IGA
Entitlement Discovery and Classification
This control asks one thing: How does the organization discover, inventory, and classify entitlements across applications and infrastructure?
Low Maturity
What Failure Looks Like
The documented failure mode at level 0 (Absent) on the 0 to 4 maturity scale:
Invisible risk from accumulated permissions. Over-provisioned access proliferates because no one knows what entitlements exist.
High Maturity
What Good Looks Like
The business value the methodology documents at level 4 (Optimized):
Minimizes standing access risk while reducing manual governance overhead.
Next Step
A Typical Next Move
For programs sitting around level 0 (Absent), the methodology recommends this as the next rational step:
Inventory entitlements for critical systems and establish basic classification (admin vs. standard).
What reaching level 2 (Developing) unlocks
Data-driven access reviews with entitlement context.
Evidence
Evidence Assessors Ask For
A sample of the artifacts an assessor expects to see around level 2 (Developing):
- IGA connectors pulling entitlement data from applications
- Classification taxonomy applied (e.g., sensitive, standard, privileged)
- Entitlement data used in access certification campaigns
Compliance
Compliance Frameworks That Cite This Control
The bank's regulatory mapping for IGA-05 resolves to 6 frameworks with a researched compliance threshold. Weakness here shows up in audits, not only in incidents.
Where Does Your Program Land on IGA-05?
This page is the teaser layer. The full rubric behind IGA-05 defines 5 scored maturity levels, 0 to 4, each with its own operating model, evidence expectations, and regulatory citations. That rubric is the scoring instrument, so it ships inside the assessment rather than on a marketing page. Running the assessment takes about 20 minutes and no signup is required to start.