Decision guide · Security
How to choose an IAM, IGA and PAM stack
IAM decisions rarely fail on the core identity provider. They fail at the governance and privileged-access layers — because those two sub-decisions get bundled into the IAM RFP and never get their own weighted scoring. The right decision structure keeps IAM, IGA and PAM as three overlapping but individually-scored decisions, with sovereignty and federation as upstream dealbreakers.
TL;DR
Treat IAM, IGA and PAM as three decisions, not one.
Who owns this decision
CISO or IAM lead as decision owner; IT Security, IT Operations, HR-IT and the Data Protection Officer as stakeholders.
Key criteria to weight
Federation coverage
SAML, OIDC, SCIM depth across your actual application landscape. Coverage gaps become integration projects.
Lifecycle automation
Joiner-mover-leaver without manual tickets. Directly affects audit findings.
Governance and access review depth
Certifications, SoD analytics, campaign workflow. Weakness here means IGA becomes a separate decision.
Privileged access and session control
Vaulting, session recording, just-in-time elevation. Often a separate PAM decision.
Sovereignty and hosting
EU-hosted tenant, key management, sovereign cloud eligibility. Frequently a dealbreaker.
TCO and connector cost
Per-identity pricing versus flat. Connector fees. Professional services dominate year 1.
Step-by-step decision flow
1. Split the decision
Explicitly decide whether IAM, IGA and PAM are one decision or three. Re-bundle only if stakeholders and budgets genuinely overlap.
2. Set sovereignty dealbreakers
EU-hosted, key control, federated identity across sovereign boundaries. Not scored — binary.
3. Map your applications
The federation matrix decides which vendor actually fits. Walk the top 50 applications and their protocols.
4. Weight governance criteria
If you are in NIS2 / DORA scope, governance weights rise substantially.
5. Pilot with real lifecycle events
Joiner, mover, leaver, offboarding. Time them. Watch the SoD logic. Do not let vendors demo happy-path only.
6. Produce the memo
Per-sub-decision sections (IAM / IGA / PAM) with weighted scoring, dealbreakers, risks and decision rationale.
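The decision flow above, carried through as an added worked example in Python. This is not DecisionOS code and not a vendor's scoring sheet: vendor names, the application-to-protocol matrix, the criterion scores, the three weight profiles and the 1.5x governance uplift for NIS2/DORA scope are all constructed assumptions. It shows the structural points the steps make: sovereignty as a binary gate applied before any scoring, federation coverage derived from the application matrix rather than self-reported, governance weight raised and renormalised when in scope, and one ranked table per sub-decision rather than a single blended score.

```python
"""Added example for the decision flow above (not part of the DecisionOS page).
Vendor names, application list, protocol support, scores and weights are
constructed sample values; the uplift factor for NIS2/DORA scope is an assumption."""
from dataclasses import dataclass

CRITERIA = ("federation_coverage", "lifecycle_automation", "governance_depth",
            "privileged_access", "tco")

# Step 1: keep IAM, IGA and PAM as three separately weighted decisions.
# Each profile sums to 1.0 before any scope uplift (constructed weights).
WEIGHT_PROFILES = {
    "IAM": {"federation_coverage": 0.35, "lifecycle_automation": 0.25,
            "governance_depth": 0.10, "privileged_access": 0.10, "tco": 0.20},
    "IGA": {"federation_coverage": 0.10, "lifecycle_automation": 0.25,
            "governance_depth": 0.40, "privileged_access": 0.05, "tco": 0.20},
    "PAM": {"federation_coverage": 0.10, "lifecycle_automation": 0.10,
            "governance_depth": 0.10, "privileged_access": 0.50, "tco": 0.20},
}

# Step 3: constructed application-to-protocol matrix (the top-N apps in practice).
APP_MATRIX = {
    "hr-system": {"SAML", "SCIM"},
    "finance-erp": {"SAML"},
    "devops-git": {"OIDC", "SCIM"},
    "legacy-mainframe": {"LDAP"},
}


@dataclass
class Vendor:
    name: str
    protocols: set
    scores: dict               # criterion -> 0..5; federation is computed, not entered
    eu_hosted: bool
    customer_key_control: bool


# Constructed sample vendors; not real products and not real scores.
VENDORS = [
    Vendor("Vendor A", {"SAML", "OIDC", "SCIM"},
           {"lifecycle_automation": 4, "governance_depth": 2,
            "privileged_access": 3, "tco": 4}, eu_hosted=True, customer_key_control=True),
    Vendor("Vendor B", {"SAML", "OIDC", "SCIM", "LDAP"},
           {"lifecycle_automation": 5, "governance_depth": 5,
            "privileged_access": 4, "tco": 3}, eu_hosted=False, customer_key_control=False),
]


def passes_dealbreakers(vendor, sovereignty_required):
    """Step 2: sovereignty is a binary gate, never a weighted criterion."""
    if not sovereignty_required:
        return True
    return vendor.eu_hosted and vendor.customer_key_control


def federation_coverage(app_matrix, vendor_protocols):
    """Step 3: share of applications whose required protocols are all supported,
    plus the list of uncovered apps (each one becomes an integration project)."""
    gaps = [app for app, needed in app_matrix.items() if not needed <= vendor_protocols]
    return 1 - len(gaps) / len(app_matrix), gaps


def effective_weights(profile, in_nis2_dora_scope, governance_uplift=1.5):
    """Step 4: raise the governance weight under NIS2/DORA scope and renormalise
    so the profile still sums to 1.0 (the uplift factor is an assumption)."""
    weights = dict(profile)
    if in_nis2_dora_scope:
        weights["governance_depth"] *= governance_uplift
    total = sum(weights.values())
    return {k: v / total for k, v in weights.items()}


def score_vendor(vendor, app_matrix, weights):
    """Weighted score on a 0..5 scale; federation comes from the app matrix."""
    coverage, gaps = federation_coverage(app_matrix, vendor.protocols)
    scores = dict(vendor.scores, federation_coverage=5 * coverage)
    return sum(weights[c] * scores[c] for c in CRITERIA), gaps


def evaluate(vendors, app_matrix, *, sovereignty_required, in_nis2_dora_scope):
    """Step 6: one ranked table per sub-decision, plus the vendors the gate removed."""
    excluded = [v.name for v in vendors if not passes_dealbreakers(v, sovereignty_required)]
    survivors = [v for v in vendors if v.name not in excluded]
    rankings = {}
    for sub, profile in WEIGHT_PROFILES.items():
        weights = effective_weights(profile, in_nis2_dora_scope)
        rows = [(v.name, *score_vendor(v, app_matrix, weights)) for v in survivors]
        rankings[sub] = sorted(rows, key=lambda r: r[1], reverse=True)
    return {"excluded": excluded, "rankings": rankings}


if __name__ == "__main__":
    result = evaluate(VENDORS, APP_MATRIX, sovereignty_required=True, in_nis2_dora_scope=True)
    print("Excluded by dealbreakers:", result["excluded"])
    for sub, rows in result["rankings"].items():
        for name, score, gaps in rows:
            print(f"{sub}: {name} score={score:.2f} federation gaps={gaps}")
```

With sovereignty toggled on, the stronger-scoring Vendor B never reaches the weighted table at all, which is the point of step 2; with it off, the same vendor leads the IGA table on governance depth while Vendor A's single uncovered legacy application shows up as a named gap rather than a lost fraction of a point. The per-sub-decision rankings are the raw material for the memo sections in step 6.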
Compliance note
NIS2 Art. 21 expects identity and access management as a named measure. DORA Art. 9 and 28 add explicit expectations on ICT risk management around identity. Under both, the decision memo is the evidence file.
Common pitfalls
- Bundling IAM, IGA and PAM into a single RFP with one weighted score.
- Under-weighting legacy connector requirements.
- Ignoring IGA until after IAM contract signature, then paying twice.
- Skipping sovereignty dealbreakers for public-sector workloads.
FAQ
What is the difference between IAM, IGA and PAM?
IAM (Identity and Access Management) covers the broad category. IGA (Identity Governance and Administration) is the governance-heavy subset: access reviews, SoD, joiner-mover-leaver. PAM (Privileged Access Management) focuses on elevated accounts and session recording. Most enterprise decisions involve an IAM core plus an IGA and PAM overlay.
Do I need a separate IGA product, or does my IAM platform cover it?
Many IAM platforms (Entra ID, Okta, Ping) bundle baseline governance. Deep IGA needs — certifications, SoD analytics, connectors to legacy systems — often still drive a separate IGA platform. The decision memo should surface this as an explicit dealbreaker if you are under NIS2 or DORA scope.
Is sovereign IAM a hard requirement in the EU?
For most enterprises, no; for sovereign-cloud candidates and public-sector workloads, yes. DecisionOS treats sovereignty as a dealbreaker that is toggled on or off at the start of the decision, not as a scored criterion.
