Ask three vendors to explain identity security and you will get three acronyms that sound almost interchangeable: ISPM, ITDR, and IGA. They are not interchangeable. Each solves a different problem, at a different phase of the identity attack lifecycle, using different inputs. Confusing them leads to real gaps, teams that buy detection and assume it hardens their posture, or buy governance and assume it catches attackers. It does neither.
This guide draws the lines clearly. By the end you will know what each discipline does, where they overlap, and why mature identity security programs run all three on shared data rather than as three disconnected purchases. The stakes are rising fast: Microsoft's 2025 extortion and ransomware research found identity-based attacks surged 32 percent in the first half of 2025, which is exactly why getting these three right matters more than ever.
The short answer
IGA (Identity Governance and Administration) manages the lifecycle of identities and their access: who should have access to what, and how that access is requested, approved, and reviewed. ISPM (Identity Security Posture Management) continuously assesses how risky your identities are right now and reduces that attack surface before it is exploited. ITDR (Identity Threat Detection and Response) detects and stops identity attacks that are happening in real time.
In one line: IGA decides who gets access, ISPM measures and hardens how exposed that access is, and ITDR catches the attacker who abuses it.
What is IGA?
Identity Governance and Administration is the oldest of the three disciplines and the one most organizations already have in some form. IGA governs the identity lifecycle: provisioning access when someone joins or changes roles, running access requests and approvals, enforcing separation of duties, and conducting the periodic access reviews and certifications that auditors expect.
IGA answers the question: who should have access to what, and can we prove it was approved? Its orientation is process and policy. It is the system of record for entitlements and the workflow engine for granting and revoking them. What IGA does not do is tell you, in real time, whether the access it granted has quietly become risky, or whether someone is abusing it right now.
What is ISPM?
Identity Security Posture Management picks up where governance leaves off. Where IGA governs access as a process, ISPM continuously measures the risk that access represents. It discovers every identity across every identity provider, scores each one against security baselines, flags misconfigurations and excessive privileges, and prioritizes what to fix first.
ISPM answers the question: what is our identity attack surface right now? Its orientation is continuous assessment of current state. It catches the service account with unused admin rights, the dormant account that still has active privileges, and the federated identity whose real risk only appears when you account for its access across several systems. For a deeper look at how to operationalize this, see The 8 Pillars of ISPM. ISPM works in the preparation phase of an attack, shrinking the surface so there is less for an attacker to find.
What is ITDR?
Identity Threat Detection and Response is the real-time function. Where ISPM reduces the attack surface, ITDR watches what is actually happening across that surface and steps in when an identity is under attack. It correlates behavioral signals, session data, and login events to surface attacks in progress, then provides the investigation workspace and response actions to contain them.
ITDR answers the question: is an identity attack happening right now? Its orientation is real-time and historical correlation of activity. It catches the credential that was just authenticated from an impossible location, the MFA fatigue attack in progress, and the privilege escalation that no static assessment would ever see because it is behavior, not configuration. When ITDR fires, the job is speed: a full timeline, a causality graph, and the ability to block, kill sessions, revoke tokens, or scramble credentials from one screen.
ISPM vs ITDR vs IGA at a glance
Core question
- IGA: Who should have access to what?
- ISPM: What is our identity attack surface right now?
- ITDR: Is an identity attack happening right now?
Lifecycle phase
- IGA: Administration and governance
- ISPM: Preparation
- ITDR: Detection and response
Primary inputs
- IGA: Roles, entitlements, approval workflows
- ISPM: Configuration, entitlements, inventory state
- ITDR: Behavioral signals, session and login data
Time orientation
- IGA: Scheduled: requests, reviews, certifications
- ISPM: Continuous assessment of current state
- ITDR: Real time plus historical correlation
Typical output
- IGA: Provisioned access, access reviews, audit trails
- ISPM: Risk scores, misconfiguration findings, baseline drift
- ITDR: Alerts, investigations, automated containment
Example finding
- IGA: A user's access request is approved and provisioned
- ISPM: A service account has excessive, unused privileges
- ITDR: That same service account just authenticated from a new country
Primary goal
- IGA: Grant and govern access correctly
- ISPM: Reduce the attack surface before exploitation
- ITDR: Stop the attack in progress

How IGA, ISPM and ITDR compare across the identity security lifecycle
Where they overlap, and where the gaps hide
These three disciplines are complementary, but they share edges, and the edges are where programs succeed or fail.
