By Vladislav Shapiro, IGA Expert, Costidity Inc.
My 2024 Market Guide analysis is the first edition without Henrique Teixeira, who decided to move on to greener vendor pastures while also now making shoes! This year’s guide became almost twice as long as the previous one (36 minute read vs 19 minutes, and double the number of pages). However, you’ll see a different tone in the guide: the grumpy old Identity traveler (see my 2023 analysis) was substituted with a realist practitioner.
Just look at the Key Findings:
- More concise: 3 findings instead of 4
- No “one advice fits all”: “There is no one best-practice … IGA initiative and corresponding feature set”
- A need for seeing the whole picture: the word “analytics” is out (2 in 2023, 0 in 2024) while words like “visibility” (three times) and intelligence (once) are in
- Often one IGA solution is not enough: “Native features in IGA tools …. are still insufficient… leading … to implement supplemental tooling.”
- Extra attention to product newcomers: the word “vendor” is gone (twice in 2023), while “substantial innovation… robust startup activity” is in.
Summary: Gartner analysts spent more time with mature customers and implementation partners, and decided to give their intelligent views more visibility, which is a substantial shift for the guide.
As a mathematician with heart, I pay attention to numbers and words. This guide has number 4 all over it. The fourth edition of Gartner’s market guide has four authors, released in 2024 on 08/26 (8+2+6=16=4×4), and 20 listed vendors (4×5). Along with that, some key word usage throughout the guide outside of the typical “Identity”, IGA”, “security”, “access”, “data”, “feature”, “business”, include:
- “Visibility” – 30 times
- “Risk” – 25 times
- “SaaS” – 25 times
- “Analytics” – 24 times
- “Intelligence” – 19 times
- “Value” – 14 times
- “Innovation” – 6 times
- “Substantial” – 6 times
Based just on the frequency of those words, one can see the direction Gartner is proposing:
- For customers: to have a successful IGA program, your enterprise should be able to see, measure, analyze and evaluate identity and access data.
- For vendors: to be substantially innovative and have a real SaaS IGA offering.
The 2024 edition has an interesting innovation in the vendor’s list: out of “at least 55 vendors in IGA market”, “20 vendors listed… verified that they offer a SaaS version … and sell in multiple regions”. As a result, many familiar to public vendors are not on the list, including Microsoft and SAP. It’s very interesting that Delinea is the only PAM-centric vendor left from last year’s list, with other players like Broadcom and CyberArk missing. To get the hidden message from Gartner, please pay attention to “verified … SaaS version” in combination with “innovation” and “visibility”. Vendors, take notes.
One of the biggest additions to the guide is the introduction of the VIA model (visibility, intelligence, actions) as a part of the Market Analysis. This model will be a huge help for IGA/IAM practitioners who, for years, have been screaming about a lack of visibility across the industry about actual reasons why a person has assigned entitlements/roles and how it’s used by an individual. The same goes for non-human identities, as one cannot build a successful program being “visually impaired”. As the VIA model states, “Intelligence quality depends on visibility” and “action quality depends on intelligence”.
General observations:
- The Market Guides “Key Findings” has an interesting relationship with “visibility”, as its mentioned more and more with each new finding:
- The first “finding” is about “there is no ONE best-practice for an IGA initiative”, so no visibility
- The second one talks about “enabling visibility” (used 1 times)
- The third one talks about “comprehensive visibility” and “integration and visibility” (2 times)
Combining this with the VIA model, it creates a powerful message that the visibility of the real situation at your organization is key for a successful IGA program.
The most intriguing feature is “support for shared signals”, which includes “continuous access evaluation protocol (CAEP)”, one more unpronounceable acronym for non-native English speakers like me. Then, possibly, bearing in mind people like me, Gartner’s authors decided to become English teachers and explain that “sharing” means “ability to send, receive and respond” signals. Thank you for not going further and explaining the meaning of the verbs above!
Continuing the 2023 tradition, market description contains a forecast, but this time in percent only (13.9%) and for “1Q24”. No more $31.99 billion from a year ago. Since the Market guide was written in August 2024, Gartner is seemingly forecasting the past.
It looks like Gartner analysts read my 2023 analysis and decided to bring acronyms back to Figure 1, but only in one place: “Access policy mgmt..”. To my surprise, PBAC did not make “incl. RBAC, ABAC, SOD). Is it a hidden message to PlainID leadership or did they just run out of room?
The 2024 market directions are, let say, multi-directional. Although drivers are clearly defined ( “shift to SaaS”, “influence of security and business enablement”, “visibility” (again!), “intelligence”, “improved speed/ease of integration”), what will happen next is not. For example, when it comes to SaaS, “some sectors are seeing increased uptake of SaaS migration”, but “self-hosted options will remain in some sectors and regions”. Also, “business drivers are highly variable”, “we don’t anticipate that AI-enabled IGA will become a mandatory feature”, “it is difficult to rapidly and easily integrate target systems with IGA solutions”. At the same time, Gartner is giving one strong prediction: “additional evolution of available IGA technologies from light IGA to full-features IGA in the coming year”. Just combine this statement with the fact that only companies with full-featured IGA solutions are on the list of representative vendors, and you understand why this prediction is solid. An interesting observation is that there is no mentioning of service providers in this section. Instead, the last sentence is about “use of AI-enabled software engineering methods to accelerate target system integration with IGA solutions”. Something tells me that implementation providers should be ready to respond to the “are you using AI?” question in RFP in the nearest future. Just a warning, not a prediction.
