My Analysis of the 2025 Market Guide for Identity Governance and Administration
By Vladislav Shapiro, IGA Expert, Costidity Inc.
The 2025 edition of the Market Guide is another step in the direction of building a business-relevant document. It is 5 pages longer, and it should take the same 39 minutes to read. After hovering over this document, I realized that the IAM practitioner who authored the 2024 Guide went to business school for an MBA degree and wrote the 2025 Guide while in class: it is consistent (~70%) with last year’s version, with some clarifications and less ambiguous words. Here are some examples supporting this:
- “Security and risk management leaders responsible for IAM” circa 2024 were substituted with “IAM leaders”
- “Vary greatly across organizations and industries, leading to different prioritization in various IGA features” became “specific features or controls differ significantly from one organization to another”
- “There is still substantial innovation” now reads as “Innovation … remain strong” and includes primary drivers starting from “cybersecurity threats” and ending with “need for smarter risk management”
- “Application integration” is changed to “business-critical applications”
- “Native features in IGA tools are still insufficient for some organizations” now sounds stronger with direct message to vendors: “While vendors have made progress, native capabilities often fall short in delivering the speed, depth and visibility”
Another visible trend is the move from “client” to “organizational”. Gartner analysts are treating IAM as an intrinsic part of the organization (infrastructure, business, technology), not a separate service to an internal client. This is a significant shift, and we will find evidence of it throughout the whole document.
As a mathematician, I pay attention to numbers and words. The traditional number 4 is still dominating (four authors, four Key Findings, four recommendations, four types of specialist vendors, etc.), but 5 is also important: the fifth edition of the Guide in 2025, 4×5 vendors, 5 market recommendations and 5 new vendors on the list. Word statistics, outside of the typical “Identity”, “IGA”, “security”, “access”, “data”, “feature”, etc., look like this:
- “Machine” – 50 times
- “AI” – 44 times
- “Business” – 42 times
- “Visibility” – 38 times
- “Organization” – 34 times
- “Analytics” – 32 times
- “Risk” – 30 times
- “SaaS” – 25 times
- “Intelligence” – 20 times
- “Value” – 14 times
- “Innovation” and “Substantial” – 6 times
So, based just on frequency of words, one can see the directions Gartner is proposing:
- For customers: to have a successful IGA program you must concentrate on business value, see what is going on in your organization, use AI as a helper in analysis and decision making and do not forget about machine identities
- For vendors: your solution should be innovative, resonate with the business use cases of the customers, bring substantial business value and be SaaS-ready; otherwise even agentic AI will not help you.
Unlike the 2024 edition, this guide is very direct and prescriptive, with the focus on business. Just look at the first two pages and you will find “business drivers” (twice), “business-critical applications”, “business outcomes”, “business value”, etc. My opinion: it is a present for any “IAM Leader” who needs to build bridges with the business owners in the organization – just show them the first couple of pages of the report and state “Gartner said: IGA means Business!”. Put it on every PowerPoint related to IGA and your chances of getting budget money will increase.
At the same time, there are a lot of indirect, “read-between-the-lines” messages. My analysis will help to reveal them, at least in my opinion.
I do not know if the authors used GenAI in writing this year’s Guide, but GenAI knew about this document and influenced it quietly, probably via machine identities. Here are some samples confirming my suspicion: “provide AI-powered recommendations”, “intelligence via AI or machine-powered analytics”, “advanced analytics … to enable rapid improvements (e.g…. AI-based assistants)”, “AI-enabled IGA”, “proliferation of agentic AI… is extending beyond human users”, “AI-augmented software engineering to accelerate application integration to IGA products”. Vendors, are you taking notice of it?
About vendors: the 2025 edition continues the tradition of 20 representative vendors that “offer a SaaS version … and sell in multiple regions”. I am not sure if this is a coincidence, but three top European football leagues have 20 teams (Premier League, La Liga and Serie A). Knowing analysts well, I can confirm that, unlike sports leagues, there is no relegation and promotion within the Market Guide, and not being on the list means just not being on the list. Just ask Microsoft. Congratulations to Bravura, Lumos, Pathlock, Radiant Logic and Veza, all well-deserved, respected brand names with great success stories. Gartner also has a category of “specialist vendors”, i.e. vendors specializing in specific use cases, and mentioned the same vendors as in 2024 (Aquera, Cerby, Elimity, Oleria, Radiant Logic, Traxion and Veza), who are officially Gartner-certified specialists among other vendors not mentioned.
