What the ServiceNow-Veza Acquisition Means for Identity Teams (And Why Zluri Is Worth a Look)

Rohit Rao
Business Operations Manager, Zluri
April 21, 2026

About the author

Rohit is a Business Operations Manager at Zluri. He has five years of experience in Identity Governance and Administration. His work focuses on Customer Success Strategy and Operations. He partners with IT and security teams to improve end-to-end IGA processes. His goal is to align product capabilities with customer outcomes using clear onboarding plans and adoption playbooks. Rohit also defines success metrics and applies real-world insights to help customers get maximum value.

Veza is now part of ServiceNow. If you're evaluating your options, here's an honest breakdown of what Veza does well, where it falls short, and how Zluri compares across identity discovery, lifecycle automation, access reviews, and deployment.

Most Zluri vs. Veza comparisons start with a feature checklist. That's the wrong frame. The two platforms were built to solve different versions of the identity security problem.

Veza was built around authorization intelligence — mapping what users can actually do in a system at the entitlement level, particularly across cloud infrastructure and databases.

Zluri was built around the full identity lifecycle: discovering every identity and application across a SaaS-heavy environment, automating joiner-mover-leaver workflows, provisioning and deprovisioning access across 300+ systems, and running access reviews with closed-loop remediation.

Those aren't the same problem. The right choice depends on which one your organization is actually trying to solve.

There's also a timing factor that changes the calculation for many teams evaluating Veza today. ServiceNow completed its acquisition of Veza on March 2, 2026. The IGA capabilities Veza had just launched — Access AuthZ in November 2025, Access Requests still in early access as of mid-2026 — are now being absorbed into ServiceNow's integration work at the exact moment they were supposed to be maturing. For teams that need proven lifecycle automation running in production today, that maturity gap is the real question.

In this article, we break down where each platform genuinely leads, where the gaps are, and who should choose which.

The short answer: If cloud infrastructure entitlement analysis — AWS IAM, Snowflake, database permissions — is your primary identity risk, Veza's access graph is the more specialized tool for that problem. If you need a full identity security platform covering discovery, JML automation, provisioning, access reviews, and posture management across a SaaS-heavy environment, Zluri is the stronger fit — with years of production history and deployment in weeks, not months.

What Veza is actually built for

Understanding Veza clearly is necessary before any comparison makes sense, because Veza's positioning shifted significantly in 2024 and 2025, and the IGA additions can obscure what the platform was originally built for and is still best at.

Veza's core technology is the access graph, not lifecycle management

Veza's Access Graph maps what users can actually do in a system at the entitlement level. Not what roles they're assigned — what actions they can execute on which resources. A user in an Admin group might have read-only access to one S3 bucket and full write access to another based on the specific IAM policies in play. Veza shows you that. Most IGA platforms show you the group membership, not the downstream permissions that group actually confers.

This is a genuine differentiator, and it's the capability that earned Veza trust with enterprises like Wynn Resorts, Expedia, and Blackstone. If your primary identity risk lives in complex cloud infrastructure — AWS IAM policies, GCP permissions, Azure roles, Snowflake and database authorizations — Veza's entitlement-level visibility is hard to replicate elsewhere.

Veza's IGA capabilities are real but recently added

Veza has since expanded into IGA territory beyond its original access graph focus. Access Requests, Access AuthZ (provisioning and deprovisioning write-back), Lifecycle Management, and Separation of Duties are all part of the current product. The Access Requests portal is still listed as "request early access" on the Veza product page as of mid-2026.

The more relevant question isn't whether these capabilities exist — they do. It's how long they've been running in production at scale, and who's been developing them since the acquisition closed. Platforms earn trust in lifecycle automation through the edge cases they've already hit and resolved: the offboarding that triggers at midnight, the mover workflow that needs to handle a simultaneous role and location change, the access review that surfaces 10,000 items across 40 systems. That kind of hardening takes time — and that time is what separates a capability from a proven workflow.

