Buyer’s Guide for Identity Governance and Administration

24 June 2025 - ID G00828641
By Steve Wessels, Paul Mezzera and 4 more
Buying an identity governance and administration system is expensive and can be confusing. Often, identity and access management leaders are overwhelmed with features and functionality, leading to frustration and impulse buying. Following these steps will help IAM leaders to select the best IGA solution.

Overview


Key Findings

  • Buying decisions for identity governance and administration (IGA) solutions are typically driven by a production issue, like an audit finding or breach, and often don’t include strategic planning alignment with other teams outside of identity and access management (IAM).
  • IAM leaders often find it challenging to fully communicate an organization’s needs and business context to IGA vendors through an RFP alone. Additionally, IGA RFPs frequently contain an extensive list of superfluous questions, riddled with information bias, that offer minimal value in differentiating tools. This lack of objectivity can render the selection process overly vague and, at times, too exclusive.
  • New IGA trends, which include AI, machine learning, visibility vendors, augmentation vendors and machine IAM and IT service management (ITSM) tools that provide some IGA capabilities, have changed buying behaviors.
  • Many organizations prioritize individual features or components when selecting IGA vendors. This approach often results in unforeseen implementation complexity and maintenance costs, catching IGA leaders off guard and undermining long-term value realization.

Recommendations

As an identity and access management leader responsible for choosing an IGA solution to enhance identity and access management, you should:
  • Align the RFP with the overarching IGA program strategy by documenting the intended business outcomes for the IGA initiative, ensuring alignment with teams beyond the IAM department.
  • Clearly convey your business requirements, use cases and expectations to vendors by including a current inventory of regulatory and financial applications, all documented use cases and initial expectations at the start of the RFP document. Additionally, ensure the IGA RFP is concise by limiting the number of requirements to those that will significantly impact your planned business outcomes.
  • Broaden your search by taking into consideration the latest IGA trends, such as AI, identity and access intelligence (IAI) and improved application onboarding.
  • Draw up a viable shortlist of vendors by requesting an implementation proposal to be evaluated together with the product licenses.

Introduction


Identity governance and administration is a foundational IAM program component.
Organizations today operate in increasingly complex digital ecosystems where users — human and machine — need timely, appropriate and secure access to data and systems. Identity governance and administration is the backbone of identity and access management, ensuring access rights are aligned with business roles, compliance mandates and security policies.
Legacy IGA systems are struggling to keep up. The shift to hybrid IT, widespread SaaS adoption and a surge in machine identities has exposed the limitations of traditional role-based models and manual certification processes. Meanwhile, regulatory requirements are growing more stringent and stakeholders demand better auditability, automation and user experience. This misalignment between existing capabilities and emerging demands creates risk, inefficiency and operational drag.
Without a modern IGA strategy, organizations risk overprovisioning access, failing audits, delaying user productivity and being unable to scale governance across cloud environments. The cost of inaction is no longer theoretical; it manifests in real breaches, compliance violations and missed opportunities for digital agility.
So how can IAM leaders select an IGA solution that not only meets today’s governance requirements but also adapts to the dynamic needs of tomorrow’s identity landscape? This buyer’s guide provides a strategic framework for evaluating IGA solutions, grounded in the latest market trends, architectural shifts and operational demands. It outlines essential capabilities such as identity life cycle automation, access review effectiveness, risk-aware decision making and integration flexibility.
Whether you are modernizing an outdated system or making a first-time investment, this guide will help you identify vendors and solutions aligned to your business, regulatory and digital transformation goals. This research further supports IAM leaders by adding actionable advice specific to buying the right IGA solution. It also describes the most critical elements of success at each step of the way to effectively select an IGA tool during the RFP process (see Figure 1).
Figure 1: Five Steps of an IGA Buying Journey
The IGA buying journey follows five steps: drivers, inventory and use cases, trends, requirements and selection, progressing from defining vision and architecture to building a business case, with focus shifting from external to internal considerations.