General observations:
- For this year, “Key Findings” is a chain of logically connected business approach advice:
- Main message – do not look for a silver bullet solution (“single best-practice” does not exist due to “business drivers, practical execution … differ significantly from one organization to another”), rather find your primary drivers (second key finding)
- Second bullet lists 8 main primary drivers: “cyberthreats”, “regulatory demands”, “digital transformation”, “complex IT environment”, “machine identities”, “user experience”, “decentralized identity model”, “need for smarter risk management”. Choose what relates to your organization and find a “dynamic startup” or “leading vendor”. How? Ask them about what’s in the third key finding, like “Ai-driven identity governance”, “low-code orchestration”, “risk aware and contextual certification”, “governance for machine identities”, etc. Also do not forget about “mandatory and common features” lists on page 3 and 4.
- Any cautions? Yes, they can be found in the fourth bullet: “significant implementation challenges… when it comes to integrating business-critical applications at scale”, “vendors… native capabilities often fall short in delivering speed, depth and visibility”.
Summary for between-the-lines readers: define what drives your IGA, choose wisely based on business outcomes, not rating or marketing, and pace your expectations. Reading recommendations will confirm this: “aligning IGA investments with prioritized business outcome”, “clearly define and rank these drivers”, “maximize the business value of IGA investments”, “giving preference to vendors that meet your specific requirements”.
There is one more important piece of practical advice: “when native IGA integration capabilities are insufficient, close integration and visibility gaps with complimentary tools by leveraging third-party integration platforms, identity data fabrics, or specialized connectors”. IGA leaders: this is your “get-out-of-vendor-jail” card if you have issues with “native IGA”. Tell your management that Gartner recommended looking for “complimentary tools” (page 2, recommendation #4) and “specialized tools … that can be valuable even for organization who are satisfied with current IGA solution” (page 5, paragraph 4). No “lift and shift”, just use “specialized tools” with the incumbent for doing most of your work. What a brilliant idea!
The 2025 Market definition, mandatory features and common features are the same as in 2024, word for word. Even “support for shared signals”, which includes “continuous access evaluation protocol (CAEP)”, one more unpronounceable acronym for non-native English speakers like me, is still there. I mentioned that in my 2024 analysis, and it looks like stability and tradition won.
The market description, as in all previous editions, starts with the growth percentage from 2023 to 2024 (9.2%) and the forecast for 2Q25 (10.7%). It looks like the IGA industry missed last year’s prediction (13.9% from the 2024 Market Guide) by 3.3%, i.e. by almost a third. I hope, along with all publicly traded companies in our industry, that Wall Street analysts do not base their stock price predictions on the IGA Market Guide. The rest of this paragraph, like the Market definition, is a copy of the 2024 version with one exception: when it comes to Light IGA, the “dedicated research separate from this Market guide” changed its name from “Is Light IGA Right for Your IAM Needs” to “Is Light IGA Right for You?”. I agree with Gartner: an IAM leader has more needs than just IAM, like a great career, name recognition among the C-suite and a performance bonus.
There is one omission: Figure 1, “how IGA capabilities fit together”, circa 2024 is gone. Maybe in 2025 they did not fit as well as before? Or is one diagram (The Visibility, Intelligence, Action model, page 9) more than enough? I do not know.
The 2025 market directions have four drivers (“shift to cloud and hybrid delivery”, “rise of security and business enablement as primary adoption drivers”, “integration of GenAI and AI agent automation”, “support machine identities and their access”), three areas of capability improvements (“identity and access visibility”, “identity and access intelligence”, “API-first and interoperability”) and a “customer implementation challenges continue” statement, followed by an invitation for “additional innovation from both light IGA vendors, niche vendors and full-featured IGA vendors in support of application and access data integration automation”. Both? I am not an English language expert, but I see three (light IGA, niche and full-featured) unless first two authors count as one non-full-feature type. Or maybe there are only two light IGA vendors and both of them were asked to innovate?
This year’s Market Analysis continues and mostly repeats the points from 2024 about identity-first security, the VIA model and machine identities. There are a couple of changes:
- “SMR leaders” is now “Cybersecurity leaders” and instead of “IAM program” they should adopt to “Cybersecurity program”
- Instead of defining a goal of identity-first security, authors define what identity-first security is.
- Gartner analysts declare “reliance on statics perimeter-based control” as obsolete.