Veza was most commonly a complement to IGA, not a replacement

Third-party analyst discussions consistently place Veza as an ISPM tool deployed alongside an existing IGA platform, not as the primary governance system. Teams running SailPoint, Okta IGA, or Saviynt would add Veza for the cloud infrastructure entitlement layer those platforms couldn't surface. If that was your Veza deployment model, the evaluation question isn't just "replace Veza" — it's "what does a consolidated identity security platform look like for us?"

What the ServiceNow acquisition actually means

The acquisition closed March 2, 2026. Veza is now inside a company whose primary business is ITSM. The people who built the access graph, the roadmap customers were evaluating, the support model — those are all ServiceNow's to direct.

For teams primarily using Veza for the access graph

This is the most stable scenario. The core technology Veza was known for is unlikely to be deprecated. ServiceNow's case for the acquisition centers on the access graph as a foundation for agentic AI security workflows. If cloud infrastructure authorization intelligence was your primary use case, the acquisition risk is lower.

For teams relying on Veza's newer IGA capabilities

This is the higher-risk scenario. Access AuthZ and Access Requests are 7–18 months old. They are now being absorbed into a platform integration process. Engineering bandwidth that would otherwise go into hardening and expanding these capabilities is split with integration work. Teams that need proven, production-tested lifecycle automation today — JML workflows, provisioning and deprovisioning at scale, closed-loop access removal — are buying capabilities that are still in their early production maturity inside an organization undergoing structural change.

For teams evaluating Veza as a new purchase in 2026

The honest picture: you're evaluating a platform whose roadmap, pricing, and support model are now determined by ServiceNow. If tight ITSM integration and the ServiceNow ecosystem are part of your strategy, that may be a feature rather than a risk. If your security team wants best-of-breed identity governance evaluated independently from your ticketing system, that alignment is now baked in whether you want it or not.

How Zluri compares: where the platforms actually diverge

Identity discovery: 8 methods vs. a connector graph

Veza's access graph only maps what's been connected to it. Every system Veza models requires a configured connector. Where those connectors exist, the insight is exceptional. But apps outside the IdP — employees who sign up for tools with a work email, OAuth apps connected to Gmail, SaaS tools that bypass SSO entirely — none of that is visible in the graph. Shadow IT is not a Veza use case.

Zluri's IVIP (Identity Visibility and Intelligence Platform) runs 8 simultaneous discovery methods: HRMS, IdP/SSO, browser agent, desktop agent, direct integrations, CASB, MDM, and Active Directory. The combination surfaces what falls outside SSO control, not just what IT has formally connected. Customers routinely find significantly more applications than expected when Zluri is turned on.

The practical difference is this: Veza answers "what can users do in the systems you've connected?" Zluri answers a broader set of questions — what applications and identities exist across the entire environment, including the ones IT didn't know about, what access those identities have, whether that access is appropriate, and then automates the correction when it isn't.

User lifecycle management, JML automation, and provisioning: years of production history vs. 7–18 months

This is where the gap between the platforms is most significant, and where the ServiceNow acquisition creates the most risk for Veza evaluators.

Zluri's JML automation covers the full lifecycle — joiner provisioning, mover access updates, and leaver deprovisioning — across 300+ integrations with 1,500+ granular provisioning actions. When a new hire joins, a single automation rule can provision their accounts, assign licenses, add them to the right groups, and configure role-based permissions across every connected system. When a mover changes roles, Zluri's playbooks remove the old access and provision the new — triggered by an HRMS change, no ticket required. When someone offboards, deprovisioning auto-populates from the employee's actual access footprint, not from a list of what IT thought they had.

That model is production-hardened across hundreds of customers:

  • Guesty saved 15,000 IT hours on access requests and offboarding automation
  • Roller Networks cut provisioning time from 30 minutes to 1 minute per user
  • monday.com runs zero-touch onboarding and offboarding across its entire workforce

Veza added JML workflow capability in 2024 and Access AuthZ (write-back provisioning) launched in November 2025 — one month before the acquisition. Access Requests was still in early access as of mid-2026. The capabilities exist. What they don't have yet is the production history that determines whether workflows run reliably at 9am on a Monday when 50 people are onboarding simultaneously, or whether edge cases surface six months into deployment. That production hardening is what Zluri's customers have already been through.

