Skip to main content
Blog
  • Identity Fabric
  • IVIP
  • ISPM
  • IGA

Identity Fabric 2026: how IVIP and ISPM map to your IGA stack

Identity Fabric (KuppingerCole), IVIP (Gartner), ISPM (Forrester) — one read-layer over your IGA. Practitioner checklist for CISO build-vs-buy.

Andrey Promyslov (IdM expert) — Identigy updated

Short answer: there is no single “best” identity fabric solution. The category splits three ways — native expansions (SailPoint, Saviynt, midPoint), tools repositioned as fabric (Wiz, Veza), and standalone posture / platforms. Most enterprises need all three, glued by an in-house aggregation layer. Build that layer first, then buy the slice you can’t.

KuppingerCole’s , Gartner’s Identity Visibility & Intelligence Platform (IVIP), and Forrester’s Identity Security Posture Management () describe the same animal. The animal has been in the enterprise for years; the names are recent.

This post unpacks what those names cover, where they overlap, where they don’t, and what to actually build if a CISO drops “we need an identity fabric” into the next quarterly planning.

The four analyst terms, deduped

TermCoined byWhat it covers
Identity FabricKuppingerColeThe connective tissue between identity sources, IGA, , PAM, and downstream apps. A mesh, not a hub.
IVIPGartner (2024 Market Guide for IGA)A platform layer that aggregates identity data across systems and surfaces risk signals — read-only visibility, not provisioning.
ISPMForresterThe continuous-assessment loop over the same data: scoring, drift detection, recommendation.
Identity Security Fabrica few vendors latelyMarketing rebrand of Fabric with “security” prefix; mostly the same thing.

Strip the labels and the operational pattern is:

A read-layer that knows every identity, every entitlement, and every system in the enterprise, continuously — without owning the systems of record.

That is not new. The enterprise IGA platforms (SailPoint, Saviynt, midPoint, OneIdentity) have always aspired to this. What changed is the acknowledgement that no single IGA tool actually achieves it, and the emerging consensus that a separate read-layer is needed on top of IGA.

Why the gap exists

IGA was designed around the joiner-mover-leaver lifecycle of employees inside a directory the enterprise controls (Active Directory, then Azure / Entra ID, sometimes plus an HR feed). That model breaks in three places, all of which have become production-critical since ~2022:

  1. Non-Human Identities — service accounts, API keys, client credentials, workload identities. We covered in the previous post; the short version is they outnumber humans 50:1 and don’t have a lifecycle the IGA platform was designed to track.
  2. SaaS sprawl outside IDP federation — every business unit’s “small useful tool” that was procured with a credit card, integrated via OAuth, and never registered with central IAM. IGA can’t see it if it doesn’t connect to it.
  3. AI agents — first-class identity holders with permissions that change with each session. Outside IGA’s lifecycle assumptions entirely (see NHI post).

The fabric layer’s job is to see all of this without trying to own all of it.

What an identity fabric looks like in code

Forget the slide diagrams. Operationally, it’s:

  Identity sources (HRIS, AD, Entra, Okta, GitHub Org, AWS IAM,
                    GCP IAM, GitHub OAuth grants, SaaS API tokens)

        ├──── pull / webhook stream

  Aggregation layer (state: per-identity + per-entitlement +
                     per-system, with timestamps)

        ├──── deltas

  Posture engine (rules + ML over the state)

        ├──── signals: risk, drift, dormant, over-privileged

  Routing (back to IGA for action; or SIEM; or
           pager / Slack for the owner)

Three pragmatic implementation observations from running this:

The aggregation layer is the hard part. Not the rules engine, not the ML, not the dashboard. The aggregation layer is what makes the rest work or doesn’t. Building it requires a connector for every identity- issuing system, and the connectors that already exist (in your IGA, in your SIEM, in your CIEM) were optimised for write operations, not fast incremental reads.

The posture engine doesn’t need to be smart. Most useful signals come from boring rules:

  • Service accounts with credentials > 90 days unrotated
  • Identities present in production AD but absent from HRIS for > 30 days (likely terminated, not deprovisioned)
  • OAuth grants with “full access” scopes to SaaS that contain customer data
  • Standing admin role assignments older than the approval window (typically 12 months)

ML helps with anomaly detection on entitlement patterns (this user suddenly has 14 new roles in a week — incident or legitimate transfer?), but it’s a layer on top, not the foundation.

The routing layer is what actually moves risk. Surfacing a risk dashboard nobody reads is a 2018 anti-pattern. Routing a specific finding to a specific human with a specific timeline (“Joe, this service account in your team hasn’t been used in 47 days — deactivate or justify by Tuesday”) is what moves the line.

