2.

Cost Calculation Methodology and Cost Breakdown

In this section, we quantify the direct financial impact of current manual operations compared to automation through IGA.

IT Operational Efficiency (Manual Provisioning)

The cost of maintaining analysts to perform repetitive account creation and removal tasks.

CTI_Manual = Total IT cost for performing basic access provisioning and deprovisioning operations.

TJoiner = Average time spent creating all user accounts during onboarding.

TMover = Average time spent removing outdated access and granting new access when an employee changes roles internally.

TLeaver = Average time spent identifying and revoking all user access upon termination.

NMovements = Average annual volume of employee lifecycle events. Example: If a company hires 100 employees, promotes 50, and terminates 80 in a year, the total number of movements is 230.

CHour_IT = Average hourly cost of IT analysts responsible for access management.

Market Benchmark (Without IGA)

According to Gartner IAM Maturity Models and Market Guides, manual processes typically require 30 to 60 minutes per user to configure access across multiple systems.

IGA Benefit:

With IGA, provisioning time is reduced to just a few minutes, requiring only supervision.

Cost of Inactivity (Onboarding / Day One)

One of the largest sources of financial waste. It represents salary costs paid to new employees who cannot be productive due to missing system access.

CInactivity = Total cost of inactivity for newly hired employees.

TWait = Average time, in hours, from the employee’s first day until all required access is available.

CHour_Employee = Average hourly employee cost.

NHires = Annual volume of new hires, including contractors.

Market Benchmark (Without IGA):

Without IGA, employees typically require 2 to 5 days to receive all necessary access. If an employee costs the company BRL 100 per hour, each day of inactivity costs approximately BRL 800.

IGA Benefit:

Employees become productive from the first minute of their first day through automated onboarding processes.

License Management (The Cost of “Ghost Licenses”)

Active software licenses (SaaS) assigned to former employees or users who no longer require the application.

LicenseCosts = Total annual cost of idle licenses that have not been revoked.

NIdleLicenses = Number of paid licenses without active usage for more than 30–60 days or assigned to terminated employees. Market average is approximately 30% of total licenses.

LicenseValue = Average monthly software license cost.

Market Benchmark:

Studies indicate that approximately 30% of SaaS licenses in organizations without IGA are wasted or underutilized (Flexera State of SaaS Management Report).

IGA Benefit:

Automated deprovisioning immediately eliminates unnecessary licensing costs upon employee termination or role changes.

Access Recertification Breakdown

AuditCosts = Total annual cost of access certification processes without IGA.

SpreadsheetHours = Average hours managers spend reviewing access rights once or twice per year.

NManagers = Number of managers involved in access review campaigns.

ManagerHourlyCost = Average hourly cost of managers performing access reviews.

Market Benchmark (Without IGA):

Forrester Research studies indicate that, in spreadsheet-based processes, managers spend between 3 and 5 hours per review cycle simply interpreting technical permissions and validating team access.

In an organization with 50 managers conducting semiannual reviews, this represents approximately 500 leadership hours diverted from strategic responsibilities each year.

IGA Benefit:

According to Forrester Consulting’s The Total Economic Impact™ of Modern IGA Solutions, IGA reduces manager and auditor effort by up to 80%.

The solution automatically consolidates data and enables real-time revocation of inappropriate access.

Cost of Risk (Risk-Adjusted ROI)

Unlike operational ROI, risk ROI focuses on loss prevention. IGA directly reduces both the likelihood of incidents and their financial impact when they occur.

Data Breach Mitigation

IGA addresses the two primary attack vectors:

  • Orphan accounts (former employees)
  • Excessive privileges

Expected Loss Calculation (ALE):

ALE = SLE × ARO

SLE (Single Loss Expectancy) = Financial loss resulting from a single incident.

ARO (Annualized Rate of Occurrence) = Probability of the event occurring within one year.

Market Benchmark (Without IGA):

According to IBM/Ponemon Institute’s Cost of a Data Breach Report, the average cost of a global data breach reaches millions of dollars.

Compromised credentials remain the most common root cause and typically require more than 200 days to identify in manual environments.

IGA Benefit:

According to IBM, organizations with highly automated security and identity governance reduce breach costs by up to USD 1.5 million.

IGA lowers both the likelihood of incidents by eliminating orphan accounts and the impact by limiting what attackers can access.

Regulatory Compliance and Fines (LGPD/ANPD)

Compliance shifts from a chaotic variable cost to a predictable financial safeguard.

Market Benchmark (Without IGA):

Under LGPD, fines can reach up to 2% of annual gross revenue, capped at BRL 50 million.

Additionally, Gartner reports that organizations without IGA spend hundreds of labor hours conducting emergency audit evidence collection (“audit fire drills”), delaying strategic IT initiatives for weeks.

IGA Benefit:

IGA reduces audit preparation time by up to 80% (Forrester).

It transforms compliance into a low, predictable operational cost through automated reporting, ensuring evidence of “who has access to what” is always available and reducing the risk of penalties due to negligence.

Insider Threat Risk

IGA prevents privilege creep by ensuring employees and compromised accounts cannot access data beyond their responsibilities.

Market Benchmark (Without IGA):

Ponemon Institute’s Insider Threat Report indicates that the average cost of insider-related incidents has increased significantly, while the average containment time is approximately 77 days.

Lack of Segregation of Duties (SoD) remains a leading cause of internal financial fraud.

IGA Benefit:

Through the Principle of Least Privilege and automated Segregation of Duties controls, IGA enforces systemic compliance.

Forrester highlights that IGA reduces the probability of internal fraud by automatically preventing conflicts of interest in access assignments (for example, the user who creates a supplier cannot be the same user who approves payment).

Conclusion

Based on market benchmarks from Gartner, Forrester, and IBM, implementing an IGA solution generates significant savings across multiple areas.

Average Savings by Category

  • License Management: 20%–30% reduction in idle or forgotten software license costs.
  • IT Operational Efficiency: 70%–90% reduction in time spent on manual provisioning and deprovisioning tasks.
  • Service Desk: 40%–50% reduction in basic support tickets.
  • Audit Preparation: Up to 80% reduction in evidence collection and auditor response efforts.
  • Data Breach Costs: Organizations with identity automation save an average of USD 1.5 million in containment and remediation costs compared to organizations relying on manual processes.

Final Executive Summary

The adoption of IGA goes beyond cybersecurity; it is a strategic decision for financial optimization and business scalability.

  • Return on Investment (ROI): According to Forrester studies, a mature IGA solution can deliver an ROI of 250%–300% over a three-year period, with an average payback period of six months.
  • Operational Efficiency: The productivity impact is substantial, reducing provisioning effort by 70%–90% and compliance and audit-related manual work by up to 80% (Gartner/Forrester).
  • Direct Cost Recovery (OPEX): Eliminating ghost licenses generates immediate savings of up to 33% in annual SaaS spending, converting waste into available budget (Flexera).
  • Asset and Brand Protection: Automation reduces the cost of a potential data breach by more than USD 1.5 million by addressing the root cause of approximately 80% of security gaps: identity management (IBM).
  • Scalability: IGA enables organizations to support rapid growth in employees and systems without increasing the number of IT staff dedicated to access administration.

Verdict

Investment in IGA pays for itself not only through automation but also through the systematic elimination of license waste and the financial protection it provides against security incidents and regulatory fines.