
Mid-Market — Post M2 (IGA)
Focus: Turning governance from a once-a-year scramble into an automated, continuous process—reviews, SoD, and evidence collection made practical.
Previous: Post M1 covered Joiner-Mover-Leaver automation and lifecycle control.
TL;DR
Your lifecycle is automated. People get accounts when they should, lose them when they leave.
Now it’s time to prove it.
This stage is about:
- Automating access reviews and SoD (Segregation of Duties) checks
- Logging every access change and certification
- Generating audit-ready evidence without extra headcount
- Mapping governance to NIST, SOC 2, and ISO 27001 controls
1. Mid-market governance: the sweet spot
You’ve grown too large for manual spreadsheets but too nimble for enterprise IGA projects that take a year to deploy.
The answer: operational governance — workflows and evidence loops that run in the background, tied to real identity events.
You’re aiming for:
- Continuous visibility: know who has access to what, any day of the year
- Explainable governance: anyone can understand the review process
- Proactive compliance: reports ready before auditors ask
2. The three layers of practical IGA
| Layer | Goal | Example |
|---|---|---|
| Visibility | Know who has access | Centralized access register + exports |
| Governance | Review access regularly | Manager attestations, SoD logic |
| Evidence | Prove decisions & actions | Audit logs, certifications, and reports |
You don’t need a new platform for each—just integrations that pull data together and record actions.
3. Automate access reviews (your quarterly loop)
Step 1: Centralize who has access
- Pull exports from your IdP (Okta, Entra, JumpCloud, Workspace)
- Pull user roles from key apps (e.g., Salesforce, Slack, GitHub, ERP)
- Combine in a master Access Register (stored in SharePoint, Google Drive, or Power BI Dataset)
Step 2: Launch quarterly review
Use whatever workflow tool you already have:
- Power Automate: Send CSV or adaptive card to each manager → “Confirm or Remove”
- n8n / Linx: API-driven review task → auto-disable accounts on “Remove”
- Adaxes: Approvals and group removals for AD/Entra
- Linx IGA: Prebuilt campaigns with dashboards and audit evidence
Step 3: Close the loop
- Store the final sheet or campaign results in /Governance/Reviews/Q#_YYYY/
- Generate an evidence summary report (PDF or CSV)
- Auto-email to Security or Compliance teams for archive
Goal: Reviews finish in two weeks, not two months.
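The three steps above form one loop: merge exports into a register, hand each manager a "Confirm or Remove" list, and turn the answers into removals. The Python below is an added example of that loop, not code from the original post or from any of the tools it names. The IdP and app exports, the manager decisions and the fallback owner address are all constructed sample data; the two edge cases it handles deliberately are accounts that no reviewer answers for (they stay pending rather than being treated as approved) and accounts that exist in an app but not in the IdP (they are routed to a fallback owner rather than dropped from the review).

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (not real data). In practice the first comes from
# your IdP (Okta, Entra, JumpCloud) and the others from each app's admin export.
IDP_EXPORT = """email,manager,status
alice@example.com,carol@example.com,ACTIVE
bob@example.com,carol@example.com,ACTIVE
dave@example.com,erin@example.com,DEPROVISIONED
"""

APP_EXPORTS = {
    "GitHub": """email,role
alice@example.com,Admin
bob@example.com,Member
dave@example.com,Admin
svc-build@example.com,Admin
""",
    "Salesforce": """email,role
alice@example.com,System Administrator
bob@example.com,Standard User
""",
}

# Assumption: accounts with no IdP identity (service accounts, orphans) are
# routed to the security team instead of disappearing from the review.
FALLBACK_OWNER = "security@example.com"


def load_idp(text):
    """Map email -> (manager, status) from the IdP export."""
    return {r["email"]: (r["manager"], r["status"])
            for r in csv.DictReader(io.StringIO(text))}


def build_register(idp_text, app_exports):
    """Combine IdP identities and per-app roles into one access register.

    Each row carries its reviewer (the manager recorded in the IdP) and the
    IdP status, so leavers and unknown accounts show up in the same sheet.
    """
    idp = load_idp(idp_text)
    register = []
    for app, text in app_exports.items():
        for r in csv.DictReader(io.StringIO(text)):
            manager, status = idp.get(r["email"], (FALLBACK_OWNER, "NOT_IN_IDP"))
            register.append({"email": r["email"], "app": app, "role": r["role"],
                             "reviewer": manager, "idp_status": status})
    return register


def review_tasks(register):
    """Group register rows by reviewer: one 'Confirm or Remove' list per manager."""
    tasks = defaultdict(list)
    for row in register:
        tasks[row["reviewer"]].append(row)
    return dict(tasks)


def close_campaign(register, decisions):
    """Apply manager decisions; decisions maps (email, app, role) -> 'Confirm' | 'Remove'.

    Rows with no decision land in 'pending' (silence is never approval),
    deprovisioned identities land in 'leaver' whatever the manager said,
    and accounts unknown to the IdP land in 'orphaned' for owner assignment.
    """
    out = {"confirmed": [], "remove": [], "pending": [], "leaver": [], "orphaned": []}
    for row in register:
        key = (row["email"], row["app"], row["role"])
        if row["idp_status"] == "NOT_IN_IDP":
            out["orphaned"].append(key)
        elif row["idp_status"] != "ACTIVE":
            out["leaver"].append(key)
        else:
            d = decisions.get(key)
            bucket = "confirmed" if d == "Confirm" else "remove" if d == "Remove" else "pending"
            out[bucket].append(key)
    return out


def to_disable(result):
    """Everything the app should lose: leavers plus explicit manager 'Remove' calls."""
    return result["leaver"] + result["remove"]


def completion_rate(result):
    """KPI input: share of rows that needed a manager decision and got one."""
    decided = len(result["confirmed"]) + len(result["remove"])
    total = decided + len(result["pending"])
    return decided / total if total else 1.0


# Constructed manager responses for this quarter's campaign.
DECISIONS = {
    ("alice@example.com", "GitHub", "Admin"): "Confirm",
    ("bob@example.com", "GitHub", "Member"): "Confirm",
    ("alice@example.com", "Salesforce", "System Administrator"): "Remove",
}

if __name__ == "__main__":
    result = close_campaign(build_register(IDP_EXPORT, APP_EXPORTS), DECISIONS)
    print("disable:", to_disable(result))
    print("pending:", result["pending"], "orphaned:", result["orphaned"])
    print(f"completion: {completion_rate(result):.0%}")
```

The `leaver` bucket is the check that catches the gap between lifecycle and governance: an identity the IdP already deprovisioned but that still holds an app role is removed without waiting for a manager. The `completion_rate` figure is the number you report against the 95%-in-14-days KPI.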
4. Implement lightweight SoD (Segregation of Duties)
Full SoD engines are overkill. Instead, start small:
| Function | Incompatible Roles | Enforcer |
|---|---|---|
| Finance | “Invoice Approver” + “Vendor Creator” | Excel formula or Linx SoD policy |
| DevOps | “GitHub Admin” + “Prod Deploy” | Adaxes/Okta groups check |
| HR | “HR Manager” + “Payroll Admin” | Power Automate query |
Automate a weekly report that flags dual memberships in conflicting groups.
One sheet, one query, big impact.
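The "one query" version of the SoD check, as an added Python example that is not part of the original post and not a Linx, Adaxes or Power Automate artifact. The policy table mirrors the three rows above; the membership export, last week's report and the dates are constructed. Beyond flagging dual memberships, it carries a `first_seen` date forward from the previous week's report so the one-week remediation KPI can be measured, and it lists conflicts that disappeared since last week as remediated.

```python
import csv
import io
from datetime import date

# Constructed SoD policy: each rule names two roles nobody may hold together.
SOD_POLICY = [
    {"function": "Finance", "a": "Invoice Approver", "b": "Vendor Creator"},
    {"function": "DevOps", "a": "GitHub Admin", "b": "Prod Deploy"},
    {"function": "HR", "a": "HR Manager", "b": "Payroll Admin"},
]

# Constructed group-membership export (the shape an IdP or AD group dump gives you).
MEMBERSHIP_CSV = """email,group
alice@example.com,Invoice Approver
alice@example.com,Vendor Creator
bob@example.com,GitHub Admin
bob@example.com,Prod Deploy
carol@example.com,HR Manager
dave@example.com,GitHub Admin
"""


def load_memberships(text):
    """email -> set of group names."""
    members = {}
    for r in csv.DictReader(io.StringIO(text)):
        members.setdefault(r["email"], set()).add(r["group"])
    return members


def find_conflicts(members, policy):
    """One record per (user, rule) where the user holds both incompatible roles."""
    hits = []
    for email in sorted(members):
        groups = members[email]
        for rule in policy:
            if rule["a"] in groups and rule["b"] in groups:
                hits.append({"email": email, "function": rule["function"],
                             "roles": f'{rule["a"]} + {rule["b"]}'})
    return hits


def age_conflicts(current, previous, today_iso, sla_days=7):
    """Carry first_seen forward from last week's report and flag SLA breaches."""
    today = date.fromisoformat(today_iso)
    first_seen = {(p["email"], p["function"], p["roles"]): p["first_seen"] for p in previous}
    aged = []
    for c in current:
        key = (c["email"], c["function"], c["roles"])
        seen = first_seen.get(key, today_iso)
        age = (today - date.fromisoformat(seen)).days
        aged.append({**c, "first_seen": seen, "age_days": age, "sla_breached": age > sla_days})
    return aged


def remediated(previous, current):
    """Conflicts present last week but gone now: the numerator for the remediation KPI."""
    now = {(c["email"], c["function"], c["roles"]) for c in current}
    return [p for p in previous if (p["email"], p["function"], p["roles"]) not in now]


def to_csv(rows):
    """Render the weekly report as CSV text for e-mail or the evidence folder."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed: last week's report, with one conflict that has since been fixed.
LAST_WEEK = [
    {"email": "bob@example.com", "function": "DevOps",
     "roles": "GitHub Admin + Prod Deploy", "first_seen": "2025-01-01"},
    {"email": "carol@example.com", "function": "HR",
     "roles": "HR Manager + Payroll Admin", "first_seen": "2025-01-03"},
]

if __name__ == "__main__":
    hits = find_conflicts(load_memberships(MEMBERSHIP_CSV), SOD_POLICY)
    report = age_conflicts(hits, LAST_WEEK, "2025-01-10")
    print(to_csv(report))
    print("remediated since last week:", [r["email"] for r in remediated(LAST_WEEK, report)])
```

Run weekly, the CSV it emits is both the SoD report row of the evidence table in the next section and the input for next week's `previous` argument, so conflict age accumulates without any extra state store.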
5. Continuous evidence collection
Your auditors (and your future self) will thank you.
What to collect:
| Evidence Type | Example |
|---|---|
| Access Review Results | CSV or campaign export |
| SoD Report | Weekly conflict list |
| Offboarding Log | Adaxes or Power Automate logs |
| MFA Report | IdP export |
| Privileged Role Logs | Entra PIM activity, Okta admin actions |
Where to store:
/Governance/Evidence/YYYY/Quarter_X/
→ Structured, versioned, searchable.
Optional: Automate archival
- n8n or Power Automate: zip files quarterly and upload to SharePoint or S3
- Linx IGA: automatically packages campaigns and evidence as PDF + CSV bundles
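The quarterly zip step, as an added Python example (not from the original post, and not how Linx IGA, n8n or Power Automate package anything). It goes one step past "zip files quarterly": the bundle carries a manifest with a SHA-256 per file, so a later `verify_package` can show auditors that what is in the archive is what was collected. The folder layout follows the /Governance/Evidence/YYYY/Quarter_X/ convention above; the sample files and the bundle name are constructed, and `demo()` builds everything in a temporary directory so it runs anywhere.

```python
import hashlib
import json
import os
import tempfile
import zipfile
from datetime import date


def sha256_file(path):
    """Stream a file through SHA-256 so large exports do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def evidence_dir(root, day):
    """<root>/Governance/Evidence/YYYY/Quarter_X/ for the quarter containing `day`."""
    quarter = (day.month - 1) // 3 + 1
    return os.path.join(root, "Governance", "Evidence", str(day.year), f"Quarter_{quarter}")


def package_quarter(src_dir, dest_zip, produced_on):
    """Zip every file under src_dir and add manifest.json with one SHA-256 per file."""
    manifest = {"produced_on": produced_on.isoformat(), "files": {}}
    with zipfile.ZipFile(dest_zip, "w", zipfile.ZIP_DEFLATED) as z:
        for dirpath, _, names in os.walk(src_dir):
            for name in sorted(names):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
                manifest["files"][rel] = sha256_file(full)
                z.write(full, rel)
        z.writestr("manifest.json", json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_package(zip_path):
    """Re-hash every member against manifest.json; returns (ok, list of problems)."""
    problems = []
    with zipfile.ZipFile(zip_path) as z:
        manifest = json.loads(z.read("manifest.json"))
        members = set(z.namelist()) - {"manifest.json"}
        for rel, digest in manifest["files"].items():
            if rel not in members:
                problems.append(f"missing: {rel}")
            elif hashlib.sha256(z.read(rel)).hexdigest() != digest:
                problems.append(f"hash mismatch: {rel}")
        for extra in sorted(members - set(manifest["files"])):
            problems.append(f"unlisted: {extra}")
    return (not problems, problems)


def demo():
    """Build a constructed quarter folder, package it, verify, then verify an edited copy."""
    with tempfile.TemporaryDirectory() as root:
        day = date(2025, 5, 15)
        qdir = evidence_dir(root, day)
        os.makedirs(qdir)
        samples = {  # constructed evidence files, same names as the table above
            "access_review_results.csv": "email,app,role,decision\nalice@example.com,GitHub,Admin,Confirm\n",
            "sod_report.csv": "email,function,roles\n",
        }
        for name, body in samples.items():
            with open(os.path.join(qdir, name), "w") as f:
                f.write(body)
        bundle = os.path.join(root, "Q2_2025_evidence.zip")
        manifest = package_quarter(qdir, bundle, day)
        ok_before, _ = verify_package(bundle)
        # Simulate a row being added to one report after the bundle was produced.
        edited = os.path.join(root, "edited.zip")
        with zipfile.ZipFile(bundle) as src, zipfile.ZipFile(edited, "w") as dst:
            for item in src.namelist():
                data = src.read(item)
                if item == "sod_report.csv":
                    data += b"late-added-row@example.com,Finance,Invoice Approver + Vendor Creator\n"
                dst.writestr(item, data)
        ok_after, problems = verify_package(edited)
        return {"quarter_dir": os.path.relpath(qdir, root).replace(os.sep, "/"),
                "files": sorted(manifest["files"]), "ok_before": ok_before,
                "ok_after": ok_after, "problems": problems}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keeping the manifest inside the bundle is what makes the archive "versioned" in practice: the produced_on date and the per-file digests travel with the files, so a copy pulled from SharePoint or S3 a year later can be checked against the summary report that was e-mailed at the time.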
6. Tools that fit mid-market budgets
| Tool | Role | Why it fits |
|---|---|---|
| Linx IGA | Full-featured governance with dashboards | Cloud-native, faster to deploy than legacy IGA |
| Adaxes | Execute group changes & track approvals | Tight Microsoft integration |
| Power Automate / n8n | Workflow glue | Automates notifications, reviews, and archiving |
| Excel / Power BI / Google Sheets | Evidence visualization | Simple, cheap, effective |
| JumpCloud / Okta / Entra | Source of truth + logs | Integrates with everything above |
My take: Start with Power Automate or n8n for review cycles; add Linx when you need campaign dashboards or SoD automation. Keep Adaxes to enforce what governance decides.
7. Example 90-Day Plan
| Week | Milestone | Deliverable |
|---|---|---|
| 1–2 | Map all sources (HR → IdP → Apps) | Unified Access Register |
| 3–4 | Launch pilot review (Finance & IT) | Manager approval logs |
| 5–6 | Add SoD checks | Excel or Linx rule set |
| 7–8 | Automate notifications | Power Automate / n8n workflow |
| 9–10 | Archive + evidence automation | Logs zipped quarterly |
| 11–12 | Dashboard summary | Power BI / Linx IGA report |
By the end of 90 days, you’ll have governance that runs itself.
8. KPIs for operational IGA
- Access review completion: ≥ 95% within 14 days
- SoD conflicts remediated: ≥ 90% within one week
- Audit evidence available: within 24 hours of request
- Dormant privileged accounts: < 1% of total admins
- Evidence retention: ≥ 12 months, version-controlled
When you can show these metrics in your next SOC 2 audit, you’ll look like an enterprise without acting like one.
9. Compliance mapping
| Framework | Requirement | Coverage |
|---|---|---|
| NIST CSF 2.0 PR.AC-1 | Maintain access authorization | Automated lifecycle + reviews |
| SOC 2 CC6.3 / CC6.6 | Review user access periodically | Quarterly review workflow |
| ISO 27001 A.9.2.5 | Review of access rights | Campaign results & logs |
| SOX / GDPR (where applicable) | Evidence of controls | Audit package exports |
10. Common pitfalls
- Delegating reviews to no one. Always assign clear owners per app.
- Missing the “why.” Each access should have a reason or role.
- Ignoring service accounts. They need owners and rotation logs too.
- Evidence in email. Centralize evidence in structured storage.
- Over-engineering. Governance ≠ new software; it’s rhythm + records.
11. What “good” looks like
✅ Managers complete reviews on time
✅ Conflicts auto-flagged, resolved quickly
✅ Evidence ready for auditors without scramble
✅ Offboardings auto-logged
✅ Everyone knows who owns what
That’s operational IGA. Quiet, predictable, defensible.
Disclaimer
This article is a guideline, not an implementation plan. Adapt it to your environment and regulatory needs. Consult professionals for compliance or risk assessments.
Software mentioned (official links)
- Linx Identity Security Platform — https://www.linx.security/
- Softerra Adaxes — https://www.adaxes.com/
- Microsoft Entra ID — https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id
- Okta Workforce Identity — https://www.okta.com/products/workforce-identity/
- JumpCloud — https://jumpcloud.com/
- Microsoft Power Automate — https://powerautomate.microsoft.com/
- n8n — https://n8n.io/
- Power BI — https://powerbi.microsoft.com/
✅ Accuracy Badge
All governance recommendations validated against NIST CSF 2.0, SOC 2 CC6.x, and ISO 27001 A.9.2 controls (as of Q4-2025).