Analysis


Document the Planned Business Outcomes of the IGA Initiative

Many IGA initiatives fail because they are not created with business outcomes in mind. Aligning the IGA initiative’s objectives with business drivers helps establish relevance for the organization and increases the likelihood of funding. This is done by linking the IGA buying process with the goals and values of the organization it supports, and it starts with translating the goals communicated through the overall business strategy. For example, set the right expectation with business partners and technical stakeholders on any customizations that may be required to support the business.
IAM leaders must obtain consensus from stakeholders and select value propositions for the initiative that are aligned with the desired business outcomes. The most important business outcomes of an IGA initiative are described in the four drivers in Figure 2.
Figure 2: IGA Business Drivers and Related Core Value Propositions
IGA delivers value by improving operational efficiency, security and risk management, compliance and business enablement through centralized access controls, risk mitigation, oversight and enhanced user experiences.
Each business driver shaded in dark blue in Figure 2 should be linked to specific technical goals or core value propositions. For instance, if compliance is the primary business objective, the technical goals should include enforcing segregation of duties (SOD), certifying the appropriateness of user access and ensuring oversight and accountability. Those should be mandatory expectations in the RFP and everything else should be “nice-to-have” or optional.
IAM leaders should create a working group that includes stakeholders from each line of business, as well as primary user roles such as audit, project management (PMO), HR, application owners, system owners, IT architecture and security teams. This IGA working group should agree to implement the following practices:
  • Define a high-level list of deliverables for the IGA initiative in a responsible, accountable, consulted and informed (RACI) matrix (see Table 1).
  • For each IGA deliverable, identify the accountable and responsible stakeholders. Each deliverable must have a single accountable stakeholder.
  • Require each accountable stakeholder to identify the necessary responsible stakeholders and their corresponding responsibilities.
  • Identify informed and consulted stakeholders and record each participant in the RACI matrix.
  • Task this team of stakeholders to define the drivers and goals for the IGA RFP in the next step of the IGA buying process (clearly communicate your expectations and context to vendors).
  • Ensure internal audit and data privacy representation. This is a must-have, particularly for global implementations that may involve transfer/use of data (such as employee, customer or supplier) across borders. These staff members will often need to coordinate with evaluation team regional leads to ensure consultation with relevant work councils as part of requirements gathering and process definition.

Table 1: Example of a RACI Matrix With Mapping of Required Stakeholders to Procure an IGA Solution

| Deliverable | Description | Audit team | IAM team | Application support | Enterprise architecture (IT) | Information security |
|---|---|---|---|---|---|---|
| Management of authoritative identity sources | Provide timely and accurate authoritative identity data | I | C: Specify requirements for access to data | R, A: As owners of the data, need to provide access and, for example, maintain 99.9% SLA | I | I |
| Entitlements management, segregation of duties, role-based access control | Maintain accurate and descriptive entitlement data to facilitate access requests and certifications | I | R, A: Provide platform to manage entitlements | R: Provide subject matter expertise to update entitlements | I | I |
| Audit reports | Provide reporting interface to create reports to satisfy audits | R: Provide requirements | R: Create the reports in IGA platform | I: Provide input if application is part of an audit requirement | I | C: May specify requirements for audits |
| Application access | Provide access to underlying identity and entitlement data to manage identity life cycle and entitlements | I | R: Integrate to application using connectors | R, A: Support and availability of APIs that provide access to identity data | I | I |

R = responsible; A = accountable; C = consulted; I = informed
Source: Gartner
Involving a broader team in your IGA stakeholder decision-making process may take longer, but the benefit of avoiding issues down the road far outweighs the extra effort of managing a wider team of stakeholders.
IAM leaders should ensure the list of stakeholders and individual responsibilities are reflected in the overall IGA strategy by updating the overall IGA program vision document (see IAM Leaders’ Guide to IAM Program Management).

Include an Inventory of the Current IGA Environment and Expectations

Define your use cases: After defining the main business drivers for building an RFP in the first step, IAM leaders should start by choosing which focus-oriented use cases are most aligned with each stakeholder’s drivers:
  • Security and governance-focused: Organizations of any size that focus on security and governance are concerned primarily with managing and enforcing access policies and demonstrating control over user access through functionality like access reviews and certifications, along with SOD and regulatory reporting and audit trails. These use cases are more aligned with drivers like security and risk management, and compliance.
  • Automation and user-experience-focused: Provisioning is the original automation and user-experience-focused use case for IGA deployments, targeting operational efficiency and cost reduction through reducing manual workload and faster onboarding/offboarding processes. These use cases are more aligned with drivers like operational efficiency and business enablement.
IAM leaders must focus on the use-case type that matters most to their organization by giving it a heavier weight. High-quality RFPs give more importance to the requirements that are useful for differentiating the solutions evaluated. Too many requirements with the same weighting will generate poor responses that are harder to compare.
Some organizations will invariably be more aligned with an automation and user-experience-focused use case. If this is true, IAM leaders should prioritize fulfillment capabilities, including a comprehensive list of out-of-the-box connectors that is aligned to the main target systems in the organization. For economic or technical reasons, not all target systems will be good candidates to be integrated via automated fulfillment.
Out-of-the-box integration with ITSM (or other intermediary solutions, like SaaS-delivered IGA or RPA, for example) should be an important capability to evaluate. At the very least, the IGA vendor should provide a very robust case management system for handling provisioning requests to disconnected target systems and for addressing those indirect fulfillment scenarios.

