Market Guide for Identity Governance and Administration

2 October 2025 - ID G00836197 - 39 min read
By Steve Wessels, Paul Mezzera, and 2 more
The identity governance and administration market remains dynamic with a range of organizational business drivers, leading to a variety of offered IAM features. This research helps IAM leaders navigate the IGA market and improve decision making.

Overview


Key Findings

  • There is no single best-practice approach or universal feature set for IGA initiatives. All IGA implementations share common foundations, but the business drivers, practical execution, and emphasis on specific features or controls differ significantly from one organization to another.
  • Innovation and active product development remain strong in the IGA market, highlighted by dynamic startup activity and strategic investments from leading vendors. The primary drivers of this are rising cybersecurity threats, regulatory demands, digital transformation, complex IT environments, the growth of machine identities, user experience expectations, decentralized identity models, and the need for smarter risk management.
  • Key areas of advancement include AI-driven identity governance, low-code orchestration for governance workflows, risk-aware and contextual certification, governance for machine identities, and emerging models such as decentralized identity and identity fabric.
  • Many organizations continue to face significant implementation challenges with IGA solutions, particularly when it comes to integrating business-critical applications at scale. While vendors have made progress, native capabilities often fall short in delivering the speed, depth, and visibility required for complex hybrid and SaaS-heavy environments.

Recommendations

IAM leaders should:
  • Select an IGA solution by aligning IGA investments with prioritized business outcomes. Clearly define and rank these drivers in alignment with IAM strategy to guide both product selection and implementation strategy.
  • Maximize the business value of IGA investments by utilizing the visibility (through data integration and management) and intelligence (via AI or machine-learning-based analytics) features available in your current vendor solutions.
  • When considering new IGA purchases, prioritize offerings that provide AI-powered recommendations, low-code workflow automation, contextual access certifications, machine identity governance, and support for decentralized identity models by giving preference to vendors that meet your specific requirements.
  • When native IGA integration capabilities are insufficient, close integration and visibility gaps with complementary tools by leveraging third-party integration platforms, identity data fabrics, or specialized connectors to accelerate onboarding and improve visibility across hybrid and SaaS environments.

Market Definition


Gartner defines identity governance and administration (IGA) as the solution to manage the identity life cycle and govern access across on-premises and cloud environments. To accomplish this, IGA tools aggregate and correlate disparate identity and access rights data, and provide full capability controls over accounts and associated access.
IGA’s purpose is to enable organizations to effectively manage identities, accounts and associated entitlements across infrastructure and applications, regardless of hosting strategy. This must be done in a way that meets required outcomes for compliance, security risk management, and business process and IT service delivery enablement:
  • Compliance outcomes: Ensuring that access/entitlements that are in scope for different regulations and policy requirements are governed in a way that meets these requirements.
  • Security risk management outcomes: Ensuring that the organization has full visibility into access that exists in their environments, and can identify and effectively control high-risk access, including overpermissioning (least privilege violations).
  • Business process and service delivery enablement outcomes: Enabling the organization to grant and provision justified access as quickly, efficiently, and with as little friction as possible.
IGA solutions may also fulfill the purpose of unifying and correlating identity data for organizations with multiple person and machine identity authoritative sources. This is done to provide a single view of identity (system of record) for their dependent processes and systems.

Mandatory Features

  • Identity life cycle management and identity data integration (including with multiple sources).
  • Access request processing and workflow orchestration.
  • Access certification (also called attestation or review).
  • Provisioning via automated connectors (including some options for apps that don’t use System for Cross-Domain Identity Management [SCIM]) and via integration to IT service management (ITSM)/ticketing systems to trigger manual fulfillment flows.
  • Policy and role management.
  • Auditing, reporting and basic analytics (descriptive and diagnostic analytics), including risk scoring.
  • Entitlement management and data integration (e.g., discovery, entitlement catalog management, and entitlement data enrichment, including descriptions, owners and sensitivity ratings).

Common Features

  • Segregation of duty (SOD) controls.
  • Advanced analytics, including predictive and prescriptive analytics to enable rapid improvements (e.g., policy and rule modeling and recommendations, access approval and certification recommendations, and AI-based assistants).
  • Identity registration and profile management for identities or attributes not managed by another authoritative source (commonly nonemployee workforce or business partner populations).
  • Identity life cycle management and identity data integration for machine identities (devices, workloads, services, robotic process automation [RPA] bots) and associated accounts.
  • Secrets provisioning and reset capability, including self-service password management and key provisioning/update.
  • Data access governance, including for structured and unstructured data.
  • Out-of-the-box capabilities for or integration with systems that provide cloud infrastructure entitlement management (CIEM).
  • Integration with externalized authorization management (EAM) (for shared authorization policy/policy orchestration).
  • Support for shared signals, including (but not limited to) continuous access evaluation protocol (CAEP), including the ability to send shared signals and receive and respond to shared signals.

Market Description


The IGA market worldwide grew 9.2% from 2023 to 2024, with forecast 2024 to 2025 growth of 10.7%, as of 2Q25.[1] The IGA market’s growth is increasingly driven by its critical role in business enablement and security risk management, beyond traditional compliance needs.
There are a variety of business drivers for IGA solution adoption, along with the features and capabilities needed to fully deliver these outcomes in most client implementations. This variety is driving more IGA technology vendors to include more out-of-the-box (OOTB) features in their IGA tooling. Light IGA products that offer a subset of IGA features are still available in the market and are still appropriate for clients with simpler long-term requirements. However, this research focuses on full-featured IGA vendors/products, which will provide required capabilities for most clients in this market.
Gartner will continue to cover light IGA through dedicated research separate from this Market Guide, such as Is Light IGA Right for You? and Innovation Insight: Light Identity Governance and Administration.
Vendors also offer specialized tools and capabilities in the IGA space that can be valuable, even for organizations who are satisfied with the core features of their current IGA solution. Of particular note are tools that enhance identity and access visibility, improve data management, and facilitate faster integration of target systems, including but not limited to SCIM gateway products. See additional detail in the Analysis section below.

