Policies show external auditors that you have structures in place to ensure compliance in your environment. Separation of duties policies work to keep any single user from having too much access. Business roles automate applying appropriate access based on job function. Risk factors and weighting allow Identity Governance to calculate the level of risk based on your criteria. Request automates granting access on user requests by letting you define criteria to automatically grant requested access or route approval requests to the appropriate entity. Certification policies provide compliance status of all access review processes included in a policy definition.