Assess the Latest IGA Market Trends When Building Your Strategy

Now is the time to look outside of the organization and study market and industry trends. Defining an IGA roadmap that addresses both tactical and strategic goals will position you to meet the requirements and challenges of the future (see Figure 3).
Figure 3: IGA Buying Trends
This figure shows industry buying trends for IGA.
Trends to consider:
  1. ITSM/human capital management (HCM) solutions: ITSM solutions with light IGA capabilities are alternatives to a full IGA platform. Full-featured ITSM tools, like ServiceNow or Zendesk, that integrate or embed light IGA capabilities are good options, especially for unified access requests and password management. HCM solutions like Workday, for example, have also started to offer light IGA capabilities for user account provisioning into Active Directory domains.
  2. CIEM: Cloud infrastructure entitlement management (CIEM) tools help enterprises manage cloud access risks via administration-time controls for the governance of entitlements in hybrid and multicloud infrastructure as a service (IaaS). They use analytics, machine learning (ML) and other methods to detect anomalies in account entitlements, like accumulation of privileges, and dormant and unnecessary permissions. CIEM ideally provides enforcement and remediation of least-privilege approaches. Some vendors providing CIEM capabilities also provide coverage to on-premises applications to support hybrid environments. An IGA system is fed data on entitlements, accounts, identities and access logs from multiple sources, such as IaaS, software as a service (SaaS) and on-premises systems. If your IGA system does not have the ability to connect and gather required data from IaaS and SaaS systems, consider using a CIEM solution to supplement your IGA system and enable access governance.
  3. Machine identity: Treat machine identities as distinct identity types that need to be discovered, managed and governed in a similar way to human identities. Since most IGA solutions typically only cover “accounts,” ensure IGA tooling supports your use cases for accounts that are used in machine-to-machine interactions/service accounts, as well as built-in accounts.
  4. Identity fabric: The market is shifting to IGA solutions connecting devices and applications using modern APIs and other “wiring.” IGA leaders should target standards-based solutions that link solutions, applications and other devices. Specifically, for IGA this means use of System for Cross-Domain Identity Management (SCIM) and API access to insights, risk decisions and data that can support other security tooling as part of an identity fabric. Equally it means looking to IGA vendors that have plans to take external input into their analytics decision-making processes.
  5. Customer identity and access management (CIAM): Business customers now routinely use more digital services, conduct more complex and sensitive interactions and otherwise engage more deeply with organizations online. Cybercriminals are increasingly targeting third-party access. These changes are placing additional demands on IGA infrastructure for external customer relationships. So, which IGA tools should you look at now for delegated administration, federation, governance, authorization and access management functionality for your customer users? How should you handle delegated administration for external users like business partners, brokers and other types of supply chain providers? This is one of the biggest feature differences between external customer IGA (which may focus on both businesses and individuals) and consumer IGA (which focuses on individuals). In response to these trends, organizations with external customer users are increasingly looking to IGA tools that support both types of customer users in a single offering. Gartner has identified a sharp increase in interest in CIAM based on the volume of inquiries it receives.
  6. AI: AI is rapidly becoming a transformative force in the IGA space, offering the promise of smarter, more efficient identity life cycle management, access certifications, application onboarding and policy enforcement. When evaluating IGA solutions with AI capabilities, buyers should look beyond the buzzwords and assess how AI is practically applied. Consider things like automating role mining, detecting anomalous access patterns or recommending access rights. It’s also important to consider the transparency and explainability of AI-driven decisions, the ability to tune models to your organization’s unique context and how AI integrates with existing governance workflows. Ultimately, AI should enhance, not replace, human oversight and risk management, helping organizations scale governance while maintaining control.
  7. Visibility and observability: Modern IGA solutions are increasingly incorporating advanced analytics and reporting capabilities that provide comprehensive insights into user activities, access patterns and potential security risks. This trend is driven by the growing need for organizations to not only manage identities and access but also to continuously monitor and understand how access is being utilized across the enterprise. Enhanced visibility allows organizations to quickly identify anomalies or unauthorized access attempts, thereby improving their security posture. Observability, on the other hand, enables a deeper understanding of the system’s internal states by providing real-time data and metrics, which are crucial for troubleshooting and ensuring compliance with regulatory requirements. As organizations continue to face complex security challenges, investing in an IGA solution with robust visibility and observability features becomes essential for proactive risk management and maintaining a secure, compliant environment.
In your discussions with potential IGA vendors, ensure that a vendor’s future outlook matches your vision. Evaluate how much you trust the vendor to adequately address future requirements. Use your vision as a filter, rather than polluting an RFP with a long “laundry list” of every possible feature that you think you may need in the future.

Write a Precise Identity Governance RFP Using Only the Essential Requirements

Historically, some organizations have chosen not to reveal business priorities to vendors in the RFP, or omitted those details by mistake. They believed that vendors would custom tailor their responses to make the solution appear to be a better fit. Gartner recommends, however, disclosing requirement priorities throughout the evaluation process. The more the vendor knows about the needs of the prospect in advance, the better it is able to effectively qualify its ability to make the prospect a happy customer.
There are instances when IAM leaders may feel that sharing too many details about their company’s technology infrastructure could pose a potential risk. In that case, provisioning target and authoritative source information, for example, could be shared under an NDA. However, providing high-level provisioning target names, or at least an explanation, would be helpful when selecting and filtering the best vendors. This is particularly true if the target is based on custom or homegrown technology, or if it offers provisioning APIs.
Here is a list of the six most important items to include right at the beginning of the RFP process:
  • One single business driver, many technical goals
  • All authoritative sources of identities
  • Major provisioning targets
  • High-level description of the current IT environment architecture, including number and types of users
  • Other systems (apart from provisioning targets) that must be integrated, such as: ITSM, privileged access management, access management and multifactor authentication.
  • Security principles and compliance restrictions
This will help attract the attention of the right vendors and will be the best way to filter out vendors that would fail to address your most important requirements, drivers and principles. For example, if your organization’s security compliance dictates that user data must not leave country borders, that would restrict any SaaS-delivered vendor that operates and hosts outside the country from bidding. The same applies to target systems. If a vendor doesn’t have a native connector to a critical target application, this deficiency should be communicated early in the process, which would save precious time during the evaluation.
Gartner’s suggested weightings are listed in Figure 4. This guidance can be adjusted according to the requirements of each organization.
Figure 4: IGA Required Capabilities Mapped to Business Drivers
This figure shows the IGA critical capabilities mapped to use cases.

Create a Viable Shortlist of Vendors

IGA tools are complicated and their deployment affects multiple teams and business processes. Because IGA deployments are complicated, there is a risk that something could go wrong, which could result in extended deployment timelines and even require rework from the system integrator or professional services vendor. Refer to Best Practices for Managing IAM Vendor Partnerships.
Modern IGA architectures enable deployment flexibility with cloud-hosted and cloud-architected IGA options, which will reduce overall maintenance overhead and total cost of ownership. Whenever possible, IAM leaders should declare a preference (by providing a higher weighting) for SaaS-delivered IGA approaches, especially for midsize and large enterprises.
On-premises IGA is also an option, with software delivered for deployment within an organization’s own infrastructure. This allows for a much higher level of customization, but the cost of infrastructure maintenance and overhead of administration makes this a far less appealing option.
IAM leaders should be very precise with the selection of required capabilities in the previous section to ensure a SaaS-delivered, cloud-architected IGA solution will be a good fit.
Incorporating these leading practices into the IGA technology evaluation team’s methodology and plan will significantly increase the likelihood that the team gathers sufficient data to have a clear and objective view of the pros, cons and implications of each evaluated solution. It is difficult (if not impossible) to eliminate all bias from the selection. You can, however, arm your selection team with the right data to weigh all the trade-offs and build stakeholder consensus on which solution is the best fit for the organization.

Evidence


This research has been evidenced by client interactions and existing Gartner research.