- From “business enablement was likely under prioritized” in 2024, we are moving to “business process enablement and efficiency… remains a key driver”. So, why was it underprioritized before? “Due to perceived more urgent needs to address compliance and security gaps”
- The Machine Identity Management section got two pages instead of half a page in 2024. Main reasons: AI, AI Agents and AI bots. Here are some important messages from this section:
- “Struggle with visibility, ownership and governance of these identities”
- “62% of organization has experienced at least one deepfake attack”
- “Shift towards a unified identity governance model”
- “Managing all machine identities will require a concerted effort and coordination among multifaceted teams”
- “Machine identity management demands strategic evolution and cross-practice coordination”
These messages are clearly directed to IAM leaders: you are part of the business enablement; you cannot do your work alone, so find partners across the organization by talking about machine identities and “AI-native risks”. Refer to Gartner if needed: you can find plenty of citation materials in the Guide.
Message to the potential customers is still the same as in 2024: “IAM leaders … should weigh in the value of adding an IGA integration and visibility solution specialist solution … relative to the acquisition cost”. Here is the hidden message: if you do not have an ROI report on a proposed solution, then chances of getting a budget are very slim.
Now let’s talk about the vendor list. I am not planning to analyze each of the 20 vendors; rather, I will provide their unique messages straight from the vendor profiles. Note that a unique message does not represent solution features or rating, just something essential about the vendor itself:

| Vendor | Unique Message |
| --- | --- |
| Bravura | Formerly known as M-Tech, then part of Hitachi Ltd, Volaris Group, part of a full IAM product suite, the Bravura Security Fabric. |
| CyberArk/Zilla | Zilla IGA platform has been integrated into the CyberArk Identity Security Platform. Continues to offer the core components Comply and Provisioning |
| EmpowerID | EmpowerID offers functionality across all deployment options through a containerized, microservice-based architecture |
| Fischer International Identity | Fischer provides OOTB capabilities for or integration with systems, as well as delivering a “no-code” platform that is configurable |
| IBM | IBM Verify Identity Governance (IVIG) solution has Operational Visibility Dashboard, which offers performance and entitlement visibility with faster response time. |
| Lumos | Lumos builds on an access graph that ingests data from HRIS, IDP, app permission sets, role groups and usage signals. Albus, a multiagent AI system, enables self-improving and autonomous governance |
| ManageEngine | ManageEngine offers IT management products across domain such as IAM |
| Omada | Omada has two IGA products: Omada Identity Cloud and Identity. Omada has a best-practice framework called IdentityProcess+ that is available to decrease its Identity Cloud deployment time. |
| One Identity | One Identity Manager product covers the full IGA suite, PAM and access management (AM) capabilities |
| OpenIAM | OpenIAM focuses on a developer-centric solution, an open-source IGA platform that’s free to download |
| OpenText | The following OpenText IGA features are only supported via extensions and customizations, which are CIEM integration, integration with EAM, and support of shared signals |
| Oracle | OIG supports integration with enterprise applications and infrastructure, including both Oracle and non-Oracle systems |
| Pathlock | Compliant Provisioning module addresses identity life cycle management with built-in controls that prevents risk and eliminate SOD violation at the time of the provisioning |
| Ping Identity | Ping Identity Governance enables organizations to extend their identity governance deployment with native identity verification-based onboarding, help desk and self-service flows, contextual risk and fraud prevention, and comprehensive access management, supporting employees, non-employees, customers and B2B partner population |
| Radiant Logic | RadiantOne platform delivers actionable insights and risk scoring through built-in identity analytics, continuously monitors identity events across systems using a graph-based model. |
| SailPoint | SailPoint offers two versions of IGA suites: IdentityIQ (on-premises) and Identity Security Cloud (built on top of Atlas SaaS platform). It has three license options: Standard, Business and Business Plus |
| Saviynt | Saviynt Identity Cloud is a SaaS solution that can be delivered as a virtual appliance, third-party managed service provider (MSP) or customer cloud infrastructure |
| Tuebora | Tuebora offers an IGA solution that seeks to apply machine learning to streamline access administration automation. |
| Veza | Powered by the Veza Access Graph, platform aims to improve visibility, control permissions, enforce least privileged and remediate identity and access management issues |
Gartner provides the same 3 market recommendations as in 2024, but this time for IAM leaders:
- IGA program will have success only if it corresponds to an “organization’s required outcomes”
- Spending on IGA is an investment of your enterprise, so “accelerate the realization of business value from IGA investments”
- Follow VIA model and concentrate on visibility
In conclusion on recommendations: it does not matter if you read the first two pages or last two pages – you will see recommendations in both cases.
I would love to hear your opinion about the guide and my observations.