Site icon Spherical Cow Consulting

Governance Means Something. Just Not Always the Same Thing.

An AI robot hand reaching toward a human hand symbolizes the importance of collaboration in achieving compliance and governance in today digital and regulatory environments. Synapse

“I was chatting with a friend last weekend about the concept of governance in tech. She and I both live in the world of digital identity and standards, and in the aspects of AI that impact those areas.”

What we observed, after entirely reasonable amounts of food and wine, is that when people in our field talk about governance, context matters. A lot.

“Governance” in Identity Governance and Administration, or IGA, is not the same thing as “governance” in AI governance. They are related, they overlap, and they both involve risk, control, accountability, process, and evidence. But they are not interchangeable.

Naturally, we use the same word for both. Technology has never met a useful term it could not overload.

This is not just a terminology complaint, though I reserve the right to complain about terminology whenever the industry earns it. The difference matters because organizations are increasingly using AI to help with IGA. AI systems recommend access changes, flag risky entitlements, identify outliers, suggest role models, automate review workflows, and, in some cases, operate as conversational agents that can trigger identity-related actions.

At that point, we are not merely governing access. We are governing the system that helps decide access.

A Digital Identity Digest
Governance Means Something. Just Not Always the Same Thing.

You can Subscribe and Listen to the Podcast on Apple Podcasts, or wherever you listen to Podcasts.

And be sure to leave me a Rating and Review!

Governance in IGA: who gets access to what, and can you prove it?

In enterprise identity, “governance” is often shaped by IGA. That is not the only kind of governance in digital identity. Federation governance, wallet ecosystem governance, trust framework governance, assurance governance, metadata governance, and standards governance all exist, and they are their own delightful boxes of snakes.

But in enterprise IAM, IGA has done a lot to define what “governance” sounds like in practice.

IGA is concerned with questions like:

This is governance as operational control. It is tied to identity lifecycle management, provisioning, deprovisioning, joiner-mover-leaver workflows, role management, entitlement reviews, segregation of duties, policy enforcement, audit trails, and compliance evidence.

Nor is governance abstract. It is not (usually) philosophical. Governance is not asking whether a system is aligned with human flourishing. It is asking whether someone in Finance still has access to a production database they last touched during the Obama administration.

That is a valid and necessary form of governance. It prevents real risk, creates evidence, and gives security, compliance, and business teams a way to make access decisions less ad hoc and more reviewable.

But it is also bounded. IGA governance tends to focus on the access decision and the processes around that decision. It is largely about constraining and evidencing access: the identities, accounts, roles, entitlements, approvals, exceptions, and reviews that make up enterprise access control. That boundedness is part of why IGA is useful. It turns “governance” into workflows, rules, dashboards, certifications, and reports, and gives the organization something to operate.

It also means that people steeped in IGA may hear “governance” and think first of control execution: policy, approval, review, audit, remediation. That is not wrong. It is just not the whole semantic universe.

Governance in AI: what exactly is this system doing, and who is accountable?

AI governance comes from a different problem space. It is not primarily about whether Alice should have access to Application X; it is about how an AI system is designed, trained, evaluated, deployed, monitored, constrained, corrected, and retired. It asks whether the system behaves in ways that are legal, ethical, reliable, explainable, secure, and aligned with the organization’s obligations and values.

That is a wider frame. It includes data provenance, model behavior, testing, risk management, human oversight, transparency, accountability, documentation, bias, privacy, safety, security, and stakeholder impact.

In other words, AI governance is not only about the decision. It is about the sociotechnical system that produces or shapes the decision. This is where the vocabulary starts to creak.

In IGA, “governance” often lands as an implementation discipline. In AI, “governance” often appears as an organizational aspiration, a policy framework, or regulatory anxiety cloaked in PowerPoint. The field is still working out how to turn principles into repeatable controls. Everyone agrees that AI should be fair, accountable, transparent, safe, privacy-preserving, explainable, and human-centered. Excellent. I look forward to the Jira ticket for “make system human-centered.”

The serious point is that AI governance is broader but not necessarily more operationally mature. IGA has a narrow object but relatively concrete machinery. AI governance has a broad objective but often a weaker operational translation.

That difference can make conversations awkward. One person says “governance” and means an access certification workflow. Another says “governance” and means a lifecycle model for ensuring AI systems meet legal, ethical, and organizational requirements. Both are using the word correctly. They are not talking about the same thing.

