Open Framework · v0.1 Public Draft
The Open IGA Operating Framework
The instruction manual for running an identity governance program. Six layers in build order, forty-seven numbered decisions, and four metrics that read whether the program responds. Open, tool-agnostic, and free to adapt under CC BY 4.0.
The DOI above covers every version, so citations keep resolving as the framework matures. To cite a single decision, use its identifier: Open IGA Operating Framework, M2.
What This Is
The layer under the tools.
The tools handle the mechanics of granting and removing access. This framework covers everything around them: why the program exists, who owns the access decisions, what the program covers, what gets attention first, how the day-to-day processes run, and how often everything gets checked.
The identity field has controls catalogues, bodies of knowledge, and maturity models. What it has not had is a published account of that operating layer. The material exists, but it is held inside organizations or delivered through consulting engagements, so every program that stands up ends up rebuilding the same operating model alone, without a baseline to measure against. This framework publishes an open, adaptable version so the work stops being repeated in isolation.
Every normative statement in the core carries an identifier, M1 through C8, and every failure mode a number, so a program can gap-assess against the framework chapter by chapter, and review feedback can cite the exact statement it disputes.
The Operating Core
Six layers. Each answers one question.
An organization starting from nothing builds in this order. An organization already running a program holds each layer up as a checklist, and the failure modes show what is broken.
Instrumentation
Four metrics read whether it responds.
The Operational Metrics Specification gives each one a formal definition and calculation method. No benchmark thresholds; the values are the program’s own.
The formal definitions derive from the published research: Measuring What Moves →
Reading Paths
Three ways in.
And one organization does all of it in the worked example: Fernway Software, fictional, every layer decided and every worksheet filled in. Read the Fernway example →
Companions
Ten companions. Eight you fill in.
Non-normative templates and worksheets, in Markdown and Word. Once filled in, they stop being templates and become the program’s operating documents. The other two companions: the explorer, hosted here, and a presentation kit in the repository.
- MandateProgram charter templatemddocx
- OwnershipDecision-rights and RACI startermddocx
- ScopeScope register templatemddocx
- PrioritizationTier criteria and on-ramp worksheetmddocx
- ProcessLifecycle checklistmddocx
- ProcessCertification checklistmddocx
- CadenceCadence table templatemddocx
- Cross-cuttingPlatform capability checklistmddocx
Review
Published to be argued with.
Nothing in the draft is ratified, and the stances most worth contesting are flagged in the text. Each pill below opens a pre-titled GitHub issue; cite the identifier and make the case.
Read one chapter, file one issue. Every decision has an identifier, so cite it: GitHub issues →
Run an internal IGA operating model? A profile documents how the core adapts to your organizational shape, and it lets others reuse the adaptation: the profile template →
Prefer email? vidyaa@identara.ca works too. Name the decision identifier if you can.
On the roadmap, in intended order and not as commitments to a date: a pilot reference dataset to ground the metrics, a standards crosswalk annex, practitioner review through IDPro and the conference circuit, standards-community review at IIW XLIII in November 2026, and ratification of the core after review.
Sits Alongside
Where it fits.
ISO and NIST specify controls. The IDPro Body of Knowledge explains concepts. Maturity models score programs. This framework addresses the layer beneath them, and it connects to the rest of the work here.
One email when v0.2 ships and one when the core is ratified. Nothing else.