By Vladislav Shapiro, IGA Expert, Costidity Inc.
The third times a charm, or at least that’s what Gartner was thinking when putting together this Market Guide. It looks like 2023 is on a slower pace compared to 2022 in terms of acquisitions as the biggest deal to date is CISCO buying Oort, while Thoma Bravo is sitting on the sidelines figuring out who is the next target. At the same time, there was a hurricane of conferences; all major identity events (Gartner IAM Summit in US and London, Kuppinger Cole and Identiverse) took place within 75 days between March 20th and June 3rd.
Since I’m a fan of tradition (Tradition!) we’re continuing to use travel analogies in my analysis of the market guide. As 2021 was an identity traveler’s book, 2022 showed us a travel map of identity, and now 2023 sounds like a review of someone who just came back from their identity travels in a very grumpy mood as all key findings were negative. I don’t think any IGA-related reports (MQ or Market Guide) have previously contained the words “confusion”, “difficult to determine”, “not” (twice!), “inflexible” and “slow” right on the first page. In my opinion, it’s a warning, especially for vendors, that they’re not going into Gartner-suggested directions: change the course or else…. Remember that Gartner is still consulting your potential/existing clients and created this list of “representative vendors”.
As a mathematician with heart, I pay attention to numbers and feelings. This years’ guide does not contain details on vendors or their products, so one needs to read the in-between-the-line messages and apply them to what we know about the vendors to see the real story. My analysis will help with that.
This year, there are more listed vendors (39 vs. 31 last year, which is more than double from the first guide which was 19), using the same number of authors (5), along with key findings and recommendations (4) as last year’s edition. The big difference is the tone of the findings, which is very concerning.
The 39 showcase vendors are listed in alphabetical order with no exceptions. The list of newcomers includes Alcor Solutions, CyberArk, FastPath, Fischer International Identity, Netwrix, OpenIAM, Radiant Logic, Tools4ever and Zoho. Two vendors were dropped (Ilantus and Iteris) and three vendors have changed names for different reasons (Hitachi -> Bravura, Microfocus -> OpenText, Paraview -> Shanghai Paraview). There is one alphabetical order change: E-Trust was listed last year as EmpowerID, which they switched places in 2023. It looks like someone at Gartner decided to ignore the dash in E-Trust, and treated it as “Etrust”, which contradicts the holy NISO (https://www.niso.org/sites/default/files/2017-08/tr03.pdf) guidance that – “3.2 The hyphen, dash (of any length), or slash is to be treated as a space” and, according to section 3.0 “order of characters”, spaces go before letters. So, based on NISO, the 2022 order is the correct one. Gartner should trust the vendor’s name, which is very trustworthy, especially with the dash, and restore the NISO order of things. Sorry, Patrick Parker, nothing personal; we know that your solution really empowers!
- This year, Gartner should change their “Key Finding” into “Key Cautions”, a blast from the past from MQ times. “Confusion” (the first word of the section!) about light IGA functionality, not supporting “continuous and context-aware controls”, machine identity inadequate handling (“tools have not kept up with demand”) are all directed at vendors who didn’t get the hint from the 2022 report. Only one “finding” is pointing to a client’s typical shortcoming: “analytics adoption… is slow and mostly based on descriptive (reporting) and some risk scoring”. There is no “strength” key finding in the report at all, which shows me the frustration by the authors towards both vendors and clients. My advice to all, especially vendors: pay attention to these findings, show some love to Gartner, and react to criticism by showing improvements in 2024. Otherwise, Gartner will go to the next step by adding names to the deficiencies and issues, and you do not want that! One more kudos to the authors: no more “legal language” in findings (see my 2022 analysis for the examples) – all should be clear and understandable, even for a non-native speaker like me.
- The recommendations section starts with the following sentence about who it’s addressed to: “For security and risk management (SRM) leaders responsible for identity and access management (IAM)”. Henrique, thank you for reading my analysis last year and deciphering acronyms! Now the new mystery: if you compare this years’ statement with 2022’s first statement (“For SRM leaders responsible for IAM and fraud”), you will see that “fraud” is gone. I am not sure what kind of underlying message that is: either the SRM’s responsible for IAM are not in charge of fraud anymore, or whoever is still taking care of fraud should not read the recommendations. For non-fraud fighting crows, each recommendation is specifically addressing the “key cautions” (i.e. findings) to check if “light IGA solution” is not too light and “provide sufficient depth of functionality to remediate “confusion” (key finding 1), find solutions “with identity-first security principles to remediate lack of “continuous and context aware controls” (key finding 2), implement “AI/ML analytics capabilities” to fix “descriptive reporting” (key finding 3) and add “lifecycle management of machine identities” (key finding 4). This structure supports my idea of renaming “Key Findings” into “Key Cautions” for 2024 and confirms that Gartner is very serious this time: not fixing cautions means not following recommendations. That’s great news for IGA practitioners when it comes to building an IGA program and choosing an IGA solution: a clear list of what to look for and how to mitigate. This looks like another read-between-the-line message.
- The market guide authors continue stressing their points about the importance of analytics and machine identity data by making two corresponding strategic planning assumptions for 2026: “analytics functionally in IGA tools will advance” and “IGA … will include capabilities to… support machine identity data … in their capabilities”. I hope that SRM leaders have the ability to discover IGA product capabilities which can match machine capabilities in their full capacities. In addition, Gartner provides a very important financial incentive prediction: adding “AI/ML-based IGA analytics” will see “governance costs 50% lower”. If you are thinking of adding this to an IGA presentation for C-level execs or board, be careful and investigate what your current governance cost structure looks like. If you spend most of the money on tools and services outside of your organization, you are fine. Otherwise, you know what is coming in 2026.
- The Market Definition was updated this year and it’s very interesting. In 2022, it was stated as “provides administrative control… across multiple systems for multiple user types”. However, in 2023, it’s an “enterprise solution to manage… across on-premises and cloud…”. I think it’s a good change, especially for someone who needs to convince management to buy an IGA product, and “provide control” sounds vaguer than “solution”. As we continue the theme of machine identity, Gartner stresses that “to accomplish this, we need to enhance control over human and machine access”. Another change from last year is that IGA tools don’t “orchestrate”, they aggregate and correlate. This led analysts to dropping “ensures appropriate access to resource”, which is logical due to removing “orchestration”. To me, it’s a clear message to vendors: spend more effort on analyzing features.
- In 2023, Gartner decided to categorize capabilities into three groups (compared to two last year): must-have, standard and optional. The underlying message for vendors is: an IGA solution must provide identity lifecycle management, access request processing and basic analytics and reporting. If you are missing one of them, either add it to the product or do not call it IGA. Clear and simple.
- Unlike previous editions, 2023’s market description starts with the size forecast that indicates it doubling over the next 4 years (estimated $31.99 billion market in 2027). Why not just round up the estimate instead of the number looking like a price tag? Well, Gartner is always selling, and between VCs, entrepreneurs and potential start-ups, there will be plenty of money available, so go for it. Analysts even hinted where you should put your money and efforts with “the need for governance of a growing number of IaaS and cloud-based applications… requires more types of workloads”.
- This year, the focus of Figure 1 changed from explaining what is within the complete IGA suite to layered tasks/modules grouped vertically (module type by administration) and horizontally (by functionality), which looks much closer to what vendors usually draw on their marketing/white paper materials. One big difference from 2022 is most of the blocks have business-like names, which tells more about what this module should do versus how to do it. No more techie acronyms, like PAM, MFA, SCIM, JIT, CIEM, etc. An “analytics and reporting” block in 2022 evolved to 4 analytics blocks this year: Descriptive, Diagnostic, Predictive and Prescriptive. There isn’t a “reporting” module. The message here is the same as in key findings: analytics are critical and sellable, especially for mature clientele.
In 2023, the market direction section is multi-directional. The “on-premises solutions being shunned in favor of SaaS solutions” is followed closely by a “significant number of customers … still favor on-premises solutions”. There “are more ways to consume IGA today…”, “functionality enabled as needed… at the same time…acquisition seeking to add functionality is missing”. These are examples of a lack of general trend followed by everyone. This is a reality and Gartner clearly does not provide a one size fits all solution, but rather pointing to a more customized approach. As a result, vendors and customers are becoming an important piece of the puzzle: “Geography… can be an important consideration for the selection of an IGA vendor … even when solution is SaaS-based”.
The last sentence of the market direction is very significant and should be put on the front page of every IGA professional services presentation: “Access to local professional service providers that have technical knowledge and experience… is a key consideration for selecting an IGA vendor”. Thank you, Gartner, and all the hard-working consultants for pointing this out, even in the era of remote work, being local to customers has a huge advantage from the human factor standpoint. It is much easier to build relationships with local folks than remote personnel, and due to the fact that “organizations continue to struggle with the complexity of their ecosystems”, being physically nearby is psychologically advantageous compared to being a face on a screen. So, if you are in the process of choosing an IGA vendor, check if there is a local partner who knows what to do and will be your guide in this complex world of IGA.
The Market Analysis section is traditionally the most informational part of the Market Guide. Here, analysts provide their vision of the current state of IGA and trends. In 2023, this chapter has more than 5 pages and the following subsections with direct relations to key findings:
- Light IGA Versus IGA Suites (almost two full pages) – Key Finding #1: “Confusion”
- What Good Looks Like: Identity-First Security (smallest section, less than one page) – Key Finding #2: “not supporting continuous and text-aware control”
- Improving AI/ML-Based Analytics (almost two full pages) – Key Finding #3: “slow analytics adoption”
- Improving Machine Identity Management Capabilities (One and a half pages) – Key Finding #4: “not kept with demands on machines identity management”
Note that the shortest subsection is “what good looks like”, which supports my comparison of this year’s Guide with a TripAdvisor’s 1-star travel review describing their journey around the IGA world. Gartner analysts allowed themselves to write a very straightforward cautionary tale of the IGA state of affairs directed at both vendors and clients.
Continuing our tradition from my 2020 analysis, we’ll use a table with 2023 quotes and their subsequent hidden messages in Market Analysis for vendors:
|Quote||Translated message to vendors|
|Organizations asking how quickly light IGA can make their solutions be considered full IGA suite. Client question: “Can I deploy a light IGA solution and grow with the vendor as the solution is evolving into a suite?”||Customers treat light IGA as an ever-expanding real estate construction project: buying a one-bedroom starter house in hopes that one day, it will look like your neighbor’s mansion, at least from the outside. So, when you plan your starter product, you must have space for easy and fast add-ons. Remember: clients expect you either to be full suite or be purchased by others to complete their full suite. Otherwise, it is a hard sell|
|Many light solutions still lag in breadth of capabilities in SOD analysis, role engineering and extensive provisioning libraries||Light or no light, you better have all of them either available or on the to-do list.|
|Continuous event-based and/or risk-based approaches to reevaluate access… manage access risk in real time||If you claim that you are a leader in UAR (user access review), make sure that you can do it in real time based on risk and events. At the very least, convince the prospect/current customers that you have it on your development roadmap.|
|These advanced analytics capabilities often include remediation of over privileging situations… recommendations for additional access||Are you writing this down? These two are a must if you want to play AI/ML game: learn to be intelligent.|
|Build private generative AI models on top of a public large language model (LLM)||You are welcome Mr. IGA advisory consultant who can comprehend this sentence! This is your deliverable for the next SOW. Be ready for such requests soon. Warning on timing: read the “Quotes of the Guide” list carefully.|
This year, there are much more quotes geared towards customers and clients:
|Quote||Translated message to customers|
|Larger organizations are searching for solutions that are easier to deploy and manage||We understand that “large” is always in the eye of the beholder so… do not buy products because they are cheap or called “light”. Check the real deployment time and how difficult it is to manage them|
|SRM leaders should clearly specify IGA requirements before acquiring an IGA tool||How many years in a row must we repeat this? A use case should always be a part of the requirements. Start with them.|
|Looking at the completeness of IGA Solution capabilities … the depth of these capabilities||Starting to solve current IGA issues is good, but how deep can we go with the proposed product? Can we resolve the issue and put in some prevention controls?|
|“Light IGA is not very suitable for the following”||Stay away from light IGA products if your organization hits one or more from the list|
|IAM professionals have formed a view that identity is the core foundation of cybersecurity posture. SRM leaders should adopt identity-first security approaches… as proactive instead of reactive||You are welcome, Mr. Customer IAM leader! Here is your ROI on the Gartner subscription. Put this in your presentation for C-suite folks and ask for more Identity money allocated to cybersecurity. It clearly said “Identity-first security”, so Identity should get the money first!|
|IAM leaders must combine centralized IAM controls… with decentralized and context-sensitive enforcement||You are welcome again, Mr. Customer IAM leader! This is yet another reason for more money to come to your side of the business. When your C-boss responds with “we’ve already given you money to build a centralized IGA”, you can use this quote and say “so, as Gartner said, we need to enforce it even in a decentralized manner, and our business needs to provide us the context. Otherwise, we are not following the best practices, according to Gartner!”|
|SRM leaders should evaluate all potentially high-valued use cases for IGA analytics… and include those … in their IGA solution selection||We know that these use cases are standard for organizations, so use them! We use business-like language which shouldn’t much of an explanation for business leaders.|
|Implementation of IGA technology remains slower than expected, with a number of factors contributing to this “drag” including lack of sufficient data quality to enable AI/ML||Another present from Gartner; if anyone asks why IGA doesn’t use AI/ML, you can just use this quote and complain about data quality. You will never go wrong with this argument. The last two of the “drag” reasons include required lawyers and compliance/audit people involved.|
This year, I’m introducing a new category in my analysis called the Most Valuable Quotes of the Guide (MVQs). You can vote for MVQ’s via LinkedIn by connecting with me and messaging the number of this year’s nominees:
- . “Ask not if the IGA solution feels “complete” or “light” for you, ask how “complete” or “light” the IGA solution looks for your customers.”
- Gartner predicts that the application of generative AI to IGA use cases will deliver additional value in the future, though neither the timeline nor the additional value for IGA specifically is clear yet.
- For machines, ownership means the “responsible human”, not the actor who should be using the identity/account.
Lastly, the 4 market recommendations for SRM leaders. These recommendations are very similar to the first page’s recommendations, but with more details:
- Added note to “light IGA” discussion that “it is rare that those opting for IGA suites fully implement all of their capabilities”. My reading of the in-between-the-line message: do not be afraid of light IGA, most companies implement light version of IGA suite anyway.
- Added into the “identity-first” 1st sentence is “complement the rest of your identity fabric” followed by “enable decisions throughout the user journey, focus … on a consistent user experience”.
At the same time, the third recommendation is about “business value from your IGA investments” which somehow lost all “AI/ML-based” words before analytics. Most likely, the authors realized that the reader is tired, and they should limit acronyms to just IGA (10 times across all four vs. only 5 times in the first page recommendation section)
In conclusion on recommendations: it does not matter if you are a person who just reads the first two pages or last two pages – you will see recommendations in both cases.
I would love to hear your opinion about the guide and my observations.