- Identity Fabric
- IVIP
- ISPM
- IGA
Identity Fabric 2026: how IVIP and ISPM map to your IGA stack
Identity Fabric (KuppingerCole), IVIP (Gartner), ISPM (Forrester) — one read-layer over your IGA. Practitioner checklist for CISO build-vs-buy.
Short answer: there is no single “best” identity fabric solution. The category splits three ways — native IGA expansions (SailPoint, Saviynt, midPoint), CIEM tools repositioned as fabric (Wiz, Veza), and standalone posture / IVIP platforms. Most enterprises need all three, glued by an in-house aggregation layer. Build that layer first, then buy the slice you can’t.
KuppingerCole’s Identity Fabric, Gartner’s Identity Visibility & Intelligence Platform (IVIP), and Forrester’s Identity Security Posture Management (ISPM) describe the same animal. The animal has been in the enterprise for years; the names are recent.
This post unpacks what those names cover, where they overlap, where they don’t, and what to actually build if a CISO drops “we need an identity fabric” into the next quarterly planning.
The four analyst terms, deduped
| Term | Coined by | What it covers |
|---|---|---|
| Identity Fabric | KuppingerCole | The connective tissue between identity sources, IGA, IAM, PAM, CIAM and downstream apps. A mesh, not a hub. |
| IVIP | Gartner (2024 Market Guide for IGA) | A platform layer that aggregates identity data across systems and surfaces risk signals — read-only visibility, not provisioning. |
| ISPM | Forrester | The continuous-assessment loop over the same data: scoring, drift detection, recommendation. |
| Identity Security Fabric | a few vendors lately | Marketing rebrand of Fabric with “security” prefix; mostly the same thing. |
Strip the labels and the operational pattern is:
A read-layer that knows every identity, every entitlement, and every system in the enterprise, continuously — without owning the systems of record.
That is not new. The enterprise IGA platforms (SailPoint, Saviynt, midPoint, OneIdentity) have always aspired to this. What changed is the acknowledgement that no single IGA tool actually achieves it, and the emerging consensus that a separate read-layer is needed on top of IGA.
Why the gap exists
IGA was designed around the joiner-mover-leaver lifecycle of employees inside a directory the enterprise controls (Active Directory, then Azure AD / Entra ID, sometimes plus an HR feed). That model breaks in three places, all of which have become production-critical since ~2022:
- Non-Human Identities — service accounts, API keys, OAuth client credentials, workload identities. We covered NHI in the previous post; the short version is they outnumber humans 50:1 and don’t have a lifecycle the IGA platform was designed to track.
- SaaS sprawl outside IDP federation — every business unit’s “small useful tool” that was procured with a credit card, integrated via OAuth, and never registered with central IAM. IGA can’t see it if it doesn’t connect to it.
- AI agents — first-class identity holders with permissions that change with each session. Outside IGA’s lifecycle assumptions entirely (see NHI post).
The fabric layer’s job is to see all of this without trying to own all of it.
What an identity fabric looks like in code
Forget the slide diagrams. Operationally, it’s:
Identity sources (HRIS, AD, Entra, Okta, GitHub Org, AWS IAM,
GCP IAM, GitHub OAuth grants, SaaS API tokens)
│
├──── pull / webhook stream
▼
Aggregation layer (state: per-identity + per-entitlement +
per-system, with timestamps)
│
├──── deltas
▼
Posture engine (rules + ML over the state)
│
├──── signals: risk, drift, dormant, over-privileged
▼
Routing (back to IGA for action; or SIEM; or
pager / Slack for the owner)
Three pragmatic implementation observations from running this:
The aggregation layer is the hard part. Not the rules engine, not the ML, not the dashboard. The aggregation layer is what makes the rest work or doesn’t. Building it requires a connector for every identity- issuing system, and the connectors that already exist (in your IGA, in your SIEM, in your CIEM) were optimised for write operations, not fast incremental reads.
