User Access Reviews for Smaller Organizations: What Works When You Can't Spend $50K

May 27, 2026
8 min read

The access management problem doesn’t scale down with headcount. A 150-person company has the same fundamental requirements as a 5,000-person enterprise: someone needs to know who has access to what, access needs to be reviewed periodically, and when someone leaves, their access needs to go with them. SOX groups need auditability. Service accounts need governance. Privileged access needs controls.

What scales down is the budget. And the gap between what the problem requires and what most smaller organizations can afford has left a significant portion of the market running access reviews in spreadsheets, handling lifecycle management via email chains, and hoping that orphaned accounts don’t show up in the wrong place at the wrong time.

The $50,000 floor that enterprise IGA implementations typically start at isn’t arbitrary — it reflects the genuine complexity of deploying systems built for organizations with dedicated IGA teams, complex on-premises environments, and the resources to sustain a year-long implementation. But that floor also means a 200-person company with real compliance requirements and real security risk is effectively priced out of the category.

Here’s what the access management problem actually looks like at smaller scale, and what a solution built for that market needs to address.

How Are Smaller Organizations Actually Handling This Today?

The honest answer: mostly not well, and usually through one of three approaches that each have significant limitations.

Spreadsheets are the most common. User lists exported from Active Directory or Entra ID, distributed to managers via email, returned with some version of “looks fine,” and filed as evidence of a review. This satisfies the minimum definition of “we conducted a review” while providing essentially no assurance that the access is actually appropriate. The list is stale when it leaves IT’s hands. The manager reviewing it has no usage context. And the remediation step — actually removing access that was flagged — is a separate manual process that may or may not happen.

Email-based workflows are the second pattern: IT identifies a compliance issue, emails the relevant manager, and waits for a response. Without a tracking mechanism, there’s no visibility into whether the issue was resolved, no audit trail of when it was flagged and when it was closed, and no enforcement if the manager doesn’t respond.

The third pattern — doing nothing — is more common than most organizations admit, particularly for access categories that are harder to manage: service accounts, admin accounts, shared credentials, and access to systems outside the primary directory.

What Do Smaller Organizations Actually Need?

A Single View of Directory Objects and Their State

Active Directory and Entra ID are where most smaller organizations’ identity data lives. A tool that pulls in users, groups, OUs, and their attributes — and surfaces policy violations against that data — is the right starting point for the market. The 15-minute setup bar matters enormously here: the reason smaller organizations end up in spreadsheets isn’t that they prefer spreadsheets, it’s that the alternative has historically required a project to configure. A policy engine that can identify missing attributes (department not set, manager not assigned), flag inactive accounts, and generate targeted access reviews from those findings addresses the cleanup problem that most AD environments carry from years of inconsistent administration.

Graduated Enforcement That Doesn’t Break Things

One of the most useful ideas for smaller organizations is batch-rate enforcement: rather than immediately disabling 1,000 accounts with missing department attributes, apply 10 remediations per day. This lets organizations clean up legacy debt without creating a sudden flood of IT tickets from users whose accounts were disabled without warning. The soft-to-hard enforcement progression — email notification first, then Teams message, then account action — gives organizations a path that balances compliance with operational continuity. An organization trying to clean up years of accumulated access issues can’t do it overnight without disruption; a tool that supports graduated remediation makes the cleanup process sustainable.

Access Reviews With Real Accountability

The specific failure mode of email-based reviews is accountability: there’s no mechanism to ensure the manager actually reviewed the access rather than ignoring the email, and no enforcement if they don’t respond. A 30-day response window with automatic account action for non-response converts a “hope the manager responds” process into a governed one. For SOX groups and other compliance-sensitive populations, the review needs to produce evidence that auditors will accept. This is where most DIY and spreadsheet approaches fall short: a manager’s email reply saying “looks good” isn’t audit evidence in the sense that SOC 2, ISO 27001, or SOX auditors require. A non-editable, timestamped record of who reviewed which accounts, what decision was made, and what action was taken to remediate flagged access — automatically generated at the close of a review cycle — is what the compliance frameworks actually require.

Separation of Duties Enforcement

SoD is consistently cited as a requirement by smaller organizations, particularly those in regulated industries, and consistently handled poorly without tooling. The logic — if a user is in this department, they should not be a member of these groups — is straightforward to define but tedious to enforce manually across an AD environment that changes continuously. A policy engine that evaluates SoD rules continuously and surfaces violations for remediation converts a periodic audit exercise into an ongoing control. For smaller organizations where one person may wear multiple hats, this is also a way to catch role conflicts that accumulate gradually rather than through any single deliberate decision.
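The policy engine, batch-rate enforcement and SoD evaluation described in the three sections above, as an added example that is not code from the original post or from any product it describes. It runs over a constructed export of directory user objects; the 90-day inactivity threshold, the sample SoD rule content and the user data are assumptions for the example, while the 10-per-day batch rate and the email / Teams / account-action progression come from the text.

```python
from datetime import date, timedelta

INACTIVE_DAYS = 90   # assumed inactivity threshold; the page does not give one
# SoD rules in the page's form: members of this department must not hold these groups.
# The rule contents are constructed for the example.
SOD_RULES = {"Finance": {"Vendor-Maintain"}}
STAGES = ["email_notification", "teams_message", "account_action"]  # soft-to-hard progression

TODAY = date(2026, 5, 27)
# Constructed sample export of directory user objects (not real data).
USERS = [
    {"sam": "alice", "department": "Finance", "manager": "carol", "enabled": True,
     "last_logon": TODAY - timedelta(days=2), "groups": {"AP-Approve", "Vendor-Maintain"}},
    {"sam": "bob", "department": "", "manager": "carol", "enabled": True,
     "last_logon": TODAY - timedelta(days=120), "groups": {"Staff"}},
    {"sam": "carol", "department": "IT", "manager": "", "enabled": True,
     "last_logon": TODAY - timedelta(days=1), "groups": {"Staff", "Domain Admins"}},
]

def evaluate(users, today=TODAY):
    """Run every policy over the export; returns (account, policy) findings in stable order."""
    findings = []
    for u in users:
        if not u["department"]:
            findings.append((u["sam"], "missing_department"))
        if not u["manager"]:
            findings.append((u["sam"], "missing_manager"))
        if u["enabled"] and (today - u["last_logon"]).days > INACTIVE_DAYS:
            findings.append((u["sam"], "inactive_account"))
        for group in sorted(u["groups"] & SOD_RULES.get(u["department"], set())):
            findings.append((u["sam"], f"sod_violation:{group}"))
    return findings

def plan_run(findings, state, batch_rate=10):
    """One daily enforcement run. `state` maps a finding to the index of the last stage
    applied to it; at most `batch_rate` findings advance one stage per run, so a backlog
    of a thousand findings is worked off gradually instead of all at once."""
    actions = []
    for key in findings:
        if len(actions) >= batch_rate:
            break
        nxt = state.get(key, -1) + 1
        if nxt == len(STAGES):
            continue   # already reached account action; nothing further to escalate
        state[key] = nxt
        actions.append((key[0], key[1], STAGES[nxt]))
    return actions
```

Calling `plan_run` once per day with the same `state` dictionary walks each finding from notification to account action while never exceeding the batch rate in a single run.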

What Is the Market Missing That Would Make This More Valuable?

Usage Context for Reviewers

The rubber-stamping problem — managers approving access they can’t meaningfully evaluate — is fundamentally a data problem. A manager looking at a list of 50 users who have access to a system has no basis for revocation decisions unless they know something about how that access is being used. Usage activity data changes this. A user who holds an expensive license and hasn’t logged in for 45 days is a meaningful revocation candidate. A user who logs in daily is not. Surfacing this context alongside the access record gives reviewers information they can act on rather than just names on a list. For smaller organizations, the cost dimension of this is particularly compelling. Unused licenses represent recoverable budget — and a tool that surfaces “you’re paying for 12 Salesforce seats but only 7 are being used” has an ROI story that’s easy to quantify.

Coverage Beyond Active Directory

AD and Entra ID cover the formally managed application estate. They don’t cover the SaaS tools that employees have adopted independently, the vendor portals with local authentication, or the AI tools connecting to company data through personal accounts. For smaller organizations, the Shadow IT problem is proportionally larger than it appears: a 200-person company may have IT managing 30 applications while employees are actively using 80 more. The 50 unmanaged applications carry the same offboarding risk and the same audit exposure as the managed ones — they’re just invisible to the tools that currently manage the managed ones. Discovery mechanisms that surface unmanaged application usage — browser-based agents, financial data integration, or even structured self-reporting workflows — expand the governance perimeter beyond what the directory alone can see.

Non-Human Identity Coverage

Service accounts are the access review gap that most smaller organizations know exists and struggle to address. They’re excluded from standard user lifecycle workflows because they don’t map to an employee record. They often have elevated privileges. And they’re rarely reviewed because there’s no obvious owner and no established review process. Including service accounts, admin accounts, and API tokens in the same governance framework as user accounts — with their own review workflows, ownership assignment, and compliance reporting — closes a gap that represents real security risk and increasingly shows up in audit requirements.
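A governed review cycle as an added example, not code from the original post or any product it describes: it ties together the earlier "Access Reviews With Real Accountability" section (30-day window, automatic action on non-response, a timestamped, non-editable evidence record) and the usage context above (a 45-day idle seat flagged for the reviewer). The hash-chained evidence log is one assumed way to make the record tamper-evident; the user names, resource and dates are constructed sample data.

```python
import hashlib, json
from datetime import date, timedelta

REVIEW_WINDOW_DAYS = 30   # the page's 30-day response window for the reviewing manager
STALE_LOGIN_DAYS = 45     # the page's "no login for 45 days" revocation signal
ACTION = {"approve": "keep", "revoke": "remove_access", "auto_revoke_no_response": "remove_access"}

OPENED = date(2026, 5, 1)   # constructed sample below (users, resource, dates), not real data
ENTITLEMENTS = [
    {"user": "alice", "resource": "Salesforce", "last_login": OPENED - timedelta(days=2)},
    {"user": "bob", "resource": "Salesforce", "last_login": OPENED - timedelta(days=60)},
]

def open_review(entitlements, opened):
    """Build review items carrying the usage context a reviewer needs to decide."""
    return [{**e, "idle_days": (opened - e["last_login"]).days, "decision": None,
             "stale": (opened - e["last_login"]).days > STALE_LOGIN_DAYS,
             "due": opened + timedelta(days=REVIEW_WINDOW_DAYS)} for e in entitlements]

def close_review(items, decisions, today):
    """Apply manager decisions; silence past the due date becomes an automatic revoke."""
    for it in items:
        it["decision"] = decisions.get((it["user"], it["resource"]))
        if it["decision"] is None and today > it["due"]:
            it["decision"] = "auto_revoke_no_response"
    return [it for it in items if it["decision"]]   # undecided items stay open in the window

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def evidence_record(items, reviewer, closed):
    """Timestamped, hash-chained record; each entry commits to the previous hash, so later edits show."""
    prev, out = "0" * 64, []
    for it in items:
        body = {"user": it["user"], "resource": it["resource"], "idle_days": it["idle_days"],
                "reviewer": reviewer, "decision": it["decision"], "action": ACTION[it["decision"]],
                "closed": closed.isoformat(), "prev": prev}
        prev = _digest(body)
        out.append({**body, "hash": prev})
    return out

def verify_evidence(records):  # False if any record was altered, removed or reordered
    prev = "0" * 64
    for r in records:
        body = {k: v for k, v in r.items() if k != "hash"}
        if body["prev"] != prev or _digest(body) != r["hash"]:
            return False
        prev = r["hash"]
    return True
```

Re-running `verify_evidence` over the stored records is the check an auditor (or the tool itself) can perform to confirm the review outcome was not edited after the cycle closed.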

The Product Opportunity

The market for governance tooling that smaller organizations can actually afford and implement is real and underserved. The enterprise platforms serve large organizations well and serve small organizations not at all — not because small organizations don’t have the requirements, but because the pricing and implementation complexity of enterprise tools assumes a customer profile that 200-person companies don’t fit.

A tool that handles AD and Entra ID with a 15-minute setup, graduated policy enforcement, governed access reviews, and audit-ready evidence generation covers the majority of what most smaller organizations need. The upgrade path — usage insights, shadow discovery, NHI governance — represents the features that would make it competitive upmarket without losing the accessibility that makes it valuable to the core market.

The “WinZip of IT” framing is apt: a tool that does one important thing well, that every organization can have, that scales from free for small environments to supported for larger ones. The access management problem is universal. The solution hasn’t been.