ETR Data Drop

IAM Buyers Want Fit Not Features

Written by ETR Insights | Feb 5, 2026 2:00:03 PM

Identity decisions rarely fail on features. They fail on fit, workflow, and cost. This article summarizes a feedback panel tied to ETR’s 2025 Observatory for Identity and Access Management, shared now as a preview before the 2026 report releases, to help leaders pressure-test what’s realistic in consolidation, pricing, passwordless, and governance.

 

Market Still Lacking a True One-Stop Shop

Identity has become the centerpiece of modern security architecture, particularly as remote work and decentralized infrastructures undermine traditional firewall perimeters. “Once upon a time, we were all fairly insular. We had our internal networks, and everything was behind the firewall,” says one CSO, with experience across multiple industry verticals. “Now many companies don’t have LANs, so really identity is that one thread that ties us all together.” Our panelists note that businesses of all sizes need solutions flexible enough to align with both budgetary constraints and technical expertise, yet the market still lacks a single all-encompassing platform. “Once upon a time, most of these were point solutions, and they’ve morphed over time and become platforms. Even still, though, I haven’t found a good one-stop shop just yet. Some of that functionality is still a bit kludgy, or it was bolted on in an acquisition rather than grown internally.” These organizations are deploying overlapping products in lieu of a complete identity solution, relying instead on internal controls and workflows to maintain security and consistency. “You can have a wonderful tool, but if the workflow is not in compliance, then you will still have some major hiccups.”

“Okta is a great tool if you can afford it,” said one senior executive, pointing to its scalability but lamenting its expense. “I feel like Okta is doing the Splunk thing, out-pricing itself, and eventually they’re going to pay the price in the long run.” Their team ultimately chose SailPoint, with lower cost cited as the major factor. Other professionals offered similar critiques, noting Okta's high-quality service but expressing frustration with its pricing model. Moreover, “once they get their hooks into you, when you’re going through your contract negotiations to renew, the one thing they can’t seem to live with is a reduction in overall spend.” Microsoft Entra has grown more capable but carries a premium E5 price tag for advanced security features. In response, organizations may piece together multiple offerings—including niche solutions to manage non-human credentials—to satisfy requirements without breaking the budget. “I deal with a lot of small businesses that maybe have 50 seats or 100 seats, and they’re getting hammered from the cost and complexity of the solutions that are out there.”

 

Another panelist, on the evolving nature of identity architecture, reminds us that while services like Microsoft’s Azure Entra can streamline day-to-day authentication, “passwordless” logins require careful handling of multiple passkeys, which can undercut some of the perceived benefits. In a world of increasingly automated actors, a solid foundation of password managers, tokens, and other security measures is critical. “You have to worry about identifying and authorizing devices, processes, and individuals, and identify them in a trustworthy way so that there’s no ability for counterfeiting.” Another executive complains about limited accountability, with modern tools not always confirming whether the right individuals are granting the right level of access. “They have validation in these tools for, did person or identity X receive the proper access? But what they don’t have is whether or not that access was even properly given in the first place.”

Leaders may need to knit together multiple tools for IAM, including PAM and IGA, with broader security, particularly in environments where insurers mandate specific architectures. At one company, this was resolved by using both Varonis and Tripwire, creating an auditable workflow based on “zero trust” principles. “That’s my reason for not having a one-stop shop. You can give access, but I don’t have that within these tools that has the accountability side of it.” These IT executives stress that zero trust requires more than simply layering on additional security software; it demands a fundamental shift in organizational mindset, as continuous checks and verifications become the norm. Our panelists warn that the C-suite and non-technical decision makers may initially be confused by the need. “As soon as I said, ‘zero trust,’ both the chairman and the CEO of the company just looked at me, ‘What do you mean, we don’t trust our people?’ I ended up doing a strategic retreat, and when I re-presented it, I presented it as continuous authentication and continuous assurance, as opposed to ‘zero trust.’”

Microsoft Entra is a promising building block for identity and access management, primarily because it integrates so easily with core company assets. “You have to know what that organization consists of. Entra solves that, because Entra—if you go to its desired reach—they want to know everything that’s touching and communicating with one another, and they want to know what each one has as a particular level of trust.” However, organizations that deploy Mac devices or rely on non-Microsoft cloud providers may face hurdles. “The more Microsoft-centric you are, the easier Entra becomes, though I really do think if Microsoft would finally admit to itself that neither Linux nor AWS are going away, they’d be better off.”

 

In highly regulated sectors such as finance, the consensus is that any IAM solution, under any protocol, must handle data and compliance seamlessly. “It has to touch on so much, it has to be compliant with every last regulation that I have, or best practice that I have to abide by.” To satisfy these requirements, our panelists are adopting an increasingly holistic view of compliance, training, and technology, and are looking for solutions that deliver both broad regulatory compliance and a manageable user experience. “It’s typically not the technology that’s the challenge, it’s the user adoption, getting the humans to change. Getting them to learn something new and training them, that is always the huge challenge.” Despite more open APIs and a greater willingness among vendors to collaborate, switching to a new system remains time-intensive because of legacy software dependencies and retraining. “Inertia is powerful. Once you get one of these things in place, you tend to make do rather than change.”

These companies purchase IAM solutions via both direct sales and channel partners, though several panelists find that established relationships with value-added resellers help them verify if a given tool will mesh with their existing technology stack, or tackle problems faster, especially during an outage. “Whether it’s directly to Microsoft or through a VAR, it’s the relationship that really matters to me. I want someone who I can call up and say, ‘Hey, man, I’m having some trouble here. Help us out. Send me your team, or get me an answer today, because you’re holding up a major implementation.’” Cloud hyperscalers Microsoft, Amazon, and Google are expanding steadily through new features and acquisitions. “I wouldn’t be surprised if Microsoft continues to evolve and mature Entra and then makes a big acquisition to cap it off. They may go after Okta, CyberArk, or SailPoint, or something to shore up their Entra ID. They’re usually slow to figure that out, but once they do, they start finding the right things and doing the right things.”

Generative AI appears set to revolutionize IAM by allowing organizations to issue and revoke privileges in near real time, combating threats via dynamic zero trust security; rather than relying on manual processes—or help desk protocols prone to social engineering—our panelists envision AI-based systems that validate user credentials automatically. “One area that I really would love to see the vendors deploy generative AI in would be on a defensive approach for password resets, MFA re-enrollment, new phones, etc., because that process varies by company and is generally fairly easy to circumvent.” As IAM vendors embrace AI internally and through third-party integrations, the next few years could see an explosion of advanced capabilities, particularly around ‘just in time’ permissions and automated anomaly detection. “I think it’s going to help us catch the bad guys quicker, and it’s also going to help us give out identities even faster than we can today.”

 

Ahead of the 2026 Observatory release

If IAM is on your 2026 roadmap, treat this as your early warning system. Map your highest-risk identity workflows, identify where your tooling fails to enforce policy end to end, and align your consolidation goals with what your team can actually operate.

Then, when the 2026 Observatory for Identity Security releases February 19, use it to validate which vendors are gaining momentum and where peers are seeing ROI. That is how you turn market data into leverage during planning and renewals.