Access reviews: comparable depth, different remediation model

Both platforms bring intelligence to access review campaigns. Veza's reviews were genuinely differentiated by effective permissions context — reviewers saw what access could actually do, not just which group someone belonged to. That's a meaningful upgrade over role-only certifications.

Zluri's IRIS intelligence layer adds usage intelligence per access item: dormant access is flagged, peer comparisons surface anomalies, and reviewers see not just whether access exists but whether it's been used in the past 30, 60, or 90 days. Reviewers approve or revoke inline, including directly from Slack.

Where the platforms diverge is what happens after the decision. Veza's access reviews historically surfaced the decision; executing the revocation required additional workflow steps. Access AuthZ, launched November 2025, adds write-back for a defined system set, but it is new and not yet production-hardened at scale.

Zluri closes the loop automatically. When a reviewer makes a revocation decision, deprovisioning executes across all connected applications without manual follow-up. Assured Allies is a useful reference point here: they discovered over 300 apps when they expected 100 (using Zluri's discovery layer), then reduced SOC 2 audit prep from a full workday to 30 minutes once access reviews were running — a 90% time reduction, with audit-ready PDFs generated automatically.

Connector coverage: read-only visibility vs. read-write governance

Veza has 325+ out-of-the-box integrations. The critical distinction: most are agentless and read-only. Veza's Access AuthZ write-back covers a more limited defined set, added in November 2025.

Zluri has 300+ integrations with both read (discovery) and write (provisioning) support, with 1,500+ granular provisioning actions covering account creation and deletion, license assignment, group membership, permission grants, and offboarding access transfers. Visibility count and governance count are different numbers — for identity lifecycle automation and access governance, the write-back is what matters.

For custom, on-prem, and homegrown applications with no native integration, Zluri's Universal Identity Connector extends coverage without requiring a full custom build for every system. Veza's OAA (Open Authorization API) write framework supports custom connectors but requires engineering resources to configure and maintain.

Deployment and administration

Zluri is typically live in 4–12 weeks depending on scope. No external implementation partners required. IT admins configure onboarding playbooks, access review campaigns, and SoD policies without writing code. Policy changes take minutes when a workflow needs to update.

Veza's access graph configuration required technical resources — each connector needed to be set up and maintained, and value came after significant initial configuration. For Veza's newer IGA capabilities specifically, how administration and no-code configuration work in practice today is worth verifying directly with the ServiceNow team.

Where Veza was genuinely stronger

Two areas where Veza's depth is real:

Cloud infrastructure authorization depth

Veza's graph modeled AWS IAM policies, GCP permissions, and Azure roles at the granular entitlement level — showing what specific actions a user could execute on which specific resources, not just their group membership. If 70% or more of your identity risk lives in cloud infrastructure authorization analysis, Veza's depth belongs in your evaluation.

Zluri covers cloud systems within its identity governance layer. It is not a cloud IAM policy analysis tool at Veza's entitlement modeling depth.

Database and data system authorization

Veza modeled Snowflake, Databricks, PostgreSQL, MySQL, and Oracle at the query-permission level — showing what users could actually query, create, or modify, not just their role assignments. For organizations where data system authorization is a primary security concern, this granularity was Veza's strongest capability.

Zluri connects databases for identity and access governance at the identity level. It does not model query-level data authorization the way Veza did.

The qualifying question: What percentage of your identity risk lives in cloud infrastructure authorization and database permissions versus SaaS lifecycle governance, JML automation, and shadow IT? That ratio is the most honest signal for which platform fits your environment.