This year’s Market Analysis has a lot to say about identity-first security approach:
- Definition of identity-first security goal: “to shift from a point-in-time configuration to real-time, dynamic enablement, which will include account provisioning and policy orchestration, with the right entitlement and attributes determined dynamically”. This statement needs a separate discussion, but “dynamic” is definitely the most important word defining the direction of the trend.
- “SMR leaders should adopt identity-first security approach to their IAM program positioning their organizations as proactive instead of reactive”
- “Identity-first security requires centralized policies to be extended to decentralized assets”
My conclusion: Gartner analysts realized that identity-first security principles need explanation for both IAM and IT security specialists. Use this guide in a conversation about getting funds from IT Security budget towards IAM for achieving implementation of identity-first security.
There is also a message to the potential customers: “IAM leaders should weigh in the value of adding an IGA integration and visibility solution relative to the acquisition cost”. Here is the hidden message: if you do not have an ROI report on a proposed solution, then chances of getting a budget are very slim.
One more theme of analysis is “machine identity management”. The main statement is about “implementing IGA-based machine identity management capabilities as a part of an identity fabric that includes required PAM and credentials/secrets management components”. I comprehend this as a strong Gartner analyst’s request to treat machine identities with the same attention as human ones.
Now let’s talk about the vendor list. This is the first year using a short list: “Gartner estimates 55 vendors in the IGA market overall. 20 vendors listed offer a SaaS version and sell in multiple regions”. The big news is not who is in the list, but who is not: Microsoft. You can make the conclusions by yourself why.
I am not planning to analyze each of the 20 vendors, rather, provide their unique messages straight from the vendor profile. Note that unique message does not represent solution features or rating, just something essential about the vendor itself:
| Vendor | Unique Message |
| Atos | Atos launched Eviden as a subsidiary company. Evidian the brand for Eviden’s IAM offering, which include IGA, AM, directory services and ESSO |
| Delinea | Delinea has strong brand awareness, specifically in PAM space |
| EmpowerID | EmpowerID operates as a container and microservices-based solution |
| Fischer International Identity | Fischer… workflow studio, a low-code, no-code solution |
| IBM | Its product integrates with IBM ecosystem and other ERP systems |
| Imprivata | Has a strong sales and marketing focus on the healthcare industry |
| ManageEngine | ManageEngine offers IT management products across domain such as IAM |
| Netwrix | Netwrix Usercube offers a SaaS IGA. The software-delivered version of Netwrix’s IGA solution … is less commonly deployed |
| Omada | Omada has two full-featured IGA products with the same codebase |
| One Identity | One Identity Manager product covers the full IGA suite, PAM and access management (AM) capabilities |
| OpenIAM | OpenIAM focuses on a developer-centric solution, an open-source IGA platform that’s free to download |
| OpenText | The following OpenText IGA features are only supported via extensions and customizations, which are CIEM integration, integration with EAM, and support of shared signals |
| Oracle | In addition to IGA products, it also offers a range of cloud business applications, strategic cloud platform services and a cloud database management system |
| Ping Identity | Ping Identity platform includes Ping Identity Governance, PingIDM (for life cycle management), PingFederate (for federated SSO) and PingAuthorize (for policy-based access control) |
| RSA Security | RSA offers its Unified Identity Platform which includes IGA, Governance & Lifecycle, Risk AI, Mobile Lock, Authenticator App and multiple hardware authenticator options. |
| SailPoint | SailPoint offers two versions of IGA suites: IdentityIQ (on-premises) and Identity Security Cloud (built on top of Atlas SaaS platform) |
| Saviynt | Saviynt Identity Cloud is a SaaS solution that can be delivered as a virtual appliance, third-party managed service provider (MSP) or customer cloud infrastructure |
| Soffid | Soffid IAM provides a converged IAM platform that brings AM, SSO, IGA, IRC and PAM as an augmented solution |
| Tuebora | Tuebora offers an IGA solution that seeks to apply machine learning to streamline access administration automation. |
| Zilla Security | Zilla Security provides a suite of three security and compliance-focused IGA solutions. |
Just like last year, I’m continuing the tradition of using the Most Valuable Quotes of the Guide (MVQs). You can vote for MVQ via LinkedIn by connecting with me and messaging your favorite number. Here are the nominees:
- “There is no one best-practice identity governance and administration (IGA) initiative”
- “Support for shared signals, including ability to send shared signals and receive and respond to shared signals”
- “Requirements to add local language models (LLMs), for GenAI specifically, to keep sensitive client access configuration data out of public LLMs”
Gartner provides 3 market recommendations for SRM leaders. This time recommendations are very similar to the first page recommendations, with a couple of clear messages for IAM/IGA leaders:
- IGA program will have success only if it corresponds to an “organization’s required outcomes”
- Spending on IGA is an investment of your enterprise, so “accelerate the realization of business value from IGA investments”
- Follow VIA model and concentrate on visibility
In conclusion on recommendations: it does not matter if you read the first two pages or last two pages – you will see recommendations in both cases.
For the first time, the Market Guide ends with two notes: potential top-value access intelligence use cases and IGA requirements for Machine identities. My guess, Gartner analysts responded to reader’s demands to explain both.
I would love to hear your opinion about the guide and my observations.