IGA and ISPM overlap on entitlements. IGA holds the record of what access was granted and approved. ISPM evaluates whether that access is now risky. The gap appears when governance approves access that later drifts into danger and nothing re-evaluates it. IGA said yes once; ISPM asks whether yes is still safe today.
ISPM and ITDR overlap on identity risk. ISPM finds the exposed identity before anything happens. ITDR catches the attack if that identity is abused anyway. The gap appears when posture data never informs detection logic, so the tool watching for attacks does not know which identities were already flagged as high risk. An ITDR alert on an identity that ISPM already scored as critical should be treated very differently from an alert on a clean one, but only if the two of them share data.
There is a related gap that predates all three tools: the SIEM. For years, authentication logs were shipped off to a SIEM for analytics, but a SIEM was never designed to hold posture context. It can tell you a login happened; it cannot tell you that the account was over-privileged, unowned, and reachable through a risky federation path before that login ever occurred. Pouring identity data into a SIEM and calling it identity security is how organizations end up with volumes of logs and almost no posture visibility. ISPM exists precisely to turn that raw log exhaust into an organized, risk-scored picture the other can act on.
The most expensive gap, though, is treating all three as separate, disconnected products. Posture findings that never reach detection. Detections that never feed back into hardening. Governance that grants access no one re-checks. Each tool works in isolation and the identity attack surface stays wide open in the seams between them.
Why they belong on one data layer
The reason these disciplines are converging onto single platforms is that their value compounds when they share context. When ISPM scores an identity as high risk, ITDR should weigh that when the same identity behaves strangely. When ITDR detects an attack, ISPM should know to re-harden the posture that let it through. When either finds a problem, compliance should already know which regulatory controls it touches.
That feedback loop is exactly what disconnected tools cannot produce. Posture that informs detection, detection that tightens posture, and both feeding continuous compliance evidence, all running on one shared identity data layer.
This is how the 8Layers platform is built. Octagon delivers ISPM, Thor delivers ITDR, and Compass delivers continuous compliance, all on a shared identity data layer so a finding in one arrives with context from the others. Posture, detection, and proof stop being three tools a team switches between and become one continuous view of the identity attack surface.
If you want to see how the disciplines work together against your own environment, request a demo.
Frequently asked questions
What is the difference between ISPM and ITDR?
ISPM reduces the identity attack surface before an attack by continuously assessing configuration and entitlements. ITDR detects and responds to identity attacks in progress using behavioral and session signals. ISPM is preparation; ITDR is detection and response. They are complementary, not alternatives.
Is IGA the same as ISPM?
No. IGA governs the identity lifecycle, provisioning, access requests, approvals, and periodic reviews. ISPM continuously measures the security risk of the access that IGA grants. IGA decides who should have access; ISPM measures how exposed that access makes you.
Do I need all three?
For a complete identity security program, yes. IGA governs access, ISPM hardens it, and ITDR defends it. Gaps open when one is missing: governance without posture management grants access no one re-evaluates, and posture without detection leaves you blind to attacks in progress.
What does ITDR stand for?
ITDR stands for Identity Threat Detection and Response. It is the discipline and tooling used to detect identity-based attacks in real time and respond to them, covering the detection, investigation, and containment phases of the identity attack lifecycle.
How do ISPM, ITDR, and IGA work together?
They cover the full identity attack lifecycle in sequence. IGA grants and governs access, ISPM continuously reduces the risk that access creates, and ITDR catches any attack that still gets through. On a shared data layer, each informs the others: posture guides detection, detection tightens posture, and both produce compliance evidence.