Market Direction


Given the diversity across industries and regions, the IGA market is evolving under several influential forces. The four significant drivers we see shaping its direction in 2025 are:
  • The shift to cloud and hybrid delivery models, especially SaaS-based IGA platforms.
    Adoption of cloud-native IGA is accelerating, even in historically conservative sectors. However, demand for self-hosted options will continue to be a requirement in certain regions and industries over the next few years, reflecting ongoing hybrid requirements.
  • The rise of security and business enablement as primary adoption drivers, overtaking compliance as the sole motivator.
    This is pushing the market toward more comprehensive IGA solutions and away from niche offerings. While regulatory compliance remains foundational, more organizations are now implementing IGA solutions to support broader security outcomes and business efficiency goals. This diversification in adoption drivers creates variability in the critical capabilities organizations prioritize. As enterprises mature in their IGA programs, they recognize that realizing multiple outcomes (risk reduction, productivity, and compliance) requires full-spectrum functionality.
  • Accelerating integration of GenAI and AI agent automation to enhance identity intelligence and automation.
    Emerging technologies are driving advancements in visibility and analytics across identities, entitlements, and access behavior. Though AI-enabled IGA is not yet standard, demand is growing rapidly for AI to support identity life cycle management, anomaly detection, and entitlement reviews. This trend also includes automation to reduce the cost and complexity of integrating diverse target systems, a major pain point for many IGA customers today.
  • Expansion of IGA to support machine identities and their access.
    With the proliferation of agentic AI, RPA bots, IoT devices, APIs, and containerized workloads, governance is extending beyond human users. Organizations now require robust capabilities to discover, classify, and manage nonhuman identities under the same policies as human users. This is becoming critical to enforcing least-privilege access and supporting zero-trust architectures. Most IGA vendor solutions only govern service accounts right now, so this is one area where complementary tooling, focused on machine IAM, is needed by most organizations.
Broader IT trends outside IAM markets will accelerate capability improvements within the IGA market, especially in these three areas:
  • Identity and access visibility, including identity and access data management and data integration capabilities.
  • Identity and access intelligence, including using AI to resolve challenges with IGA processes. While we don’t anticipate that AI-enabled IGA will become a mandatory feature of IGA solutions within the next year, we do see increased demand.
  • API-first design and interoperability, which enable IGA solutions to seamlessly integrate with a wide range of business, cloud, and security systems, allowing for real-time identity updates, automated workflows, and consistent policy enforcement.
Finally, customer implementation challenges continue. It is difficult to integrate target systems with IGA solutions rapidly and easily, especially for target system entitlement management. These ongoing challenges will drive additional innovation for light IGA vendors, niche vendors and full-featured IGA vendors in support of application and access data integration automation. This includes the use of AI-enabled software engineering methods to accelerate target system integration with IGA solutions.

Market Analysis


Multiple Business Outcomes Driving Full-Featured IGA Adoption

The key business drivers/outcomes impacting the IGA market have shifted over time. The initial vendors in the market were focused on access administration automation challenges (business enablement). Due to the inclusion of access governance requirements in various regulations, compliance took over for many years as the highest impact business driver for the IGA market and associated IGA feature development.
In recent years, there has been an increased focus on and recognition of achieving strong security risk management outcomes as a critical driver in many client organizations. IAM professionals have formed a view that identity is the core foundation of cybersecurity posture. Cybersecurity leaders should adopt identity-first security approaches to their cybersecurity programs and IGA solution selection specifically, positioning their organizations as proactive instead of reactive.
Identity-first security is an approach that makes identity-based controls the foundational element of an organization’s cybersecurity architecture. It marks a fundamental shift from reliance on static perimeter-based controls that have become obsolete due to decentralization of computing resources, channels, entities (human and machines) and devices.
Identity-first security requires centralized policies to be extended to decentralized assets. In order to control access to decentralized, distributed digital assets in a consistent manner, IAM leaders must combine centralized IAM controls, policies, data, and programs with decentralized and context-sensitive enforcement. For more information, see Identity-First Security Maximizes Cybersecurity Effectiveness.
Business process enablement and efficiency, the initial primary driver/outcome for the IGA market, remains a key driver. In fact, many organizations increasingly recognize that business enablement was likely underprioritized due to the perceived more urgent needs to address compliance and security gaps.
The net result is that IGA is, and likely always will be, a multibusiness driver market for nearly all organizations. The relative priority of compliance, security and business enablement varies across regions and industries. Because of this, vendors that wish to maximize their utility across the market cannot just focus on related IGA features for any one, or even two, of these critical outcomes. They must have sufficient capability to support all of the major business drivers for IGA solutions across industries and regions.

