TL;DR: Choosing an identity-management vendor compounds across years of workforce sign-in, provisioning, compliance evidence, and integration work, with migration friction often lasting three to five years if the selection is wrong, according to Avatier. The real test is whether lifecycle, authentication, governance, and scaling decisions hold up under enterprise mover flows and audit pressure, not whether the demo looks polished.
NHIMG editorial — based on content published by Avatier: an evaluation framework for choosing an identity management vendor in 2026
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Questions worth separating out
Q: How should security teams evaluate identity management platforms for lifecycle automation?
A: Security teams should test how the platform handles real mover activity, not just onboarding and offboarding.
Q: When does identity certification become less useful than runtime access controls?
A: Certification becomes less useful when it only records entitlement decisions after the fact and does not reduce entitlement drift.
Q: What do organisations get wrong about identity vendor demos?
A: They often mistake a clean demo path for operational maturity.
Practitioner guidance
- Script mover scenarios in every demo: Require the vendor to show role changes, contractor conversions, leave-of-absence handling, and termination in one continuous lifecycle flow, with the event log visible at each step.
- Validate recovery paths for privileged authentication: Test what happens when phishing-resistant MFA is challenged by a reset, a device change, or a failed verification flow, especially for high-privilege users.
- Inspect connector maintenance, not connector counts: Ask how quickly the platform updates when a target application changes its API and whether custom connectors are configuration work or a development project.
What's in the full article
Avatier's full article covers the operational detail this post intentionally leaves for the source:
- The full 12-criterion evaluation matrix with the vendor's demo questions for each category.
- Detailed guidance on scoring lifecycle, authentication, governance, scaling, and implementation trade-offs.
- The vendor's own buyer-guide context for IGA, ILM, MFA, and passwordless shortlist comparisons.
- The implementation-phase sequencing and evaluation rubric used to structure the purchase decision.
Identity-management vendor selection: what criteria actually hold up in 2026?
Explore further
Identity vendor selection is really a control-plane decision. The buyer is not just choosing workflow software; it is choosing how lifecycle events, authentication decisions, and audit evidence will be normalised across the enterprise. That means weak mover handling or brittle integration becomes a governance failure, not just an implementation inconvenience. Practitioners should treat vendor selection as a long-term identity control-plane choice, not a feature comparison.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who is accountable when identity workflows fail during an audit or incident?
A: Accountability sits with the organisation that owns the identity control plane, not with the vendor demo. Frameworks such as the NIST Cybersecurity Framework 2.0 and OWASP Non-Human Identity Top 10 help teams define ownership, evidence, and control expectations. Practitioners should map the platform to internal control owners before deployment.