Skip to main content
Blog
  • IGA
  • IDM Evolution
  • Gartner 2025
  • KuppingerCole
  • Forrester
  • Trends 2026

IDM evolution 2000–2026: from provisioning workflows to AI agents, NHI and Identity Fabric

Six eras of IGA — from Sun IdM and Waveset (2003) to NHI, AI Agent Governance and IVIP (2026). What Gartner put in the Market Guide for IGA October 2025, who leads KuppingerCole Identity Fabrics 2025, and what Forrester said about Workforce Identity Platforms.

Andrey Promyslov (IdM expert) — Identigy updated

A CISO in 2026 opens the annual security plan and finds the Identity section sprinkled with new acronyms: , , , , , AI Agent Governance. Ten years ago that section had two terms — and . This post is the map from that era to today, without the vendor varnish.

It draws on three sources: Gartner Market Guide for 2025 (published October 2, 2025), KuppingerCole Leadership Compass for Identity Fabrics 2025 (August 2025), Forrester Wave for Workforce Identity Platforms Q1 2024 + Forrester Wave for Privileged Identity Management Solutions Q3 2025 — and our practice running production IGA deployments since 2007.

Six eras of IDM/IGA

Era 1 — Provisioning and Account Management (2000–2005)

Drivers: enterprise app sprawl (HR, , Notes, mainframe); manual account creation/deletion; orphaned accounts after terminations.

Vendors of the era:

  • Waveset Lighthouse (~2000) — provisioning + workflow pioneer. Sun acquired Waveset in 2003 → Sun Identity Manager (SIM).
  • Access360 — IBM acquired in 2002 → IBM Tivoli Identity Manager (TIM).
  • Thor Technologies Xellerate — Oracle acquired in 2005 → Oracle Identity Manager (OIM).
  • Novell DirXML / Identity Manager, BMC Control-SA, CA Identity Manager (formerly Netegrity / eTrust).

Focus: provisioning workflows, password sync, basic role management.

Era 2 — Compliance Era (2005–2010)

Drivers: SOX (2002), HIPAA, PCI-DSS, GLBA — quarterly access certifications, segregation of duties () enforcement, audit trails.

Key event: SailPoint founded December 2005 by Mark McClain, Kevin Cunningham, Jackie Gilbert (ex-Waveset). First product: Compliance IQ (2006), then IdentityIQ (2008) — purpose-built for governance, sitting on top of existing provisioning tools.

Other arrivals:

  • Aveksa (2005, later acquired by EMC/RSA in 2013).
  • Courion.
  • The category got a name: IAG (Identity & Access Governance) — distinct product class.

Gartner ran two MQs: User Administration & Provisioning (UAP) + Identity & Access Governance (IAG). This was the last era when the two were separate.

Era 3 — IGA Era (2010–2015)

January 2010: Oracle acquired Sun → inherited Sun Identity Manager (formerly Waveset). Most Sun IdM customers migrated to Oracle Identity Manager (OIM). Only Sun Role Manager survived as Oracle Identity Analytics.

2012: Gartner declared identity governance the fastest-growing segment.

2013: Gartner published its first MQ for IGA — formally merged UAP + IAG into a single category. Leaders: SailPoint, Oracle, IBM, CA, NetIQ (formerly Novell), Courion.

2014: SailPoint launched IdentityNow (cloud-first IGA). Thoma Bravo led ~$20M Series E.

New entrants:

  • Saviynt (founded 2010 in LA by Sachin Nayyar) — cloud-native pitch.
  • Evolveum midPoint — open-source project from Slovakia by ex-Waveset team.

Era 4 — Cloud IGA Era (2015–2020)

Drivers: SaaS adoption forced IGA to support hundreds of cloud apps via .

2017: SailPoint IPO (NYSE: SAIL) — ~$240M raise, ~$1B valuation.

2018–2020: Saviynt’s Enterprise Identity Cloud becomes the largest cloud-native IGA platform (50M+ identities).

2019: Thoma Bravo acquired SailPoint and took it private (later re-IPO’d in 2025).

2020: Gartner retired the IGA Magic Quadrant, replaced with Market Guide format. Reason cited: market maturity (slow growth, low differentiation, few new entrants).

OneLogin (2009), Auth0 (2013) reshaped the Access Management side, eventually acquired by One Identity and Okta respectively.

