Identity management vendor selection: are your criteria keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Choosing an identity-management vendor in 2026 is a multi-year decision that shapes lifecycle automation, authentication, certification evidence, integrations, and security operations, according to Avatier’s framework for evaluating vendors. The real test is whether the platform handles mover complexity, verification architecture, and operational scale without creating years of migration friction.

NHIMG editorial — based on content published by Avatier: the 2026 identity management vendor evaluation framework

Questions worth separating out

Q: How should organisations evaluate identity management vendors beyond feature lists?

A: Treat vendor evaluation as an operating-model decision, not a product comparison.

Q: Why do mover workflows matter so much in identity programmes?

A: Mover workflows expose whether a platform can keep access aligned to changing employment state without leaving stale privileges or forcing manual cleanup.

Q: What do security teams get wrong about phishing-resistant MFA?

A: They often treat the factor as the control and ignore recovery, reset, and exception paths.

Practitioner guidance

  • Script the mover scenario before you score the platform. Run a join, move, leave, and rehire sequence across a real user record and inspect how approvals, roles, and entitlements change at each step.
  • Test recovery as part of authentication governance. Walk through password reset, MFA reset, and privileged account recovery with the same scrutiny as primary sign-in.
  • Score certification by scope reduction, not campaign volume. Measure whether the platform narrows the review population using risk, role, or application context.

What's in the full article

Avatier's full article covers the operational detail this post intentionally leaves for the source:

  • The full criterion-by-criterion vendor evaluation rubric with demo prompts you can reuse in procurement.
  • The extended trade-off discussion for each control area, including where vendors tend to overstate maturity.
  • The suggested phased selection process from shortlist to proof of concept to final negotiation.
  • The specific buyer's-guide cross references for IGA, ILM, MFA, and Passwordless shortlists.

👉 Read Avatier's identity management vendor evaluation framework for 2026 →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 7990
 

Vendor selection is an identity governance decision, not a feature checklist. The platform you choose becomes the control plane for who gets access, how access changes, and how much evidence you can trust later. That means evaluation criteria must map to operating reality, not to brochure language. The practitioner consequence is simple: shortlist vendors against lifecycle, authentication, governance, integration, and recovery as one connected programme.

A few things that frame the scale:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: Who is accountable when access certification becomes rubber-stamped?

A: The identity governance owner, application owners, and control stakeholders all share responsibility, because weak scoping turns review into theatre. When campaigns are too broad, reviewers lose signal, evidence quality drops, and the control stops supporting audit or risk decisions.

👉 Read our full editorial: Identity management vendor selection in 2026: what matters most



   