The IGA market is genuinely bifurcating. On one side, large enterprises with dedicated IAM teams, complex on-prem infrastructure, and regulatory requirements that demand deep governance capability are staying with SailPoint — and some are finding the ISC (cloud) version substantially improved. On the other side, mid-market organizations that can't justify 2+ FTE just for platform maintenance are moving to modern alternatives where the time to value is measured in months, not years.
The honest answer from practitioners who have evaluated multiple platforms: both sides of this are right, and the decision comes down to specific requirements rather than marketing positioning.
Why Organizations Stay With SailPoint
The Fortune 500 organization in this thread that renewed SailPoint after a full market review represents a real data point worth understanding. Their reasoning: SailPoint has the depth and feature set for complex enterprise requirements, 50+ applications onboarded with 50,000-100,000 users, and a governance maturity level that newer platforms haven't reached. Production in 6 months was achievable with disciplined scope management.
The specific gaps in the modern alternatives they evaluated: Zilla was feature-poor relative to their requirements. Microsoft would require rebuilding what they've already built. The math on switching cost versus improvement didn't favor a change.
This is the legitimate SailPoint case: large regulated organizations with dedicated IAM teams, complex governance programs already built, and requirements that genuine enterprise IGA depth satisfies. For this segment, the maintenance overhead is a known cost that's been absorbed into operations.
Why Organizations Are Leaving (And What They're Finding)
The maintenance FTE problem. The FormerElk6286 bank evaluation is one of the most detailed in the thread. At 4,000 employees, SailPoint quoted 2 FTE for care and feeding. That's not implementation — that's ongoing maintenance. For an organization without a dedicated IAM team, 2 FTE of maintenance overhead to run a governance platform is a budget and staffing decision, not just a technology decision. This is the structural reason mid-market organizations evaluate alternatives: not because SailPoint is bad at IGA, but because the maintenance model doesn't fit their operating model.
Saviynt concerns across multiple evaluations. The negative signals around Saviynt appear consistently across several independent evaluations in this thread: uptime issues, a sales process that resisted POC environments, roundabout answers to specific technical questions, pricing that exceeded budgets while excluding required connectors, and practitioners who deployed it describing it as "a hot mess." This pattern across multiple independent accounts is more meaningful than any single review. The WirelessBrain-9 experience — walking away when the sales team strongly resisted a real-environment POC — is a useful heuristic: vendors who won't let you test in your actual environment during evaluation are telling you something.
IBM SIM end of life. Multiple organizations in this thread are actively replacing IBM Security Identity Manager specifically because development has essentially stopped. A platform with 5-10 years of minimal development and a clunky access review system does not hold up as a value-for-cost tradeoff once state regulatory requirements for access certification are incoming (the hospital system case). IBM ISIM/ITIM is a legacy migration situation more than a competitive evaluation.
Platform-Specific Observations From the Thread
SailPoint ISC (IdentityNow / Identity Security Cloud): The cloud version has meaningfully improved and reduced implementation timelines. The Possible-Change6943 comment reflects real progress: fast implementation, low maintenance, evolving workflow capabilities. The maintenance overhead critique applies more heavily to IIQ (on-prem) than to ISC. For organizations evaluating SailPoint today, the ISC vs. IIQ distinction matters significantly.
Lumos: The OP's assessment is the most detailed: strong UX, best access reviews in the modern IGA category, substantial feature development since initial release, good balance across the core IGA capabilities. Primary gap at evaluation time was core IAM features (specific requirements vary). The acquisition of Fastgen extends the roadmap. The Complete-Regular-953 comment from a current Zluri user confirms they shortlisted Lumos as the top alternative — and chose Zluri specifically because Lumos had limited integrations and workflows that were too simplistic for their use case.
ConductorOne: Good access review capability, open-source SDK approach that allows custom connector development without vendor dependency, cloud-native architecture, strong leadership. The OP found it didn't check all required boxes. The LoneSweetRider comment noted that automated access removals were limited (the TehITGuy87 clarification: it's a connector-dependent checkbox, not absent). Best fit for organizations with technical resources to build and maintain custom connectors via Docker/EKS, or for those where the cloud-native connectors cover the stack.
Zilla: Exceptional access certification reports, strong Jira integration. Access review workflows have some rigidity — you do it their way. Limited provisioning options in current form. The fratopotamus1 Fortune 500 evaluation found it feature-poor for their requirements; the FormerElk6286 evaluation found similar limitations on access review workflow flexibility. Better fit as a lower-cost option for organizations whose primary need is access certification reporting rather than full IGA.
