TL;DR: Omada Identity Cloud Private lets regulated enterprises run the full Omada Identity Cloud platform inside their own Microsoft Azure tenant, preserving tenant ownership while keeping the same release cadence as SaaS, according to Omada Identity. The move sharpens the governance question for IAM teams: deployment model now matters as much as feature set when auditors, regulators, and risk teams are involved.
At a glance
What this is: Omada Identity Cloud Private is a new deployment option that keeps the IGA platform inside a customer-owned Azure tenant while preserving SaaS-like release cadence.
Why it matters: For IAM and NHI practitioners, it shows how tenant boundaries, data residency, and operational control are becoming core design constraints in regulated identity programmes.
👉 Read Omada Identity's announcement of Omada Identity Cloud Private
Context
Regulated identity governance increasingly runs into a structural problem: cloud delivery is often easier to operate, but shared tenancy can conflict with audit expectations, residency rules, and internal control ownership. For IAM and NHI programmes, that tension is not about preference, it is about whether the operating model itself satisfies governance requirements.
Omada Identity Cloud Private addresses that gap by placing the platform inside the customer’s Azure tenant and selected region while keeping the software on a SaaS-like cadence. That matters because NHI governance often depends on who controls the environment around the identity system, not only the identities managed inside it. For teams aligning identity controls with [NIST Cybersecurity Framework 2.0](https://www.nist.gov/cyberframework), the deployment boundary becomes part of the control story.
Key questions
Q: How should regulated teams decide between shared SaaS and tenant-owned identity platforms?
A: Choose the model that best matches your audit, residency, and operational control requirements. Shared SaaS simplifies provider management, while tenant-owned deployment gives the enterprise clearer boundary ownership. For regulated programmes, the right answer is the one that allows you to prove control ownership, not the one that sounds most cloud native.
Q: What is the difference between tenant ownership and data residency in identity governance?
A: Tenant ownership describes who controls the environment, while data residency describes where the data is stored and processed. They are related but not interchangeable. A deployment can satisfy residency requirements without giving the enterprise meaningful operational control, so both dimensions must be assessed separately in governance reviews.
Q: When does private cloud deployment reduce risk in IAM programmes?
A: Private cloud deployment reduces risk when the main concern is shared tenancy, regulatory evidence, or strict boundary control. It does not automatically reduce entitlement, lifecycle, or logging risk. If the governance weaknesses are inside the workflow, the deployment model changes the perimeter but not the underlying access problem.
Q: How should security teams evaluate cloud identity tools in regulated environments?
A: Evaluate whether the tool can be operated inside the organisation’s control perimeter, whether release cadence can coexist with change management, and whether audit evidence is easy to produce. The key test is whether the operating model supports compliance without forcing manual workarounds or weakening visibility.
How it works in practice
Why tenant-owned cloud deployment changes the control model
Tenant-owned deployment changes where administrative responsibility sits. In a shared SaaS model, the provider controls the application environment and the customer consumes the service. In a customer tenant model, the customer or partner operates the Azure environment while the vendor supplies application software, release packages, deployment guidance, and support. That shifts accountability for residency, logging, network boundaries, and some platform controls back to the enterprise. For regulated IAM, the distinction matters because auditors often care less about whether software is cloud-delivered and more about which party can access the environment, move the data, and evidence control ownership.
Practical implication: Map application ownership, tenant administration, and audit evidence to explicit control owners before adopting the model.
How release cadence and environment ownership interact
The article says the private deployment uses the same release cadence as the SaaS service, which is operationally important. Teams often assume private deployment means slower change, but here the software pace stays aligned while the customer-owned tenant boundary remains intact. That can reduce the usual trade-off between innovation and control, but it also means change management, regression testing, and environment validation must keep up with provider releases. For identity platforms, the main risk is not just feature drift. It is control drift, where the tenant’s local configuration, network posture, or logging setup falls behind the vendor’s software cadence.
Practical implication: Treat release synchronization as a governance process, not just a software update stream.
Why regulated identity governance now includes deployment topology
Identity governance tools increasingly sit at the center of broader NHI control planes because they manage approvals, entitlement changes, and access review workflows for humans and non-human identities alike. When those workflows run in a tenant owned by the customer, the deployment topology itself becomes part of the assurance model. This is especially relevant where regulators or internal risk functions expect demonstrable data residency, named administrative boundaries, and the ability to evidence control inheritance. The architectural question is no longer whether the platform is cloud-native. It is whether the cloud model matches the organisation’s compliance perimeter.
Practical implication: Include tenant topology in identity risk assessments and control mapping for regulated deployments.
NHI Mgmt Group analysis
Tenant control is becoming a first-class governance requirement for identity platforms. The article reflects a broader market reality: regulated buyers are no longer evaluating identity tools only by features or delivery model. They are asking whether the operating environment itself supports auditability, residency, and clear administrative boundaries. For NHI programmes, that is the right question because identity controls fail most often at the seams between application, tenant, and infrastructure ownership. The practitioner conclusion is straightforward: deployment topology belongs in the control design, not the procurement footnote.