Substantial Innovation in Visibility, Intelligence and Machine Identity

Three areas stand out as currently having the highest volume and fastest pace of innovation:
  • Visibility improvements, including capabilities for more rapid target system integration, improved support for data integration/data management, and enhancements to better support access data relationship visualization
  • Intelligence improvements, including advanced analytics and all forms of AI application to IGA processes and data, including generative AI (GenAI) capabilities for IGA
  • Machine identity governance and administration support, including supporting machine-identity-specific datasets and expanding machine IGA support beyond service accounts to other machine actor types, moving toward full support for all IGA use cases for all machine actors
The first two of these, visibility and intelligence improvements, were called out as high-value areas for enhancement in related Gartner research. (See 4 Data Management Practices to Improve IAM Capabilities and Generative AI for IAM.) While these are not IGA-specific, they have particularly strong potential for improving all IGA processes and capabilities (see Figure 1) due to the data-heavy and high-complexity nature of IGA processes. These capabilities also strongly support all of the top business drivers and associated outcomes for IGA implementations. Further, improved IGA visibility and intelligence capabilities are also important enablers of organizational efforts toward improving IAM hygiene (see Prioritize IAM Hygiene for Robust Identity-First Security).
Figure 1: The Visibility, Intelligence, Action (VIA) Model
The visibility, intelligence, action model highlights that the quality of action depends on intelligence and the intelligence quality depends on visibility. This simply means that leaders must prioritize visibility in IAM processes as it can eventually boost all IAM action controls.

Strong Visibility

Strong visibility is vital to all intelligence, both human and machine. It is not possible to make up for missing or poor-quality data by applying extra intelligence. Specific areas of visibility innovation and improvement we are seeing in IGA solutions include:
  • Advancements in identity data merging and synchronization from multiple authoritative sources
  • Improvements in schema mapping capabilities, spanning authoritative sources, IGA tooling and target systems
  • Advancements in data integration and management for high-volume, file-based integrations (for entitlement data for disconnected applications with no direct IGA integration)
  • Application of identity-graphing techniques to enable improved visibility into identity, account, role, group and entitlement interrelationships
  • Improvement in various new application integration methods, including AI-augmented software engineering to accelerate application integration to IGA products

Intelligence

For intelligence, there are substantial, ongoing advances in analytics, including AI-based analytics, in support of available IGA processes. These advanced analytics capabilities often include:
  • Identification of and recommendations for remediation of overentitlement (least privilege violations), which provide high value for security risk management
  • Recommendations for additional access that is justified for specific actors and proposed rules (both role-based and attribute-based) to automate this access, which are of high value for business/workforce enablement
See Note 1 for a more complete list of potential top-value access intelligence use cases.
When combined, the capabilities above have substantial value for streamlining and simplifying access review/certification processes, which deliver value for compliance.
While the potential value of these use cases is high, the adoption or implementation of access intelligence enhancements by client organizations remains slower than expected. Contributing factors include:
  • Lack of sufficient data/data quality to enable AI/ML-based approaches
  • Lack of familiarity with the capabilities among potential adopters
  • Concerns related to the risk of using AI/ML for access decisions for high-risk access
  • Concerns related to the acceptability of AI-driven approaches to regulators, compliance associates and control oversight teams
  • Requirement to add large language models (LLMs), for GenAI specifically, to keep sensitive client access configuration data out of public LLMs

Machine Identity Management

The management of machine identities has become a critical priority as their numbers exceed those of human identities. These identities include a wide range of nonhuman actors, such as service accounts, containers, IoT devices, AI agents and AI-driven bots, introducing significant complexity and risk. Many organizations continue to struggle with visibility, ownership, and governance of these identities, leading to operational blind spots and increased exposure to security threats.
The rise of AI has both amplified the threat landscape and introduced new security challenges. Gartner’s 2024 IAM Leadership Survey found that 54%[2] of organizations have seen an increase in the number of identity-related breaches, with one in three organizations experiencing increased business interruptions, financial loss or regulatory penalties from such incidents.
Most organizations (62%) have experienced at least one deepfake attack that included some form of social engineering or exploited existing automated processes, according to the 2025 Gartner Cybersecurity Innovations in AI Risk Management and Use Survey.[3] At the same time, AI is being deployed to help manage this complexity through identity threat detection and response (ITDR), which uses behavioral analytics to detect anomalies and automate responses.
The industry is shifting toward a unified identity governance model that treats human and machine identities as parts of a single continuum. This approach improves auditability, reduces risk, and streamlines life cycle management. Emerging practices such as zero trust architectures, continuous adaptive access controls, and decentralized identity frameworks are becoming essential components of identity programs.
Vendors are consolidating IAM capabilities, with significant market moves, such as Palo Alto Networks’ acquisition of CyberArk, demonstrating the strategic value of integrating machine identity into broader security platforms. But cybersecurity leaders (including IAM leaders) can’t handle machine identities without a coordinated enterprisewide effort.
As per the 2024 Gartner IAM leadership survey, 44% of IAM leaders indicated that the IAM team is primarily responsible for managing machine identities in their organization.[2] Thus, managing all machine identities will require a concerted effort and coordination among multifaceted teams. Tooling designed specifically for AI and GenAI environments is also emerging, helping organizations control access, enforce governance, and respond to AI-native risks.
Ultimately, machine identity management demands strategic evolution and cross-practice coordination. Organizations must adopt AI-driven tools, implement unified governance, and embrace new frameworks to handle the scale, speed, and complexity of today’s identity landscape. Failure to do so not only undermines operational security but leaves enterprises vulnerable in an increasingly automated, interconnected world.
IAM leaders should plan to implement IGA-based machine identity management capabilities as part of an identity fabric approach to machine identity and access management that requires technical capabilities like credential issuance and storage, discovery, life cycle management, access control, posture management and monitoring.
IAM leaders should:
  • Clearly identify the high-value use cases and associated capabilities for all of these high innovation areas of IGA.
  • Include strong support of the use cases and capabilities as requirements in their IGA solution-selection processes or their implementation and enhancement plans for existing IGA solutions (including with their existing IGA technology vendors).

