
How to choose an IGA platform

A buyer-focused guide to choosing an Identity Governance and Administration (IGA) platform — access reviews, certifications, lifecycle, SOD, and audit.

Quick answer

Choose an IGA platform sized for your control environment, not your wishlist. Mid-market teams typically need automated joiner/mover/leaver, scheduled access reviews, basic SOD, and clean evidence export. Enterprises need role mining, policy-based access, deep SAP/Workday/Oracle connectors, and risk-based certifications. Always validate connector depth against your top 10 apps before signing.


Who this guide is for

CISOs, IAM and GRC leaders, internal audit, and compliance teams in regulated industries (financial services, healthcare, public sector, utilities) and any organization preparing for or operating under SOX, SOC 2, ISO 27001, HIPAA, or HITRUST.

When this matters

IGA matters most when you face SOX or equivalent control environments, when you have grown to thousands of users across many apps, after an acquisition that doubled your access surface, or when auditors call out access management as a finding. The cost of getting it wrong shows up at audit time.

How to choose

Right-size the platform to your real control environment. Inventory the connectors and SOD rules you actually need. Bring internal audit in early so evidence requirements are explicit. Run a POC against your hardest apps (SAP, Workday, mainframe) — slideware is meaningless here. Budget honestly for systems integrator (SI) work on enterprise deployments.

Key buying criteria

  • Connector depth

    Does it have production-quality connectors for your business-critical apps (SAP, Workday, Oracle, Salesforce, ServiceNow, mainframes)? Connector depth is the single biggest IGA differentiator.

  • Access reviews

    Scheduled and event-driven reviews, manager + resource-owner reviews, delta reviews, escalation, and reviewer fatigue mitigation.

  • Lifecycle automation

    HR-driven joiner/mover/leaver with policy-based access changes, fully closed-loop on deprovisioning: the platform confirms that the target account was actually disabled, rather than only recording that a request was sent.

  • Roles and policies

    RBAC, ABAC, role mining/engineering, separation of duties (SOD), and toxic-combination detection (entitlements that are individually fine but must not be held together).

  • Risk and analytics

    Outlier access detection, peer-group analysis, and risk scoring to focus reviews on the highest-risk entitlements.

  • Audit and evidence

    Immutable audit trail, exportable evidence packages for SOX/SOC 2/ISO/HITRUST, and clear control mapping.

  • Deployment model

    SaaS vs on-prem vs hybrid. Regulated customers, those with strict data-residency requirements, and large enterprises still often need hybrid.

  • Time-to-value

    Modern SaaS IGA can deliver value in months. Traditional enterprise IGA programs can take 12-24 months and a systems integrator.
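
The Roles and policies and Risk and analytics criteria above are worth testing in a POC with your own data, because vendors demonstrate them with clean sample tenants. The following Python script is an added example, not code from this guide or from any vendor: it runs a toxic-combination (SOD) check and a peer-group outlier check over a constructed entitlement snapshot and ranks identities for a certification campaign. The identities, departments, entitlement names, the single SOD rule, the 50% peer threshold and the scoring weights are all assumptions chosen for illustration.

```python
"""
Toy separation-of-duties (SOD) check and peer-group outlier scoring over a
constructed entitlement snapshot, used to rank what a certification campaign
should look at first. Example code only; not any vendor's implementation.
"""
from collections import Counter, defaultdict

# Constructed sample data: identity -> (department, set of entitlements).
# Entitlement names are illustrative, not real SAP/Workday authorization objects.
# svc-rpa-01 is a non-human identity that sits in the finance population on purpose.
IDENTITIES = {
    "alice":      ("finance", {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT", "GL_VIEW"}),
    "bob":        ("finance", {"AP_CREATE_VENDOR", "GL_VIEW"}),
    "carol":      ("finance", {"AP_APPROVE_PAYMENT", "GL_VIEW"}),
    "dave":       ("finance", {"GL_VIEW"}),
    "erin":       ("engineering", {"REPO_WRITE", "CI_ADMIN"}),
    "frank":      ("engineering", {"REPO_WRITE"}),
    "grace":      ("engineering", {"REPO_WRITE", "AP_APPROVE_PAYMENT"}),
    "svc-rpa-01": ("finance", {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}),
}

# SOD rules as unordered pairs of entitlements that must not be held together (assumed).
SOD_RULES = {
    frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}): "vendor creation vs payment approval",
}


def sod_violations(identities=IDENTITIES, rules=SOD_RULES):
    """Return {identity: [rule description, ...]} for every toxic combination held."""
    hits = defaultdict(list)
    for ident, (_, ents) in identities.items():
        for pair, desc in rules.items():
            if pair <= ents:  # both halves of the toxic pair are present
                hits[ident].append(desc)
    return dict(hits)


def peer_group_outliers(identities=IDENTITIES, threshold=0.5):
    """Flag entitlements held by fewer than `threshold` of the holder's department peers.

    Returns {identity: {entitlement: share_of_peers_holding_it}}.
    """
    by_dept = defaultdict(list)
    for _, (dept, ents) in identities.items():
        by_dept[dept].append(ents)
    outliers = defaultdict(dict)
    for ident, (dept, ents) in identities.items():
        peers = by_dept[dept]
        if len(peers) < 2:
            continue  # no peer group to compare against; cannot call anything an outlier
        counts = Counter(e for p in peers for e in p)
        for e in ents:
            share = counts[e] / len(peers)
            if share < threshold:
                outliers[ident][e] = round(share, 2)
    return dict(outliers)


def rank_for_review(identities=IDENTITIES):
    """Simple risk score (assumed weights): 10 per SOD violation + 1 per outlier entitlement.

    Returns a list of (identity, score) sorted highest-risk first, then by name.
    """
    sod = sod_violations(identities)
    out = peer_group_outliers(identities)
    scores = {i: 10 * len(sod.get(i, [])) + len(out.get(i, {})) for i in identities}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    sod, out = sod_violations(), peer_group_outliers()
    for ident, score in rank_for_review():
        print(f"{ident:12s} score={score:2d} sod={sod.get(ident, [])} outliers={out.get(ident, {})}")
```

Two things the output shows that a slide would not: the RPA service account ranks alongside alice because it holds the same toxic pair, which is why non-human identities must be in scope; and grace is not an SOD violation but is an outlier, since nobody else in engineering holds a finance approval entitlement. A reviewer who only sees the SOD report misses the second case.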

Evaluation checklist

  • Listed in-scope regulated apps and entitlements
  • Mapped which controls IGA must support (SOX, SOC 2, etc.)
  • Documented HR source of truth and quality of data
  • Counted certifiable identities (employees, contractors, service accounts)
  • Listed required connectors and ranked by criticality
  • Defined SOD policies you must enforce
  • Decided SaaS vs hybrid based on residency / compliance
  • Estimated implementation duration and SI budget
  • Validated audit evidence export with internal audit
  • Modeled licensing across identities and entitlements

Common vendor categories

Enterprise IGA

SailPoint, Saviynt, Omada, One Identity, Oracle, IBM. Deep connectors, role mining, mature governance — enterprise-priced and SI-heavy.

IAM-suite governance

Okta Identity Governance, Microsoft Entra ID Governance. Lighter governance bundled with IAM; great fit when IAM is already there and needs are mid-market.

Access intelligence / visibility

Veza and similar focus on cross-system access visibility and certifications across SaaS, cloud, and data platforms.

Implementation considerations

  • Plan in phases: HR feed → joiner/mover/leaver → certifications → SOD → role engineering.
  • Get internal audit involved before vendor selection so evidence requirements are explicit.
  • Invest in HR data quality — most IGA failures trace back to bad HR feeds.
  • Budget for a systems integrator on enterprise deployments.
  • Start with high-risk, low-volume apps; expand connector coverage steadily.
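
The first two phases (HR feed, then joiner/mover/leaver) are where the HR data-quality point bites. The following Python script is an added example, not this guide's or any vendor's connector logic: it reconciles a constructed HR feed against a constructed account export from one application and emits the actions a closed-loop JML run would raise. The field names, the status vocabulary (active/terminated), the birthright policy and the two deliberately bad HR rows are assumptions. The point it demonstrates is that a malformed or duplicated HR record must never trigger an automatic change, but must be surfaced so the feed gets fixed.

```python
"""
Toy HR-driven joiner/mover/leaver (JML) reconciliation: the HR feed is the
source of truth, an application's account export is the target, and the
output is the list of provisioning actions a closed-loop IGA run would raise.
Constructed example, not any vendor's connector logic.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed HR feed. E104 is a deliberately incomplete row and E105 is a
# duplicate employee_id, two of the most common HR data-quality defects.
HR_FEED = [
    {"employee_id": "E100", "email": "alice@example.com", "dept": "finance", "status": "active"},
    {"employee_id": "E101", "email": "bob@example.com", "dept": "finance", "status": "terminated"},
    {"employee_id": "E102", "email": "carol@example.com", "dept": "engineering", "status": "active"},
    {"employee_id": "E103", "email": "dave@example.com", "dept": "sales", "status": "active"},
    {"employee_id": "E104", "email": "erin@example.com", "dept": "", "status": ""},
    {"employee_id": "E105", "email": "frank@example.com", "dept": "sales", "status": "active"},
    {"employee_id": "E105", "email": "frank.l@example.com", "dept": "sales", "status": "active"},
]

# Constructed account export from one application: username -> what the app knows.
APP_ACCOUNTS = {
    "alice": {"employee_id": "E100", "dept": "finance"},
    "bob": {"employee_id": "E101", "dept": "finance"},
    "carol": {"employee_id": "E102", "dept": "sales"},      # HR now says engineering
    "erin": {"employee_id": "E104", "dept": "engineering"},
    "svc-backup": {"employee_id": None, "dept": None},      # no HR link at all
}

# Birthright policy (assumed): departments whose active staff get an account here.
BIRTHRIGHT_DEPTS = {"finance", "engineering", "sales"}


@dataclass(frozen=True)
class Action:
    kind: str      # joiner | mover | leaver | orphan | hold
    account: str
    detail: str


def reconcile(hr_feed=HR_FEED, accounts=APP_ACCOUNTS, birthright=BIRTHRIGHT_DEPTS):
    """Return the provisioning actions needed to bring `accounts` in line with `hr_feed`."""
    actions = []
    acct_by_eid = {v["employee_id"]: u for u, v in accounts.items() if v["employee_id"]}

    # Duplicate employee IDs: the feed is ambiguous for that person, so hold rather than act.
    dups = {eid for eid, n in Counter(r["employee_id"] for r in hr_feed).items() if n > 1}
    for eid in sorted(dups):
        actions.append(Action("hold", acct_by_eid.get(eid, eid), "duplicate employee_id in HR feed"))
    hr_by_id = {r["employee_id"]: r for r in hr_feed if r["employee_id"] not in dups}

    for eid, row in hr_by_id.items():
        username = acct_by_eid.get(eid)
        if row["status"] not in ("active", "terminated") or not row["dept"]:
            # Fail safe: an incomplete HR row never triggers an automatic change,
            # but it is surfaced so the gap gets fixed at the source.
            actions.append(Action("hold", username or eid, "incomplete HR record; fix feed"))
        elif row["status"] == "terminated":
            if username:  # leaver: closed-loop means the account is actually disabled
                actions.append(Action("leaver", username, "disable account, revoke entitlements"))
        elif username is None:
            if row["dept"] in birthright:  # joiner: birthright access only, nothing extra
                actions.append(Action("joiner", row["email"].split("@")[0], f"create account ({row['dept']})"))
        elif accounts[username]["dept"] != row["dept"]:  # mover: re-derive access from policy
            actions.append(Action("mover", username, f"{accounts[username]['dept']} -> {row['dept']}"))

    # Accounts with no valid HR anchor: service accounts, bots, or leftovers from old joiners.
    for username, attrs in accounts.items():
        eid = attrs["employee_id"]
        if not eid or (eid not in hr_by_id and eid not in dups):
            actions.append(Action("orphan", username, "no HR owner; assign an owner or disable"))
    return actions


if __name__ == "__main__":
    for a in reconcile():
        print(f"{a.kind:7s} {a.account:12s} {a.detail}")
```

Run as-is, the script raises one leaver (bob), one mover (carol), one joiner (dave), one orphan (svc-backup) and two holds (erin's blank record and the duplicated E105). The holds are the part to check in a POC: ask the vendor what their connector does with exactly these two rows, because "disable everyone the feed cannot match" and "ignore rows that fail validation" are both common and both wrong.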

Pricing considerations

  • Usually priced per identity, sometimes per entitlement or per app connector.
  • SI fees can equal or exceed license costs on enterprise platforms.
  • Some vendors charge separately for SOD, role mining, and analytics modules.
  • SaaS-native IGA tends to be more predictable in total cost and needs less professional services.

Questions to ask vendors

  • Show me your top 10 connectors live, not in slides.
  • Walk through a real customer's quarterly certification.
  • How do you handle reviewer fatigue and rubber-stamping?
  • Show your SOD library and how a violation is remediated.
  • How do you export evidence for SOX 404 and SOC 2?
  • What is realistic time-to-value for an organization our size?
  • Which features require a systems integrator?
  • How do you handle service accounts, RPA bots, and non-human identities?
  • Show me your incident history for the past 24 months.
  • What does an exit look like if we replace you in 5 years?

Common mistakes

  • Buying enterprise IGA when you have 1,500 employees and 30 SaaS apps.
  • Ignoring HR data quality and blaming the IGA platform.
  • Underestimating systems integrator costs.
  • Skipping role engineering and ending up with thousands of one-off roles.
  • Treating certifications as a checkbox and getting rubber-stamp reviews.
  • Forgetting non-human identities (service accounts, bots, machine identities).

Frequently asked questions

How is IGA different from IAM?

IAM handles authentication and authorization in the moment. IGA governs access over time: requests, approvals, periodic reviews, role policies, and evidence.

Do we need a dedicated IGA tool if we have Okta or Entra?

Okta Identity Governance and Entra ID Governance cover mid-market needs. Regulated enterprises with SAP/Oracle complexity typically still need dedicated SailPoint, Saviynt, Omada, or One Identity.

How long does an IGA deployment take?

Mid-market SaaS IGA: 3-6 months for core lifecycle + certifications. Enterprise IGA at a global bank: 12-24 months with an SI.

Should we centralize service accounts in IGA?

Yes — non-human identities are now the largest identity population in most enterprises. They need ownership, expiration, and certification.

Open source IGA — viable?

Limited. Some teams roll their own with Keycloak + custom workflows, but Keycloak is an authentication and authorization server, not an IGA product, so the request, review, SOD, and evidence workflows all have to be built. Enterprise IGA is one of the harder build-vs-buy calls; usually buy.