How vendors are positioning

Three buckets, roughly:

  • Native IGA expansion (SailPoint Atlas, Saviynt Identity Cloud with IGA + Risk modules, midPoint with its risk-analysis engine). Argument: “we already have the data, we add the posture layer.” Reality: works well for the slice their IGA already owns; struggles with the SaaS / NHI / AI agent slice.
  • CIEM repositioned as Fabric (Wiz CIEM, Permiso, Sonrai, Authomize pre-acquisition). Cloud-IAM-first; strong on AWS / Azure / GCP permissions and overlap detection; thinner on HRIS-driven lifecycle.
  • Standalone Posture / IVIP startups (BeyondID’s posture module, Veza, Oleria, Soluvi). Pure read-layer plays — promise to integrate with whatever you have. Strongest on the visibility narrative, weakest on closing the loop back to action.

For most enterprises the practical answer is all three categories, glued together by you. There is no single tool that ships the fabric.

Practical posture for a CISO in 2026

If a board member or analyst plants “we should look at an identity fabric” in your roadmap discussion, the realistic 12-month plan is:

  1. Inventory pass — list every identity-issuing system. The list will be longer than you expect. Don’t skip CIAM, OAuth app gallery, GitHub Organisation roles, customer-portal tenants.
  2. Aggregation pilot — pick three high-risk systems (AD, AWS IAM, one big SaaS). Stand up a database that ingests their state daily. Three connectors, six weeks, no analyst-deck architecture.
  3. Five boring rules — write five posture rules over that database (the boring ones from above). Output is an email list per owner, weekly.
  4. One routing path — pick one risk class, send findings to a specific human, measure how long until they act.

That is an identity fabric in production. Everything else is variations on theme. Once steps 1–4 are running, you have ground truth for whether buying SailPoint Atlas or Wiz CIEM or Veza makes sense, because you know what’s missing from what you built.

If a vendor pitch starts with the dashboard, the demo, or “AI-powered intelligence” — they’re selling step 4 to a customer who hasn’t done steps 1–3, and the deployment will stall there too.

What we run

Our internal is Evolveum midPoint. Around it we glue:

  • A small Postgres-backed aggregation table over midPoint, AD, GitHub Org, AWS IAM, three SaaS APIs.
  • Eight posture rules — most of them the boring ones above.
  • A weekly email digest to the system owner, plus a “ping me if rule X fires” Slack hook.

Total engineering effort: roughly three months of one engineer’s weekends. Total commercial software licensed: zero. That covers maybe 60% of what an enterprise fabric platform would cover for us. The remaining 40% — cross-org analytics, ML-driven anomaly detection, fancy dashboard — is in our roadmap, not our production.

We’re not claiming this scales to 100k employees. We are claiming that the shape of the solution is the same at scale, and that starting with a posture pilot rather than a vendor RFP is what gets results.

The TL;DR for a CISO conversation

If the question is “should we buy an Identity Fabric platform?”, the honest answer in 2026 is “not yet — first build the aggregation, then buy the slice you can’t build.” The platforms exist, they’re improving, and there will be a moment when commercial buy-vs-build crosses for each component. That moment is per-company. The companies that have ground truth — meaning, they ran the boring pilot — will know when it arrives. The ones that haven’t won’t.

The fabric narrative is correct as a direction. As a 2026 purchase decision, the maturity isn’t there yet for most enterprises.

Architecture is only half the 2026 picture — the regulations that set your timeline are the other half. Before committing budget to a fabric programme, map it against the 2026 Identity Regulation Map (NIS2, DORA, PCI DSS, NIST 800-63).

That is the post. Comments and disagreements welcome — info@identigy.com.

FAQ

Frequently asked questions

What is an identity fabric?

A read-layer that continuously knows every identity, entitlement, and system in the enterprise — without owning the systems of record. KuppingerCole named it; Gartner calls the pattern IVIP, Forrester ISPM. It sits on top of IGA, IAM, PAM and CIAM, not in place of them.

Identity fabric vs IGA — what is the difference?

IGA provisions and certifies access inside directories you control. A fabric only reads — it aggregates identity data across IGA, cloud IAM, SaaS and non-human identities to surface risk, then routes findings back to IGA for action. The fabric sees; IGA changes. You need both.

Should we build or buy an identity fabric in 2026?

Build the aggregation layer first, then buy the slice you cannot. No single product ships a complete fabric today, so an RFP before you have ground truth tends to stall. A three-connector pilot over your highest-risk systems shows what is actually missing before you spend.

IVIP vs ISPM — are they different products?

The same data layer from two angles. IVIP (Gartner) is read-only visibility — aggregating identity data, surfacing risk. ISPM (Forrester) is the continuous-assessment loop over that data: scoring, drift detection, recommendations. Most platforms marketed under either label do both.