IG integrated with IDM "knows" the permissions provisioned by IDM to a connected system like ADS down to the entitltment value. If the connected system is also an application source in IG, it should be possible to compare the permissions granted by IDM with the actual/current state in the application (including manually granted permissions or the ones granted before the IDM system was in place).