Era 5 — Convergence + Zero Trust (2020–2024)

Drivers:

  • Convergence: borders between IGA, PAM and AM blur. CyberArk acquires Idaptive (2020); SailPoint acquires Intello/SaaS Mgmt (2021); Saviynt enters PAM.
  • Zero Trust becomes the framing — NIST SP 800-207 published August 2020. Identity = “the new perimeter.”

April 2022: Thoma Bravo took SailPoint private at $6.9B all-cash.

2023: ForgeRock acquired by Thoma Bravo, merged into Ping Identity.

ITDR category emerges (Gartner Hype Cycle 2022–2023) — distinct product class for real-time identity threat detection.

2024: Gartner introduces Identity Security Posture Management (ISPM) as a Hype Cycle profile.

Era 6 — AI Agents + NHI + ISPM (2024–2026, current)

Drivers:

  • NHI explosion — generative AI creates a flood of service accounts and API tokens. Gartner data — average 82 NHIs per human in enterprise, up to 40,000:1 in cloud-native environments.
  • AI agents as identity — category emerged in 2024–2025. No predecessor.
  • OWASP NHI Top 10 (2025) — non-human identity risk standard published June 2025.
  • Gartner introduces IVIP in Hype Cycle for Digital Identity (July 2025) — Identity Visibility and Intelligence Platforms, a new read-only layer above IGA.

Key 2025–2026 events:

  • February 2025: SailPoint re-IPO (NYSE: SAIL).
  • July 2025: Gartner Hype Cycle for Digital Identity introduces IVIP at Innovation Trigger stage.
  • August 2025: KC Leadership Compass for Identity Fabrics 2025 — CyberArk first-time Overall Leader.
  • October 2, 2025: Gartner Market Guide for IGA 2025 published.
  • October 13, 2025: Gartner MQ for PAM 2025 — Leaders: CyberArk, BeyondTrust, Delinea.
  • November 11, 2025: Gartner MQ for Access Management 2025 — Leaders: Microsoft (9th consecutive year), Okta (9th consecutive year), Ping Identity, Transmit Security (first-time Leader), RSA.
  • December 2025: Gartner IAM Summit Las Vegas, theme — “Identity at the Core” with AI agents.

What’s in the Gartner Market Guide for IGA 2025

Published: October 2, 2025 (Gartner doc #7012098).

Confirmed Representative Vendors (vendors that publicly announced inclusion — full ~20-vendor list paywalled):

  • SailPoint
  • One Identity
  • Omada
  • Pathlock
  • Lumos
  • Veza
  • Radiant Logic
  • Bravura Security
  • Saviynt

Historically also in the list: ForgeRock (now part of Ping), IBM Verify, Oracle Identity Governance, EmpowerID, Hitachi ID/Bravura, Clear Skye, Beta Systems, Tuebora, ConductorOne, Brainwave (Radiant Logic).

What “MQ retirement” means for buyers: there is no longer a Magic Quadrant with Leaders, Challengers, Visionaries, Niche Players. Market Guide is a format where Gartner lists “representative vendors” without ranking. For the buyer this means: you can no longer point at “the leaders quadrant” — you have to do your own due diligence.

Identigy positioning: as a consulting practice we do not appear in the Market Guide (it lists platform vendors). But we work with vendors who are listed — and that’s an explicit trust signal in any RFP conversation.

KuppingerCole Leadership Compass for Identity Fabrics 2025

Date: August 2025 (KC report lc81426).

Overall Leaders 2025 (publicly confirmed):

  • Ping Identity (post-merger with ForgeRock)
  • One Identity
  • Saviynt
  • CyberArkfirst-time Overall Leader for Identity Fabrics; KC specifically called out unified human + machine privilege control

The shift is significant: Identity Fabric used to be a theoretical architectural concept; it’s now a category in which a PAM vendor (CyberArk) leads. The PAM/IGA boundary blurs definitively.

Gartner IAM Summit 2025 theme: “Identity at the Core”

Top 10 insights from Las Vegas (December 2025):

  1. AI agents are the new class of identity. Workload IAM is now a maturing discipline.
  2. NHI keeps proliferating beyond what traditional IAM tooling was designed to handle.
  3. AI in IAM — three vectors: (a) AI improving IAM, (b) governance for AI agents, (c) defending against AI-driven attacks (deepfakes, social engineering).
  4. Identity data = strategic infrastructure — that’s the business case for IVIP.
  5. Passwordless + phishing-resistant authentication — table stakes, not stretch goals.
  6. Zero Standing Privilege () — Gartner pushing as default model.
  7. (externalized authorization standard, OpenID Foundation) — gathering momentum.
  8. ITDR is operationalizing — real-time session monitoring, behavioral analytics.
  9. Authorization maturity — moving from coarse to fine-grained, policy-driven.
  10. ISPM as a continuous hardening layer atop visibility.

Forrester data — Workforce Identity Platforms + PIM 2025

Forrester does not publish a standalone IGA Wave any longer (consistent with Gartner’s MQ retirement direction). But two adjacent Waves give you the leadership picture:

Forrester Wave: Workforce Identity Platforms, Q1 2024 — Leaders:

  • Okta — top current offering
  • Microsoft (Entra) — top current offering
  • CyberArk
  • Ping Identity
  • (SailPoint = Strong Performer)

Forrester Wave: Privileged Identity Management Solutions, Q3 2025 — Leaders:

  • CyberArk
  • BeyondTrust
  • (Other major vendors as Strong Performers)

The pattern: same names show up in Forrester, Gartner and KuppingerCole 2024–2025 — the leadership group is small and consolidated. New entrants (Veza, Lumos, ConductorOne) appear as Representative Vendors in Gartner Market Guide but don’t yet hit Wave/Compass leadership.

KuppingerCole 100-Day Identity Security Plan

KC whitepaper (wp81281). Core thesis: ~90% of breaches involve compromised identities. + IGA alone are no longer sufficient.

Plan components:

  • ISPM (Identity Security Posture Management)
  • ITDR (Identity Threat Detection & Response)
  • Identity Recovery (IR)
  • Passwordless + AI as accelerators
  • Assume-breach + continuous verification + least privilege + ZSP

Goal: tangible identity security wins in under 100 days, not multi-year roadmap. This is a sharp contrast with the typical enterprise IGA programme which stretches across 3–5 year horizons.

What this means for an enterprise CISO in 2026

Strategy 1 — catch up on terminology. If your team still talks about “IdM modernization”, reframe it as “Identity Posture Assessment” (ISPM framing) or a discovery-first audit (IVIP). Internal docs and auditors get the same operational reality presented through ISO 27001 / NIS2 / DORA mapping. Board materials get the Gartner / KuppingerCole vocabulary.

Strategy 2 — make NHI the first 2026 campaign. OWASP NHI Top 10 (2025) is the checklist any mature IGA programme should already be running against. Service accounts in most enterprises are a minefield. Discovery + ownership + rotation + recertification = three months of engineering work and minimal OpEx, no new licences.

Strategy 3 — treat AI agents as first-class identity. If your organisation has AI assistants (ChatGPT Enterprise, Claude, Copilot, in-house LLMs with agents) — those are NHIs with corporate access. Who governs them? Who revokes their access on scope change? In most enterprises — no one. Not a theoretical problem — a real 2026 attack surface.

Strategy 4 — re-evaluate the platform choice. If your current IGA is Oracle OIM, IBM Security Identity Manager (SIM) or a legacy on-prem stack, modernization to SailPoint Identity Security Cloud or Evolveum midPoint solves not only platform debt but gives you the stack on which you can build NHI and AI-agent governance without vendor lock or multi-year SaaS contracts. Open-source IGA (midPoint) is no longer the experimental option — Gartner Market Guide for IGA 2025 includes Evolveum-track deployments at enterprise scale.

What Identigy offers

We are a boutique IGA consultancy since 2007. Not a product vendor. Not Big4. Six platforms in focus (SailPoint IIQ + ISC, Evolveum midPoint, Oracle OIM, OneIdentity) + JumpServer for PAM.

If you need:

  • Discovery-first audit of your existing IGA (our IDM Modernization Concept = the same operational IVIP engagement Gartner describes) → talk to an architect
  • Migration off Oracle OIM, IBM SIM or OneIdentity to midPoint or SailPoint Identity Security Cloud — we have engagements across financial services, telecom, marine insurance, pharma
  • NHI programme build or AI Agent governance — we are already doing this for our own internal contour through midPoint connector matrix + SoD; ready to replicate for you

Vendor-neutral by design: we are not commission-driven on one platform. We will tell you when midPoint fits and when SailPoint Identity Security Cloud fits — and the trade-offs of each.

Related posts:

Comments and disagreements welcome — info@identigy.com.


Sources: