My Analysis of 2023 Gartner Market Guide for Identity Governance and Administration

By Vladislav Shapiro, IGA Expert, Costidity Inc.

The third times a charm, or at least that’s what Gartner was thinking when putting together this Market Guide. It looks like 2023 is on a slower pace compared to 2022 in terms of acquisitions as the biggest deal to date is CISCO buying Oort, while Thoma Bravo is sitting on the sidelines figuring out who is the next target. At the same time, there was a hurricane of conferences; all major identity events (Gartner IAM Summit in US and London, Kuppinger Cole and Identiverse) took place within 75 days between March 20th and June 3rd

Since I’m a fan of tradition (Tradition!) we’re continuing to use travel analogies in my analysis of the market guide. As 2021 was an identity traveler’s book, 2022 showed us a travel map of identity, and now 2023 sounds like a review of someone who just came back from their identity travels in a very grumpy mood as all key findings were negative. I don’t think any IGA-related reports (MQ or Market Guide) have previously contained the words “confusion”, “difficult to determine”, “not” (twice!), “inflexible” and “slow” right on the first page. In my opinion, it’s a warning, especially for vendors, that they’re not going into Gartner-suggested directions: change the course or else…. Remember that Gartner is still consulting your potential/existing clients and created this list of “representative vendors”. 

As a mathematician with heart, I pay attention to numbers and feelings. This years’ guide does not contain details on vendors or their products, so one needs to read the in-between-the-line messages and apply them to what we know about the vendors to see the real story. My analysis will help with that.

This year, there are more listed vendors (39 vs. 31 last year, which is more than double from the first guide which was 19), using the same number of authors (5), along with key findings and recommendations (4) as last year’s edition. The big difference is the tone of the findings, which is very concerning.  

The 39 showcase vendors are listed in alphabetical order with no exceptions. The list of newcomers includes Alcor Solutions, CyberArk, FastPath, Fischer International Identity, Netwrix, OpenIAM, Radiant Logic, Tools4ever and Zoho. Two vendors were dropped (Ilantus and Iteris) and three vendors have changed names for different reasons (Hitachi -> Bravura, Microfocus -> OpenText, Paraview -> Shanghai Paraview).  There is one alphabetical order change: E-Trust was listed last year as EmpowerID, which they switched places in 2023. It looks like someone at Gartner decided to ignore the dash in E-Trust, and treated it as “Etrust”, which contradicts the holy NISO ( guidance that – “3.2 The hyphen, dash (of any length), or slash is to be treated as a space” and, according to section 3.0 “order of characters”, spaces go before letters. So, based on NISO, the 2022 order is the correct one. Gartner should trust the vendor’s name, which is very trustworthy, especially with the dash, and restore the NISO order of things. Sorry, Patrick Parker, nothing personal; we know that your solution really empowers! 

General observations:

