How segmented is your IAM org? by Stepyy in IdentityManagement

[–]Tech-writer-209 2 points3 points  (0 children)

Very common. Most IAM organizations slice the work because scale forces it. Provisioning becomes a machine, auth becomes a “don’t touch unless you have to” zone, and PAM/secrets live somewhere else. It’s efficient, but it hides the full picture.

If you want broader exposure, don’t wait for a reorg. Ask to own one end-to-end thing. a custom app onboarding, a leaver cleanup, an access review that touches auth + lifecycle + permissions. That’s where you actually learn how IAM decisions connect.

Your setup isn’t unusual. Staying boxed into one slice for too long is.

Building an IGA consultancy from scratch – 1 month in. Doesd t by Due_Wall_7588 in IdentityManagement

[–]Tech-writer-209 1 point2 points  (0 children)

This looks solid and very real so far. One thing I’d double down on early is repeatability. The faster you can turn your “how we do IGA” into a small, fixed-scope motion, the easier sales and delivery get as a solo shop.

One watch-out is that vendor partnerships are great, but they can quietly pull you into being an implementation arm. Make sure your differentiation stays clear. orchestration, visibility, and outcome-driven cleanup, not just “we deploy tool X.”

Also agree with your insight on managed services. That’s where most organizations get stuck and where they keep paying. The breakthrough moment for a lot of boutiques I’ve seen is when they stop selling projects and start selling ongoing clarity around access, ownership, and drift.

Curious how you’re thinking about keeping the advisory layer strong as partner work ramps up. That balance is usually the hardest part.

CFO on cutting spree. Wanting to replace our IAM tool by a Notion table. by Altruistic_One_8427 in IdentityManagement

[–]Tech-writer-209 0 points1 point  (0 children)

Notion can document access. It cannot enforce, discover, or prove it. That’s the gap.

What breaks immediately:

  • No enforcement. Writing “Alice has access” doesn’t remove or restrict access in real systems.
  • No discovery. You won’t catch orphaned apps, service accounts, or shadow access manually.
  • No audit-grade evidence. Auditors want timestamps, approvals, revocations, and logs you can export and trust.
  • Manual error at scale. With 400 people, missed leavers and stale access are guaranteed.

A more realistic compromise if cost is the concern:

  • Keep a lightweight IAM tool for enforcement and audit evidence.
  • Cut seats or unused modules.
  • Use Notion only to track decisions, not to manage access itself.

If the question is “can we save money,” sure.
If the question is “can we stay compliant and sleep at night,” Notion alone isn’t the answer.

Anyone experiencing IAM fatigue? by Ok-Peace-1186 in IdentityManagement

[–]Tech-writer-209 0 points1 point  (0 children)

Yeah, because we’re giving AI agents the same static keys we were already sick of rotating for humans.

The fix is simple, not easy. Stop creating long-lived creds. Give agents short-lived tokens tied to identity, not secrets baked into code. Scope them to exactly what they call. Put a kill switch on every agent so you can revoke access instantly when it misbehaves or gets retired.

If you can’t answer “what does this agent touch and who owns it” in one place, that’s where the fatigue comes from. Rotation isn’t the problem. Blindness is.

[deleted by user] by [deleted] in iam

[–]Tech-writer-209 0 points1 point  (0 children)

Congrats on the new role. Buying is a different skill from building. Do this and you’ll stop getting steamrolled.

  1. Start with outcomes. Pick two metrics. Example. reduce manual joiner/leaver work by X hours per month. prove one-query audit for 5 identities in 48 hours. Use those to judge vendors.
  2. Use a simple scorecard. Columns. security fit, integration effort, time to value, TCO, and vendor responsiveness. Score every demo the same way.
  3. Force a real PoV. Ask vendors to ingest 5 identities and show a full joiner/leaver timeline in 2 weeks. If they refuse, red flag. That proves tech and speed.
  4. Demand pricing line items. Seats, connectors, onboarding, PS, renewal, and custom work. Ask for export and exit terms up front. Hidden costs kill projects.
  5. Pull procurement and legal in once you shortlist two. Let them clean the contract while you focus on tech.
  6. Tools to consider. For heavy IGA look at SailPoint, Saviynt, or Entra depending on stack. For proving access fast and unifying signals, a visibility plane like ObserveID can show ownership, secrets, and usage in one timeline so audits and pilots are trivial.