Integration and Visibility Specialists Available to Help Solve Integration Challenges

IGA solution implementation has long been known to have a long tail of application integration. This integration effort is necessary to achieve complete visibility into all access. There is some movement by IGA vendors in this area, but there are also a number of vendors specializing in integration (both data and application integration) and visibility. Identity visibility and intelligence platforms can significantly accelerate visibility into and discovery of IAM data, events, configuration and posture, providing a faster, less expensive “single pane of glass” view into all access for all actors in an organization.
In turn, this enables both better IAM risk/posture assessment and recommendations, and more rapid identification of enhancements to improve business enablement and user experience. Some client companies are adopting these integration specialist tools in addition to a primary IGA vendor in order to accelerate target system integration and achieve target visibility coverage. You can read more about identity visibility and intelligence platforms in Gartner’s Hype Cycle for Digital Identity, 2025.
There are different types of specialist vendors that clients with more complex integration challenges may find value in:
  • Identity data integration specialists with capabilities for complex, multiple-source joins, schema translation and protocol translation (example vendors include Aquera and Radiant Logic)
  • Rapid target system integration specialists, including SCIM gateway vendors and app integration specialists (example vendors include Aquera, Cerby and Traxion)
  • Specialists in file-based integration management for disconnected IGA target applications (Aquera, for example)
  • IGA data visibility/visualization specialist vendors that enable modeling of more complex identity, account, role, group and entitlement relationships (example vendors include Elimity, Oleria and Veza)
IAM leaders implementing IGA solutions for more complex and dynamic IT environments should weigh the value of adding an IGA integration and visibility specialist solution to their IGA implementation relative to the acquisition cost. These integration specialist vendors can substantially accelerate integration in highly complex and dynamic IT environments.

Representative Vendors


The vendors listed in this Market Guide do not constitute an exhaustive list. This section is intended to provide more understanding of the market and its offerings.

Vendor Selection

Gartner estimates that there are at least 55 vendors in the IGA market overall (see Table 1). For the 20 vendors listed in this research, Gartner has verified that they offer a SaaS version of their IGA solution, and sell in multiple regions (i.e., they are not a single-region vendor). See also Note 2.

Table 1: Representative Vendors in Identity Governance and Administration

| Vendor | IGA Product | Location of Company Headquarters |
|  | Bravura Identity | Alberta, Canada |
|  | Zilla Identity Security Platform | Massachusetts, U.S. |
|  | Identity life cycle and administration | Ohio, U.S. |
|  | Identity Access Governance | Florida, U.S. |
|  | IBM Verify | New York, U.S. |
|  | Lumos Lifecycle Management, Lumos Identity Security Posture Management | California, U.S. |
|  | ManageEngine AD360, ManageEngine Identity360 | Texas, U.S. |
|  | Usercube | Texas, U.S. |
|  | Omada Identity Cloud | Copenhagen, Denmark |
|  | Identity Governance and Administration | California, U.S. |
|  | OpenIAM Workforce Identity | New York, U.S. |
|  | NetIQ | Ontario, Canada |
|  | Oracle Identity Governance | Texas, U.S. |
|  | Application Access Governance | Colorado, U.S. |
|  | Identity Governance, Identity Management | Colorado, U.S. |
|  | Radiant One | California, U.S. |
|  | Identity Security Cloud, IdentityIQ | Texas, U.S. |
|  | Saviynt Identity Cloud | California, U.S. |
|  | Tuebora Self-Driven IAM | California, U.S. |
|  | Veza Access Security | California, U.S. |
Source: Gartner (October 2025)

Vendor Profiles


Bravura Security

Bravura Security was founded in 1992 as M-Tech Information Technology. It was acquired by Hitachi, Ltd. in 2008 and by Volaris Group in 2022, after which it became Bravura Security.
Bravura Security’s Identity and Access Management solution offers a scalable and fault-tolerant SaaS (Software as a Service) solution for IGA. Bravura Security’s IGA solution is part of a full IAM product suite, the Bravura Security Fabric, which includes Bravura Identity, Bravura Privilege, Bravura Pass, and Bravura Safe.
Bravura Security supports common features such as SOD controls, advanced analytics, access approval and certification recommendations, and identity registration and profile management for nonemployee or business partner populations. From a machine account perspective, Bravura Security supports devices, workloads, services and RPA bots in addition to secret provisioning and reset, including self-service password management and key provisioning/update. The following Bravura Security IGA features are only supported via extensions and customizations: CIEM integration, integration with EAM, and support for shared signals including (but not limited to) CAEP.

CyberArk

Zilla Security, founded in 2019, was acquired by CyberArk in February 2025.
Post‑acquisition, Zilla’s cloud‑native Identity Governance and Administration (IGA) platform has been integrated into the CyberArk Identity Security Platform, with the capability to govern both human and machine identities across hybrid and multicloud environments. The platform remains a SaaS‑first offering that supports integrations across major cloud services, enterprise SaaS apps, and on‑premises systems.
The platform continues to offer the core components Comply and Provisioning as modules within CyberArk’s platform. CyberArk Comply includes access review automation, segregation‑of‑duties enforcement, and audit package generation, while CyberArk Provisioning automates onboarding, role changes, and offboarding workflows with AI‑assisted entitlement decisions.
In addition to traditional IGA capabilities like role‑based access control, SOD controls, policy‑based provisioning, and certification, the platform now embeds advanced AI and machine learning features. These include AI‑generated entitlement recommendations, role modeling suggestions, and contextual risk mapping.
Zilla’s data access governance features remain intact, supporting both structured and unstructured data, and now operate within CyberArk’s consolidated identity security context. The platform also includes native cloud infrastructure entitlement management (CIEM) capabilities.