  • This year, Gartner should change their “Key Finding” into “Key Cautions”, a blast from the past from MQ times. “Confusion” (the first word of the section!) about light IGA functionality, not supporting “continuous and context-aware controls”, machine identity inadequate handling (“tools have not kept up with demand”) are all directed at vendors who didn’t get the hint from the 2022 report. Only one “finding” is pointing to a client’s typical shortcoming: “analytics adoption… is slow and mostly based on descriptive (reporting) and some risk scoring”. There is no “strength” key finding in the report at all, which shows me the frustration by the authors towards both vendors and clients. My advice to all, especially vendors: pay attention to these findings, show some love to Gartner, and react to criticism by showing improvements in 2024. Otherwise, Gartner will go to the next step by adding names to the deficiencies and issues, and you do not want that! One more kudos to the authors: no more “legal language” in findings (see my 2022 analysis for the examples) – all should be clear and understandable, even for a non-native speaker like me.   
  • The recommendations section starts with the following sentence about who it’s addressed to: “For security and risk management (SRM) leaders responsible for identity and access management (IAM)”. Henrique, thank you for reading my analysis last year and deciphering acronyms! Now the new mystery: if you compare this years’ statement with 2022’s first statement (“For SRM leaders responsible for IAM and fraud”), you will see that “fraud” is gone. I am not sure what kind of underlying message that is: either the SRM’s responsible for IAM are not in charge of fraud anymore, or whoever is still taking care of fraud should not read the recommendations. For non-fraud fighting crows, each recommendation is specifically addressing the “key cautions” (i.e. findings) to check if “light IGA solution” is not too light and “provide sufficient depth of functionality to remediate “confusion” (key finding 1), find solutions “with identity-first security principles to remediate lack of “continuous and context aware controls” (key finding 2), implement “AI/ML analytics capabilities” to fix “descriptive reporting” (key finding 3) and add “lifecycle management of machine identities” (key finding 4). This structure supports my idea of renaming “Key Findings” into “Key Cautions” for 2024 and confirms that Gartner is very serious this time: not fixing cautions means not following recommendations. That’s great news for IGA practitioners when it comes to building an IGA program and choosing an IGA solution: a clear list of what to look for and how to mitigate. This looks like another read-between-the-line message.
  • The market guide authors continue stressing their points about the importance of analytics and machine identity data by making two corresponding strategic planning assumptions for 2026: “analytics functionally in IGA tools will advance” and “IGA … will include capabilities to… support machine identity data … in their capabilities”.  I hope that SRM leaders have the ability to discover IGA product capabilities which can match machine capabilities in their full capacities. In addition, Gartner provides a very important financial incentive prediction: adding “AI/ML-based IGA analytics” will see “governance costs 50% lower”. If you are thinking of adding this to an IGA presentation for C-level execs or board, be careful and investigate what your current governance cost structure looks like. If you spend most of the money on tools and services outside of your organization, you are fine. Otherwise, you know what is coming in 2026.
  • The Market Definition was updated this year and it’s very interesting. In 2022, it was stated as “provides administrative control… across multiple systems for multiple user types”. However, in 2023, it’s an “enterprise solution to manage… across on-premises and cloud…”.  I think it’s a good change, especially for someone who needs to convince management to buy an IGA product, and “provide control” sounds vaguer than “solution”. As we continue the theme of machine identity, Gartner stresses that “to accomplish this, we need to enhance control over human and machine access”.  Another change from last year is that IGA tools don’t “orchestrate”, they aggregate and correlate. This led analysts to dropping “ensures appropriate access to resource”, which is logical due to removing “orchestration”. To me, it’s a clear message to vendors: spend more effort on analyzing features.
  • In 2023, Gartner decided to categorize capabilities into three groups (compared to two last year): must-have, standard and optional.  The underlying message for vendors is: an IGA solution must provide identity lifecycle management, access request processing and basic analytics and reporting. If you are missing one of them, either add it to the product or do not call it IGA. Clear and simple.  
  • Unlike previous editions, 2023’s market description starts with the size forecast that indicates it doubling over the next 4 years (estimated $31.99 billion market in 2027). Why not just round up the estimate instead of the number looking like a price tag? Well, Gartner is always selling, and between VCs, entrepreneurs and potential start-ups, there will be plenty of money available, so go for it. Analysts even hinted where you should put your money and efforts with “the need for governance of a growing number of IaaS and cloud-based applications… requires more types of workloads”.
  • This year, the focus of Figure 1 changed from explaining what is within the complete IGA suite to layered tasks/modules grouped vertically (module type by administration) and horizontally (by functionality), which looks much closer to what vendors usually draw on their marketing/white paper materials. One big difference from 2022 is most of the blocks have business-like names, which tells more about what this module should do versus how to do it. No more techie acronyms, like PAM, MFA, SCIM, JIT, CIEM, etc. An “analytics and reporting” block in 2022 evolved to 4 analytics blocks this year: Descriptive, Diagnostic, Predictive and Prescriptive. There isn’t a “reporting” module. The message here is the same as in key findings: analytics are critical and sellable, especially for mature clientele.

In 2023, the market direction section is multi-directional. The “on-premises solutions being shunned in favor of SaaS solutions” is followed closely by a “significant number of customers … still favor on-premises solutions”. There “are more ways to consume IGA today…”, “functionality enabled as needed… at the same time…acquisition seeking to add functionality is missing”. These are examples of a lack of general trend followed by everyone. This is a reality and Gartner clearly does not provide a one size fits all solution, but rather pointing to a more customized approach. As a result, vendors and customers are becoming an important piece of the puzzle: “Geography… can be an important consideration for the selection of an IGA vendor … even when solution is SaaS-based”.