The comparison, laid out

Who should choose Zluri

Zluri is the right fit if your organization needs a unified identity security platform — not a point tool for one slice of the problem. Zluri brings together IVIP (identity and application discovery, including shadow IT), full IGA (JML automation, user provisioning and deprovisioning, lifecycle management, access requests, access reviews, and SoD enforcement), and ISPM (continuous posture monitoring for overprivileged accounts, dormant access, and orphaned identities) in a single platform. The SMP layer also surfaces unused licenses and redundant app spend — so the platform pays for itself in a way that resonates with procurement and finance, not just IT and security teams. Deployment is typically 4–12 weeks with your own team, no external consultants required.

Who should consider staying with Veza (or choose it for specific use cases)

Veza remains a reasonable choice if your primary identity risk is cloud infrastructure authorization — AWS IAM policy analysis, Snowflake entitlement modeling, database permission graphs. The access graph remains Veza's strongest capability and is unlikely to be deprecated inside ServiceNow. If you're already deeply embedded in the ServiceNow ecosystem and tighter ITSM-to-identity integration is a feature rather than a concern, the combined roadmap may serve you well over time.

If you're evaluating Veza primarily for its IGA capabilities — Access AuthZ, Access Requests, lifecycle management — the maturity of those capabilities and their trajectory inside ServiceNow is worth pressure-testing directly before committing.

The verdict

If your primary risk is cloud infrastructure entitlement analysis, Veza's access graph is still the most capable answer to that question — with an honest look at what ServiceNow ownership means for your roadmap.

If the problem is SaaS lifecycle governance, JML automation, and proven provisioning at scale, Zluri is the cleaner fit — a full identity security platform with years of production history, deployed and operated by your own team.

See how Zluri handles identity discovery, JML automation, provisioning, and access reviews across your full environment — including the apps outside your IdP. Book a demo.

Frequently asked questions

Is Veza a full IGA platform?

Historically, Veza was positioned as an ISPM and authorization intelligence tool deployed alongside an IGA platform rather than as one. Veza added lifecycle management, Access Requests, and Access AuthZ in 2024–2025, moving toward full IGA positioning. Those capabilities are real but recently launched and are now inside ServiceNow's integration process.

What happened to Veza's roadmap after the ServiceNow acquisition?

ServiceNow completed the acquisition on March 2, 2026. Veza's product direction, pricing, and support model are now determined by ServiceNow. The acquisition's stated focus is on agentic AI identity security and integrating Veza's access graph into the ServiceNow platform. Independent IGA roadmap evolution is no longer the primary driver.

Does Zluri handle cloud infrastructure authorization the way Veza did?

No. Zluri covers cloud systems within its identity governance layer but is not a cloud IAM policy analysis tool at Veza's entitlement-modeling depth. If AWS IAM, GCP, and Snowflake entitlement analysis is the primary requirement, that distinction matters and should be evaluated in a proof of concept.

How does Zluri handle custom and on-prem applications?

Zluri's Universal Identity Connector covers custom, on-prem, and homegrown apps with no native integration — configured by IT admins without engineering involvement. Teams migrating from Veza's OAA custom connectors typically find the migration scope smaller than expected once the coverage is mapped out.

What does Zluri's JML automation cover?

Zluri's joiner-mover-leaver automation handles the full lifecycle across 300+ integrations with 1,500+ provisioning actions. Joiner playbooks provision accounts, assign licenses, configure role-based permissions, and add group memberships across every connected system from a single automation rule. Mover events trigger access updates based on HRMS changes. Offboarding auto-populates from the employee's actual access footprint — not from a list of what IT thought they had.

What does Zluri's access review process look like end-to-end?

Zluri runs access review campaigns with configurable cadence, four reviewer roles, automated reminders and escalation for non-responses, and automatic deprovisioning on revocation decisions — no manual follow-up. IRIS surfaces usage intelligence per access item so reviewers see whether access has been used, not just whether it exists. Audit-ready PDFs are generated automatically at the end of each campaign.

How long does it take to deploy Zluri?

Standard integrations are live in 2–4 weeks. Enterprise connectors take 4–8 weeks. Custom integrations vary based on system complexity. No external implementation partners required.
