By NHI Mgmt Group Editorial Team | Published 2025-09-15 | Domain: Governance & Risk | Source: Zluri

TL;DR: Zluri's comparison of SailPoint and ForgeRock frames IGA selection around lifecycle governance, access control, compliance automation, and identity visibility, and notes pricing and rating differences alongside the operational reality that access reviews and deprovisioning still drive breach prevention. The deeper issue is not feature breadth but whether identity governance can keep pace with hybrid access sprawl and non-human access paths.


At a glance

What this is: This is Zluri’s comparison of SailPoint and ForgeRock for IGA selection, with the key finding that governance depth, lifecycle control, and review automation matter more than feature checklists.

Why it matters: It matters because IAM teams are choosing controls that shape how access is reviewed, revoked, and audited across human, machine, and emerging autonomous identities.

👉 Read Zluri’s comparison of SailPoint and ForgeRock for IGA selection


Context

IGA tool selection is really a governance decision about how an organisation discovers access, certifies entitlements, and removes privileges when roles change. In practice, the hard part is not comparing product labels, but deciding which control model can keep pace with SaaS sprawl, cloud integrations, and review fatigue.

The article positions SailPoint and ForgeRock as different answers to the same problem: how to make identity governance operational rather than manual. That is relevant well beyond human users, because the same lifecycle discipline increasingly applies to service accounts, workloads, and other non-human identities that also accumulate access over time.


Key questions

Q: How should security teams evaluate IGA tools for access governance coverage?

A: Start with coverage, not features. A credible IGA platform should discover the full application estate, certify entitlements across those systems, and execute removal when access is no longer justified. If discovery is partial, the governance model is partial, even if the workflow looks complete.

Q: Why do access reviews often fail to reduce real risk?

A: Because many programmes stop at approval. If a review result does not trigger deprovisioning, entitlement reduction, or a documented exception workflow, the organisation has produced evidence but not changed exposure. Risk falls only when the access state changes after the decision.

Q: What do organisations get wrong about automated provisioning and offboarding?

A: They assume automation is the same as governance. Automation only moves tasks faster; it does not prove that access is correctly scoped, fully visible, or actually removed when roles change. The control objective is lifecycle accuracy, not workflow speed.

Q: How should teams judge whether an IGA programme is mature?

A: Look for three things: complete visibility into the identity estate, recurring certification with enforced remediation, and measurable reduction in stale access. Mature governance is visible in shorter revocation lag, cleaner audit evidence, and fewer exceptions that outlive their business need.


Technical breakdown

IGA lifecycle governance in hybrid environments

Identity governance and administration is the set of processes that proves who should have access, confirms who still needs it, and removes what is no longer justified. In hybrid environments, that means synchronising HR, application, directory, and SaaS signals so provisioning, certification, and offboarding are not handled as separate one-off tasks. The technical challenge is not only policy definition, but identity correlation across systems that each hold partial truth about access.

Practical implication: choose controls that can sustain continuous lifecycle governance across all connected identity sources, not just a single directory.
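As an added illustration of the correlation problem (example code written for this page, not Zluri's, SailPoint's or ForgeRock's), the script below joins a constructed HR feed, a directory export and three SaaS account exports on a normalised login key, then lists the access paths the join exposes: a terminated employee whose directory account and CRM role are still live, a local application account that no upstream source vouches for, and a directory account with no human owner that holds a CI entitlement. All names, logins and applications are made up; the join key and the three finding types are assumptions about how a practitioner would model this, not any product's schema.

```python
"""Correlate identity records that each hold partial truth about access.

Added example with constructed HR, directory and SaaS data; no real systems.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed HR feed: the authoritative record for human identities.
HR_FEED = [
    {"employee_id": "E1001", "email": "Ana@Example.com", "status": "active"},
    {"employee_id": "E1002", "email": "bo@example.com", "status": "terminated"},
]

# Constructed directory export (AD / Entra / Okta style). Joins to HR on employee_id.
DIRECTORY = [
    {"upn": "ana@example.com", "enabled": True, "employee_id": "E1001"},
    {"upn": "bo@example.com", "enabled": True, "employee_id": "E1002"},        # leaver still enabled
    {"upn": "svc-backup@example.com", "enabled": True, "employee_id": None},  # no human owner on record
]

# Constructed SaaS exports. Apps key on whatever login they hold, so a local
# account with no directory identity only ever shows up here.
SAAS_ACCOUNTS = {
    "crm": [{"login": "ana@example.com", "role": "admin"},
            {"login": "bo@example.com", "role": "editor"}],
    "billing": [{"login": "ana@example.com", "role": "viewer"},
                {"login": "contractor77", "role": "admin"}],
    "ci": [{"login": "svc-backup@example.com", "role": "owner"}],
}


@dataclass
class Identity:
    key: str                            # normalised login used as the join key
    kind: str                           # "human", "non-human" or "unknown"
    hr_status: Optional[str] = None     # None when HR has no record
    dir_enabled: Optional[bool] = None  # None when the directory has no account
    entitlements: List[Tuple[str, str]] = field(default_factory=list)  # (app, role)


def normalise(login: str) -> str:
    """Case-folded join key; real estates also need alias and display-name matching."""
    return login.strip().casefold()


def correlate(hr, directory, saas) -> Dict[str, Identity]:
    """Join HR, directory and app accounts on login. HR is seeded first so it stays authoritative."""
    ids: Dict[str, Identity] = {}
    hr_by_id = {r["employee_id"]: r for r in hr}
    for rec in hr:
        k = normalise(rec["email"])
        ids[k] = Identity(k, "human", hr_status=rec["status"])
    for acct in directory:
        k = normalise(acct["upn"])
        if k not in ids:
            hr_rec = hr_by_id.get(acct["employee_id"])
            kind = "human" if hr_rec else "non-human"  # directory account HR does not know: NHI candidate
            ids[k] = Identity(k, kind, hr_status=hr_rec["status"] if hr_rec else None)
        ids[k].dir_enabled = acct["enabled"]
    for app, accounts in saas.items():
        for acct in accounts:
            k = normalise(acct["login"])
            if k not in ids:
                ids[k] = Identity(k, "unknown")  # local app account: nobody upstream vouches for it
            ids[k].entitlements.append((app, acct["role"]))
    return ids


def findings(ids: Dict[str, Identity]) -> List[dict]:
    """Governance gaps the join exposes; each is an access path policy alone would not show."""
    out = []
    for ident in ids.values():
        if ident.hr_status == "terminated" and (ident.dir_enabled or ident.entitlements):
            out.append({"type": "leaver_with_access", "identity": ident.key, "entitlements": ident.entitlements})
        elif ident.kind == "unknown":
            out.append({"type": "orphan_local_account", "identity": ident.key, "entitlements": ident.entitlements})
        elif ident.kind == "non-human":
            out.append({"type": "unowned_nhi", "identity": ident.key, "entitlements": ident.entitlements})
    return sorted(out, key=lambda f: (f["type"], f["identity"]))


if __name__ == "__main__":
    for f in findings(correlate(HR_FEED, DIRECTORY, SAAS_ACCOUNTS)):
        print(f)
```

Note that the HR record is seeded first and later sources only attach to it: if the directory or an app were allowed to create the authoritative record, a leaver's still-enabled account would look like a legitimate identity. The "unknown" and "non-human" buckets are what a certification campaign has to reach before it can be called complete.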

Access certification and automated deprovisioning

Access certification is the recurring validation of whether a user or account still needs a permission set, while deprovisioning is the enforcement step that removes access after a decision. The article’s emphasis on automated review and remediation reflects a simple governance reality: manual spreadsheets cannot keep up once access counts, application counts, and reviewer workload rise. The value is not only speed, but the audit trail that proves decisions were made and executed.

Practical implication: align certification campaigns with automated removal actions so review outcomes become enforcement, not just documentation.

Why SaaS discovery changes the governance model

A discovery engine changes identity governance by exposing where access actually exists, not just where policy says it should exist. In SaaS-heavy environments, organisations often lose track of shadow applications, inherited entitlements, and delegated access paths, which makes review quality dependent on visibility first and workflow second. The technical issue is coverage: if the platform does not see the account, it cannot govern the account.

Practical implication: verify that discovery reaches the full application estate before treating access reviews as complete.
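The two sections above, certification tied to removal and discovery coverage, can be shown in one place. The following is an added example, not code from Zluri or either vendor: it first reports the apps in the estate that discovery cannot read as ungoverned rather than treating them as clean, then executes constructed certification decisions through a stand-in connector, records before and after state read back from the application rather than assumed, flags time-boxed exceptions that have outlived their expiry, and computes revocation dwell time from decision to verified removal, the metric the practitioner checklist later asks for. The application state, decisions, connector, and the keep/revoke/exception decision vocabulary are all constructed assumptions.

```python
"""Turn certification decisions into enforced, verified removals with an audit trail.

Added example; constructed data and a stand-in connector, not any product's API.
"""
from copy import deepcopy
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Set

AppState = Dict[str, Dict[str, Set[str]]]  # app -> login -> set of roles

# Constructed discovery output: every app the estate is known to contain,
# and the live entitlement state of the apps the discovery connectors can read.
ESTATE_APPS = {"crm", "billing", "hr-portal"}
APP_STATE: AppState = {
    "crm": {"ana@example.com": {"admin"}, "bo@example.com": {"editor"}},
    "billing": {"contractor77": {"admin"}},
}

T0 = datetime(2025, 9, 1, 9, 0, tzinfo=timezone.utc)  # constructed campaign close time

# Constructed certification outcomes: keep, revoke, or a time-boxed exception.
DECISIONS = [
    {"app": "crm", "login": "bo@example.com", "role": "editor", "decision": "revoke", "decided_at": T0},
    {"app": "crm", "login": "ana@example.com", "role": "admin", "decision": "keep", "decided_at": T0},
    {"app": "billing", "login": "contractor77", "role": "admin", "decision": "exception",
     "decided_at": T0, "expires_at": T0 + timedelta(days=30)},
]


def coverage_gap(estate: Set[str], state: AppState) -> List[str]:
    """Apps in the estate that discovery cannot read: their access is ungoverned, not 'clean'."""
    return sorted(estate - set(state))


def revoke_role(state: AppState, app: str, login: str, role: str) -> None:
    """Stand-in for a provisioning connector's removal call."""
    roles = state.get(app, {}).get(login)
    if roles is not None:
        roles.discard(role)
        if not roles:
            del state[app][login]


def has_role(state: AppState, app: str, login: str, role: str) -> bool:
    """Read-back of live state; this is what the audit record must be built from."""
    return role in state.get(app, {}).get(login, set())


def enforce(decisions, state: AppState, now: datetime,
            connector: Callable = revoke_role) -> List[dict]:
    """Execute each decision and record before/after state; 'verified' is read back, not assumed."""
    audit = []
    for d in decisions:
        app, login, role = d["app"], d["login"], d["role"]
        entry = {"app": app, "login": login, "role": role, "decision": d["decision"],
                 "before": has_role(state, app, login, role)}
        if d["decision"] == "revoke":
            connector(state, app, login, role)
            entry["after"] = has_role(state, app, login, role)
            entry["verified"] = not entry["after"]  # evidence only counts if the role is really gone
            entry["dwell_hours"] = (now - d["decided_at"]).total_seconds() / 3600
        elif d["decision"] == "exception":
            entry["after"] = entry["before"]
            entry["expired"] = d["expires_at"] <= now  # exceptions must not outlive their expiry
        else:
            entry["after"] = entry["before"]
        audit.append(entry)
    return audit


def run_campaign(hours_after_close: float = 36.0, connector: Callable = revoke_role):
    """Run the constructed campaign against a copy of live state; returns (audit, live_state)."""
    now = T0 + timedelta(hours=hours_after_close)
    live = deepcopy(APP_STATE)
    return enforce(DECISIONS, live, now, connector), live


if __name__ == "__main__":
    print("ungoverned apps:", coverage_gap(ESTATE_APPS, APP_STATE))
    audit, live = run_campaign()
    for entry in audit:
        print(entry)
    print("live state after enforcement:", live)
```

The `verified` flag is the point of the example: running the same campaign with a connector that silently does nothing (for instance an integration whose write scope was never granted) still produces a complete-looking audit record, but `verified` comes back False because the role is read back as present. That is the "evidence without changed exposure" failure the article warns about, and `dwell_hours` is the revocation lag a shortlist should measure rather than accept from a vendor claim.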


Threat narrative

Attacker objective: exploit excessive or stale access to reach sensitive systems or data that should no longer have been reachable.

  1. Entry occurs through fragmented identity visibility, where access persists across SaaS, directory, and application layers without a single authoritative view.
  2. Escalation follows when over-assigned entitlements and delayed offboarding let users or accounts retain privileges beyond their business need.
  3. Impact is unauthorized data exposure, audit failure, and a larger breach surface when governance cannot remove stale access quickly enough.
  • Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
  • Snowflake breach — cloud credential abuse against Snowflake customer accounts compromised Ticketmaster, Santander and others.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

IGA tool choice is really a control-design choice, not a feature comparison. The article is framed as a vendor comparison, but the real decision is whether an organisation can prove access legitimacy across the full lifecycle. SailPoint and ForgeRock are presented as different implementations of governance depth, yet the governing question is whether certification, provisioning, and removal are all linked tightly enough to survive scale. Practitioners should evaluate control completeness before they evaluate interface preferences.

Access certification without enforced deprovisioning is a governance artefact, not a control. The article repeatedly centres review campaigns, but review alone does not reduce exposure unless the outcome is executed. That distinction matters for IGA programmes because many environments create evidence without changing access state. Practitioners should treat execution linkage as the real test of governance maturity.

Lifecycle drift is the hidden risk behind every IGA shortlist. The comparison focuses on access management and compliance, but the deeper failure mode is stale entitlements accumulating faster than review cadence can remove them. This is especially relevant as service accounts, workflows, and application integrations expand the number of identities that must be governed. Practitioners should judge tools by how well they shrink stale-access dwell time.

Visibility is the named concept that separates governance intent from governance reality. If discovery cannot see all apps, all delegated access, and all related entitlements, then every certification campaign starts incomplete. That is not a reporting problem, it is a control boundary problem. Practitioners should define governance coverage before they define remediation targets.

Non-human access now inherits the same governance failures that once defined human access sprawl. The article is about human-facing IGA tooling, but the same lifecycle logic increasingly applies to service accounts, tokens, and other machine identities that do not self-correct over time. That means IGA programmes should be evaluated as cross-identity governance systems, not user-only workflow engines.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • A separate finding shows that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which helps explain why identity governance keeps failing at the visibility layer.
  • For a broader lifecycle lens, read the NHI Lifecycle Management Guide for the governance steps that visibility has to support.

What this signals

Visibility is now the first control boundary in identity governance. If organisations cannot see third-party and delegated identities completely, they cannot certify or revoke them confidently, no matter how polished the workflow looks. That is why tooling selection should be judged against estate coverage before automation claims, not after.

The governance lesson extends beyond human users. Service accounts, OAuth-connected access, and other non-human identities create the same stale-access problem once they fall outside the review graph, so programme leaders should align IGA, PAM, and lifecycle controls around a single inventory.

As identity estates widen, control quality depends on whether review, remediation, and evidence generation happen in one chain. Teams that want a practical baseline should compare their current state against the 52 NHI Breaches Analysis and the OWASP Non-Human Identity Top 10.


For practitioners

  • Map governance coverage before product selection. Inventory which identity sources, SaaS apps, and directories the platform can discover, certify, and deprovision. If the tool cannot see an access path, do not count that access path as governed.
  • Tie review outcomes to enforced removal. Require evidence that certification decisions trigger deprovisioning or entitlement reduction automatically, with an auditable record of the action taken and the account state after closure.
  • Test stale-access dwell time. Measure how long it takes for revoked or unneeded access to disappear from applications after a review concludes, then use that lag as a shortlist criterion for IGA tooling.
  • Include machine identities in the same governance model. Extend lifecycle reviews to service accounts, API tokens, and other non-human identities so governance does not stop at employee accounts and miss the fastest-growing access population.

Key takeaways

  • IGA selection should be judged by whether it can see, certify, and remove access across the full identity estate, not by feature counts alone.
  • Access review that does not trigger remediation leaves the underlying exposure untouched, which means governance has been simulated rather than enforced.
  • The same lifecycle discipline that matters for employees now has to extend to service accounts and other non-human identities or stale access will keep accumulating.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | The article’s core risk is stale access and weak lifecycle control for non-human identities.
NIST CSF 2.0 | PR.AA-05 (the CSF 2.0 successor to CSF 1.1’s PR.AC-4) | IGA is fundamentally about managed access permissions, entitlements, and ongoing review.
NIST Zero Trust Architecture (SP 800-207) |  | Zero Trust requires continuous verification, which depends on complete identity visibility.

Use continuous verification principles to challenge any access path the governance platform cannot observe.


Key terms

  • Identity Governance And Administration: Identity governance and administration is the set of controls that define, review, and enforce who or what should have access. It combines access request, certification, provisioning, and offboarding so entitlement decisions are auditable and reversible across systems, not just documented in policy.
  • Access Certification: Access certification is the recurring review of whether a permission, role, or entitlement is still justified. In mature programmes it is tied to enforcement, so approval or rejection changes the live access state instead of creating a paper-only record.
  • Deprovisioning: Deprovisioning is the removal of access after it is no longer needed, often when a user changes role or leaves an organisation. It is a control action, not just an administrative task, because delayed removal leaves a window for misuse and audit failure.
  • Identity Discovery: Identity discovery is the process of finding where identities, entitlements, and access paths actually exist across applications and services. It is the visibility layer that determines whether governance can see the full estate before review and remediation begin.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri (Security & Compliance): “SailPoint vs ForgeRock: Which IGA Tool To Choose?” Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org