The last sentence of the market direction is very significant and should be put on the front page of every IGA professional services presentation: “Access to local professional service providers that have technical knowledge and experience… is a key consideration for selecting an IGA vendor”. Thank you, Gartner, and all the hard-working consultants for pointing this out, even in the era of remote work, being local to customers has a huge advantage from the human factor standpoint. It is much easier to build relationships with local folks than remote personnel, and due to the fact that “organizations continue to struggle with the complexity of their ecosystems”, being physically nearby is psychologically advantageous compared to being a face on a screen. So, if you are in the process of choosing an IGA vendor, check if there is a local partner who knows what to do and will be your guide in this complex world of IGA.

The Market Analysis section is traditionally the most informational part of the Market Guide. Here, analysts provide their vision of the current state of IGA and trends. In 2023, this chapter has more than 5 pages and the following subsections with direct relations to key findings:

  • Light IGA Versus IGA Suites (almost two full pages) – Key Finding #1: “Confusion”
  • What Good Looks Like: Identity-First Security (smallest section, less than one page) – Key Finding #2: “not supporting continuous and text-aware control”
  • Improving AI/ML-Based Analytics (almost two full pages) – Key Finding #3: “slow analytics adoption”
  • Improving Machine Identity Management Capabilities (One and a half pages) – Key Finding #4: “not kept with demands on machines identity management”

Note that the shortest subsection is “what good looks like”, which supports my comparison of this year’s Guide with a TripAdvisor’s 1-star travel review describing their journey around the IGA world.  Gartner analysts allowed themselves to write a very straightforward cautionary tale of the IGA state of affairs directed at both vendors and clients. 

Continuing our tradition from my 2020 analysis, we’ll use a table with 2023 quotes and their subsequent hidden messages in Market Analysis for vendors:

Quote Translated message to vendors
Organizations asking how quickly light IGA can make their solutions be considered full IGA suite. Client question: “Can I deploy a light IGA solution and grow with the vendor as the solution is evolving into a suite?” Customers treat light IGA as an ever-expanding real estate construction project: buying a one-bedroom starter house in hopes that one day, it will look like your neighbor’s mansion, at least from the outside. So, when you plan your starter product, you must have space for easy and fast add-ons.  Remember: clients expect you either to be full suite or be purchased by others to complete their full suite. Otherwise, it is a hard sell
Many light solutions still lag in breadth of capabilities in SOD analysis, role engineering and extensive provisioning libraries Light or no light, you better have all of them either available or on the to-do list.
Continuous event-based and/or risk-based approaches to reevaluate access… manage access risk in real time If you claim that you are a leader in UAR (user access review), make sure that you can do it in real time based on risk and events. At the very least, convince the prospect/current customers that you have it on your development roadmap.
These advanced analytics capabilities often include remediation of over privileging situations… recommendations for additional access Are you writing this down? These two are a must if you want to play AI/ML game: learn to be intelligent.
Build private generative AI models on top of a public large language model (LLM) You are welcome Mr. IGA advisory consultant who can comprehend this sentence! This is your deliverable for the next SOW. Be ready for such requests soon. Warning on timing: read the “Quotes of the Guide” list carefully.

This year, there are much more quotes geared towards customers and clients:

