I have tested and found that anyone can access the Governance portals in the DEV and Production environment with a valid UserID and any text for a password.

How do we correct this?

It is actually the default behavior to allow any valid user login without a password check. You will need to turn on the authentication property settings in Identity Governance:

Administration > Settings > Properties

Search for "auth" properties.

Select your authentication type property (IM, AD, etc.) and change it from true to false.

See also, https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-governance/14-4/configuring/authentication.html