The posture engine doesn’t need to be smart. Most useful signals come from boring rules:
- Service accounts with credentials > 90 days unrotated
- Identities present in production AD but absent from HRIS for > 30 days (likely terminated, not deprovisioned)
- OAuth grants with “full access” scopes to SaaS that contain customer data
- Standing admin role assignments older than the approval window (typically 12 months)
ML helps with anomaly detection on entitlement patterns (this user suddenly has 14 new roles in a week — incident or legitimate transfer?), but it’s a layer on top, not the foundation.
The routing layer is what actually moves risk. Surfacing a risk dashboard nobody reads is a 2018 anti-pattern. Routing a specific finding to a specific human with a specific timeline (“Joe, this service account in your team hasn’t been used in 47 days — deactivate or justify by Tuesday”) is what moves the line.
How vendors are positioning
Three buckets, roughly:
- Native IGA expansion (SailPoint Atlas, Saviynt Identity Cloud with IGA + Risk modules, midPoint with its risk-analysis engine). Argument: “we already have the data, we add the posture layer.” Reality: works well for the slice their IGA already owns; struggles with the SaaS / NHI / AI agent slice.
- CIEM repositioned as Fabric (Wiz CIEM, Permiso, Sonrai, Authomize pre-acquisition). Cloud-IAM-first; strong on AWS / Azure / GCP permissions and overlap detection; thinner on HRIS-driven lifecycle.
- Standalone Posture / IVIP startups (BeyondID’s posture module, Veza, Oleria, Soluvi). Pure read-layer plays — promise to integrate with whatever you have. Strongest on the visibility narrative, weakest on closing the loop back to action.
For most enterprises the practical answer is all three categories, glued together by you. There is no single tool that ships the fabric.
Practical posture for a CISO in 2026
If a board member or analyst plants “we should look at an identity fabric” in your roadmap discussion, the realistic 12-month plan is:
- Inventory pass — list every identity-issuing system. The list will be longer than you expect. Don’t skip CIAM, OAuth app gallery, GitHub Organisation roles, customer-portal tenants.
- Aggregation pilot — pick three high-risk systems (AD, AWS IAM, one big SaaS). Stand up a database that ingests their state daily. Three connectors, six weeks, no analyst-deck architecture.
- Five boring rules — write five posture rules over that database (the boring ones from above). Output is an email list per owner, weekly.
- One routing path — pick one risk class, send findings to a specific human, measure how long until they act.
That is an identity fabric in production. Everything else is variations on theme. Once steps 1–4 are running, you have ground truth for whether buying SailPoint Atlas or Wiz CIEM or Veza makes sense, because you know what’s missing from what you built.
If a vendor pitch starts with the dashboard, the demo, or “AI-powered intelligence” — they’re selling step 4 to a customer who hasn’t done steps 1–3, and the deployment will stall there too.
What we run
Our internal IDM is Evolveum midPoint. Around it we glue:
- A small Postgres-backed aggregation table over midPoint, AD, GitHub Org, AWS IAM, three SaaS APIs.
- Eight posture rules — most of them the boring ones above.
- A weekly email digest to the system owner, plus a “ping me if rule X fires” Slack hook.
Total engineering effort: roughly three months of one engineer’s weekends. Total commercial software licensed: zero. That covers maybe 60% of what an enterprise fabric platform would cover for us. The remaining 40% — cross-org analytics, ML-driven anomaly detection, fancy dashboard — is in our roadmap, not our production.
We’re not claiming this scales to 100k employees. We are claiming that the shape of the solution is the same at scale, and that starting with a posture pilot rather than a vendor RFP is what gets results.
The TL;DR for a CISO conversation
If the question is “should we buy an Identity Fabric platform?”, the honest answer in 2026 is “not yet — first build the aggregation, then buy the slice you can’t build.” The platforms exist, they’re improving, and there will be a moment when commercial buy-vs-build crosses for each component. That moment is per-company. The companies that have ground truth — meaning, they ran the boring pilot — will know when it arrives. The ones that haven’t won’t.
The fabric narrative is correct as a direction. As a 2026 purchase decision, the maturity isn’t there yet for most enterprises.
Architecture is only half the 2026 picture — the regulations that set your timeline are the other half. Before committing budget to a fabric programme, map it against the 2026 Identity Regulation Map (NIS2, DORA, PCI DSS, NIST 800-63).
That is the post. Comments and disagreements welcome — info@identigy.com.