Quote Translated message to customers
Larger organizations are searching for solutions that are easier to deploy and manage We understand that “large” is always in the eye of the beholder so… do not buy products because they are cheap or called “light”. Check the real deployment time and how difficult it is to manage them
SRM leaders should clearly specify IGA requirements before acquiring an IGA tool How many years in a row must we repeat this? A use case should always be a part of the requirements. Start with them.
Looking at the completeness of IGA Solution capabilities … the depth of these capabilities Starting to solve current IGA issues is good, but how deep can we go with the proposed product? Can we resolve the issue and put in some prevention controls?
“Light IGA is not very suitable for the following” Stay away from light IGA products if your organization hits one or more from the list
IAM professionals have formed a view that identity is the core foundation of cybersecurity posture. SRM leaders should adopt identity-first security approaches… as proactive instead of reactive You are welcome, Mr. Customer IAM leader! Here is your ROI on the Gartner subscription. Put this in your presentation for C-suite folks and ask for more Identity money allocated to cybersecurity. It clearly said “Identity-first security”, so Identity should get the money first! 
IAM leaders must combine centralized IAM controls… with decentralized and context-sensitive enforcement You are welcome again, Mr. Customer IAM leader! This is yet another reason for more money to come to your side of the business. When your C-boss responds with “we’ve already given you money to build a centralized IGA”, you can use this quote and say “so, as Gartner said, we need to enforce it even in a decentralized manner, and our business needs to provide us the context. Otherwise, we are not following the best practices, according to Gartner!”
SRM leaders should evaluate all potentially high-valued use cases for IGA analytics… and include those … in their IGA solution selection We know that these use cases are standard for organizations, so use them! We use business-like language which shouldn’t much of an explanation for business leaders.
Implementation of IGA technology remains slower than expected, with a number of factors contributing to this “drag” including lack of sufficient data quality to enable AI/ML Another present from Gartner; if anyone asks why IGA doesn’t use AI/ML, you can just use this quote and complain about data quality. You will never go wrong with this argument. The last two of the “drag” reasons include required lawyers and compliance/audit people involved. 

This year, I’m introducing a new category in my analysis called the Most Valuable Quotes of the Guide (MVQs). You can vote for MVQ’s via LinkedIn by connecting with me and messaging the number of this year’s nominees:

  1. . “Ask not if the IGA solution feels “complete” or “light” for you, ask how “complete” or “light” the IGA solution looks for your customers.”
  2. Gartner predicts that the application of generative AI to IGA use cases will deliver additional value in the future, though neither the timeline nor the additional value for IGA specifically is clear yet.
  3. For machines, ownership means the “responsible human”, not the actor who should be using the identity/account.

Lastly, the 4 market recommendations for SRM leaders. These recommendations are very similar to the first page’s recommendations, but with more details:

  • Added note to “light IGA” discussion that “it is rare that those opting for IGA suites fully implement all of their capabilities”. My reading of the in-between-the-line message: do not be afraid of light IGA, most companies implement light version of IGA suite anyway.
  • Added into the “identity-first” 1st sentence is “complement the rest of your identity fabric” followed by “enable decisions throughout the user journey, focus … on a consistent user experience”. 

At the same time, the third recommendation is about “business value from your IGA investments” which somehow lost all “AI/ML-based” words before analytics. Most likely, the authors realized that the reader is tired, and they should limit acronyms to just IGA (10 times across all four vs. only 5 times in the first page recommendation section)

In conclusion on recommendations: it does not matter if you are a person who just reads the first two pages or last two pages – you will see recommendations in both cases.

I would love to hear your opinion about the guide and my observations.

My Analysis of the 2022 Market Guide for Identity Governance and Administration

This is the second edition of the Market Guide for Identity Governance and Administration, circa 2022, the year of the comebacks. Thoma Bravo is back on a shopping spree, Tom Brady is back with the Buccaneers, conferences are mostly back to an in-person format (with the ever-present online option sticking around), while the bravest among us attended them despite an unpleasant comeback, a spike of COVID-19. Hail to the strong-willed, adventurous vaccinated folks!

In last year’s analysis, I compared the market guide with a traveler’s book. This year, that comparison wouldn’t work since the vendor details were omitted. So, the better analogy would be a traveler’s map as all the landmarks are there, but with non-descript locations. An odd thing I noticed was that every non-North American HQ is represented in cities like Shanghai, Sao Paulo and Melbourne while the North American ones are states or provinces like California, Texas, and Ontario. Perhaps Copenhagen is easier to spell than Cupertino?

Anyway, as a mathematician with heart, I pay attention to numbers and feelings. We know that the guide is missing those vendor details, so will Gartner write in-between the line messages directed at specific vendors, or will those wise thoughts only be for customers? Let’s investigate.

This year there are more authors (5 vs. 3), more listed vendors (31 vs. 19), more key findings (4 vs. 3), and more recommendations (4 vs. 3) using fewer pages (15 vs. 19) than last year’s edition.

