IGA

IGA-02

Access Requests & Approvals

This control asks one thing: How do users request, approve, and receive access beyond birthright entitlements, and how is that access governed over time?

Low Maturity

What Failure Looks Like

The documented failure mode at level 0 (Absent) on the 0 to 4 maturity scale:

No audit trail. Access decisions cannot be justified after the fact, creating systemic compliance exposure.

High Maturity

What Good Looks Like

The business value the methodology documents at level 4 (Optimized):

Reduces long-term access debt and minimizes review fatigue.

Next Step

A Typical Next Move

For programs sitting around level 0 (Absent), the methodology recommends this as the next rational step:

Introduce a centralized access request channel with explicit approval capture.

What reaching level 2 (Developing) unlocks

Reduced operational friction.

Evidence

Evidence Assessors Ask For

A sample of the artifacts an assessor expects to see around level 2 (Developing):

  • Defined access catalog items
  • Automated routing to managers or application owners
  • Partial automation of provisioning

Compliance

Compliance Frameworks That Cite This Control

The bank's regulatory mapping for IGA-02 resolves to 6 frameworks with a researched compliance threshold. Weakness here shows up in audits, not only in incidents.

Where Does Your Program Land on IGA-02?

This page is the teaser layer. The full rubric behind IGA-02 defines 5 scored maturity levels, 0 to 4, each with its own operating model, evidence expectations, and regulatory citations. That rubric is the scoring instrument, so it ships inside the assessment rather than on a marketing page. Running the assessment takes about 20 minutes and no signup is required to start.