When I think of governance, I think of governments and the law. Governments don’t simply create laws and assume everything will work smoothly. They rely on enforcement, continuous monitoring, and corrective actions to ensure rules are followed, adapting them when necessary. Without oversight, laws would be ineffective, and society would soon face chaos.
The digital world isn’t so different. Identity Governance and Administration (IGA) systems are designed to govern access to digital resources by setting rules for who can access what, and under which conditions. Many of today’s IGA systems, however, follow a static model—evaluating access policies only at specific lifecycle events, such as when someone joins an organisation, changes roles, or leaves. These events trigger entitlement updates that are provisioned to systems like Active Directory or cloud-based services.
This static model has served organisations reasonably well in the past, but as operating environments become more dynamic and security demands increase, its limitations are increasingly visible. A shift towards dynamic policy evaluation and continuous monitoring is not only preferable—it is becoming essential.

The Challenges of Static Policy Evaluation
In the static model, access entitlements are assigned at fixed points in time. For instance, when a new employee joins the company, their role or personal attributes—such as job title or department—are used to assign the necessary access rights. These rights remain in effect until another lifecycle event triggers an update, such as a promotion or departure.
This approach assumes that nothing significant will change between these lifecycle events. But today’s environments are fluid. What if someone tries to access sensitive data from an untrusted device, or outside their approved working hours? A static system has no way to account for these variables in real time, leaving organisations vulnerable to security risks and policy breaches.
This isn’t governance—it’s static enforcement. It’s like passing a law and then assuming everyone will follow it without any enforcement or monitoring. A more effective approach involves real-time policy evaluation, where access decisions take into account the most current context. For example, a request to access patient records could be evaluated based on the user’s location, device posture, and time of access. Continuous monitoring ensures that access patterns are reviewed and anomalies are addressed before they escalate into major problems.
Why the Industry Hasn’t Fully Transitioned
Despite the obvious advantages of real-time evaluation, the transition is far from straightforward. The primary barrier is the legacy nature of many existing applications, which were built for static entitlement models. Many of these systems:
- Handle policy evaluation internally: They have hardcoded access control logic that evaluates policies using local configurations or databases.
- Use proprietary logging mechanisms: Each application logs access events in its own format, making it difficult to centralise monitoring or detect violations across the organisation.
To move towards real-time evaluation, these legacy applications would need significant refactoring. In many cases, the cost and complexity make this impractical in the short term. As a result, organisations are naturally cautious about large-scale architectural changes.
A Practical Path Forward
The key to overcoming these challenges is to adopt a measured, incremental approach, rather than attempting a complete overhaul. With careful planning, organisations can begin to integrate dynamic policy evaluation and continuous monitoring without disrupting critical systems.
Dependency Injection and Policy Evaluation as an Interface
One of the main issues with legacy applications is their tightly coupled access control logic. Policy evaluation is often hardcoded, making it difficult to change without extensive modifications. A more flexible approach involves introducing an interface for policy evaluation, which decouples the access control mechanism from the application logic.
This interface provides an abstraction that allows the implementation to be swapped easily, without changing the core application. In the short term, the interface can point to the application’s existing local policy evaluator. Over time, organisations can replace this with a centralised policy engine or a local policy enforcement point (PEP) with minimal disruption. This technique leverages Inversion of Control (IoC), a principle from the SOLID architecture framework that promotes maintainability and adaptability.
Centralised Monitoring with Event Streaming
While dependency injection addresses policy evaluation, centralised monitoring is essential for real-time governance. Many legacy applications log access events locally, making it difficult to gain a unified view of access activities.
A practical solution involves modern event-streaming platforms such as Kafka, which can collect and transform logs from disparate systems into a standard format. This format can then be ingested by a Security Information and Event Management (SIEM) system, providing a centralised view of access activities and enabling real-time anomaly detection. Importantly, this approach doesn’t require immediate changes to every application—it allows organisations to integrate systems incrementally while building towards a fully centralised monitoring solution.
By combining dependency injection for policy evaluation with centralised monitoring through event streaming, organisations can make significant progress towards dynamic governance without requiring a complete architectural overhaul.
Balancing Short-Term Wins with Long-Term Strategy
A phased approach allows organisations to balance immediate benefits with long-term strategic gains:
- Introduce dependency injection gradually: Start by incorporating it into new applications or during maintenance cycles for existing ones. This small change can future-proof applications and prepare them for dynamic policy evaluation.
- Implement centralised logging incrementally: Begin by integrating high-priority applications with an event-streaming platform. As confidence grows, extend coverage to all critical systems.
- Transition to dynamic policy evaluation gradually: Once dependency injection is in place, replacing the local policy evaluator with a dynamic, centralised policy engine can be done with minimal impact. Start by targeting high-risk or sensitive systems, and then expand further.
Conclusion
Governance is about more than setting policies—it’s about ensuring those policies are followed and adapting them as circumstances change. Static IGA models, with their reliance on fixed entitlements and periodic checks, are no longer sufficient. A more effective approach involves real-time policy evaluation and continuous monitoring to ensure policies remain effective in dynamic environments.
While legacy systems present challenges, they are not insurmountable. By adopting architectural patterns like dependency injection and leveraging event-streaming technologies, organisations can modernise their approach in a gradual, manageable way. The benefits—enhanced security, improved compliance, and greater agility—are well worth the effort.
In a dynamic world, governance must be dynamic too.
Be First to Comment