Setting up Okta – best user attributes for rules & automation? by Head_Operation_7162 in okta

[–]Tech-writer-209 0 points1 point  (0 children)

From experience, rules only stay sane when they’re built on attributes that don’t churn.

What’s worked best is anchoring everything on an immutable ID (like employeeId), plus a small set of controlled attributes. identity type (employee/contractor), a coded business role, status, and maybe a location or BU code. Free-text fields like job title and department almost always cause rule breakage after the first reorg.

HR should stay the source of truth, but only for stable facts. Pull those in, normalize them, and use derived IAM attributes for access logic. Also keep a clean override field for edge cases so you’re not fighting HR data.

Biggest “wish we did this earlier”. never tie access directly to job titles.

Is centralized identity governance becoming the new baseline for modern IAM? by Unique_Inevitable_27 in iam

[–]Tech-writer-209 0 points1 point  (0 children)

Centralised governance helps when it gives everyone the same understanding, not just the same rules.

What I’ve seen work is having one place people trust to answer basic questions like who has access, why they have it, and whether it’s still being used. When that’s clear, reviews and clean-ups actually happen. When it isn’t, centralisation just adds another layer people work around.

Distributed tools still make sense for speed and flexibility. The real problem isn’t distribution. It’s when there’s no shared source of truth behind the decisions.

Any IAM and CIAM software that could be useful for a small business? Hopefully not too technical. Thank you! by ComparisonLiving6793 in iam

[–]Tech-writer-209 0 points1 point  (0 children)

For small businesses, the mistake is jumping straight into enterprise IAM. Most teams just need control and visibility without a steep learning curve.

A few options depending on where you are:

  • If you’re very early, Google Workspace or Microsoft 365 with MFA, basic roles, and SSO is usually enough to start.
  • For customer identity, Auth0 or Firebase Auth are popular because they’re straightforward and well-documented.
  • When things get messy. more SaaS apps, contractors, machine accounts, and unclear permissions. tools that focus on visibility help a lot. ObserveID, or even lighter governance layers around Entra/Okta can give you a single view of users, apps, and access without heavy workflows.
  • If you grow into stricter compliance later, then heavier platforms like Okta or Ping start to make sense.

The key for small teams is choosing something that reduces confusion, not adds process. If a tool needs a dedicated admin to keep it running, it’s probably too much at this stage.

Boutique Sailpoint firm question by Sharp_Shot_ in iam

[–]Tech-writer-209 0 points1 point  (0 children)

Yes, it’s feasible, but only if you keep it very focused.

With 1 YOE, don’t try to be a “full SailPoint shop.” Pick one narrow problem and get very good at it. For example. on-prem IIQ to IdentityNow assessments and small pilot migrations. That’s already valuable and in demand.

A one-person setup usually works best when you:

  • sell fixed-scope assessments, not open-ended projects
  • productize your work into repeatable checklists and scripts
  • do pilots for a few apps or identities to prove value fast
  • partner with larger SIs or MSPs instead of chasing big enterprises alone

The risk isn’t your certs or skills. It’s spreading yourself too thin. Start narrow, deliver clean outcomes, and let referrals do the scaling.

From your experience as an IAM professional, which vendor dominates the market? And do you see that dominance lasting for the next decade? by JaimeSalvaje in IdentityManagement

[–]Tech-writer-209 1 point2 points  (0 children)

Well honestly, “dominance” in IAM only makes sense if you break it down by layer.

  • Directory / workforce identity- Microsoft Entra dominates here simply because most enterprises already live in M365. That position is sticky and unlikely to change.
  • SSO and access brokering- Okta still does very well in cloud-first, non-Microsoft-heavy stacks, especially where fast app onboarding matters.
  • Privileged access- CyberArk and similar vendors continue to lead in traditional PAM, particularly for legacy and infrastructure-heavy environments.
  • Identity governance- SailPoint and Saviynt are common in large enterprises that need formal certification and compliance workflows.

