Every IGA vendor demo looks impressive. The access review dashboards are clean, the provisioning workflows animate smoothly, and the integration catalog numbers are large. What you do not see in a demo is what breaks six months into production, which connectors require more custom work than the sales team implied, and which platforms require a dedicated implementation partner just to change a workflow.
This article is built from practitioner accounts — people who have deployed, maintained, and in some cases ripped out IGA platforms — plus a technical breakdown of what modern next-generation platforms do differently. No vendor positioning. Just what actually works and what does not.
How to Frame the IGA Market Before Evaluating Vendors
The IGA market segments roughly into three tiers, and picking from the wrong tier for your environment is the most common procurement mistake.
Enterprise IGA — SailPoint, Saviynt, One Identity Manager, IBM ISVG — is built for organizations with thousands of users, complex on-prem infrastructure, dedicated identity engineering teams, and regulatory environments that require deep connector-based architecture and highly customized workflow logic. Implementation cycles run 12 to 18 months. Ongoing maintenance requires specialized skills. The power is real, but so is the cost and complexity.
Mid-market and next-gen IGA — Omada, Zluri, Lumos, ConductorOne, Zilla Security — targets organizations that need serious governance without enterprise implementation overhead. Faster time-to-value, SaaS delivery, and simpler configuration are the selling points. The trade-offs vary by platform.
Open source IGA — midPoint, Apache Syncope, Wren:IDM — requires in-house technical capability to stand up and maintain, but offers full customization and no licensing cost. A legitimate option for organizations with the engineering resources to run it.
The right question before evaluating specific vendors: which tier matches your user count, technical resources, regulatory requirements, and budget? A 1,000-person organization with mostly SaaS apps and no mainframes should not be evaluating SailPoint against midPoint as if they are comparable options for the same problem.
SailPoint: The Enterprise Standard With Real Trade-offs
SailPoint is the most commonly deployed enterprise IGA platform and for large, complex environments it earns that position. The connector catalog is extensive, the access certification capabilities are mature, and the SailPoint Identity Cloud (ISC) SaaS product has closed a significant portion of the feature gap that existed when it first launched as IdentityNow.
The practitioner accounts on SailPoint are consistent across years of Reddit threads: it is a strong product if you have the resources to use it correctly.
What works. For Fortune 500 environments migrating from homegrown or legacy IGA tools, ISC handles most provisioning requirements and increasingly supports API-based interaction that reduces the need for custom scripting. The VS Code extension has partially replaced the debug functionality that IIQ users miss when moving to ISC. For organizations that will bend their business processes around the tool rather than trying to bend the tool around their processes, ISC is the faster path.
What does not. SailPoint does not expose code on internal processes, which frustrates organizations that prefer to configure things themselves. If you want to understand exactly what a provisioning workflow is doing or modify it directly, you are routing through SailPoint engineers or partners — which means waiting and paying. One practitioner with four years on One Identity Manager specifically noted this as the reason they prefer OIM: full self-service configuration without requiring vendor involvement for every change.
IIQ vs. ISC. If you need deep customization and want to bend the tool around your business processes, IIQ is the right choice — but you are taking on an on-prem deployment with all the maintenance that comes with it. ISC is the right choice if you will standardize around what the platform offers out of the box and use its growing API surface for the edge cases.
Saviynt: Strong in Demo, Variable in Production
Saviynt comes up consistently in practitioner discussions, and the pattern in those discussions is consistent enough to be worth stating plainly: the demo and POC experience frequently does not match the production experience.
Multiple practitioners across multiple threads describe the same thing — impressive UI, a lot of features that look powerful in a presentation, and then production behavior that does not match the demo. One organization that deployed Saviynt in 2019 reported that adding five users in a row to a new role crashed their system. Another described it as "smoke and mirrors from demo/POC vs production." The OP of the source thread, after their own POC, characterized it as "flashy stuff with a mediocre engine running it."
The fair caveat is that some of this reflects implementation quality. Organizations that were early adopters or that used suboptimal implementation partners have rougher experiences than those who set it up correctly from the start, and Saviynt has continued developing the product. But the pattern is durable enough to warrant thorough production reference checks — not just demo references — before committing.
Omada: A Strong Option for Mid-Market and Regulated Environments
Omada comes up repeatedly as the recommendation for organizations that need serious IGA without SailPoint's enterprise overhead. It is a purpose-built IGA platform — not an IAM vendor adding governance features — with a clean data model that practitioners describe as easier to understand than SailPoint's.
The thread OP, after evaluating multiple platforms including SailPoint and Omada, noted that Omada "just has a cleaner/easier to digest data model and a lot of nice features." A separate practitioner seconded it strongly, noting that the product, sales, and engineering teams are all strong and that Omada focuses on IGA exclusively without add-on complexity.
One honest note from the thread: Omada's implementation can be time-consuming to stand up, and the configuration experience has historically required significant consulting investment. One practitioner described a two-year implementation that never finished. That experience may reflect implementation partner quality as much as the platform itself, but it is worth asking direct questions about typical time-to-value and what self-service configuration looks like in production.
For European organizations specifically, Omada's Copenhagen base and European customer focus are practical advantages — both for support and for data sovereignty considerations.
One Identity Manager: Self-Service Configuration for Organizations That Want Control
One Identity Manager has a German engineering base and is particularly common in European enterprise environments. The practitioner who described four years of experience with it made the defining point clearly: you can configure as much as you need on your own, without requiring vendor engineers or partners for every change.
The trade-off is that some parts of the platform still use thick clients — desktop applications rather than browser-based interfaces. For practitioners who prefer direct access to configuration over a polished web UI, this is a non-issue or even a preference. For organizations that need a modern browser-based interface throughout, it is worth verifying in a POC.
One Identity also offers Active Roles as a lighter-weight option specifically for AD lifecycle management and RBAC, without the full IGA implementation complexity. For organizations whose primary requirement is AD lifecycle rather than full governance, it is worth evaluating separately.
midPoint: The Open Source Option With Real Capability
midPoint by Evolveum is the closest open source equivalent to enterprise IGA. Practitioners who have run it in production describe it as genuinely capable — full provisioning, access reviews, role management, and a connector library covering AD/LDAP, Microsoft Graph, Exchange, and more.
One practitioner at REWE Group described being reasonably happy with it in production. Another described getting HR data into the system and creating AD accounts with group assignments within a few days of starting the evaluation.
The honest constraints: documentation is not beginner-friendly, you need some identity engineering experience to navigate it effectively, and the open source community could be more active than it currently is. It is also a self-hosted deployment, which means your team owns infrastructure, upgrades, and operational maintenance.
For organizations with in-house technical capability, a preference for not depending on US vendor support, or a budget that cannot support commercial licensing, midPoint is a legitimate production option. For organizations that need vendor-backed support and a managed SaaS experience, it is the wrong fit.
Next-Gen SaaS IGA: What the Modern Platforms Do Differently
The category that includes Zluri, Lumos, ConductorOne, and Zilla Security approaches IGA differently from legacy enterprise platforms — and differently enough that it is worth understanding the architectural distinctions before assuming they are just cheaper versions of the same thing.
Discovery breadth. Legacy IGA platforms discover users and access through the systems they are connected to. If an application is not connected to the IGA platform, it is invisible. Next-gen platforms pull from multiple sources simultaneously — SSO logs, financial transaction data (expense reports and AP records), browser extensions, and desktop agents — to surface applications that IT has never formally managed, including tools purchased directly by employees or teams. One practitioner in the thread noted this specifically: their organization uses Zluri for access reviews, provisioning, and an app store that replaced Jira tickets for access requests, across a mix of 2,600 employees and 400 external users with mostly SaaS apps.
Handling non-API apps. For applications that lack APIs or SCIM support, modern platforms use AI-powered browser automation to execute provisioning and deprovisioning actions by navigating the application UI directly. This is more durable than traditional RPA because AI fallbacks can interpret UI changes rather than breaking when a button moves.
Auto-remediation in access reviews. Rather than generating a spreadsheet of review decisions that then require manual follow-up, platforms like Zluri can automatically trigger deprovisioning in the downstream application when a reviewer revokes access during a certification campaign. The review and the remediation are the same workflow.
Where next-gen platforms have real limitations. SSO activity data can be misleading — a user marked "active" in a downstream app may have logged in once via SSO and never returned. Getting accurate usage data for specific applications often requires building direct API integrations beyond the SSO layer. API rate limits from downstream applications cause sync failures that require manual intervention to resolve. Browser and desktop agent deployment has coverage gaps — Safari on Mac, for example, is restrictive enough that agent-based tracking is not practical. Advanced analytics dashboards have steep configuration learning curves. These are real trade-offs to evaluate honestly, not dismiss.
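An added illustration of the SSO-activity caveat above (example code, not from the article or from any vendor named in it): it reconciles constructed SSO sign-in events with app-side last-activity dates so that a user who signed in once via SSO and never returned is flagged for review instead of being counted as active. The function names, the 90-day window and all sample data are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample SSO sign-in events (user, app, date); not from any real IdP.
SSO_EVENTS = [
    ("alice", "designtool", date(2024, 1, 3)),
    ("alice", "designtool", date(2024, 2, 14)),
    ("alice", "designtool", date(2024, 3, 20)),
    ("bob",   "designtool", date(2023, 11, 2)),   # old sign-in, nothing since
    ("carol", "designtool", date(2024, 3, 25)),   # signed in once, never used the app
]

# Constructed: last in-app activity per user as reported by the app's own API.
# None means the app has no record of the user doing anything after sign-in.
APP_LAST_ACTIVITY = {
    "alice": date(2024, 3, 21),
    "bob": None,
    "carol": None,
}


def sso_active_users(events, as_of, window_days=90):
    """The naive view: anyone with an SSO sign-in inside the window is 'active'."""
    cutoff = as_of - timedelta(days=window_days)
    return {user for user, _app, day in events if day >= cutoff}


def classify_users(events, app_last_activity, as_of, window_days=90):
    """Reconcile SSO sign-ins with app-side activity. Labels:
    active            - app API shows real use inside the window
    sso_once_no_usage - one SSO sign-in inside the window, no app activity ever
    sso_only          - repeated SSO sign-ins but no recent app activity
    stale             - no sign-in and no activity inside the window"""
    cutoff = as_of - timedelta(days=window_days)
    logins = defaultdict(list)
    for user, _app, day in events:
        logins[user].append(day)
    labels = {}
    for user in set(logins) | set(app_last_activity):
        app_day = app_last_activity.get(user)
        recent_sso = any(d >= cutoff for d in logins.get(user, []))
        if app_day is not None and app_day >= cutoff:
            labels[user] = "active"
        elif recent_sso and len(logins[user]) == 1 and app_day is None:
            labels[user] = "sso_once_no_usage"   # the misleading 'active' case
        elif recent_sso:
            labels[user] = "sso_only"
        else:
            labels[user] = "stale"
    return labels


def review_candidates(labels):
    """Users a certification campaign should surface for a revoke decision."""
    return sorted(u for u, label in labels.items() if label != "active")
```

Run against the constructed data as of 2024-04-01, the naive SSO view reports alice and carol as active, while the reconciled view keeps only alice and queues bob and carol for review.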
A Framework for Choosing
The questions that actually determine which tier and which platform are right for you:
How many users, and what is the technical composition of your stack? Primarily SaaS with a few federated directories points toward next-gen platforms. Complex on-prem infrastructure, mainframes, or SAP points toward enterprise IGA. Hybrid with custom data sources requires verifying specific connectivity capabilities with each vendor.
What is your implementation resource? Enterprise IGA requires either a dedicated internal team or a partner. Next-gen SaaS platforms typically deploy faster but still require configuration investment. Open source requires in-house engineering capability throughout.
What are your compliance requirements? SOC 2 access reviews are manageable with modern SaaS platforms. HIPAA, SOX, and similar frameworks require more rigorous audit trail capabilities and may favor platforms with longer track records in regulated environments.
What does the production reference check reveal? Demo references are not useful. Ask for references from organizations of similar size and similar stack complexity that have been in production for at least 12 months. Ask specifically about what broke, how long it took to resolve, and what ongoing maintenance looks like.
FAQ
What is the best IGA platform for mid-sized organizations?
It depends on stack complexity and resources. For primarily SaaS environments with 500–3,000 users, next-gen platforms like Zluri or Omada offer faster deployment and lower maintenance overhead than enterprise platforms. For environments with complex on-prem infrastructure or heavy regulatory requirements, SailPoint ISC or One Identity Manager are more appropriate. Open source options like midPoint are viable for organizations with in-house engineering capability.
What are the main differences between SailPoint IIQ and SailPoint ISC?
IIQ is the on-premises product designed for deep customization — you can bend it around your business processes, but it requires significant engineering investment. ISC is the SaaS product designed for organizations that will standardize around what the platform offers, with an expanding API surface for edge cases. Feature parity between the two has improved significantly since ISC launched.
Is Saviynt a good IGA platform?
Saviynt has strong demo presence but mixed production reviews. Practitioners consistently report that the POC experience does not always match production behavior. Before committing, request production references from organizations with similar complexity that have been live for 12+ months, and ask specifically about performance under load and support response quality.
What is the difference between enterprise IGA and next-gen IGA platforms?
Enterprise IGA platforms (SailPoint, Saviynt, One Identity Manager) are built for large organizations with complex on-prem infrastructure, dedicated identity teams, and highly customized governance requirements. Next-gen platforms are designed for mid-market organizations with primarily SaaS stacks, prioritizing faster deployment, SaaS delivery, and lower ongoing maintenance over deep customization capability.