Then AI walks into IGA and the fun begins

The overlap is where this gets interesting. AI is increasingly being used inside identity systems and IGA products. Sometimes this is relatively contained: anomaly detection, peer group analysis, role mining, entitlement recommendations, prioritization of access reviews, or suggested remediation steps. Sometimes it is more ambitious: an AI assistant that helps users request access, helps managers approve or deny access, helps admins interpret policy, or helps service desks resolve identity tickets.

On paper, this is appealing. IGA can be painful. Access reviews are often tedious, bloated, and performative. Managers approve things they do not understand. Entitlement names look like they were assembled by a raccoon walking across a keyboard. Role models drift. Exceptions multiply. Review fatigue is real.

AI promises to make this better by identifying patterns, summarizing risk, recommending removals, explaining access, and reducing manual effort. That is not inherently bad. In fact, some of it is plainly useful.

But the governance burden changes.

The AI/IGA boundary

If an AI system recommends removing a user’s access, the organization still needs to know whether the decision is correct. That is the familiar IGA question. But now it also needs to know why the AI made the recommendation, what data it used, whether that data was current and appropriate, whether the model performs differently across groups or business units, whether humans over-rely on its suggestions, whether its confidence scores mean anything, and whether the recommendation can be challenged or reversed.

That is the AI governance question.

If an AI agent can take action in an IGA platform, the organization has an even bigger problem. It must decide what authority the agent has, whose authority it is exercising, what tools it can call, what APIs it can touch, what approvals are required, what data it can see, what it must never reveal, how its actions are logged, and what happens when it is wrong.

That is not just AI governance. That is identity governance applied to an AI-enabled actor.

The organization has to govern the access outcome, the AI-mediated process, and the delegated authority of the AI component itself. One governance stack was apparently not enough. We needed layers.

The key distinction: access decisions versus system behavior

A simple way to separate the two meanings is this:

This distinction helps avoid two bad assumptions.

The first bad assumption is that because an AI feature lives inside an IGA product, ordinary IGA controls are sufficient. They may not be. Access logs and approval records do not necessarily explain whether the AI system was appropriately trained, tested, monitored, secured, or constrained.

The second bad assumption is that because AI governance exists as a broader field, identity-specific controls become secondary. Also no. If an AI system can influence who gets access, then identity governance remains central. The organization still needs least privilege, separation of duties, lifecycle controls, approval boundaries, access evidence, and remediation.

The overlap does not replace either discipline. It makes both more necessary.

A few questions worth asking before the vendor demo gets too shiny

When AI enters IGA, organizations should ask more precise questions than “does it have governance?” That question is practically an invitation to receive a confident but useless answer. I have a raft of questions that you might consider asking:

These are not anti-AI questions. They are pro-Not-Being-Surprised-Later questions.

The word is not the problem. The flattening is.

I do not think the problem is that identity people use “governance” incorrectly. In many cases, IGA has made governance unusually concrete. There is something refreshing about a field where governance can mean, “Here is the policy, here is the workflow, here is the approval, here is the evidence, here is the revocation.”

Nor do I think AI governance is just vague hand-waving. The broader frame is necessary because AI systems do not merely execute deterministic rules. They classify, infer, recommend, generate, summarize, and sometimes act in ways that are probabilistic and context-dependent. They can create new accountability gaps even when they are embedded in familiar enterprise systems.

The problem is flattening both uses into one generic bucket called “governance” and assuming everyone means the same thing. They do not.

In IGA, governance asks whether access is appropriate, controlled, reviewable, and evidenced. In AI, governance asks whether the system shaping the outcome is lawful, reliable, accountable, transparent, secure, and aligned with organizational and societal expectations. When AI is used for IGA, the organization has to ask both sets of questions at once.

That may be inconvenient. It may slow down the slideware. It may reduce the number of times someone can say “AI-powered governance” before lunch. Tragic.

But if we are going to keep reusing the same word across different technical and organizational contexts, we owe ourselves some precision. Governance is not magic dust. It is not a feature label. It is not a synonym for “the product has a dashboard.”

It is a commitment to define what is being controlled, who is accountable, what evidence exists, what risks are being managed, and what happens when the system gets it wrong.

And in the overlap between IGA and AI, that commitment has to cover both the access decision and the machine-shaped path that got us there.

📩 If you’d like to be notified of new posts rather than hoping you catch it on social media, I have an option for you! Subscribe to get a notification when new posts go live. No spam, just announcements of new posts. [Subscribe here]

Transcript

Recently, I was talking with a friend about governance in technology.