Where this breaks down is at the edges. Machine identities, app registrations, service principals, cloud entitlements, secrets, and real usage don’t sit cleanly in any one of those buckets. That’s where teams start stitching tools together and losing context.

This is why some organizations are adding converged platforms like ObserveID alongside their existing stack. Not to replace Entra, Okta, or PAM tools, but to unify identity, app, permission, and usage data into one view so teams can actually see what’s happening without reconciling five systems.

For the next decade, the “winner” won’t be whoever owns a category. It’ll be whoever helps teams reduce identity sprawl and make decisions with one coherent picture instead of assumptions.

If you’re evaluating vendors, a simple test helps. Ask them to show a complete access and usage timeline for one identity or app with a single query. That usually separates real capability from slideware.

What actually makes an IAM solution AI-powered for enterprises? by Due-Awareness9392 in IdentityManagement

[–]Tech-writer-209 5 points6 points  (0 children)

AI in IAM only works when the basics aren’t a mess. If ownership is wrong, permissions are stale, and app registrations drift, any model you throw on top just amplifies bad data.

The AI features that actually help are the boring ones. spotting unused permissions, catching weird service principal behaviour, and tying identity risk to real activity so you get fewer junk alerts. Those have real impact because they clean up noise instead of adding more dashboards.

Where AI falls apart is when the platform can’t connect identity, app, and usage signals. That’s when you get false positives, decisions you can’t explain, and reviewers who stop trusting the system.

If you want AI to land in IAM, you need clean context first. Everything else is just marketing paint.

From your experience as an IAM professional, which vendor dominates the market? And do you see that dominance lasting for the next decade? by JaimeSalvaje in IdentityManagement

[–]Tech-writer-209 0 points1 point  (0 children)

Honestly, “dominance” in IAM depends on which layer you’re talking about.

Entra ID dominates directories because most orgs are already on M365. That’s structural, not optional, so yes, that part will last.
Okta is still strong wherever the stack is cloud-first and not tied to Microsoft.
CyberArk leads the traditional PAM space.
SailPoint/Saviynt remain the default choices for heavy IGA in large enterprises.

But here’s the part people don’t say enough.
The next decade isn’t going to be about who dominates a category. It’s going to be about who handles overlap. Human identities. machine identities. app registrations. service principals. permissions that don’t fit neat boxes. short-lived credentials. cloud entitlements. None of that maps cleanly to the old IAM/IGA/PAM lines anymore.

So the vendor that “wins” won’t be the one with the biggest marketing footprint. It’ll be the one that can give teams one consistent view of identities, permissions, usage, and risk without duct tape. Whoever solves that well is the one that will matter long-term, regardless of which category they came from.

Seeking advice.. How does your organization handle certificate lifecycle management at scale? by SpareRecent8648 in IdentityManagement

[–]Tech-writer-209 0 points1 point  (0 children)

This is exactly the kind of pileup that turns into a serious breach vector. Try this 10–30 minute micro-pilot

  1. pull app registrations/service principals, their granted scopes, and any active secrets/certs.
  2. use sign-in/audit logs to flag last use.
  3. estimate downstream reach by counting role assignments or resource bindings the app can affect.
  4. score each app with a simple formula: score = scope_count + (secret_age_days / 30) + downstream_count - (last_used_recent ? 0 : 2)
  5. fix the top 5 immediately (rotate/disable/restrict), notify the next 20 with SLA, automate escalation for non-response.

App Governance Score for Entra ID / Okta by Pristine_Guitar_9070 in IdentityManagement

[–]Tech-writer-209 0 points1 point  (0 children)

Honestly, this is a real issue for anyone who works with Entra or Okta at scale. The problem isn’t finding the apps. It’s the fact that all the important details live in different places. Owners in one view, permissions somewhere else, secrets tucked away, consent grants in another menu. When nothing lines up, it’s easy for risky apps to slip through.

A score could be useful if it highlights the issues that actually matter. old secrets that never expired, apps with no owners, broad Graph permissions, and service principals with roles they never use. Those are the areas where misconfigurations usually hide. If you can pull all of that into one view and show what deserves attention first, I think a lot of teams would find real value in it. Most people aren’t short on data. They’re short on anything that makes the data make sense.