EmpowerID

EmpowerID was founded in 2005 and offers a converged platform that includes IGA, access management and PAM features.
EmpowerID’s IGA solution is delivered as SaaS, on-premises, or in a private cloud. EmpowerID offers equal functionality across all deployment options through a containerized, microservices-based architecture. For regulated industries requiring alternate hosting, EmpowerID also supports VM-based installations.
EmpowerID supports common features including SOD controls (including fine-grained and cross-application SOD), advanced analytics including prescriptive analytics for policy and role modeling, and AI-based recommendations for access approval and certifications. It also supports identity registration, profile management and delegated administration for nonemployee or business partner populations. The platform also includes over 1,000 prebuilt orchestrations and a visual designer.
From a machine account perspective, it supports devices, workloads, service accounts and RPA bots. Its solution also implements DAG and CIEM, and integrates with externalized authorization management (EAM).

Fischer International Identity

Fischer Identity’s platform is available in both cloud and on-premises deployments (using the same codebase) and is configuration driven.
Core governance functions include identity life cycle automation, access request and approval, certifications, segregation of duties enforcement, role and policy management, and password and credential management. The platform supports both workforce and customer identity scenarios, manages human and nonhuman identities, provides identity registration and profile management for nonauthoritative populations, and uses reconciliation and correlation across multiple sources to prevent duplicate identities.
Fischer Identity also offers self-service password reset, account recovery, synchronization, and key life cycle management along with a configurable account-claim wizard that guides onboarding processes for all populations. Fischer also delivers Managed Identity Services (MIS) for IaaS clients, providing a managed service delivery model for its platform.
The solution provides OOTB capabilities for or integration with systems that provide CIEM and integration with EAM (for shared authorization policy/policy orchestration), as well as delivering a “no-code” platform that is configurable.

IBM

IBM is a large, global IT company that provides both technology and consulting services, as well as its software-delivered hybrid cloud identity governance solution, delivered both as SaaS (IBM Verify) and self-managed (IBM Verify Identity Governance [IVIG]). This solution has evolved from multiple earlier products known as IBM Security Identity Governance and Intelligence (IGI) and IBM Security Identity Manager (ISIM). The SaaS offering includes a combined set of capabilities that incorporates access management, providing a single interface for managing identities, assets, policies, entitlements and governance processes.
IBM’s solution continues to integrate within its broader ecosystem and with external platforms such as SAP and ServiceNow. The product offers RESTful APIs, a developer portal, and standard integrations for ITSM platforms. IBM has a portfolio of connectors, including support for Azure AD, Microsoft 365, SAP NetWeaver, Oracle EBS, Workday, ServiceNow and SCIM-capable HR systems.
IBM Verify’s solutions include a broad set of governance features. These include advanced campaign management for access certifications, a refined role management model supporting low-code configuration, and new import/export utilities for role data. IBM’s embedded Identity Analytics engine has also been enhanced to deliver contextual risk scores, dynamic entitlements analysis, and SOD (segregation of duties) evaluation. A new Operational Visibility Dashboard offers performance and entitlement visibility with faster response times due to caching improvements.

Lumos

Lumos, founded in 2020, is designed to unify identity governance, just-in-time access management, and life cycle orchestration into a single solution. It combines visibility, AI‑driven automation, and entitlement optimization across SaaS, hybrid, cloud-first and on-premises enterprise environments.
Lumos builds on an access graph that ingests data from HRIS systems, identity providers, app permission sets, role groups, and usage signals. This data foundation supports visibility into identities, apps and entitlements at the user, role, and resource level. Lumos supports full identity life cycle management, just‑in‑time (JIT) access and time‑based access and self‑service requests with automated provisioning and deprovisioning. Lumos also has AI‑augmented access reviews, delta‑based change detection, and automated certification workflows.
Albus, a multiagent AI system introduced in 2025, enables self‑improving and autonomous governance. Albus can generate RBAC/ABAC policy recommendations and can trigger automated provisioning and deprovisioning workflows. Its platform includes built-in SaaS discovery, entitlement tracking, cost optimization, SOD, and license reclamation workflows. From a machine‑identity standpoint, Lumos supports life cycle orchestration and policy enforcement across human and nonhuman entities but its native capabilities do not extend to certificate or API‑key governance.
All use cases from Lumos can be deployed with a modular approach, allowing organizations to scale according to their needs.

ManageEngine

ManageEngine is a division of Zoho Corp., a privately held company focusing on software tools for IT services, operations and security. ManageEngine offers IT management products across domains such as IAM, enterprise service management, unified endpoint management and security, IT operations management, security information and event management, advanced IT analytics, and low-code app development.
ManageEngine offers AD360 as a suite of IAM solutions, which includes IGA and AM capabilities, delivered as software. ManageEngine has a cloud-delivered offering that provides the same features as AD360, called Identity360. ManageEngine also offers a unified PAM platform called PAM360 that integrates with ManageEngine’s IAM offerings.
ManageEngine supports common features, including SOD controls, and supports identity registration and profile management for nonemployee or business partner populations. The solution also implements DAG, including structured and unstructured data. From a machine identity perspective, PAM360 supports devices, workloads, services and RPA bots, in addition to secrets provisioning and reset capability for Kubernetes, including self-service password management and key provisioning/update.

Netwrix

Netwrix Identity Manager (formerly Usercube) is a cloud-native IGA solution that is primarily offered as a SaaS platform and can also be deployed on-premises, delivering equal functionality. Netwrix also continues to offer Directory Manager (formerly GroupID), a Microsoft-centric identity and group management tool that is not SaaS-delivered.
Netwrix Identity Manager delivers identity life cycle management, access certification, and workflow-based provisioning for both internal users and external populations such as contractors and business partners. The platform supports role-based access control, delegated administration, and self-service capabilities. The broader Netwrix portfolio includes solutions for privileged account management (Privilege Secure), identity threat detection and response (Threat Manager), data classification (1Secure DSPM Edition), entitlement management, and governance of both structured and unstructured data (Access Analyzer).
From a machine identity standpoint, the platform supports management of devices, service accounts, workloads, and robotic process automation (RPA), with features for secret provisioning and automated resets. Netwrix’s emphasis on unified visibility and governance is reinforced by the integration of its AI-powered engine, which enhances the platform’s ability to analyze policies, optimize role models, and improve search and audit functions. This AI-driven capability enables organizations to detect anomalies, streamline access decisions, and maintain continuous compliance with evolving security requirements.

Omada

Omada is a privately held company founded in 2000 that today offers two full-featured IGA products, Omada Identity Cloud (cloud native SaaS solution) and Omada Identity (software).
Omada’s cloud platform is architected with policy-based configuration, eliminating the need for custom code. Omada has a best-practice framework called IdentityPROCESS+ that is available to decrease its Identity Cloud deployment time.
Omada Identity Cloud supports common features such as SOD controls, advanced analytics (including prescriptive analytics to enable rapid improvements for policy and role modeling), intelligent access approval, and certification recommendations. “Javi,” Omada’s AI assistant, helps users streamline tasks, answers questions, and provides support by leveraging artificial intelligence to enhance productivity and decision making. Omada extends identity life cycle management to nonemployee and business partner populations, supporting identity registration and profile management.
For machine identities, Omada provides identity life cycle management and identity data integration for devices, workloads, services and RPA bots, in addition to secrets provisioning and reset capability (including self-service password management and key provisioning/update).

One Identity

One Identity Identity Manager offers complete IGA capabilities, and can integrate with PAM and access management (AM) solutions such as One Identity Safeguard and OneLogin. One Identity also offers an equivalent SaaS solution called One Identity Manager On Demand. One Identity also offers Active Roles, a product that simplifies the management and operation of a customer’s Microsoft AD and Entra ID environments.
One Identity Manager supports all of the common features, such as SOD controls, advanced analytics (including prescriptive analytics to enable rapid improvements for policy and role modeling), access approval and certification recommendations, and AI-based assistants. It also supports identity registration and profile management for nonemployee or business partner populations.
From a machine identity perspective, it supports devices, workloads, services and RPA bots, in addition to secrets provisioning and reset capability (including self-service password management and key provisioning/update). This solution also implements DAG for unstructured data, integrates with CIEM and EAM, and supports CAEP.

OpenIAM

OpenIAM, which has expanded across the U.S., Europe and Asia since its founding in 2008, focuses on a developer-centric solution. OpenIAM provides an open-source IGA platform, allowing businesses and developers to incorporate any customizations needed.
OpenIAM offers an on-premises deployment and a software-as-a-service (SaaS) offering. Additionally, OpenIAM is free to download.
OpenIAM supports common features such as SOD controls, identity registration and profile management for identities or attributes not managed by another authoritative source (commonly nonemployee workforce or business partner populations). Also, OpenIAM supports identity life cycle management and identity data integration for machine identities (devices, workloads, services, RPA bots) and associated accounts. OpenIAM also supports secrets provisioning and reset capability, including self-service password management and key provisioning/update, and OOTB capabilities for or integration with systems that provide cloud infrastructure entitlement management (CIEM).

OpenText

OpenText is a publicly traded company that announced its acquisition of British software firm Micro Focus in 2022, with which it entered the IGA market.
OpenText IGA is offered as a SaaS solution, either single-tenant or multitenant, and is also available as an on-premises solution.
OpenText supports some common features such as SOD controls, advanced analytics including support for generative AI, access approval and certification recommendations, and identity registration and profile management for nonemployee or business partner populations. From a machine account perspective, it supports devices, workloads, services and RPA bots in addition to secrets provisioning and reset, including self-service password management and key provisioning/update.
The following OpenText IGA features are supported only via extensions and customizations: CIEM integration, integration with EAM, and support for shared signals including (but not limited to) CAEP. OpenText also has risk-based scoring of authentication and authorization as well as integration with regulatory frameworks including GDPR, CCA, etc. Real-time modeling, adaptive authorization models and risk-based decision making were also introduced.

Oracle

Oracle provides identity governance and administration (IGA) solutions that support both on-premises and cloud deployment models. The main products in Oracle’s IGA portfolio are Oracle Identity Governance (OIG) and Oracle Access Governance (OAG).
OIG is designed to be deployed on-premises and offers features such as user provisioning and deprovisioning, role management, access requests, approval workflows, access certification, and policy enforcement. It also supports integration with enterprise applications and infrastructure, including both Oracle and non-Oracle systems.
OAG is a cloud-native service intended for use in cloud and hybrid IT environments. Its capabilities include access reviews, risk analysis, policy violation remediation, and integration with cloud platforms and SaaS applications.
Both OIG and OAG provide identity management functions such as delegated administration, identity analytics, reporting, and support for compliance requirements through audit trails and policy enforcement. The solutions are compatible with third-party applications and directories and support features like segregation of duties and automated compliance checks.
Oracle’s IGA products are used to manage user identities, control access to resources, and meet security and regulatory requirements in various IT environments.

Pathlock

Pathlock is an identity security and application access governance platform that supports common features such as SOD analysis and controls, advanced analytics (including prescriptive analytics to enable rapid improvements for policy and role modeling), access approval and certification recommendations via their User Access Review and Certification module, and AI-based assistants. Their Compliant Provisioning module addresses identity life cycle management with built-in controls that prevent risk and eliminate SOD violations at the time of provisioning. Their Dynamic Access Controls (DAC) layer offers runtime authorization at a data field level, assessing contextual factors such as user location, role, device type, and time of access.
Pathlock leverages advanced analytics to provide actionable insights into user behavior, access trends, and risk indicators. For organizations that operate across multiple business units or geographies, Pathlock offers federated governance capabilities, along with integration using its Pathlock Connector Studio.
Pathlock also offers governance capabilities for third-party or nonemployee identities. From a machine identity perspective, it supports application service accounts, devices, workloads, services and RPA bots, in addition to secrets provisioning and reset, including self-service password management and key provisioning/update.

Ping Identity

Ping Identity entered the IGA market in August 2023 through its acquisition of ForgeRock, integrating ForgeRock’s mature identity governance capabilities into the Ping Identity Platform.
Ping Identity Governance delivers core IGA functions, including access request management, access certifications, segregation of duties controls, analytics for policy and role modeling, just-in-time life cycle management, and workflow integration with ITSM systems.
As a core capability of the Ping Identity Platform, Ping Identity Governance enables organizations to extend their identity governance deployments with native identity verification-based onboarding, help desk and self-service flows, contextual risk and fraud prevention, and comprehensive access management. The platform provides automated identity life cycle management for identity data ingestion and governance decision fulfillment, supporting governed management of employees, non-employees, customers, and B2B/business partner populations.
For machine identities, Ping Identity Governance supports devices, workloads, services, RPA bots, and application service accounts. It includes secrets provisioning, password management, and key updates. The solution also integrates with enterprise authorization management (EAM) for policy orchestration and supports shared signals such as CAEP, with the ability to send, receive, and respond to these signals.

Radiant Logic

Radiant Logic, founded in 1995, started by unifying fragmented identity data from different systems into a centralized virtual directory. In 2023, it acquired Brainwave GRC, a company specializing in analytics and governance reporting. Radiant Logic serves as an identity and access data system of record for identity and access intelligence, IGA and runtime authorization. Radiant Logic was previously considered a light IGA (identity governance and administration) solution, but has expanded its capabilities to provide identity visibility and intelligence, and AI access for administration.
RadiantOne offers deployment options as a fully managed SaaS, on-premises, or hybrid cloud solution. It supports standard protocols such as LDAP, SCIM, and RESTful APIs.
Radiant Logic offers features such as hygiene controls, automated risk-based access reviews, role mining, compliance, audit readiness, policy orchestration, segregation of duties, and SCIM support for integrations. The RadiantOne platform delivers actionable insights and risk scoring through built-in identity analytics, continuously monitors identity events across systems using a graph-based model, and flags anomalies on dashboards. Its AI Data Assistant (AIDA) automates identity analytics and recommends corrective actions in real time.
RadiantOne supports nonemployee resource management and machine identity, including service accounts, API keys, bots, workloads and IoT devices.

SailPoint

SailPoint offers IdentityIQ (on-premises) and Identity Security Cloud (multitenant SaaS-based). Identity Security Cloud is built on top of SailPoint’s multitenant Atlas SaaS platform. Identity Security Cloud is licensed in three options: Standard, Business and Business Plus.
SailPoint offers SOD controls and predictive and prescriptive analytics (for example, policy and rule modeling, access approval and certification recommendations, and AI-based assistants). It supports identity registration and profile management for identities not managed by another authoritative source (commonly nonemployee workforce or business partner populations).
SailPoint also offers identity life cycle management and identity data integration for machine identities (devices, workloads, services, RPA bots) and associated accounts. For machine accounts, SailPoint supports secrets management for the accounts customers use to connect Identity Security Cloud to their applications. Also, SailPoint supports data access governance for structured and unstructured data, and OOTB capabilities for integration with systems that provide CIEM and integration with EAM (for shared authorization policy/policy orchestration).
In addition, SailPoint supports shared signals, such as CAEP, including the ability to send shared signals and receive and respond to shared signals. SailPoint also has dynamic access for roles, the ability to add context to access model metadata, and a new data segmentation feature addressing delegated administration.

Saviynt

Saviynt was founded in 2011 with company headquarters in El Segundo, California and launched its cloud-based product in 2015.
Saviynt’s IGA product is part of a platform, Saviynt Identity Cloud, comprising multiple products, including IGA, privileged access management (PAM) and application access governance (AAG), external identity and risk management, machine ID management, and identity security posture management. Saviynt Identity Cloud is delivered as a SaaS solution. The same solution can be delivered as a virtual appliance for hosting in clients’ data centers, third-party managed service provider (MSP) data centers or customer cloud infrastructure.
Saviynt supports all common features, including SOD, advanced analytics using AI (as part of the “Saviynt Intelligence” suite used to make peer group recommendations) and ML that supports risk scoring at both user and application levels. Its solution includes policy and role modeling, access approval recommendations and certifications.
In addition, Saviynt supports identity registration and profile management for nonemployee or business partner populations, as well as machine identities including devices, workloads, services, RPA bots, and AI agents. Secrets provisioning, along with self-service password management, structured and unstructured data support, CIEM, integration with EAM, and CAEP are also supported.

