
Introduction
The Identity Governance & Administration (IGA) landscape is evolving rapidly. SailPoint’s return to the public market sparked fresh conversations – not just about the company, but about the limitations of the legacy identity governance systems that many organizations still rely on. These systems were built for yesterday’s identity needs, not today’s fast-moving, cloud-first reality. Not surprisingly, customers of legacy IGA are increasingly frustrated and actively asking what should come next.
Why Replace Something That’s Working?
Many organizations still find their legacy IGA tools “good enough” for the tasks they were scoped to handle years ago. But today’s access governance requirements—cloud-native apps, non-human identities, dynamic risk contexts—demand more. That was one topic raised in a conversation I recently had with a healthcare industry CISO (and SailPoint customer) that really got me thinking about SailPoint and legacy IGA solutions in general.
The CISO shared that he, as a SailPoint customer, simply wasn’t looking to SailPoint for vision or technical leadership, and that he believed many of SailPoint’s other customers weren’t either. He went on to say that his organization, like many others, deployed SailPoint years ago and found it to work “just fine” for its original intended purposes. And, while it may have taken more effort and cost more to deploy than originally anticipated, it was doing exactly what the organization brought it in to do all those years ago – nothing less, but definitely nothing more!
To give an analogy, if your 20-year-old Ford Taurus remains mechanically sound, drives well, and can still haul groceries and passengers around town, then there may not be a great reason to upgrade to a fancy new self-driving electric SUV. But while your 20-year-old sedan might still get you from A to B, real-time GPS, collision avoidance, and adaptive cruise control are the standards these days, and that old ride just can’t keep up.
So, the thesis isn’t about throwing out an old thing that may work adequately in exchange for something new that does exactly the same thing. Instead, it’s about acquiring something more innovative and modern that does a lot more while still elegantly handling all of your existing needs.
The New “Must Haves”
When evaluating your next IGA investment, these aren’t “nice-to-haves”; they are the “must-haves” when considering your next platform:
- Identity Lifecycle Alignment: Prioritize and align with the identity lifecycle – access provisioning (birthright and ad-hoc), governing access, recertifying access, and revoking and deprovisioning access.
- Human and Non-Human Identities: Natively handle NHIs like service accounts, machine identities, API keys, and more alongside traditional support for employees, contractors, vendors, and guests.
- Interconnected Fabric: Ensure capabilities like risk analytics and context, event-driven microcertifications, automated decisioning, access revocation, and monitoring cross-platform for SoD violations are deeply integrated.
- Permission-Level Visibility: Move beyond roles and groups to granular visibility into permissions, a must for PCI DSS and ISO 27001.
- Agile Integrations: Easy, high-speed, low-code/no-code integrations for all application types.
- UI-Driven Workflows: Build workflows and model identity attribute transformations within the UI, not through scripting.
- Access Profile Intelligence: Automate the creation of Access Profiles for different user populations using access data from your existing access graph.
- Modernized Access Recertifications: Bubble-up risk factors, automate decision-making, and shift to more proactive, risk-based microcertifications.
- Democratized Visibility: Enable visibility and control for managers, application owners, and auditors – not just the IAM team.
This also isn’t about second-guessing past decisions. Most organizations made smart, rational choices based on the available tools and their priorities of the time. And, IAM teams worked hard to get those systems running. But, now the landscape has changed and this post outlines clear, actionable criteria to guide your next investment, so you can drive stronger security outcomes and modernize how access is governed across the enterprise.
Identity Lifecycle Alignment
When preparing to deploy next-generation access governance, the logical flow needs to go from the most critical to the least critical business process. In other words, it goes from provisioning/deprovisioning access (both birthright and ad-hoc) to governing/adjusting access to recertifying access to revoking access – this aligns with how most identity maturity models and security frameworks portray the identity and access lifecycle.
In many respects, provisioning/deprovisioning birthright access and servicing ad-hoc access requests are two sides of the same coin. So, when thinking about joiner, mover, and leaver scenarios, ad-hoc access requests are just another way to achieve the “mover” scenario!
Human and Non-Human Identities
Next-generation access governance obviously needs to handle a diverse user population composed of employees, contractors, vendors, and guests. But, it also needs to natively handle the explosion of non-human identities occurring in the enterprise right now – local service accounts, service principals, machine identities, API keys, and more. What’s striking and different is that NHIs represent orders of magnitude more identities than traditional human-based identities and they need to be governed differently – tracked with ownership assignments, monitored, rotated, and eventually decommissioned.
Interconnected Fabric
Access governance and identity security needs to be delivered as a “fabric” of interconnected capabilities driven by a common, authoritative source of access truth, not a patchwork of disconnected tools. For instance, here are just a few examples of what an access governance and identity security fabric enables:
- Identity security needs to be driving risk analytics and context into the access recertification program – enabling reviewers to complete their reviews faster and with more risk-based context.
- User lifecycle and security events need to drive on-demand access recertifications every bit as much as regulatory mandates for quarterly recertifications.
- Inappropriate or out-of-date grants of access identified during ad-hoc investigations or recertifications need to be immediately and verifiably revoked.
- And, new grants of access – either requested just-in-time or via birthright provisioning – need to be dynamically monitored for SoD violations and governed by policy to minimize standing privilege.
Identity events should trigger context-aware certifications, policy enforcement, and access decisions in real-time. Without that integration, security is reactionary at best.
Permission-Level Visibility
Legacy IGA has been stuck in the world of roles and groups since the beginning, yet it also struggles to handle nested roles and groups. Next-generation systems must provide true visibility into actual permissions on resources – the purest, most basic form of access. While roles and groups offer useful abstractions, they don’t provide sufficient resolution in terms of understanding permission- and access-level ground truth. Whether you’re aligning with ISO 27001, PCI DSS v4.0, or meeting the growing expectations of GDPR-driven audits in the EU, permission-level visibility is now a baseline requirement, not a future nice-to-have.
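The two points above that legacy tooling struggles with, flattening nested groups and roles into the actual permissions on resources, and then watching those effective permissions for SoD violations (the “Interconnected Fabric” section), come down to one graph walk. The following is an added illustration, not code from the original post or from Veza’s product: the group nesting, role bindings, resource names and the single SoD rule are all constructed sample data, and the `"group:"` prefix convention for distinguishing groups from users is an assumption made for the example.

```python
from collections import defaultdict

# Constructed sample data (hypothetical, not from any real directory or IGA tenant).
# Principals prefixed "group:" are groups; everything else is a user.
GROUP_MEMBERS = {
    "eng-all":   ["alice", "bob", "group:eng-leads"],
    "eng-leads": ["carol", "group:eng-all"],   # deliberate nesting cycle
    "finance":   ["dave", "carol"],
    "ap-clerks": ["group:finance"],
}
# Role -> set of (resource, action) permissions: the ground truth we want to see.
ROLE_PERMISSIONS = {
    "repo-writer": {("git:core-repo", "write")},
    "prod-reader": {("db:prod-customers", "read")},
    "ap-creator":  {("erp:invoices", "create")},
    "ap-approver": {("erp:invoices", "approve")},
}
# Role -> principals bound to it (users or groups).
ROLE_BINDINGS = {
    "repo-writer": ["group:eng-all"],
    "prod-reader": ["group:eng-leads"],
    "ap-creator":  ["dave"],
    "ap-approver": ["group:ap-clerks"],
}
# Separation-of-duties rules: a toxic combination of permissions and its label.
SOD_RULES = [
    ({("erp:invoices", "create"), ("erp:invoices", "approve")}, "create-and-approve-invoice"),
]


def expand_group(group, _seen=None):
    """Users transitively contained in `group`; the visited-set makes nesting cycles safe."""
    seen = set() if _seen is None else _seen
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for member in GROUP_MEMBERS.get(group, []):
        if member.startswith("group:"):
            users |= expand_group(member[len("group:"):], seen)
        else:
            users.add(member)
    return users


def resolve_principal(principal):
    """A group resolves to its transitive user membership; a user resolves to itself."""
    if principal.startswith("group:"):
        return expand_group(principal[len("group:"):])
    return {principal}


def effective_permissions():
    """user -> set of (resource, action), with every role and group layer flattened."""
    perms = defaultdict(set)
    for role, principals in ROLE_BINDINGS.items():
        for principal in principals:
            for user in resolve_principal(principal):
                perms[user] |= ROLE_PERMISSIONS[role]
    return dict(perms)


def who_has(perms, resource, action):
    """The auditor's question: which users can perform `action` on `resource`?"""
    return sorted(u for u, ps in perms.items() if (resource, action) in ps)


def sod_violations(perms):
    """Users whose effective permissions contain a complete toxic combination."""
    return [(u, label) for u in sorted(perms) for toxic, label in SOD_RULES if toxic <= perms[u]]


if __name__ == "__main__":
    perms = effective_permissions()
    for user, ps in sorted(perms.items()):
        print(user, sorted(ps))
    print("can approve invoices:", who_has(perms, "erp:invoices", "approve"))
    print("SoD violations:", sod_violations(perms))
```

Note what the role-and-group view hides here: `dave` is never directly granted “approve” on invoices; he gets it two group hops away through `ap-clerks` → `finance`, and only the flattened permission set reveals that he can both create and approve an invoice. The cycle between `eng-all` and `eng-leads` is the kind of nesting the paragraph says legacy tools choke on; the visited-set in `expand_group` handles it without special casing.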
Agile Integrations
Traditionally, it’s not been particularly easy to integrate new applications with legacy IGA tools. Modern IGA platforms are built with low-code, scalable integrations in mind – whether you’re connecting SaaS apps, legacy infrastructure, or custom workloads. Initial setup and integration matter, but it’s the long-term maintenance where complexity (and cost) really stacks up. Platforms like Veza have prioritized agile, low-code/no-code integration from day one, helping organizations reduce integration overhead and keep total cost of ownership in check. As any experienced CIO or CISO will tell you, most of the costs associated with application integrations are tied to ongoing maintenance over time, not the initial development costs.
UI-Driven Workflows
Legacy IGA complexity often extends into configurations and deployment. In Veza’s experience working with customers replacing legacy systems, a common pain point is the reliance on scripting, often in some obscure language, just to model basic workflows or identity transformations. Customizing identity workflows shouldn’t require a crash course in coding. Modern platforms allow identity teams to build and manage workflows directly through intuitive UI tools, accelerating deployment, reducing errors, and lowering the skill barrier. With Veza, these workflows and identity logic can be configured natively within the UI, enabling faster, more agile implementations without brittle custom code.
Access Profile Intelligence
Although legacy IGA vendors have touted the promise of their entitlement catalogues for years, many organizations adopting these solutions found that integrating the entitlements from their applications and systems into the catalogue took a very long time. Even once entitlements were integrated, customers were left to their own devices to determine how birthright or ad-hoc access should be modeled across disparate user populations, which led to complicated, time-consuming, and (frequently) unsuccessful role mining projects.
In contrast, Veza’s approach, called Access Profile Intelligence, uses the power and knowledge contained within each customer’s Access Graph to automate the creation of Access Profiles using known entitlements belonging to a single “typical” user as a baseline or by analyzing and determining the overlapping access entitlements from a group or set of multiple related users in a common cohort.
Modernize Access Recertifications
Let’s be honest: recertifications are often painful, time-consuming, and compliance theater. But they don’t have to be. Risk-aware platforms use real usage data, outlier detection, and intelligent risk-based suggestions to streamline reviews and shift toward continuous access governance instead of quarterly rubber stamps. Next-generation access governance has focused on reinventing the process by:
- Driving more risk-based context into access recertifications to help accelerate the review process for reviewers. This includes “bubbling up” context like user and resource risk scores, organizing access into risk levels, identification of access outliers, highlighting toxic combinations and other anomalies, denoting when entitlements under review haven’t recently been used, and more.
- Intelligently automating decision-making by making policy-based suggestions for when reviewers ought to approve vs. reject access, rooted in risk-based metrics, actual usage, and the principle of least privilege.
- Shifting from periodic compliance-based reviews running quarterly or bi-annually to more proactive risk-based microcertifications of access tied to security and/or user lifecycle events. Or, moving to just-in-time access requests to minimize standing privilege overall across the organization.
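The Access Profile Intelligence idea (derive a profile either from one “typical” user or from the entitlements a cohort has in common) and the recertification context just listed (peer-share outliers, unused entitlements, a suggested decision) operate on the same per-user entitlement data, so one worked example can show both. This is an added example and not code from the original post or from Veza’s product: the users, entitlement names, last-used dates, review date, and the 75% profile threshold, 30% outlier threshold and 90-day staleness window are all constructed or assumed values for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample data (hypothetical, not from any real Access Graph):
# user -> {entitlement: date it was last exercised, or None if never used}.
ENTITLEMENTS = {
    "u1": {"crm:sales-rw": date(2025, 5, 20), "okta:sales-app": date(2025, 5, 22),
           "gdrive:sales-share": date(2025, 5, 1)},
    "u2": {"crm:sales-rw": date(2025, 5, 28), "okta:sales-app": date(2025, 5, 30),
           "gdrive:sales-share": date(2025, 4, 15), "aws:prod-admin": None},
    "u3": {"crm:sales-rw": date(2025, 5, 19), "okta:sales-app": date(2025, 5, 29),
           "finance:ledger-ro": date(2024, 11, 3)},
    "u4": {"crm:sales-rw": date(2025, 5, 27), "okta:sales-app": date(2025, 5, 30),
           "gdrive:sales-share": date(2025, 5, 25)},
}
# The cohort: users sharing the same attributes (say department=Sales, title=AE).
SALES_AE_COHORT = ["u1", "u2", "u3", "u4"]
# Constructed date on which the review campaign runs.
REVIEW_DATE = date(2025, 6, 1)


def entitlement_shares(users):
    """Fraction of the cohort holding each entitlement."""
    counts = Counter(e for u in users for e in ENTITLEMENTS[u])
    return {e: c / len(users) for e, c in counts.items()}


def cohort_access_profile(users, threshold=0.75):
    """Candidate birthright profile: entitlements held by at least `threshold` of the cohort."""
    return {e for e, share in entitlement_shares(users).items() if share >= threshold}


def baseline_access_profile(typical_user):
    """Candidate profile derived from one representative user's current grants."""
    return set(ENTITLEMENTS[typical_user])


def review_items(user, users, today, profile=None, stale_days=90, outlier_share=0.3):
    """Recertification line items for one user, each with risk context and a suggested decision."""
    profile = cohort_access_profile(users) if profile is None else profile
    shares = entitlement_shares(users)
    items = []
    for ent, last_used in ENTITLEMENTS[user].items():
        flags = []
        if ent in profile:
            flags.append("in-profile")            # expected for this population
        if shares.get(ent, 0) < outlier_share:
            flags.append("outlier")               # few peers hold this
        if last_used is None:
            flags.append("never-used")
        elif (today - last_used).days > stale_days:
            flags.append(f"unused>{stale_days}d")
        unused = "never-used" in flags or any(f.startswith("unused>") for f in flags)
        # Policy-based suggestion rooted in peer context, actual usage and least privilege.
        if "outlier" in flags and unused:
            suggestion = "reject"
        elif "in-profile" in flags and not unused:
            suggestion = "approve"
        else:
            suggestion = "review"                 # leave to the human reviewer
        items.append({"entitlement": ent, "peer_share": round(shares.get(ent, 0), 2),
                      "last_used": last_used, "flags": flags, "suggestion": suggestion})
    # Bubble the riskiest items to the top of the reviewer's queue.
    order = {"reject": 0, "review": 1, "approve": 2}
    return sorted(items, key=lambda i: order[i["suggestion"]])


if __name__ == "__main__":
    print("cohort profile:", sorted(cohort_access_profile(SALES_AE_COHORT)))
    print("baseline from u1:", sorted(baseline_access_profile("u1")))
    for item in review_items("u2", SALES_AE_COHORT, REVIEW_DATE):
        print(item)
```

On this data the two profile-derivation approaches agree: the entitlements held by at least three of the four sales AEs are exactly the three that `u1`, the “typical” user, holds. In `u2`’s review the three in-profile, recently used grants are suggested for approval, while `aws:prod-admin` (held by one of four peers, never used) lands first in the queue with a reject suggestion; `u3`’s `finance:ledger-ro` is flagged the same way because it was last used roughly seven months before the review date.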
Democratized Visibility
Finally, everything is more accessible and democratized in a modern access governance and identity security solution vs. legacy IGA. Want to give people managers visibility into their direct reports’ access? Not a problem. Need to extend approval workflows for Access Profile changes to application owners? Easy peasy. Looking to empower auditors to review just the recertifications that matter to them, without giving them the keys to everything? Straightforward and simple. In modern platforms like Veza, access intelligence isn’t locked behind IAM—it’s democratized across the business, aligned to roles, and available when and where it’s needed.
Conclusion
These are just a few of the access governance advantages that a modern platform like Veza brings to the table. Identity security today demands more than periodic reviews and siloed controls—it requires continuous visibility, intelligent automation, and governance that flexes with the business.
To explore how an authorization-graph-based architecture revolutionizes identity security, check out The Veza Advantage – Product Whitepaper.
If you’re comparing technical capabilities, download our Platform Overview Data Sheet. It breaks down how Veza delivers privilege monitoring, certification automation, lifecycle management, and integration flexibility.
And when you’re ready to assess fit in your environment, across human and non-human identities, SaaS, cloud, on-prem, and custom systems, schedule a demo to see Veza in action in real-world use cases.
Upgrading from a legacy IGA platform isn’t just about replacing something that technically still works. It’s a strategic shift toward better visibility, stronger governance, and the kind of access intelligence that today’s enterprise demands.
About the Author
Sandler Rubin is the Senior Director of Product Management at Veza, where he leads strategy and roadmap for the company’s next-generation Access Governance offerings. With over two decades of experience in cybersecurity, identity, and enterprise software, Sandler has held senior product leadership roles at Tenable, Cohesity, Proofpoint, and Symantec. He brings a practitioner’s mindset and a strategic lens to the evolving challenges of access governance, drawing on deep expertise in identity security, data protection, and risk management. Sandler holds a CISSP certification and has authored patents in data loss prevention.