TL;DR: An eleven-month migration from Oracle Identity Manager to SailPoint at PG&E covered 165,000 identities, 75 apps in production, and 400+ requirements, with reported gains in access review simplicity, performance, and $450k in savings, according to SailPoint. Legacy identity debt is no longer just a tooling problem; it is a governance and operating-model problem.
NHIMG editorial — based on content published by SailPoint: Blog Legacy to Modern, Replacing Legacy Identity at PG&E
By the numbers:
- PG&E reported $450k in savings after go-live.
Questions worth separating out
Q: How should security teams judge whether an identity modernisation programme is succeeding?
A: Judge it by governance throughput, not by the fact that a new platform is live.
Q: Why do legacy identity platforms create risk in regulated environments?
A: They create risk because they slow down the controls that prove access is appropriate.
Q: What do IAM teams get wrong about identity platform replacement?
A: Teams often focus on cutover success and underweight the quality of the controls after cutover.
Practitioner guidance
- Assess identity platform control debt Inventory workflow latency, certification backlog, integration failure rates, and custom-code dependencies to determine where the current platform is slowing governance decisions.
- Tie migration milestones to governance outcomes Define success criteria around access review completion, provisioning reliability, evidence quality, and audit continuity rather than only application counts or project dates.
- Simplify certification workflows before expanding scope Remove entitlement noise, reduce reviewer ambiguity, and validate data quality in the first application waves before scaling to broader populations.
What's in the full article
SailPoint's full blog covers the operational detail this post intentionally leaves for the source:
- The migration sequencing and integration work needed to unwind Oracle Identity Manager at enterprise scale.
- The specific certification, workflow, and compliance requirements that shaped PG&E's project plan.
- The phased go-live approach across 75 applications and how the team managed cutover risk.
- The reported savings and post-migration benefits that support the business case for change.
👉 Read SailPoint's blog on PG&E's identity platform migration →
PG&E’s Oracle-to-modern identity shift: what IAM teams should note?
Explore further
Legacy identity debt is a governance problem before it is a technology problem. PG&E’s story shows that old identity platforms can make routine control execution harder than the policy itself. When access review, provisioning, and reporting depend on fragile custom logic, governance slows down and the programme starts paying a hidden operational tax. The conclusion for practitioners is that platform age should be assessed as control debt, not just technical debt.
A few things that frame the scale:
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: How do identity teams keep a migration from disrupting audit readiness?
A: Keep the migration phased, preserve evidence trails, and validate the business-critical workflows that auditors depend on before expanding scope. Re-test certification, provisioning, and reporting after each major step so the organisation can show that governance remained intact during transition.
👉 Read our full editorial: PG&E’s identity platform migration shows what legacy IAM blocks