The IGA Maturity Curve: Shifting from Reviews to Assurance
Manual user access reviews were built for a different era. Today, access changes constantly, risks emerge in real time, and identity has become central to how organizations operate securely at scale.
In our recent webinar, “The IGA Maturity Curve: From Manual Reviews to Continuous Assurance,” we sat down with Ryan Schoeller, Director of GRC at Treasure Data, to discuss why traditional IGA models are breaking down and how modern teams are evolving.
Why manual UARs no longer scale
Ryan explained that traditional user access reviews are inherently backward-looking. Quarterly or annual snapshots cannot keep up with daily joiner, mover, and leaver events, privilege creep, and shadow applications.
As organizations grow more SaaS-heavy and dynamic, relying on periodic reviews leaves teams structurally behind both attackers and internal risk.
The shift underway is toward event-driven, continuous identity assurance, where access decisions are evaluated as they happen, not months later.
How automation and visibility change the game
A core theme of the conversation was how better data and automation enable this shift.
Ryan shared that one of the biggest changes after implementing ConductorOne was simply gaining access to identity data that had never been practical to collect or analyze before:
“ConductorOne helps us get access to data that we never used to have in the past.”
That visibility, combined with automation, allowed Treasure Data to reduce manual effort, expand the scope of what they could govern, and start moving away from checkbox compliance toward real risk reduction.
Integrations played a major role in making that possible: “ConductorOne has just an extensive library of connectors for SaaS applications,” said Ryan.
By bringing identity data together across hundreds of applications, the team was able to eliminate time-consuming manual report collection and focus instead on oversight and decision-making.
What modern IGA looks like
Rather than broad, static access and retroactive reviews, Ryan described a model built around:
- Thinner, more intentional birthright access
- Just-in-time access as a real-time control
- Automation handling routine work
- Humans focused on governance, exceptions, and risk tradeoffs
AI accelerates this shift by taking over low-value tasks and forcing GRC teams “up the stack,” toward work that requires context and judgment.
Looking ahead
As non-human identities and AI agents become more common, Ryan emphasized that visibility, ownership, and purpose are the next big challenges for GRC teams. Understanding who owns an identity, what it can access, and why it exists is foundational to governing identity in the AI era.
The takeaway from the session was clear: identity governance is no longer about proving a review happened. It is about continuously proving that risk is being reduced.
If you’re ready to move beyond manual UARs and toward continuous identity assurance, ConductorOne is built to help.
Watch the recap of the webinar:
