Business objective

The IdP decides who you are; identity governance (IGA) decides what you should be allowed to do, and proves it. It runs the joiner/mover/leaver lifecycle (access granted on hire, changed on transfer, revoked on exit), runs periodic access certifications, and gives auditors a defensible answer to “who has access to what, and why.” Identity security posture management (ISPM) is the visibility/posture sibling — discovering accounts, entitlements, and risky standing access across the estate.

The job is right-sizing standing privilege: finding the dormant admin account, the contractor who never lost access, and the over-broad role no one reviews.

When you need it

Day-2 for most funds — you need an IdP first, then governance on top. It becomes pressing under regulatory/audit pressure, at headcount scale where manual access reviews break down, and when agents and service accounts add a flood of new entitlements no human is reviewing. A 50-person fund may run light IGA out of Entra; a larger or heavily regulated shop will want a dedicated platform for certification and audit evidence.

Security role

Controls access to sensitive data, indirectly. IGA is preventive but out-of-band — it does not inspect traffic; it shrinks the blast radius by ensuring fewer identities (human or non-human) hold standing access to sensitive systems, so a compromised account or rogue agent has less to reach. Lives across all zones as a governance overlay rather than an inline control.

Vendors

IGA / ISPM platforms:

  • sailpoint — the enterprise IGA incumbent; broad, mature, heavy. Also strong in data access (SailPoint DAS).
  • saviynt — converged identity-governance and cloud-PAM platform; enterprise scale.
  • veza — access-graph / authorization visibility (“who can do what to which data”); strong on entitlements across SaaS and data.
  • conductorone — AI-native, modern IGA focused on access requests and certifications.
  • lumos — AI-native identity/access governance with an app-store/self-service access model.
  • linx-security — AI-native IGA that also covers non-human identity.
  • hydden — identity visibility/discovery layer that feeds IGA tools (competes with Silverfort/Sharelock/Andromeda per seed).
  • silverfort — identity security and posture across human and non-human accounts; discovery and MFA enforcement.

Cross-listed:

  • cyberark — PAM-first incumbent extending into IGA (per seed, acquired by Palo Alto).

Consolidation / M&A dynamics

  • CyberArk — per seed, acquired by Palo Alto Networks (per seed; unverified — to confirm in research).

Two dynamics: incumbents (SailPoint, Saviynt, CyberArk) defending the enterprise install base, and a wave of AI-native challengers (ConductorOne, Lumos, Linx) attacking the slow, expensive certification workflows. Veza sits somewhat apart as an access-graph/visibility play that overlaps data-access governance.

Adjacent categories

  • identity-access — the IdP IGA governs on top of.
  • non-human-identity — IGA extended to service accounts and agents; Linx/Silverfort straddle both.
  • data-access-governance — strongly overlapping: Veza, SailPoint, ConductorOne, Silverfort appear in both; IGA governs identity entitlements, DAG governs data permissions, and they meet at “who can open which file.”
  • secrets-management — governs machine credentials; complementary.

Survey

Question. Which identity governance / IGA / ISPM tool(s) is your firm currently using or evaluating?

Answer options. SailPoint; Saviynt; Veza; ConductorOne; Lumos; Linx Security; Hydden; Silverfort; CyberArk; Other (Please Specify).

Response scale. multi-select; Interested; Considering/evaluating; Pilot/implementing; In production; Would recommend; Would not recommend.

Notes for survey design. SailPoint and Saviynt are the table-stakes incumbents; the AI-native group (ConductorOne, Lumos, Linx) will skew toward “evaluating/pilot.” Veza and Silverfort overlap data-access-governance — respondents may report them under either question, so the two surveys should be cross-referenced. CyberArk is PAM-first and may be reported here for the wrong reason; the CyberArk→Palo Alto deal (per seed) dates that option. Hydden is a visibility layer, not full IGA — niche.

Open taxonomy questions

  • Large overlap with data-access-governance (Veza, SailPoint, ConductorOne, Silverfort) — confirm the IGA-vs-DAG boundary stays clean for survey mapping.
  • ISPM (posture) vs. IGA (lifecycle) could split as posture-only vendors (Hydden) differentiate.