Private cloud deployment does not remove the need for continuous identity governance. Keeping the platform in a customer tenant may satisfy residency and boundary concerns, but it does not solve entitlements, orphaned accounts, over-privilege, or access review quality. The governance burden shifts rather than disappears. Teams that treat tenant ownership as a substitute for strong lifecycle controls will still accumulate NHI risk. The practitioner conclusion is to use the deployment model as an enabler of assurance, not as evidence of assurance itself.
Regulated IAM teams should expect more demand for deployable assurance, not just deployable software. Buyers in DORA, NIS2, FINMA, and similar environments increasingly want platforms that can be placed inside their own control perimeter without sacrificing operational cadence. That signal extends beyond one vendor. It suggests the NHI security market is moving toward architectures that reconcile cloud operations with customer-evidenced governance. The practitioner conclusion is to re-evaluate whether current tooling can prove control ownership as cleanly as it can automate identity workflows.
Identity governance and NHI governance are converging at the infrastructure boundary. Once the identity stack is deployed inside a customer tenant, the distinction between application governance and environment governance narrows. Logs, roles, residency, and release processes all become part of the same assurance chain. That convergence is where many programmes are underprepared. The practitioner conclusion is to align IAM, cloud platform, and risk teams around one control narrative before the next platform change arrives.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months.
- Private deployment models need to be paired with lifecycle discipline, as shown in NHI Lifecycle Management Guide.
What this signals
Tenant-owned deployment can help regulated programmes answer the auditor’s first question, which is who controls the environment, but it does not answer the harder question of whether identity workflows are governed well enough to survive scale. The practical shift is toward treating deployment boundary, logging, and approval chains as one programme. That is where the identity risk picture becomes operational instead of theoretical.
Control boundary debt: when a platform is easy to consume but hard to evidence, the programme accumulates assurance debt that shows up later in audits and incident response. Teams should close that debt by aligning cloud operations, IAM controls, and NHI governance on the same evidence package, then keep the package current as releases change.
The broader signal is that regulated identity buyers are moving toward architectures that reconcile cloud cadence with customer-held assurance. If your current platform cannot show that balance cleanly, the next procurement cycle is the time to re-evaluate.
For practitioners
- Define tenant ownership in the control model Document who administers the Azure tenant, who approves changes, and who can evidence control ownership for auditors. Separate application support responsibilities from infrastructure administration so the boundary is explicit.
- Map residency requirements to deployment decisions Tie data residency, region selection, and tenant placement to the specific regulatory obligations driving the deployment. Do this before architecture approval, not after implementation begins.
- Review identity workflows for control drift Test whether entitlement reviews, approvals, logging, and access recertification still meet policy when the release cadence matches SaaS but the tenant is customer operated.
- Align IAM and cloud teams on evidence collection Build a shared evidence package for auditors that covers tenant administration, release management, logging, and administrative access. Use one control narrative across identity and infrastructure reviews.
Key takeaways
- Tenant-owned identity deployment changes the governance model, not just the hosting model.
- Cloud cadence without control evidence still leaves regulated IAM programmes exposed.
- NHI governance should treat deployment topology, residency, and tenant administration as core control inputs.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Tenant ownership affects how least-privilege access is enforced and evidenced. |
| NIST CSF 2.0 | GV.RM-01 | Regulated deployment choices should align with governance and risk decisions. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Identity platform control boundaries affect credential lifecycle and rotation oversight. |
Verify NHI credential rotation and administrative access controls remain intact under customer-owned tenancy.
Key terms
- Tenant-owned deployment: A deployment model where the customer controls the cloud tenant and operating environment while the vendor provides the application software and support. In identity governance, this arrangement can satisfy residency and boundary requirements, but it also shifts responsibility for environment administration, evidence collection, and some control operations to the enterprise.
- Control boundary: The line that defines who can administer, observe, and change a system. For NHI and IAM programmes, the control boundary matters because auditors and risk teams care about where authority sits, not just where the software runs. Clear boundaries make assurance easier; blurred ones create governance debt.
- Release cadence: The rate at which new software versions and fixes are delivered. In identity platforms, release cadence affects change management, regression testing, and the stability of control evidence. A fast cadence is not inherently risky, but it must be matched with disciplined validation and environment oversight.
- Data residency: The requirement that data remain in a specific jurisdiction or region for storage, processing, or both. In regulated identity programmes, residency is part of the assurance model because it influences legal exposure, audit scope, and the set of controls needed to prove compliance.
Deepen your knowledge
Tenant-owned identity deployment and regulated IAM governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a control model around customer-operated cloud identity, it is worth exploring.
This post draws on content published by Omada Identity: Omada Identity Cloud Private for regulated enterprises. Read the original.
Published by the NHIMG editorial team on 2026-05-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
