TL;DR: An eleven-month migration from Oracle Identity Manager to SailPoint at PG&E covered 165,000 identities, 75 apps in production, and 400+ requirements, with reported gains in access review simplicity, performance, and $450k in savings, according to SailPoint. Legacy identity debt is no longer just a tooling problem; it is a governance and operating-model problem.
At a glance
What this is: This is a SailPoint customer story about PG&E replacing a legacy Oracle identity stack with a modern identity platform and the operational gains that followed.
Why it matters: It matters because large IAM programmes rarely fail on policy intent alone; they fail when legacy platforms slow reviews, integrations, and lifecycle operations across human, NHI, and privileged access.
By the numbers (all figures as reported by SailPoint):
- Eleven months from the start of the migration off Oracle Identity Manager to the state described in the post.
- 165,000 identities in scope.
- 75 applications in production on the new platform at the time of writing.
- 400+ requirements covered by the programme.
- $450k in savings reported after go-live.
👉 Read SailPoint's blog on PG&E's identity platform migration
Context
Legacy identity platforms create governance drag when they make access reviews, integrations, and certification workflows harder to operate at scale. In a regulated environment, that drag becomes a control issue, because slow and brittle identity tooling limits how quickly teams can prove who has access, why they have it, and whether that access still makes sense.
PG&E’s migration sits in the human IAM and identity governance lane, not the NHI or agentic AI lane. The lesson is that modernisation work is rarely just a platform swap; it is a reset of the operating model behind access reviews, certification, and workflow performance, with implications for audit readiness and user experience.
For identity teams, the core question is not whether a legacy system can be kept alive a little longer. It is whether the programme can keep meeting regulatory, operational, and lifecycle demands without the review friction, performance issues, and integration overhead that legacy identity stacks create.
Key questions
Q: How should security teams judge whether an identity modernisation programme is succeeding?
A: Judge it by governance throughput, not by the fact that a new platform is live. The key signals are faster access reviews, fewer workflow exceptions, cleaner integrations, and better evidence for auditors. If the organisation still relies on manual workarounds, the modernisation has replaced one set of problems with another.
Q: Why do legacy identity platforms create risk in regulated environments?
A: They create risk because they slow down the controls that prove access is appropriate. When certifications, provisioning, and reporting are brittle or slow, teams cannot keep pace with organisational change or audit expectations. In regulated sectors, that delay becomes an operational and compliance burden, not just an IT inconvenience.
Q: What do IAM teams get wrong about identity platform replacement?
A: Teams often focus on cutover success and underweight the quality of the controls after cutover. A migration can be technically complete while certification quality, integration reliability, and reviewer experience remain weak. The right question is whether the new operating model makes governance easier to execute at scale.
Q: How do identity teams keep a migration from disrupting audit readiness?
A: Keep the migration phased, preserve evidence trails, and validate the business-critical workflows that auditors depend on before expanding scope. Re-test certification, provisioning, and reporting after each major step so the organisation can show that governance remained intact during transition.
Technical breakdown
Why legacy identity platforms slow governance at scale
Legacy identity managers often accumulate custom workflows, brittle integrations, and performance overhead that turn routine governance into a maintenance exercise. When access certifications, role changes, and provisioning depend on slow back-end logic, the IAM team spends more time keeping the system stable than governing access. That is especially costly in large environments with many applications and identity populations. The practical difference is not cosmetic: if the platform cannot keep pace with business change, review quality drops and exceptions multiply.
Practical implication: measure workflow latency, certification completion time, and integration breakage before deciding whether a legacy platform can still carry the programme.
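One way to put numbers on those three signals, added here as an example and not code from SailPoint's post or from PG&E: the script below computes certification completion rate, median decision latency, overdue open items, exception rate and bulk-approval ("rubber stamp") reviewers from a constructed certification-campaign export, and per-connector failure rates from constructed provisioning log lines. The record layout, the key=value log format and the bulk-approval thresholds are assumptions, not any product's schema or defaults.

```python
"""Measure identity control debt from certification and provisioning exports.

Added example, not code from SailPoint's post or from PG&E. The record shapes
below are assumptions: they are constructed to resemble a certification
campaign export and a provisioning-connector log, not any real product schema.
"""
import re
from datetime import datetime
from statistics import median

# Constructed certification items. Each row is one reviewer decision on one
# access item; decided=None means the item is still open.
CERT_ITEMS = [
    {"reviewer": "mgr-a", "item": "i1", "opened": "2025-09-01T09:00:00", "decided": "2025-09-03T10:00:00", "decision": "approve"},
    {"reviewer": "mgr-a", "item": "i2", "opened": "2025-09-01T09:00:00", "decided": "2025-09-02T09:00:00", "decision": "revoke"},
    # mgr-b approved three items with one click, seven seconds after opening them
    {"reviewer": "mgr-b", "item": "i3", "opened": "2025-09-01T09:00:00", "decided": "2025-09-01T09:00:07", "decision": "approve"},
    {"reviewer": "mgr-b", "item": "i4", "opened": "2025-09-01T09:00:00", "decided": "2025-09-01T09:00:07", "decision": "approve"},
    {"reviewer": "mgr-b", "item": "i5", "opened": "2025-09-01T09:00:00", "decided": "2025-09-01T09:00:07", "decision": "approve"},
    {"reviewer": "mgr-c", "item": "i6", "opened": "2025-09-01T09:00:00", "decided": None, "decision": None},
    # handled outside the workflow (ticket plus manual change): an exception
    {"reviewer": "mgr-c", "item": "i7", "opened": "2025-09-01T09:00:00", "decided": "2025-09-05T09:00:00", "decision": "manual_override"},
    {"reviewer": "mgr-c", "item": "i8", "opened": "2025-09-01T09:00:00", "decided": None, "decision": None},
]

# Constructed provisioning-connector log lines (the key=value format is assumed).
PROVISIONING_LOG = """\
2025-09-01T09:05:00Z connector=oracle-hr op=create target=hr-app status=ok
2025-09-01T09:06:00Z connector=oracle-hr op=disable target=hr-app status=ok
2025-09-01T09:07:00Z connector=legacy-ldap op=create target=ldap status=error msg="timeout"
2025-09-01T09:08:00Z connector=legacy-ldap op=update target=ldap status=error msg="schema mismatch"
2025-09-01T09:09:00Z connector=legacy-ldap op=update target=ldap status=ok
2025-09-01T09:10:00Z connector=sap op=create target=erp status=ok
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _ts(s):
    return datetime.fromisoformat(s)


def certification_metrics(items, deadline, now, bulk_threshold=3, bulk_max_seconds=60):
    """Return throughput and quality signals for one certification campaign.

    completion_rate: decided items / all items
    median_decision_hours: median time from open to decision
    overdue_open: items still open once the campaign deadline has passed
    exception_rate: decisions made outside the workflow / decided items
    rubber_stamp_reviewers: reviewers who approved >= bulk_threshold items at
        the identical instant, within bulk_max_seconds of the items opening
    """
    deadline, now = _ts(deadline), _ts(now)
    decided = [i for i in items if i["decided"]]
    latencies = [(_ts(i["decided"]) - _ts(i["opened"])).total_seconds() for i in decided]
    overdue = [i for i in items if not i["decided"] and now > deadline]
    overrides = [i for i in decided if i["decision"] == "manual_override"]

    # Group approvals by (reviewer, decision timestamp): many approvals at one
    # instant, seconds after opening, is the signature of "approve all".
    by_click = {}
    for i in decided:
        if i["decision"] != "approve":
            continue
        secs = (_ts(i["decided"]) - _ts(i["opened"])).total_seconds()
        if secs <= bulk_max_seconds:
            by_click.setdefault((i["reviewer"], i["decided"]), []).append(i["item"])
    stampers = sorted({r for (r, _), v in by_click.items() if len(v) >= bulk_threshold})

    return {
        "completion_rate": round(len(decided) / len(items), 3),
        "median_decision_hours": round(median(latencies) / 3600, 1) if latencies else None,
        "overdue_open": len(overdue),
        "exception_rate": round(len(overrides) / len(decided), 3) if decided else None,
        "rubber_stamp_reviewers": stampers,
    }


def connector_failure_rates(log_text):
    """Parse key=value connector log lines and return the failure rate per connector."""
    counts = {}
    for line in log_text.splitlines():
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if "connector" not in fields:
            continue  # not a connector event
        total, failed = counts.get(fields["connector"], (0, 0))
        counts[fields["connector"]] = (total + 1, failed + (fields.get("status") != "ok"))
    return {c: round(f / t, 3) for c, (t, f) in counts.items()}


if __name__ == "__main__":
    print(certification_metrics(CERT_ITEMS, "2025-09-10T00:00:00", "2025-09-12T00:00:00"))
    print(connector_failure_rates(PROVISIONING_LOG))
```

Run against real exports, the interesting outputs are the ones a platform dashboard tends not to show: a high completion rate combined with a rubber-stamp reviewer list is weaker evidence than a lower completion rate with real decision latency, and a connector with a persistent failure rate is the integration that will set the pace of the whole programme.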
Modern identity platforms and the role of phased migration
A phased migration reduces operational risk by replacing governance functions in controlled increments rather than attempting a single cutover. In practice, that means isolating dependencies, moving core workflows first, and validating integrations before expanding scope to more applications and identity types. The value is not merely technical. A phased approach lets the organisation preserve audit continuity while reducing the chance that provisioning, recertification, or reporting failures cascade across the programme.
Practical implication: use phased go-live milestones tied to specific governance functions, not just application counts or project dates.
Access review simplification as an identity governance outcome
Simplified access review is a governance outcome, not a user-interface feature. It usually means fewer manual exceptions, clearer entitlement data, and more reliable certification workflows for managers and reviewers. In regulated organisations, that matters because the quality of review evidence depends on the system's ability to surface the right access at the right time with minimal friction. If the platform obscures that evidence, the organisation inherits operational risk even when policy appears sound.
Practical implication: treat certification quality, evidence completeness, and exception volume as first-class success measures during identity modernisation.
NHI Mgmt Group analysis
Legacy identity debt is a governance problem before it is a technology problem. PG&E’s story shows that old identity platforms can make routine control execution harder than the policy itself. When access review, provisioning, and reporting depend on fragile custom logic, governance slows down and the programme starts paying a hidden operational tax. The conclusion for practitioners is that platform age should be assessed as control debt, not just technical debt.
Platform replacement only matters when it restores the programme’s operating cadence. Eleven months is a meaningful migration window only if it results in faster certification cycles, cleaner integrations, and better user and auditor experience. The important metric is not the cutover itself but whether the new environment reduces the work needed to prove access is appropriate. Practitioners should judge modernisation by governance throughput, not by product refresh narratives.
Access review simplification is the clearest sign that identity modernisation is working. When reviewers can complete decisions faster and with less ambiguity, the programme has likely reduced entitlement noise and workflow friction. That outcome matters across human IAM, privileged access, and connected machine identities because the same governance machinery must scale across all of them. The implication is that identity modernisation should be measured by decision quality, not just feature count.
Heavily regulated industries expose the real cost of identity friction. In environments like utilities, performance issues in identity tooling become compliance pressure points because the organisation must sustain evidence, review cadence, and operational resilience at the same time. That makes legacy architecture a business risk, not just an IT inconvenience. The practitioner lesson is to evaluate whether identity systems can support the programme's regulatory pace without constant workaround engineering.
Identity platform replacement is now part of resilience planning. Modern identity governance is not only about cleaner administration. It is about whether the organisation can adapt to app churn, workforce change, and audit demands without losing control of access. PG&E's experience reinforces a broader field truth: when the identity layer becomes rigid, the rest of the security programme inherits the delay. Practitioners should treat identity modernisation as a resilience investment, not a cosmetic upgrade.
From our research:
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- The same governance pressure is visible in lifecycle work, so compare your controls with the NHI Lifecycle Management Guide before expanding migration scope.
What this signals
Identity modernisation exposes a programme design issue that many teams delay for too long: when access review and provisioning depend on legacy plumbing, governance slows to the pace of the weakest integration. That is why platform replacement should be treated as a control redesign exercise, not an infrastructure refresh. Teams that are planning broader identity change should benchmark the operating state against NIST Cybersecurity Framework 2.0 functions for protect, detect, and recover.
The larger signal for IAM leaders is that modernisation success now depends on whether the platform can sustain evidence quality across the full identity lifecycle. If not, certification and audit work will continue to absorb operational time that should be spent on risk decisions. For teams moving from legacy stacks, the practical next step is to align the migration plan with the Ultimate Guide to NHIs, Regulatory and Audit Perspectives, where machine and service identities are also in scope.
For practitioners
- Assess identity platform control debt: Inventory workflow latency, certification backlog, integration failure rates, and custom-code dependencies to determine where the current platform is slowing governance decisions. Use those findings to decide whether the environment can still support regulated operations without repeated manual intervention.
- Tie migration milestones to governance outcomes: Define success criteria around access review completion, provisioning reliability, evidence quality, and audit continuity rather than only application counts or project dates. A migration that preserves uptime but weakens review execution has not actually reduced risk.
- Simplify certification workflows before expanding scope: Remove entitlement noise, reduce reviewer ambiguity, and validate data quality in the first application waves before scaling to broader populations. That sequencing helps ensure the new platform improves decision quality instead of merely moving the same friction into a new system.
- Re-test regulated access processes after cutover: Re-run the business-critical certification, workflow, and reporting scenarios that matter for audit and compliance once the new platform is live. Do not assume the migration succeeded because provisioning works; verify the controls that prove governance is functioning.
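A concrete form of that post-cutover re-test, added here as an example rather than code from SailPoint or PG&E: take an entitlement export from the legacy platform and one from the new platform and reconcile them. The script flags identities that lost coverage, grants that appeared without a matching decision, grants that vanished, revocations from the last legacy campaign that were never applied, orphan accounts with no owning identity, and separation-of-duties conflicts in the new state. The CSV layout, both snapshots, the revoke list and the toxic entitlement pair are constructed assumptions.

```python
"""Reconcile access after an identity-platform cutover.

Added example, not code from SailPoint's post or from PG&E. The CSV layout
(identity,account,application,entitlement) and the small snapshots below are
constructed assumptions standing in for an export from the legacy platform
and one from the new platform taken after cutover.
"""
import csv
import io

LEGACY_EXPORT = """\
identity,account,application,entitlement
u100,jdoe,erp,AP_CLERK
u100,jdoe,erp,AP_APPROVER
u100,jdoe,hr-app,READ
u101,asmith,erp,AP_CLERK
u102,bkim,ldap,DOMAIN_ADMIN
u103,cwong,hr-app,READ
"""

NEW_EXPORT = """\
identity,account,application,entitlement
u100,jdoe,erp,AP_CLERK
u100,jdoe,erp,AP_APPROVER
u100,jdoe,hr-app,READ
u101,asmith,erp,AP_CLERK
u101,asmith,erp,AP_APPROVER
u102,bkim,ldap,DOMAIN_ADMIN
,svc-migrate,ldap,DOMAIN_ADMIN
"""

# Revoke decisions recorded in the last legacy certification campaign (constructed).
# They must be absent from the new platform for the control to count as enforced.
REVOKED = {("u100", "erp", "AP_APPROVER")}

# Entitlement pairs that must never sit on one identity in one application (constructed).
TOXIC_PAIRS = {frozenset({"AP_CLERK", "AP_APPROVER"})}


def load_grants(text):
    """Return (identity, application, entitlement) grants, plus rows whose
    identity column is empty as (account, application, entitlement) orphans."""
    grants, orphans = set(), set()
    for row in csv.DictReader(io.StringIO(text)):
        if row["identity"]:
            grants.add((row["identity"], row["application"], row["entitlement"]))
        else:
            orphans.add((row["account"], row["application"], row["entitlement"]))
    return grants, orphans


def sod_violations(grants):
    """Identities holding every entitlement of a toxic pair within one application."""
    held = {}
    for ident, app, ent in grants:
        held.setdefault((ident, app), set()).add(ent)
    return sorted((ident, app, tuple(sorted(pair)))
                  for (ident, app), ents in held.items()
                  for pair in TOXIC_PAIRS if pair <= ents)


def reconcile(legacy_text, new_text, revoked=REVOKED):
    """Compare before/after snapshots and return the findings an auditor would ask for."""
    old, _ = load_grants(legacy_text)
    new, orphans = load_grants(new_text)
    old_ids = {g[0] for g in old}
    new_ids = {g[0] for g in new}
    return {
        "identities_missing": sorted(old_ids - new_ids),   # lost coverage
        "grants_added": sorted(new - old),                  # need approval evidence
        "grants_dropped": sorted(old - new - revoked),      # unexpected loss (revokes excluded)
        "revokes_not_enforced": sorted(revoked & new),      # decided, never applied
        "orphan_accounts": sorted(orphans),                 # no accountable owner
        "sod_violations": sod_violations(new),
    }


if __name__ == "__main__":
    for finding, rows in reconcile(LEGACY_EXPORT, NEW_EXPORT).items():
        print(f"{finding}: {rows}")
```

Treat a non-empty `revokes_not_enforced` or `orphan_accounts` list as a blocker for the next wave: the first means the certification decisions the auditors rely on did not change real access, the second means the migration itself created privileged access with no owner, which is exactly the evidence gap a phased rollout is meant to prevent.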
Key takeaways
- Legacy identity platforms can turn routine governance into a control debt problem when workflows, integrations, and reviews become hard to operate.
- PG&E’s migration shows that modernisation success is measured by governance throughput, reviewer experience, and evidence quality, not just by cutover completion.
- In regulated environments, identity platform replacement should be treated as a resilience and audit-readiness decision, not a cosmetic technology refresh.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (PR.AC-1 in CSF 1.1) | Identity platform modernisation changes how access permissions and entitlements are managed, enforced, and reviewed. |
| NIST CSF 2.0 | PR.PS-01 (PR.IP-1 in CSF 1.1) | A phased migration is a controlled configuration change that keeps protective processes stable through cutover. |
| NIST SP 800-63 | Digital Identity Guidelines, rev. 3 (800-63A/B/C) | The post covers enterprise identity governance and lifecycle controls in a regulated environment; identity proofing, authenticator and federation lifecycle requirements still apply to the accounts the new platform manages. |
Map migration outcomes to access control quality and verify permissions are enforced consistently after cutover.
Key terms
- Identity platform modernisation: Identity platform modernisation is the replacement or restructuring of legacy IAM tooling so governance can operate with less friction. It usually involves simplifying workflows, improving integration reliability, and reducing the manual work needed to certify access, provision users, and produce audit evidence.
- Access review: Access review is the process of checking whether an identity still needs the permissions it holds. In practice, it is only as strong as the system that supports it, because poor data quality, slow workflows, and ambiguous entitlements can turn certification into a box-ticking exercise.
- Certification workflow: Certification workflow is the sequence of tasks and approvals used to confirm access remains appropriate. For large organisations, the workflow must be reliable, understandable, and auditable, otherwise reviewers delay decisions or approve without enough context, which weakens governance.
- Identity control debt: Identity control debt is the accumulated operational burden that appears when legacy identity systems make governance harder to execute than it should be. It shows up as manual exceptions, brittle integrations, slow reviews, and poor evidence quality that eventually affect audit readiness and resilience.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity governance in your organisation, it is worth exploring.
This post draws on content published by SailPoint: the blog post "Legacy to Modern: Replacing Legacy Identity at PG&E". Read the original.
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org