nexalign

Decision guide · Security

How to choose an IAM, IGA and PAM stack

IAM decisions rarely fail on the core identity provider. They fail at the governance and privileged-access layers, because those two sub-decisions get bundled into the IAM RFP and never get their own weighted scoring. The right decision structure keeps IAM, IGA and PAM as three overlapping but individually-scored decisions, with sovereignty and federation as upstream dealbreakers.

TL;DR

Treat IAM, IGA and PAM as three decisions, not one.

Who owns this decision

CISO or IAM lead as decision owner; IT Security, IT Operations, HR-IT and the Data Protection Officer as stakeholders.

Key criteria to weight

  • Federation coverage

    SAML, OIDC, SCIM depth across your actual application landscape. Coverage gaps become integration projects.

  • Lifecycle automation

    Joiner-mover-leaver without manual tickets. Directly affects audit findings.

  • Governance and access review depth

    Certifications, SoD analytics, campaign workflow. Weakness here means IGA becomes a separate decision.

  • Privileged access and session control

    Vaulting, session recording, just-in-time elevation. Often a separate PAM decision.

  • Sovereignty and hosting

    EU-hosted tenant, key management, sovereign cloud eligibility. Frequently a dealbreaker.

  • TCO and connector cost

    Per-identity pricing versus flat. Connector fees. Professional services dominate year 1.
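The lifecycle-automation and governance criteria above are easiest to judge with a concrete joiner-mover-leaver run and an SoD rule set. The following is an added illustration, not code from nexalign, DecisionOS or any vendor: the role model, the entitlements, the SoD rules and the three identities are constructed sample data. It shows the two failure modes a pilot should surface, a mover that keeps the old role (accumulating a toxic combination) and a leaver that is disabled but never revoked (orphaned access).

```python
"""Joiner-mover-leaver simulation with SoD conflict and orphaned-access detection.

Added example; not the page's or any product's code. All roles, entitlements,
SoD rules and identities below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed role model: role -> entitlements it grants.
ROLE_ENTITLEMENTS = {
    "claims_handler": {"claims.create", "claims.edit"},
    "claims_approver": {"claims.approve"},
    "payments_clerk": {"payments.initiate"},
    "payments_approver": {"payments.release"},
    "read_only": {"reports.view"},
}

# Constructed SoD rules: entitlement pairs one identity must never hold together.
SOD_RULES = {
    ("claims.create", "claims.approve"),
    ("payments.initiate", "payments.release"),
}


@dataclass
class Identity:
    uid: str
    roles: set = field(default_factory=set)
    active: bool = True

    def entitlements(self):
        ents = set()
        for role in self.roles:
            ents |= ROLE_ENTITLEMENTS[role]
        return ents


def sod_violations(identity):
    """Return the SoD rule pairs that the identity's effective entitlements violate."""
    ents = identity.entitlements()
    return sorted((a, b) for a, b in SOD_RULES if a in ents and b in ents)


def joiner(directory, uid, role):
    directory[uid] = Identity(uid, {role})


def mover(directory, uid, new_role, revoke_old=True):
    """Mover event. With revoke_old=False the previous role is kept, which is how
    toxic combinations typically accumulate in the absence of lifecycle automation."""
    ident = directory[uid]
    if revoke_old:
        ident.roles = {new_role}
    else:
        ident.roles.add(new_role)


def leaver(directory, uid, revoke_entitlements=True):
    """Leaver event. Disabling the account without revoking roles leaves orphaned
    access that an access review must catch."""
    ident = directory[uid]
    ident.active = False
    if revoke_entitlements:
        ident.roles.clear()


def access_review(directory):
    """Return findings as (uid, kind, detail) for SoD violations and orphaned access."""
    findings = []
    for ident in directory.values():
        if not ident.active and ident.roles:
            findings.append((ident.uid, "orphaned_access", sorted(ident.roles)))
        for a, b in sod_violations(ident):
            findings.append((ident.uid, "sod_violation", (a, b)))
    return findings


def run_pilot():
    """Constructed pilot: one naive mover, one correct mover, one incomplete leaver."""
    directory = {}
    joiner(directory, "u1", "claims_handler")
    mover(directory, "u1", "claims_approver", revoke_old=False)  # old role kept
    joiner(directory, "u2", "payments_clerk")
    mover(directory, "u2", "payments_approver")  # old role revoked
    joiner(directory, "u3", "read_only")
    leaver(directory, "u3", revoke_entitlements=False)  # disabled, not revoked
    return access_review(directory)


if __name__ == "__main__":
    for finding in run_pilot():
        print(finding)
```

Run a vendor's lifecycle workflow against the same three events and compare its review output with `run_pilot()`: a platform that reports neither the u1 combination nor the u3 orphan is demonstrating the happy path only.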

Step-by-step decision flow

  1. Split the decision

    Explicitly decide whether IAM, IGA and PAM are one decision or three. Re-bundle only if stakeholders and budgets genuinely overlap.

  2. Set sovereignty dealbreakers

    EU-hosted, key control, federated identity across sovereign boundaries. Not scored, binary.

  3. Map your applications

    The federation matrix decides which vendor actually fits. Walk the top 50 applications and their protocols.

  4. Weight governance criteria

    If you are in NIS2 / DORA scope, governance weights rise substantially.

  5. Pilot with real lifecycle events

    Joiner, mover, leaver, offboarding. Time them. Watch the SoD logic. Do not let vendors demo only the happy path.

  6. Produce the memo

    Per-sub-decision sections (IAM / IGA / PAM) with weighted scoring, dealbreakers, risks and decision rationale.
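The decision flow above has two structural rules: dealbreakers are binary gates evaluated before any scoring, and IAM, IGA and PAM are scored separately. The following added example (not nexalign's or DecisionOS's scoring engine) implements both and runs the same constructed vendor profiles once as three split decisions and once as a single bundled RFP score, to show how bundling can hand the whole stack to the vendor that is strongest only at the IAM core. Vendor names, criterion scores (1 to 5) and weights are constructed sample data and do not describe any real product.

```python
"""Weighted scoring with binary dealbreaker gates, split versus bundled.

Added example; not the page's or any product's code. Vendors, scores and
weights are constructed sample data.
"""

# Constructed criterion weights per sub-decision (each block sums to 1.0).
WEIGHTS = {
    "IAM": {"federation": 0.5, "lifecycle": 0.3, "tco": 0.2},
    "IGA": {"governance": 0.6, "lifecycle": 0.2, "tco": 0.2},
    "PAM": {"privileged": 0.7, "tco": 0.3},
}

# Dealbreakers: binary capability flags checked before scoring.
DEALBREAKERS = ("eu_hosted", "customer_key_control")

# Constructed vendor profiles: capability flags plus 1-5 criterion scores.
VENDORS = {
    "Vendor A": {"eu_hosted": True, "customer_key_control": True,
                 "federation": 5, "lifecycle": 4, "governance": 2, "privileged": 2, "tco": 4},
    "Vendor B": {"eu_hosted": True, "customer_key_control": True,
                 "federation": 3, "lifecycle": 3, "governance": 5, "privileged": 2, "tco": 3},
    "Vendor C": {"eu_hosted": True, "customer_key_control": True,
                 "federation": 2, "lifecycle": 2, "governance": 2, "privileged": 5, "tco": 3},
    # Strongest on every criterion but fails the hosting gate, so never scored.
    "Vendor D": {"eu_hosted": False, "customer_key_control": True,
                 "federation": 5, "lifecycle": 5, "governance": 5, "privileged": 5, "tco": 5},
}


def passes_dealbreakers(profile):
    return all(profile.get(flag, False) for flag in DEALBREAKERS)


def eligible_vendors(vendors=VENDORS):
    """Apply the binary gates first; scoring never sees an excluded vendor."""
    eligible = {name: p for name, p in vendors.items() if passes_dealbreakers(p)}
    if not eligible:
        raise ValueError("no vendor passes the dealbreakers")
    return eligible


def excluded_by_dealbreakers(vendors=VENDORS):
    return sorted(name for name, p in vendors.items() if not passes_dealbreakers(p))


def weighted_score(profile, weights):
    return sum(profile[criterion] * weight for criterion, weight in weights.items())


def score_split(vendors=VENDORS, weights=WEIGHTS):
    """One winner per sub-decision: {"IAM": (vendor, score), "IGA": ..., "PAM": ...}."""
    eligible = eligible_vendors(vendors)
    result = {}
    for sub_decision, w in weights.items():
        ranked = sorted(((weighted_score(p, w), name) for name, p in eligible.items()),
                        reverse=True)
        best_score, best_name = ranked[0]
        result[sub_decision] = (best_name, round(best_score, 2))
    return result


def score_bundled(vendors=VENDORS, weights=WEIGHTS):
    """Single RFP score: the three sub-decision scores averaged into one number."""
    eligible = eligible_vendors(vendors)
    ranked = sorted(
        ((sum(weighted_score(p, w) for w in weights.values()) / len(weights), name)
         for name, p in eligible.items()),
        reverse=True)
    best_score, best_name = ranked[0]
    return best_name, round(best_score, 2)


if __name__ == "__main__":
    print("excluded by dealbreakers:", excluded_by_dealbreakers())
    print("split decisions:", score_split())
    print("bundled decision:", score_bundled())
```

With the constructed data, the split run picks a different vendor for each of IAM, IGA and PAM, while the bundled average picks the IAM-strong vendor for all three despite its weak governance and privileged-access scores; that gap is the first pitfall listed later on this page. Replace the weights and profiles with your own memo's values; the memo excerpt below uses a single weight set across six criteria, which the split version would spread over three blocks.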

Vendor market structure

Structural comparison of the relevant IAM/IGA/PAM stacks for DACH enterprises under NIS2 and DORA.

| Vendor | IAM/IGA/PAM coverage | EU hosting | Federation depth | Lifecycle automation | List price per user/month | IGA depth |
|---|---|---|---|---|---|---|
| Microsoft Entra ID | IAM core; governance/PAM via separate SKU | EU Data Boundary | Very broad, native in the M365 context | Lifecycle Workflows in P2/Governance | from 6 USD (P1), 9 USD (P2) plus Governance SKU | Entra ID Governance, separate licence |
| Okta Workforce Identity | IAM core plus Lifecycle/IGA SKU | EU cell available | Very broad, strong app catalog | Lifecycle Management module | from 2 USD (SSO) up to 15+ USD (Lifecycle) | Okta Identity Governance, separate module |
| Ping Identity | IAM core; IGA via PingOne for Enterprise | EU hosting available | Very deep, federation specialist | Provisioning via PingOne | on request | PingOne Neo / Davinci IGA |
| ForgeRock (Ping) | IAM core; governance/IGA modular | EU hosting available | Very deep, highly configurable | ForgeRock Identity Governance | on request | Native IGA modules |
| SailPoint Identity Security Cloud | IGA-first with IAM bridge to third-party providers | EU hosting available | Medium, focus is on governance | Very broad, governance-centric | on request, enterprise tier | Market leader in IGA |
| OneLogin (One Identity) | IAM core plus optional IGA modules | EU hosting available | Broad coverage | OneLogin Mappings | from 2 USD to 8 USD per user/month | Limited, complemented by One Identity Manager |
| CyberArk Identity / Workforce | PAM-first plus Workforce Identity | EU hosting available | SSO with M365 and SaaS focus | via Identity Compliance module | on request | Identity Compliance, separate module |

As of 2026-04. Based on publicly available vendor information. Independent validation via a DecisionOS profile is recommended.

Anonymised memo excerpt

Insurer, 1,200 employees, DORA in scope, several legacy systems in the existing estate

Readiness score

74

Trigger
DORA Art. 9 requires documented identity management that is transparent with regard to ICT third-party risks. The existing AD-centric architecture does not meet the audit requirements without extension.
Top criteria (weights)
  • Federation depth and SaaS coverage: 20%
  • IGA maturity and access reviews: 25%
  • EU hosting and sovereign option: 15%
  • PAM integration: 15%
  • Lifecycle automation: 15%
  • TCO years 1-3: 10%
Shortlist
  • Microsoft Entra ID P2 plus Entra ID Governance
  • Okta Workforce Identity plus Okta Identity Governance
  • SailPoint Identity Security Cloud plus Entra IAM bridge
Decision
Microsoft Entra ID P2 plus Entra ID Governance for workforce identity. PAM via a dedicated CyberArk contract.
Rationale
Entra lock-in is acceptable because the existing estate is already Microsoft-centric and compliance reporting is natively integrated. SailPoint covers the required IGA depth but was over-complicated as an add-on. Okta failed on EU Data Boundary depth and lifecycle connector effort.
Residual risks
  • PAM workflow not yet integrated into Entra IGA reviews
  • SoD analytics for Solvency II-relevant roles must be added in phase 2

Compliance note

NIS2 Art. 21 expects identity and access management as a named measure. DORA Art. 9 and 28 add explicit expectations on ICT risk management around identity. Under both, the decision memo is the evidence file.

Common pitfalls

  • Bundling IAM, IGA and PAM into a single RFP with one weighted score.
  • Under-weighting legacy connector requirements.
  • Ignoring IGA until after IAM contract signature, then paying twice.
  • Skipping sovereignty dealbreakers for public-sector workloads.

FAQ

What is the difference between IAM, IGA and PAM?

IAM (Identity and Access Management) covers the broad category. IGA (Identity Governance and Administration) is the governance-heavy subset: access reviews, SoD, joiner-mover-leaver. PAM (Privileged Access Management) focuses on elevated accounts and session recording. Most enterprise decisions involve an IAM core plus an IGA and PAM overlay.

Do I need a separate IGA product, or does my IAM platform cover it?

Many IAM platforms (Entra ID, Okta, Ping) bundle baseline governance. Deep IGA needs (certifications, SoD analytics, connectors to legacy systems) often still drive a separate IGA platform. The decision memo should surface this as an explicit dealbreaker if you are under NIS2 or DORA scope.

Is sovereign IAM a hard requirement in the EU?

For most enterprises, no; for sovereign-cloud candidates and public-sector workloads, yes. DecisionOS treats sovereignty as a dealbreaker that is toggled on or off at the start of the decision, not as a scored criterion.