What strategies do you use to ensure IAM solutions are sufficiently composable to adapt to changing business needs?

IAM is a complex topic and usually needed and available capabilities vary from case to case and from solution to solution. 
If you look at the major components or high level capabilities like IGA, PAM, AM. One could think of multiple points of composability , e.g.
- Ability to connect to multiple identity sources and consumer systems, 
- Ability to adapt the data models and configurations from different scenarios.
- Ability to use unified identity flows for SSO through standardized interfaces and integrations. 
- Ability to customize policies 
- Ability to  customize workflows for multiple user-group across the user groups.
- Ability to adapt to different risk scenarios.
- Ability to utilize and benefit from near future proof capabilities , e.g. IPA, LLMs, etc.

I focus on this set of measures to secure composability in my reference architecture and roadmaps, however some other scenarios may require different approach according to stakeholder needs and compliance requirements . And this led me to heterogeneous solution of Sail point for IGA + CyberArch for PAM + Ping identity for am.
I hope this helps you see through the confusion Let me know if there is any specific question you wish to address.

We work closely with our enterprise architecture team to establish standards that integrate security into the planning stages of application development. By involving IAM-related tasks early in the project management process, we avoid last-minute surprises and enhance our security posture. While this approach remains challenging, it is gradually helping us achieve better security outcomes.

We are addressing legacy systems by implementing open standards like SAML to ensure interoperability across multiple systems. Our focus is on API-first design principles for authentication, provisioning, and policy enforcement within IAM platforms. We are also leveraging policy as code to implement authorization and access logic, allowing us to adopt new rules without extensive application rewrites. This strategy is helping us gradually improve our IAM infrastructure.

In my experience, particularly during mergers and acquisitions, it's crucial to have an orchestration layer or hybrid ecosystem that can implement RESTful APIs. This allows business applications to integrate seamlessly with IAM tools, such as CyberArk, SailPoint, or Transmit Security, enabling SMFA (silent multi-factor authentication). This orchestration layer can adapt to evolving technology stacks. We are also incorporating AI-based technologies to identify role consolidations and toxic combinations, allowing for fine-grained authentication policies. This strategy enhances efficiency and agility, enabling us to transition smoothly between technologies like CA SiteMinder, Ping Identity, Okta, and newer tools like Transmit Security.