Why Identity Governance Is Now Core to Zero Trust — Not Just Compliance

Identity governance is often misunderstood as a back-office function, but it’s a critical component of an organization’s end‑to‑end security posture.

Identity governance has rapidly evolved from a compliance checkbox into a cornerstone of modern Zero Trust security, especially as organizations adopt cloud-first architectures and AI-driven workflows.

I recently sat down with Ramiro Calderon, Principal Product Manager at Microsoft; Jef Kazimer, Principal Product Manager on the Microsoft Security Entra Identity Platform; and Tee Earls, Product Area Lead for Entra ID Governance to talk about how Entra ID Governance is helping organizations achieve Zero Trust.

Governance as the foundation of modern security

Identity governance is often misunderstood as a back-office function, but Calderon explains that it’s a critical component of an organization’s end‑to‑end security posture. As he puts it, “Identity governance is an essential tool to help customers have a broader security posture… to make sure customers have the right access at the right time for the right workloads based on their job function.”

This shift reflects a broader industry trend: ensuring the right identity has the right access at the right moment is now inseparable from Zero Trust. Least privilege isn’t just a security principle; it’s the fabric that ties together identity lifecycle management, provisioning, automation, and auditing.

Kazimer expanded on this connection. Even if a user signs in from a compliant device on a trusted network, Zero Trust fails if that user still holds access they shouldn’t: “If I shouldn’t have access to the application in the first place… how do we automate this so that access does not accumulate?”

Breaking down the siloed identity problem

Many organizations still treat provisioning, governance, and security as separate disciplines. It’s an approach that creates dangerous gaps. Calderon stresses that Microsoft’s strategy is to unify them: sensors, signals, provisioning workflows, and policy enforcement all feed the same control plane.

He noted that customers routinely suffer from “blind spots” because HR systems, app owners, and identity teams operate independently. Governance provides both the connective tissue and the automation needed to eliminate these gaps, enabling organizations to adopt Zero Trust in practical and scalable ways.

Where to begin: Automating the identity lifecycle

When asked where organizations should start with Entra ID Governance, Earls emphasized time‑to‑value:

“Where are you spending a significant amount of manual time today? Let’s look at that as a good candidate to automate first.”

Microsoft provides deployment guides, Zero Trust workshops, and repeatable patterns that customers can adopt without requiring major redesigns. Small organizations can begin with straightforward automation of joiner‑mover‑leaver events, while large enterprises can target high‑risk areas such as offboarding, orphaned accounts, and privileged roles.

Kazimer highlights that this staged approach avoids the “big bang” deployments associated with legacy Identity Governance and Administration (IGA) systems. Customers can adopt Entra capabilities incrementally and still achieve immediate value.

Access packages and access reviews: Governance with context

One of the most powerful yet misunderstood Entra Governance features is access packages, which bundle related resources into a single assignable unit. Rather than manually granting multiple entitlements across SharePoint, Teams, distribution lists, and applications, organizations can automate birthright access based on policies and user attributes.

Access packages

Earls describes access packages as “groups plus plus in steroids” because they provide governance capabilities far beyond traditional group membership: time‑bound access, approver workflows, and automatic expiration.

Access reviews

Access reviews complement packages by ensuring access remains appropriate over time. Reviewers, or automated policies, can routinely evaluate membership and remove stale permissions without manual cleanup operations. Together, these controls close the loop on the full access lifecycle.
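To make the lifecycle described in the last two sections concrete (joiner‑mover‑leaver automation, access packages with time‑bound assignments, and access reviews that strip stale access), here is an added Python model. It is not Entra ID Governance code and not from the interview; the package names, resources, departments, the no‑self‑approval rule and the 90‑day staleness window are constructed for illustration.

```python
"""Toy model of identity-governance lifecycle controls: joiner/mover/leaver
events, policy-driven access packages with time-bound assignments, and periodic
access reviews that strip stale access.  Constructed example, not Entra code;
package names, resources and policy rules are illustrative only."""
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass(frozen=True)
class AccessPackage:
    name: str
    resources: frozenset             # groups, apps, sites bundled as one unit
    eligible_departments: frozenset  # policy keyed on a user attribute
    max_duration_days: int           # every assignment is time-bound
    requires_approval: bool          # False = birthright, True = request + approver

@dataclass
class Assignment:
    package: str
    granted: date
    expires: date
    last_used: date

@dataclass
class User:
    upn: str
    department: str
    active: bool = True
    assignments: dict = field(default_factory=dict)  # package name -> Assignment

# Constructed catalog (hypothetical names and resources).
CATALOG = {p.name: p for p in [
    AccessPackage("eng-baseline", frozenset({"grp:engineering", "app:source-control"}),
                  frozenset({"Engineering"}), 365, requires_approval=False),
    AccessPackage("finance-baseline", frozenset({"grp:finance", "app:ledger"}),
                  frozenset({"Finance"}), 180, requires_approval=False),
    AccessPackage("prod-oncall", frozenset({"role:prod-operator"}),
                  frozenset({"Engineering"}), 7, requires_approval=True),
]}

def effective_access(user):
    """Union of the resources the user's current assignments grant."""
    return set().union(*(CATALOG[n].resources for n in user.assignments))

def _grant(user, pkg, today):
    """Grant only if the policy covers the user; the assignment carries its own expiry."""
    if not user.active or user.department not in pkg.eligible_departments:
        return False
    expires = today + timedelta(days=pkg.max_duration_days)
    user.assignments[pkg.name] = Assignment(pkg.name, today, expires, today)
    return True

def on_joiner(user, today):
    """Birthright access: every auto-assign package whose policy matches the user."""
    return sorted(p.name for p in CATALOG.values()
                  if not p.requires_approval and p.name not in user.assignments
                  and _grant(user, p, today))

def request_access(user, package, approver, today):
    """Request-based access; a requester can never approve their own request."""
    pkg = CATALOG[package]
    if pkg.requires_approval and approver == user.upn:
        return False
    return _grant(user, pkg, today)

def on_mover(user, new_department, today):
    """Re-evaluate every assignment against the new attributes so access does not accumulate."""
    user.department = new_department
    revoked = sorted(n for n in user.assignments
                     if new_department not in CATALOG[n].eligible_departments)
    for n in revoked:
        del user.assignments[n]
    return {"revoked": revoked, "granted": on_joiner(user, today)}

def on_leaver(user):
    """Offboarding: disable the identity and drop every entitlement, leaving nothing orphaned."""
    user.active = False
    removed = sorted(user.assignments)
    user.assignments.clear()
    return removed

def expire_assignments(user, today):
    """Automatic expiration of time-bound assignments; no manual cleanup."""
    expired = sorted(n for n, a in user.assignments.items() if a.expires <= today)
    for n in expired:
        del user.assignments[n]
    return expired

def access_review(user, today, stale_after_days=90):
    """Periodic review: remove assignments not exercised inside the review window."""
    stale = sorted(n for n, a in user.assignments.items()
                   if (today - a.last_used).days > stale_after_days)
    for n in stale:
        del user.assignments[n]
    return stale

D0 = date(2025, 1, 6)  # constructed epoch for a worked timeline
def day(n):
    """Calendar date n days after D0 (helper for walking through the lifecycle)."""
    return D0 + timedelta(days=n)
```

Walking a constructed user through the model shows the control loop the interview describes: a joiner receives only the packages their attributes entitle them to, an elevated package must be approved by someone else and expires on its own, a move revokes entitlements the new role does not cover before granting new ones, a review removes access that has gone unexercised, and a leaver ends with no assignments and cannot be granted new ones.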

Automating hybrid and on-premises scenarios

Many organizations still rely on on‑premises Active Directory. Calderon notes that Microsoft’s goal is to “meet customers where they are,” enabling Entra to govern hybrid environments without requiring an immediate migration.

Entra can:

  • Provision users directly into on‑premises AD from HR systems 
  • Govern on‑premises groups via cloud‑based workflows 
  • Push policy‑driven assignments back into Active Directory 
  • Integrate with on‑premises applications through provisioning agents 

This allows organizations to modernize identity security without abandoning their existing investments, and without rushing to move everything to the cloud.

Scaling to tens or hundreds of thousands of identities

Large enterprises must consider operational scale from day one. Earls advised organizations to rethink legacy patterns instead of trying to replicate them in Entra. Delegated administration, standardized access catalogs, and well‑designed governance structures prevent “cornering yourself” later.

Calderon added that cloud‑based governance eliminates the years‑long deployment cycles typical of legacy IGA systems. Entra’s SaaS architecture enables organizations to implement mature governance controls across their entire estate, not just a handful of audited systems, and to do so in weeks rather than years.

Governance for AI agents

One of the most notable emerging challenges is the rise of AI agents acting on behalf of users. Earls points out that Entra’s governance applies not only to humans, but also to workload identities and AI entities. AI agents can request access, be assigned policies, and be governed through the same lifecycle workflows, a capability that will become increasingly vital as organizations adopt copilots and automated tools.

Where to learn more