ETR Data Drop

Can One Identity Platform Do It All? Here’s Why It Doesn’t

Written by ETR Insights | Jul 17, 2025 1:00:00 PM

 

When it comes to identity security, many vendors promise that a single integrated platform can solve every challenge, from everyday user access to privileged admin controls. But does that promise hold up in the real world?

In this candid clip from our ETR Insights interview, a CISO and AVP of IT at a major university shares exactly why his team can’t rely on a single identity platform — and why managing privileged access still demands multiple best-of-breed solutions. He breaks down where integrated identity suites fall short, why mature organizations keep layering tools like CyberArk, SailPoint, and BeyondTrust, and what happens when you trust the “one pane of glass” pitch too much.

Watch the 5-minute clip to hear his straight talk on the real gaps in integrated identity and PAM, then keep reading for a full breakdown of the entire conversation, covering AI threats, student identity challenges, pricing realities, and what’s next for enterprise IAM.

 

 

Cost Presents Difficulties with a Very Large User Base…

Microsoft’s Entra is central to this company’s security infrastructure, owing to its tight integration with their existing technology stack. “They’re so close to the technology that we’re looking to protect, obviously they’re coming out ahead in the gate.” They also rely on specialized tools from vendors like CyberArk for internal privileged access management, and SailPoint to streamline onboarding and offboarding: “What we call the joiners, movers, and leavers within the organization.”

Our guest expresses skepticism about the industry’s push toward consolidating disparate identity tools into unified platforms, cautioning that integrated solutions often fail to fully deliver. “A perfect example: CyberArk does really great internal user privilege access management. However, when I look at my vendor privilege access management—my VPAM—we looked at their demo and we compared them to our Imprivata solution, and they’re not actually meeting the requirements that we have.” Established organizations, in particular, may find transitioning to a single platform impractical due to embedded processes and specialized requirements. “If you have specific requirements on vendor privilege access, versus your domain admin privilege access, versus your regular user access, and you have established toolsets, you may be in a situation where you can’t move away from certain embedded business processes.”

Higher education generally wrestles with legacy technology and cost constraints; the complexity of integrating older systems makes some platforms less appealing. “One of the reasons we’re moving away from Okta is, we’ve got thousands upon thousands of students. Scale is not the challenge with Okta; for us, it was the legacy technology that sits behind it on the identity store. We have a lot of things that we could convert from a SAML perspective, but then we have a bunch of other things that are on the legacy path, which tie right into the ERP system.” Dealing with thousands of students and lifelong alumni email accounts makes licensing from platforms like Okta prohibitively expensive. “When you look at Microsoft, our A5 and A3 licensing do include those identities, and there’s about a 40-to-1 ratio where for every faculty member, 40 students would be covered, etc. The pricing is very inclusive.”


 

Figure 1: ETR’s 2025 Identity and Access Management Security Observatory Study asked 330 IT decision makers about which IAM vendor they would prioritize under a complete rebuild of their identity security stack.

 

This university uses a single-tenant, multi-domain model, which separates administrative and support staff on one domain and students and faculty on another. Faculty, however, have dual roles as both staff and educators, resulting in multiple identities and sign-ons that cause confusion. Internally they are discussing BYOI, or “bring your own identity.” “There are conversations about utilizing social identities. There’s a whole process where students apply and we do the assessment, but in order to integrate and interact, we may be assigning an identity even before we’re confirming them as a student. Can they log in with their Facebook? Can they log in with Instagram? Whatever those login social identities are.”

Generative AI means increasing risk from identity-based cyberattacks and exploitation via compromised student accounts. “Taking an identity artificial intelligence view on this, I would love for these solutions to be able to utilize artificial intelligence to identify abused identities and folks that are taking identities, mistreating them, and utilizing them for misuse. They’re using them to launch attacks, do phishing, etc.” Our guest is concerned that fraudulent identities are being used to exploit higher education’s immigration pathways; they seek identity security solutions to validate international documentation and prevent identity-related fraud.

 

…but IT Leaders Are Pushing Back

IT leaders are leveraging a growing vendor marketplace to drive tougher negotiations on cybersecurity pricing; to maintain flexibility, this organization is opting for shorter contracts. “We know you’re embedded in the system, and we know it took a lot of time, but we have enough knowledge and enough record to switch on a dime if we need to. I think the vendors are aware of this. We’re not seeing drastic price increases.” Price increases are generally predictable, but some vendors like VMware have imposed sudden and extreme hikes, forcing customers to adapt. “You’re pretty much held hostage unless you are quick and able to shift on a dime. That comes back to preparation and being able to manage your organization, understand the trends, and be able to shift and not be locked in.”

SailPoint is deeply embedded and would be difficult to replace. “SailPoint, I see that they have quite a bit of staying power—three or more years—the onboarding, the offboarding, and managing identities.” Our guest appreciates CyberArk’s competitive pricing and continuous improvement; BeyondTrust offers a generally frictionless experience and is effective at minimizing administrative burdens and security risks, making it unlikely to be replaced soon. “My users have not complained since day one, since I removed all admin rights from the endpoints. We did it, and nobody has complained because we’ve given them the ability to continue their work, and an ability to manage appropriately without restricting.”

 

Figure 2: ETR’s 2025 Identity and Access Management Security Observatory Study asked 330 IT decision makers about the anticipated length of use for IAM tools; the black dot represents the cumulative percentage expecting to use the product for three or more years.

 

At a high level, they stress the value of clearly defining problems before proposing a solution, to help build a compelling business case. “You can start with a competitive pricing model, get the RFP going, have your pre-conversations, and talk about what’s the art of the possible.” Operational costs for key tools like BeyondTrust, Oracle, and SailPoint become fixed annual expenses that shape future budget discussions. However, “Finance is a little bit more receptive when you say, ‘Hey, you’re an end user. I’m removing all your admin rights. We’re going to cause a lot of pain. However, if I spend this $100,000, I can get you a tool that will make it seamless for you.’”

Despite last year’s outage, CrowdStrike retained this organization’s business by bundling its comprehensive Falcon Complete package—endpoint protection, next-generation SIEM, and round-the-clock monitoring—with aggressive pricing. “We ended up determining that Microsoft Defender was actually not cheaper when you factored in the server costs.” It was, however, important to again first establish a strong negotiating position. “It’s the ability to walk and say, ‘On Monday, I’m ripping CrowdStrike out and going with SentinelOne. Not because I don’t like you, I love your product, but this is a financial decision. At the end of the day, there are many leaders in the space, and we are able and willing to walk.’”

Our guest anticipates rapid changes in cybersecurity, driven by advancements in artificial intelligence. While cautious about current integrated platforms, they advocate for a comprehensive security solution with deeply integrated AI capabilities. “I honestly don’t know what identity is going to look like in a few years, but I would love where my identity store sits or where I care about identity, to be giving me the features and functions to protect this full stack with AI oversight and the ability to fight AI.” They predict Microsoft in particular will soon leverage AI to construct a comprehensive, enterprise-scale cybersecurity program. “At the end of the day, it’s going to be AI fighting AI. We just need to be able to enable that and have a smarter, quicker, faster AI than the ones coming from the enemy.”