The 31 showcase vendors are listed in alphabetical order with no exceptions, whereas last year there was a disturbance of alphabetical peace (see my 2020 report on that) and was excluded from the sample list, which immediately resulted in changing the Web front-page to Italian ( I believe this is related to the subpar performance of Firenze in Serie A but I’m not certain, we need to ask Henrique.

General observations:

  • Gartner did a great job on refreshing key findings as instead of focusing on famous corporate Bingo words such as “cloud” and “zero trust”, the authors found a new approach: discovering challenges. They hit on topics such as Asset Management, Operations Problems and Machine Identities, but it’s interesting that one of their key findings contains actual recommendations on how to deal with challenges, which before you’d only find in the recommendations section. They say to “look beyond technical capabilities and evaluate how, and how easily, they can be deployed, integrated and operated”. What is the message between the lines here? My take is that it’s all about the human factor. Each key finding is directed towards the specific needs of the specific group of individuals, like SRM and IGA managers, and giving them talking points for promoting their agenda within the organization (“It’s not me talking – it’s GARTNER!”). There is also a message to vendors: here are the real issues, please address them in the products. My question for Gartner is: did you consult with your lawyers before writing “underpinning identity fabric in which insights from identity and access management (IAM) tools are shared reciprocally with insights from adjacent tools”?  I understand that Halloween recently passed, but this is too spooky for even someone whose native tongue isn’t English. 
  • As in 2020, the recommendations section starts with a shorter version of the same revealing sentence about who it’s addressed to: “SRM leaders responsible for IAM and fraud detection”.  However, unlike in 2020, there’s no decoding of both acronyms. The message to the readers is if you don’t know what this is by now, stop reading. This edition’s recommendations are definitely deeper and more multifaceted than in 2020. Instead of just “simplify the selection of

IGA vendors” and “ensure you have a long-term strategy “(2020), the authors recommend to “Evaluate not just traditional capabilities, but also meet upcoming cloud-related needs, security coverage, and support AI and ML” (2022). Instead of suggesting to “target a SaaS or cloud-based deployment first” (2020), the analysts proposed a different strategy that it’s “important to examine SaaS and platform solutions, estimates, and cost of using professional services or managed service.” (2022). In addition, there are two new recommendations: “Treat machine identities as distinct identity types that must be managed and governed similarly to human identities” and “Identify key use cases early in any review process”. What is the underlying message behind all of that? To me, it is a request for shifting from an architectural-project approach to a more practical business/financial one with a much wider view. Gartner hopes that users and vendors will follow these recommendations.

  • The same shift is visible in changes related to strategic planning. In 2020 it was very architectural with “SaaS-delivered, converged IAM platforms like IGA, AM, PAM”, but in 2022 it’s about “using IGA analytics and insights as part of a wider identity fabric to reduce security risks across IAM estate”, which is clearly more of a business-like approach that appeals to a larger crowd than just IGA. Since strategic planning is addressed to business leaders, who understand and appreciate “security risk reduction”, this shift should help you to get better funding. Again, I did not say it, Gartner did.
  • The market direction and market analysis sections showed us why Gartner decided to forego vendor details as it gives the reader’s a different perspective and hints which can be easily interpolated on a particular software maker. You just need to find the golden nuggets hidden in their messaging, and that’s exactly what we’ll do. 

Let’s get deeper into the market direction, or at least the Gartner analysts’ opinion of where we’re going. In 2020, we were going to expand on the “unaddressed market segment for large to global enterprises in emerging geographical markets”, and evaluate “IGA technology rapidly being adopted by midsize organizations with less demanding requirements”. In 2022, the direction changed as it started by getting “cloudy” for two paragraphs which then led to RPAs with a “significant number of machine identities …to the extent that nonhuman identities now outnumber humans” and the emergence of “identity fabric” which was mentioned 9 (!) times in the report overall. As a comparison, “identity governance” appeared 7 times.

Hint to vendors: you better start including “identity fabric” in your marketing materials as a new checkbox is coming into your RFI and RFPs! Especially since there is no official definition of what it is. KuppingerCole version is that it “stands for a paradigm of a comprehensive set of Identity Services, delivering the capabilities required for providing seamless and controlled access for everyone to every service”, while the Security Boulevard version is a “distributed, multi-cloud identity management framework integral to Identity Orchestration software”. Wikipedia has no idea as the page “Identity Fabric” does not exist as of October, 1st 2022, but Wikitia has a version that states an “architecture design approach that serves as a foundation for defining or continually updating enterprise architectures for Identity and Access Management (IAM).”

If you Google it, the “People also ask” section has the following answer:

An Identity Fabric is an abstraction layer in a distributed identity management framework provided by Strata’s Maverics Platform

Bravo, Strata! Your money was not wasted on Google advertisements. Someone deserves a promotion!

The Authors dedicated 4 (!) paragraphs to vendor directions as “vendors are responding”, “vendors have relatively stable offerings”, “vendors have SaaS deployment options”, and “vendors are striving to improve.. support for nonhuman identities”. All of these research insights are hidden demands aimed at product management teams across the esteemed IGA space. Another hint for vendors: potential customers will read the market guide too! Look for more checkboxes! 

Continuing our tradition from my 2020 analysis, we’ll use a table with 2022 quotes and their subsequent hidden messages:

Quote Message to vendors
IGA vendors are providing solutions to consolidate tools and .. for an identity fabric, but not necessarily at the same time. Do it in the same product, under the same set of licenses, please!
Most of the complete IGA suite vendors will meet most of their (customers) use-case requirements If you cannot meet use cases, you are either not a complete IGA suite or you fall into the category of “not most IGA suite vendors”. Fix it!
All the main IGA suite vendors have SaaS deployment options, which are increasingly recommended by them in preference to their software-based solutions, even for large, complex organizations. Three things to note: If you want to call yourself a “main” IGA suite, offering SaaS options is a must. Push SaaS good, push it “real good”! Do not limit SaaS proposals to SMBs.
Proliferation of new IGA applications based on the popular ServiceNow platform. How is your proliferation going? Better hurry up, or we’ll call ClearSkye!
Existing vendors offering light IGA capabilities as part of a platform will continue to enhance their capabilities to get closer to those of a suite. Two-directional message: do not be satisfied with the status-quo (for light IGA) and do not sleep on light IGA (for complete IGA), who knows….
Suites typically offer much stronger management of contract workers, third-party access, deeper connectors, and flexible workflow with policy-based access controls. Are you covering all of that, Mr. Suite IGA vendor? Look carefully at the order: contract and third party come first on the list and are very specific requirements. The rest are more general. SecZetta, anyone?

The next three paragraphs are for leaders, SRM and IAM. Interestingly the authors assume that leaders have more time to read, so the title “Gartner’s Buyer’s Guide for Identity Governance and Administration” is directed to them. It’s probably because IAM leaders are too busy with “assessing the capabilities and deployment and management implications of available solutions against the needs of their organization both now and for the lifetime of an IGA tool” for “five to eight years”. I’m not sure if these overwhelmed people can foresee needs for 5-8 years ahead, or prepare the next generation of IAM leaders to replace the solution in 5-8 years, perhaps both. Meanwhile both types of leaders should remember that “platform-based tools have technical deficiencies, they have attractions in terms of cost, ease of deployment and ongoing management of fewer solutions … reduces the overall IT overhead within an organization.” Here is my reading between the lines: choose your list of “must haves” and look at a platform-based solution. Maybe you do not need all these extra technical capabilities?

Now let’s talk about Market Analysis. As done previously, I’ll extract some interesting quotes and decode their messages.

Quote Message
Robust governance and transparency of consumption are required across a range of cloud service providers Choose your service providers based on transparency and governance, not price or marketing slides!
IGA tools have to support this move by using proprietary connectors and converging on standards-based connectors To vendors: do more with standards-based connectors for cloud applications To users: always prefer using standards-based connectors and avoid customization as much as you can!
SaaS IGA offerings: dig below any marketing in order to assess their true cloud credentials and ability to manage other cloud-based assets Evaluate SaaS IGA only based on use cases, which should include scenarios involving managing cloud assets and credentials. No Marketing people in the room allowed during POC.
The ability to participate fully in an identity fabric will act as a value multiplier, compared with insular IGA offerings that fail to play a full part. Be ready for a new checkbox for “Identity Fabric” to your RFI/RFP. It will multiply your value, unlike isolated IGA. More instructions to follow in 2023.
We expect IGA functions to be more composable as part of a cybersecurity mesh by 2025. Analysts call for a joint venture between IGA and IT Security (see figure 2). Maybe joined budget? In 2025?
Analytics and ML .. to add them they will need to accept input from external sources and systems. Similarly, they will need to help make decisions and constructed insights available to other, related systems in security mesh This is how you can get money for an analytics tool: a joint proposal with other sources with a promise of cooperation on data and analysis level. Don’t forget the “Value Multiplier” from an earlier comment!
IGA solutions…to plan mainly for likely requirements in 2030 Vendors: you better come up with a roadmap for 2030 that includes “likely requirements”. Users: Plan to stick around until 2030 to see if your predictions come true. Also, prepare Plan B in case you’re wrong, but you have another 7 years for that.

The next two paragraphs within the market analysis are dedicated to two thoughts:

  1.  Light, Platform-based IGA is a real thing and, in some cases, even preferable for fulfilling certain needs.
  2. A machine Identity avalanche is coming and requires management strategy now. Due to the sheer number of such identities projected in the near future, governing them will become a necessity and part of regulatory requirements and compliance, so you’d better plan for what’s coming.

Similar to the previous report, the “Market Guide does not imply an exhaustive list. This section is intended to provide more understanding of the market and its offerings”. Again, there are two hidden messages here (like in 2020):

  1. To potential customers: “An exhaustive list exists; it is long and dynamic (requires timestamp, almost like attestation), so we decided not to exhaust ourselves to assemble it. If you found a good match in terms of value/capabilities, you can tell your management that this vendor is on the list. We will confirm it as long as your organization is our client.”
  2. To a vendor: “You are always on our exhaustive list. We care about you even if you are not a listed vendor. You are still important; just help the customers!”

Finally, 5 market recommendations for SRM leaders. Please note: they are not the same as the recommendations on page 2. Why are there two sections on recommendations? My answer is the following: it does not matter if you are a person who just reads the first two pages or last two pages – you cannot avoid direct recommendations! Smart! It allows busy people to save tons of time and get straight pointers on both ends.

I would love to hear your opinion about the guide and my observations.

First NPR report presentation at Gartner IAM Summit 2022 in Las Vegas.

Vladislav Shapiro, Costidity and Stan Hammer, WCU were invited to present at Gartner IAM Summit 2022 about the human factor in IGA. The presentation took place on August 22nd with more than 100 Summit participants. For the first time, NPR method and reports were revealed for the public to observe based on WCU real data. There were several questions asked by the attendees and many follow-ups conversations during and after the conference. If you would like to get the presentation in PDF format, please fill out contact form and request it.


2017 is a year of changes:  a new four-year cycle, a new US President, and a new Magic Quadrant. Congratulations to Gartner with breaking from previous trends shown the during second term of the Obama administration for releasing MQ later and later every year. This time, surprisingly, the report came one week earlier than in 2016, which corresponded to my prediction in last year’s analysis.


Gartner Identity, Governance and Administration Magic Quadrant 2016 analysis

This time, Gartner was able to beat last year’s delay: the results of their 2015 research became available in… March 2016. The “Magic Quadrant for Identity, Governance and Administration” is dated February 29, which is some kind of a record: you cannot release it later if you want to stay with winter months. And the next three reports will be released earlier for sure, just because the next February 29 will be in 2020.

Read more Gartner Identity, Governance and Administration Magic Quadrant 2016 analysis

C-Level Management and Costidity

Why Costidity is Important to C-Level Management

We are certain the subject of Costidity is of relevant interest to IT Security and Identity, Governance and Administration practitioners. But at the same time, we know that these practitioners need support from C-level management and executives to get anything done and manage Costidity. Support comes from personal interest though, so it’s important to know what each C-level manager can gain from implementing Costidity management. Read more C-Level Management and Costidity

Costidity & Risk in IT Security and IGA: A Comparison

Why Managing Risk in IT Security and IGA Isn’t Enough

When we started talking about the cost of the human factor, i.e. Costidity, people began asking me, “Why are we creating another dimension for assessing governance elements, like business policies and processes? Everybody is doing risk management. And risk already includes the human factor, in particular, the ability to lose the information by emailing it to the wrong person.” Read more Costidity & Risk in IT Security and IGA: A Comparison