I have tested and found that anyone can access the Governance portals in the DEV and Production environment with a valid UserID and any text for a password.
How do we correct this?
It is actually the default behavior to allow any valid user login without a password check. You will need to turn on the authentication property settings in Identity Governance:
Administration > Settings > Properties
Search for "auth" properties.
Select your authentication type property (IM, AD, etc.) and change it from true to false.
See also, https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-governance/14-4/configuring/authentication.html