IGA readiness checklist

A one-page checklist for pressure-testing your identity governance — the visibility, controls, and evidence an audit will look for.

Use this to pressure-test your access governance before an auditor or a fast-growing headcount does it for you. Work top to bottom, check what already holds, and turn the gaps into a short backlog. Every item here is generic best practice; the closing section notes where Owlie helps.

Know what you have

  • ☐ Keep a current inventory of the systems that hold sensitive access, ranked by risk.
  • ☐ Name an accountable owner for every critical application and high-value entitlement.
  • ☐ Classify each account as human, shared, service, or external — and flag the ones no one owns.
  • ☐ Reconcile the accounts in each system against a single source of truth for identities.

Requests and approvals

  • ☐ Document the approval path for each type of access: who approves, and whether a second stage applies.
  • ☐ Require a business reason on every request and keep it attached to the decision.
  • ☐ Decide standing versus time-bound access up front, and default sensitive grants to an expiry.
  • ☐ Confirm that no one can approve their own request.

Joiners, movers, and leavers

  • ☐ Define the birthright access each role or department receives, and how it is granted.
  • ☐ Trigger an access change on transfers and manager changes — not only on hire and departure.
  • ☐ Remove access promptly when someone leaves, and confirm the change reached the downstream system.
  • ☐ Sweep for access left over from prior roles (“privilege creep”) on a set schedule.

Least privilege and policy

  • ☐ Write down who should — and who must not — hold each sensitive entitlement.
  • ☐ Name the combinations you never allow together (separation of duties) and enforce them.
  • ☐ Grant at the entitlement level rather than blanket admin wherever the system allows it.
  • ☐ Review high-privilege and break-glass accounts more often than everything else.

Access reviews and certification

  • ☐ Set a review cadence by risk — more frequent for sensitive access, at least annually elsewhere.
  • ☐ Route each review to someone who can actually judge it: the manager or the resource owner.
  • ☐ Give reviewers enough context to decide without exposing more than they need to see.
  • ☐ Make a “revoke” decision produce real removal work, and confirm it completed.
  • ☐ Record no-response outcomes honestly instead of letting stale items auto-approve.

Evidence and audit readiness

  • ☐ Capture who decided what, when, and why for every grant, approval, and review.
  • ☐ Snapshot the access and the governing policy as they were at decision time, so evidence survives later changes.
  • ☐ Keep evidence exportable and retained for the full length of your audit window.
  • ☐ Dry-run it: pick a grant at random and try to reconstruct its history end to end.

How Owlie fits

Owlie is built as composable blocks that map onto this checklist, so you can adopt the pieces you need rather than buy a suite whole. Access requests route to the right approvers, including staged approvals and quorum decisions. Provisioning drives each approved or revoked decision to a concrete state on the connected system and journals every attempt. Policies declare the access identities should — and must not — have, separation-of-duties pairs included, and continuously converge reality toward that declaration. Access reviews capture an immutable snapshot of the subject, grant, and governing policy at decision time, block anyone from certifying their own access, and export a verifiable evidence packet.