Zluri: The Complete-Regular-953 comment represents a current production deployment at 2,500 FTE. Primary decision factors: SaaS discovery and access visibility depth, deep access review flexibility with auto-remediation, JML automation with automation rules that minimize workflow sprawl. Shortlisted against Lumos after evaluating Zilla, ConductorOne, and Veza. Chose Zluri over Lumos for integration depth and workflow flexibility. Combined SaaS management and IGA positioning was a factor.
Opal: JIT access model is well-executed, PAM-adjacent feel with broader governance capability. Strong for tech startups and engineering-heavy environments that want audit-ready access management without a full IGA deployment. Limited for multi-org or complex enterprise governance requirements.
Okta IGA: Works within a single Okta tenant for simple governance needs, but falls short quickly when requirements involve disconnected apps, complex workflows, or anything outside the Okta perimeter.
Veza: ISPM (Identity Security Posture Management) rather than full IGA — granular entitlement visibility for complex cloud infrastructure. Best as a complement to an IGA platform for organizations with complex AWS, Snowflake, or database entitlement requirements, not as a primary IGA replacement.
Clear Skye: Native ServiceNow IGA — mature beyond its chronological age because it inherits the ServiceNow platform's maturity. Strong fit if you're making ServiceNow the front door for IT. Platform lock-in is the primary risk.
Access Auditor (SCC): The FormerElk6286 bank case is the most detailed deployment account in the thread. Key selection criteria: ability to import any data format including PDFs and messy exports, FuzzyID for linking identities without clean keys, speed to deploy (access reviews running in a month), RBAC review capability, and provisioning module as an add-on. Best fit for organizations with significant disconnected systems and non-API data sources.
The Evaluation Lessons Practitioners Shared
Insist on a POC in your actual environment. The WirelessBrain-9 story of walking away from Saviynt when they resisted a real-environment POC is practical wisdom. A vendor demo in their controlled environment is an optimized showcase. A POC with your data, your messy data formats, your disconnected applications, and your access review workflow requirements reveals what the platform actually does.
Define your requirements before seeing demos. The OP's detailed evaluation was possible because they had specific requirements against which each platform was evaluated. Generic demos make everyone look good. Bring specific requirements: what data formats do your source systems produce, what does your access review workflow look like, what connectors do you need that might not be in the standard catalog.
Separate access review from provisioning in your evaluation. Several platforms in this space are stronger on access certification than on provisioning automation, or vice versa. Understanding which of the two is your primary pain point changes the evaluation weighting significantly.
The maintenance model is a feature, not just a cost. The 2 FTE SailPoint maintenance figure isn't just about budget — it's about organizational capability and risk. Who owns the platform when the person who built the workflows leaves? Who maintains the connectors when Microsoft changes an API? This is a staffing and operational resilience question as much as a cost question.
Frequently Asked Questions
Why are companies moving away from SailPoint and Saviynt?
The most common reasons are: implementation timelines measured in months to years rather than weeks, ongoing maintenance overhead that requires dedicated IAM staff (SailPoint quoted 2 FTE for care and feeding at a 4,000-person bank), and pricing that makes the platforms cost-prohibitive for mid-market organizations. For Saviynt specifically, practitioners also cite reliability concerns, a sales process that resists real-environment POCs, and pricing that exceeds budget while excluding required connectors.
What's the difference between SailPoint IIQ and SailPoint ISC?
SailPoint IIQ (IdentityIQ) is the mature on-premises platform that most large enterprise customers historically deployed. SailPoint ISC (Identity Security Cloud, formerly IdentityNow) is the cloud version that has meaningfully improved and now offers faster implementation timelines and lower maintenance overhead. The maintenance overhead critique applies more heavily to IIQ. Organizations evaluating SailPoint today should evaluate ISC specifically, as it's a different deployment and operational experience.
What modern IGA platforms are companies switching to?
The most commonly cited in practitioner evaluations are Lumos (strong UX and access reviews, growing feature set), ConductorOne (open-source SDK for custom connectors, cloud-native, strong for technical teams), Zilla (exceptional access certification reports, Jira integration), and Zluri (combined SaaS management and IGA, deep integration library, access review flexibility). For organizations with significant disconnected system data, Access Auditor from SCC is cited for its data format flexibility.
How do you evaluate IGA platforms before switching?
Insist on a POC in your actual environment rather than a vendor-controlled demo. Bring your messiest data sources and watch how each vendor handles them. Test the specific access review workflow structure your compliance requirements need — approval chains, delegation, exception handling. Verify connector coverage for your specific application stack, not the generic catalog count. Evaluate total cost of ownership including implementation, annual license, and ongoing maintenance staffing — not just the headline license comparison.