Tuebora

Tuebora offers an IGA solution that applies machine learning to streamline access administration automation in access requests, policy generation and role management.
Tuebora’s IGA solutions include Prescriptive Analytics and Access Control, which provides access management capabilities. Tuebora’s solution set is delivered as both software and as SaaS.
Tuebora also offers an AskTuebora Service, an agentic solution that supports various IGA processes such as application onboarding, workflow orchestration, identity schema design and reporting.
Tuebora supports common features such as SOD controls, advanced analytics (including prescriptive analytics to enable rapid improvements for policy and role modeling), access approval and certification recommendations, and AI-based assistants. It also supports identity registration and profile management for nonemployee and business partner populations. From a machine identity perspective, Tuebora supports life cycle management for devices, workloads, services and RPA bots in addition to secrets provisioning and reset (including self-service password management). Its solution implements DAG, CIEM and integration with EAM systems.

Veza

Veza was founded in 2020 and is headquartered in Los Gatos, California. Veza Technologies, Inc. is a company providing identity and access security solutions across cloud infrastructure, data systems, SaaS, and on-premises applications. Powered by the Veza Access Graph, Veza’s platform aims to improve visibility, control permissions, enforce least privilege and remediate identity and access management issues.
Veza is delivered as a cloud-based SaaS solution. Its Access Governance package provides core IGA capabilities, while the broader Access Platform extends into identity security. Veza delivers functionality across governance, life cycle management, and machine identity security. Governance and analytics features include segregation of duties (SOD), AI/ML-driven advanced analytics, and risk scoring at both user and application levels. Policy and life cycle management capabilities span role and policy modeling, access approval recommendations, certification workflows, and support for identity registration and profile management of nonemployees.
Machine identity security is enabled through governance for devices, workloads, services, RPA bots and other machine identities. Extended capabilities also include structured and unstructured data access controls, cloud infrastructure entitlement management (CIEM), and integrations with enterprise authorization management (EAM).

Market Recommendations


IAM leaders should:
  • Clearly outline and prioritize their organization’s required outcomes (business drivers) for IGA implementation, including the relative priority of security, compliance, business enablement and efficiency/cost-effectiveness:
    • Select IGA solutions based on support for required outcomes, relative to both short-term requirements and strategic long-term requirements. Full IGA solution implementations, including target system integrations, take years, so they need to select an IGA solution that will meet strategic/long-term needs as well.
  • Accelerate the realization of business value from IGA investments:
    • Fully leverage the visibility (data integration and management) and intelligence (AI/ML-based analytics) capabilities provided by existing vendor products and prioritize visibility and intelligence features in any IGA technology purchase decision.
    • Carefully evaluate their needs for IGA capabilities for machine actors/identities, and include these use cases in their IGA solution selection process as well.
    • Plan the IGA components of their machine identity management strategy as part of an identity fabric approach that includes integration with required secrets management and PAM capabilities. (Do not assume all machine IAM needs can be met with just one IGA solution.)
  • Evaluate supplemental IGA visibility and integration specialist vendors where requirements for speed of integration and/or acceleration of more comprehensive access visibility can’t be met with existing IGA technology. This can include SCIM gateway solutions, for example.

Evidence


2 2024 Gartner IAM Leadership Survey. This survey sought to understand identity and access management (IAM) leaders’ approach to building IAM strategy, aligning with business and cybersecurity goals, and collaborating with cybersecurity functions. The combined data represents responses from 335 IAM leaders globally across industries, geographies and revenue bands, and was collected from August 2024 through October 2024. This research was further substantiated and informed by in-depth practitioner interviews with over 50 IAM leaders to understand their goals and challenges while managing their organization’s IAM program. Gartner created measures to determine an IAM leader’s ability to deliver against key outcomes. Gartner then used regression analysis to measure and identify the most impactful approaches for improving their ability to deliver key outcomes. Disclaimer: The results of this study do not represent global findings or the market as a whole, but reflect the sentiments of the respondents and companies surveyed.
3 2025 Gartner Cybersecurity Innovations in AI Risk Management and Use Survey. This survey was conducted to understand how organizations are managing the cybersecurity risks of generative AI (GenAI) and AI techniques that support it. The research was conducted online from 21 March through 9 May 2025 among 302 cybersecurity leaders in the North America (n = 181), EMEA (n = 71) and Asia/Pacific (n = 50) regions. Qualifying organizations reported enterprisewide revenue of at least $250 million or equivalent for fiscal 2024, and qualifying respondents were senior cybersecurity management involved in activities related to AI cybersecurity risk management within their organization. Disclaimer: The results of this survey do not represent global findings or the market as a whole, but reflect the sentiments of the respondents and companies surveyed.

Note 1: Potential Top-Value Access Intelligence Use Cases


  • Identifying orphan and rogue accounts and those with assigned entitlements that haven’t been or aren’t being used.
  • Identifying/assigning risk ratings for entitlements, accounts and identities.
  • Identifying privileged access and accounts (discovery).
  • Rapidly identifying instances of overpermissioning (least privilege violations) for remediation.
  • Providing approve/deny recommendations for access reviewers and approvers.
  • Providing suggestions for access requesters/recipients (“it looks like you need/will need this access”).
  • Role modeling/role engineering for organizations using role-based access control (RBAC) to reduce role structure maintenance costs.
  • Rapidly identifying role-based and attribute-based rules for automation (birthright access) to enable organizations to accelerate access administration automation and manual administration reduction (both labor and costs).

Note 2: Gartner’s Initial Market Coverage


This Market Guide provides Gartner’s initial coverage of the market and focuses on the market definition, rationale for the market and market dynamics.