Because we both work in digital identity, standards, and the areas of artificial intelligence that intersect with them, the conversation naturally turned toward a familiar problem.

We both kept using the word governance.

Yet we weren’t always talking about the same thing.

That observation led to an important realization.

Governance means very different things depending on the context.

And as AI becomes more deeply embedded in identity systems, understanding those differences is becoming increasingly important.


One Word, Multiple Meanings

Technology has a habit of reusing useful words until they become overloaded.

Governance is one of those words.

Today, the term appears across many disciplines, including:

These areas all involve:

However, they are not interchangeable.

That distinction matters.


Governance in Identity Governance and Administration

Within enterprise identity, governance is often defined through Identity Governance and Administration.

IGA focuses on practical operational questions such as:

This is governance as operational control.

It supports activities like:

The goal is straightforward.

Make access decisions consistent, reviewable, and defensible.


A Practical and Operational Discipline

One reason IGA has been successful is that it turns governance into something organizations can operate.

It provides:

Rather than asking broad philosophical questions, IGA focuses on practical operational concerns.

For example:

Does someone still have access they no longer need?

That narrow focus is one of its strengths.


AI Governance Starts Somewhere Else

AI governance approaches governance from a completely different direction.

Instead of asking whether someone should retain access to an application, AI governance asks questions like:

The focus shifts from individual access decisions to the behavior of an entire socio-technical system.

That is a much broader scope.


Broader Does Not Mean More Mature

AI governance covers a wide range of topics, including:

These are all important.

However, many organizations are still figuring out how to translate these principles into repeatable operational controls.

Compared with IGA, AI governance often has:

That difference explains why conversations can sometimes become confusing.


When Governance Means Different Things

Imagine two people discussing governance.

One is thinking about:

The other is thinking about:

Both are using the word correctly.

Yet they are describing completely different responsibilities.

That vocabulary gap becomes especially important when AI begins operating inside identity systems.


AI Is Already Part of Identity Governance

Artificial intelligence is increasingly being used inside IGA platforms.

Examples include:

Many of these capabilities promise real improvements.

After all, identity governance can be tedious.

Organizations routinely struggle with:

AI has the potential to reduce some of that operational burden.


New Capabilities Create New Questions

However, introducing AI also changes the governance challenge.

Suppose an AI system recommends removing someone’s access.

Traditional IGA still asks:

Now additional questions emerge.

For example:

Those are AI governance questions.


When AI Begins Taking Action

The complexity increases further when AI moves beyond recommendations.

If an AI agent can actually perform actions, organizations must determine:

At this point, organizations are governing:

One governance framework is no longer enough.


Two Different Governance Questions

A useful way to distinguish the two disciplines is this:

IGA governance primarily asks:

AI governance asks:

When AI participates in access decisions, both sets of questions become essential.


Common Assumptions That Cause Problems

Several assumptions can create unnecessary risk.

One is believing that because AI exists inside an IGA platform, traditional identity controls are sufficient.

They are not.

Another is assuming that AI governance replaces identity governance.

It does not.

Organizations still require:

The two disciplines complement each other.

Neither replaces the other.


Better Questions to Ask

Instead of asking whether an AI system has governance, organizations should ask more specific questions.

For example:

These questions produce far more useful conversations.


Governance Is Not a Product Feature

Sometimes governance is presented as though it were simply another feature.

It is not.

Governance is not:

Instead, governance represents a commitment to define:

That commitment extends far beyond technology.


Why Precision Matters

The problem is not that people use the word governance incorrectly.

The problem is assuming everyone means the same thing.

Identity governance and AI governance overlap.

However, they solve different problems.

Recognizing that difference leads to better architecture, better discussions, and better organizational decisions.


Final Thoughts

As AI becomes increasingly integrated into identity systems, organizations will need both governance disciplines working together.

Identity Governance and Administration provides operational control over access.

AI governance provides oversight of the systems influencing those access decisions.

Neither is sufficient on its own.

Together, they create stronger accountability, better transparency, and more trustworthy decision-making.


Conclusion

Governance has never been a single concept.

It represents different responsibilities across different technical domains.

As digital identity and AI continue to converge, organizations will need greater precision—not less—when discussing governance.

Because once AI begins influencing identity decisions, governing access is no longer enough.

Organizations must also govern the systems shaping those decisions.


Exit mobile version