Charter


Identity governance has been “solved” four times. Why we’re stupid enough to do it again.

Pranay Yadav · Co-founder, Iden

I. The dynamo years

Forty years.

That's how long it took factories to get any productivity out of electricity after it arrived.

The technology showed up in the 1880s. Factories pulled out the steam engine and dropped a dynamo in its place. Same floor. Same layout. The same long shafts running overhead, the same belts hanging down to each machine, the same arrangement around a central spindle. Now the spindle was electric. They'd done the upgrade. They were modern.

A late-1800s factory floor: machines arranged in rows around a central electric dynamo, long overhead shafts and belts running power down to each workstation, exactly as they had under the steam engine.
A factory floor in the dynamo years.

And then, for forty years, nothing happened.

Productivity barely moved. The factories had the new power source, but they used it like the old one. Power still flowed from a center. Machines were still arranged around it. The whole geometry of work was unchanged.

It took until the 1920s for someone to ask the obvious question:

If every machine can have its own motor, why are we still building the factory around a single spindle?

That's when the modern factory got built. Not as a steam plant with electricity bolted on. As a different kind of building, organized around what electricity actually was.

The forty years in between is one of the most expensive lessons in industrial history. The technology had changed. The imagination hadn't.

Identity governance is in those forty years right now. I think we're about twenty years in.


II. Four dynamos, one floor plan

This is the slide I opened my last board meeting with:

A board-meeting slide reading 'Identity has been solved. Four times.' with a timeline across four eras: Active Directory in the 1990s, Sailpoint in the 2000s, Okta and Saviynt in the 2010s, and Lumos, Veza and ConductorOne in the 2020s.
“Identity has been solved. Four times.”

Each time, the industry called it a new era. Each time, it was a new dynamo dropped onto the same floor plan.

The products aren't bad. SailPoint is genuinely capable. Okta is excellent at what it does. The modern tools have better UX than what came before. The engineering is fine. The problem is that none of them redesigned the work.

The work is this. Every time a person joins a company, leaves it, changes roles inside it, requests access to a system, or gets reviewed for an audit, something has to happen across every system that person touches. That's not a feature. That's the job.

And in almost every company between 50 and 2000 people, that job is being done by hand. One or two or three people, sitting in IT, doing it on top of everything else they're responsible for.

The IT team is the spindle. Every onboarding ticket, every offboarding scramble, every access review, every audit-week panic still routes through a person. We dressed the problem in better software and called it solved.

Nobody in this industry wants to say it clearly, so I will.

"We automated identity governance" almost always means "we automated the easy fifth."

That fifth consists of the cloud apps that support SCIM. The systems with clean APIs. The ones the vendor wanted to support because they were easy.

The other four-fifths is still a person doing it by hand, every day. The on-prem system finance has been on for a decade. The mainframe terminal nobody wants to upgrade. The vendor portal that hasn't seen an API since 2014. The shadow SaaS someone signed up for last quarter. The agent your AI team spun up last month. The trading platform. The LIMS. The MES on the factory floor. The thing the construction PM signs into from his truck.

A fifth isn't coverage. It's a steam plant with a motor on the spindle.


III. The person at the spindle

Anchit and I spent the better part of a year talking to companies where IT is one person, one team, or an entire department. IT managers at 50-person startups. Heads of IT at 300-person companies. Sysadmins at companies of 2000. Different industries: biotech, fintech, robotics, AI, healthcare, manufacturing, construction, crypto exchanges, hospitals. Different stacks. Same conversation, almost word for word, every time.

They'd walk us through their setup. They'd show us what was automated. Then they'd point at most of the screen and say that part's still us. No complaint. Just describing it the way you'd describe the weather.

That conversation was the most important thing I learned building this company. It isn't the workload that's the problem, though the workload is real. It's that an entire industry has quietly accepted that this is what the job is. That identity at a mid-sized company means being the human API for the company's entire technology surface, and that's just life. Nobody had ever offered them anything that actually changed the geometry, so they'd stopped expecting anything to.

I want to talk about the practitioner for a minute, because I don't think this industry talks about them honestly.

The sysadmin or IT manager at a 500-person company is one of the most underestimated jobs in tech. They run laptops, security, the SaaS stack, onboarding, offboarding, compliance, the office wifi, the all-hands A/V, and whatever the CEO broke this morning. They have a team of two, including themselves. They're invisible when everything works and they're the first ones blamed when anything breaks. Most of the budget conversations they're in start with a CFO asking "isn't this what Okta does?"

And the vendors. The vendors treat them as an "influencer" on the way to the real buyer. The deck is for the CIO. The demo is for the CIO. The sysadmin is a "stakeholder," which in vendor language means a person you tolerate while trying to reach someone more important. I have watched this happen in rooms.

The sysadmin is not on the way to the real buyer.

The sysadmin is the real buyer. Or the real user. Or the real implementer. Most of the time all three. And every product decision an IGA company makes either respects that fact or doesn't. You can usually tell which within thirty seconds of opening the product.

That's the realization that started Iden. The work has been routing through people who were never given tools that fit the work. We're not building a better tool for the spindle. We're trying to remove the spindle.


IV. The new floor plan

Eight principles we build on.

1. We treat the connector layer as the product. Coverage is binary. Eighty percent coverage isn't most of the value; it's none of it, because the ungoverned twenty percent is where every audit finding hides. What makes coverage real is the connector layer: how many systems you reach, how deep into each, how reliably the connection holds when the upstream API shifts. The dashboard is interchangeable. The connectors aren't.

2. We operate at the resource level, not the group level. SCIM's model stops at users and group membership. Every meaningful access decision happens below it. This channel. This repo. This dataset. This module. Group-level provisioning solves the easy fifth of the problem with a standard built fifteen years ago. We provision, govern, and review at the resource level. Until the industry catches up, we've built our own protocol for it.

3. JIT is the default. Standing access is the exception. Least privilege has been industry consensus for twenty years, and almost nobody runs it. Real least privilege needs just-in-time access at the resource level, granted in seconds, expiring on its own. None of that was possible when access tickets meant Slack messages. It is now. We default everything to time-bound and scoped. Standing permissions take a deliberate choice and a recorded reason.

4. We detect drift continuously, not at audit time. Identity programs don't usually fail at once. They erode. Exceptions accumulate. Contractors leave. Roles shift. Permissions diverge from policy. Six months later the surface the company thinks it has and the one it actually has don't match. We instrument for drift as a first-class concern. Every change is detected when it happens. The audit isn't where you find out. It's where you confirm.

5. Strong controls make compliance automatic. Compliance isn't a workstream. It's what happens downstream of good access controls. If JIT is the default, if drift is detected continuously, if every entitlement carries a justification and an expiration, then SOC 2, ISO 27001, HIPAA, and every other framework that asks "who had access to what, and why" answers itself. Build the controls right and compliance becomes a button. Build them weakly and you'll spend every quarter rebuilding evidence the night before the audit.

6. The business participates in governance directly. IT knows how to grant access. The business knows what each role actually needs. Every identity program fails in the gap between them, where IT provisions what was requested and the business doesn't review what was granted. The fix isn't a better ticket queue. It's the business doing approvals, reviews, and certifications inside the tools they already use, on their schedule, with the context they need. Not as stakeholders IT chases. As actual operators.

7. Human and machine identity are one model. Service accounts. Bots. AI agents. Contractors. Vendor-managed identities. All of them need provisioning, deprovisioning, review, and audit. All of them leak when the system handling them only handles employees. The industry still treats them as separate products because the categories predate the convergence. We don't. Every identity in your environment, human or not, lives in the same model with the same lifecycle.

8. AI agents get ephemeral, intent-scoped access. Not credentials. An agent isn't a service account on a schedule. It's a process that spawns sub-processes, requests access based on the task, and persists for the length of the work. Static credentials don't fit that shape. Agents get access at the moment of intent, scoped to the operation, revoked when the work is done, auditable per call. Standing permissions for agents are a breach waiting to happen. We won't ship them.
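To make principles 3, 4, 7 and 8 concrete, here is a small model of the mechanics they describe: one `Principal` type for humans and agents, grants that carry a justification and expire by default, standing access that needs a deliberate flag and is refused to agents, and a drift check that diffs the desired state against a snapshot of what a target system actually holds. This is an added illustration, not Iden's product code or protocol; every class, function, resource name and the sample snapshot are hypothetical and constructed for the example.

```python
"""Toy JIT-by-default access model with drift detection (added example, hypothetical names)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DEFAULT_TTL = timedelta(hours=8)  # assumed default window for a just-in-time grant


@dataclass(frozen=True)
class Principal:
    id: str
    kind: str  # "human", "service" or "agent": one model for every identity


@dataclass(frozen=True)
class Grant:
    principal: Principal
    resource: str        # resource-level target (a single repo, dataset, bucket), not a group
    action: str
    justification: str
    granted_at: datetime
    expires_at: Optional[datetime]  # None means standing access

    def is_active(self, now: datetime) -> bool:
        return self.expires_at is None or now < self.expires_at


class Governor:
    """Desired state: every grant carries a justification and, by default, an expiry."""

    def __init__(self) -> None:
        self.grants: list[Grant] = []

    def grant(self, principal: Principal, resource: str, action: str, justification: str,
              now: datetime, ttl: timedelta = DEFAULT_TTL, standing: bool = False) -> Grant:
        if not justification.strip():
            raise ValueError("every entitlement needs a recorded justification")
        if standing:
            if principal.kind == "agent":
                raise PermissionError("agents never receive standing access")
            expires = None  # deliberate choice; the reason is recorded on the grant
        else:
            expires = now + ttl  # time-bound and scoped is the default
        g = Grant(principal, resource, action, justification, now, expires)
        self.grants.append(g)
        return g

    def expected(self, now: datetime) -> set[tuple[str, str, str]]:
        """What should exist downstream right now, per policy."""
        return {(g.principal.id, g.resource, g.action) for g in self.grants if g.is_active(now)}


def detect_drift(expected: set[tuple[str, str, str]],
                 observed: set[tuple[str, str, str]]) -> dict[str, list[tuple[str, str, str]]]:
    """Diff policy against a snapshot pulled from the target system."""
    return {
        "orphaned": sorted(observed - expected),  # present downstream with no live grant
        "missing": sorted(expected - observed),   # granted by policy but never provisioned
    }


def demo() -> dict[str, list[tuple[str, str, str]]]:
    t0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
    gov = Governor()
    alice = Principal("alice", "human")
    bot = Principal("deploy-agent-17", "agent")
    gov.grant(alice, "github:repo:acme/payments", "write", "INC-2219 hotfix", t0, ttl=timedelta(hours=2))
    gov.grant(alice, "snowflake:db:finance", "read", "month-end close owner", t0, standing=True)
    gov.grant(bot, "aws:s3:acme-artifacts", "put", "task: publish build 4471", t0, ttl=timedelta(minutes=15))
    # Constructed snapshot from the connectors three hours later: alice's expired JIT grant was
    # never revoked downstream, and a departed contractor still holds a bucket permission.
    observed = {
        ("alice", "github:repo:acme/payments", "write"),
        ("alice", "snowflake:db:finance", "read"),
        ("contractor-bob", "aws:s3:acme-artifacts", "put"),
    }
    return detect_drift(gov.expected(t0 + timedelta(hours=3)), observed)


def agent_standing_rejected() -> bool:
    """Principle 8 as a check: a standing grant to an agent must be refused."""
    gov = Governor()
    try:
        gov.grant(Principal("agent-1", "agent"), "gh:repo:x", "write", "why",
                  datetime(2025, 1, 1, tzinfo=timezone.utc), standing=True)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports two orphaned entitlements and nothing missing: the hotfix grant that outlived its two-hour window and the contractor's leftover bucket access. Both are the kind of finding that, in a quarterly review, surfaces at audit time; here they surface on the next reconciliation pass. The agent's fifteen-minute grant has already aged out of the expected set, which is the point of principle 8.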


V. A different building

So what does the new geometry look like?

The IT team is no longer the spindle. Identity work routes around itself. A new hire's access is provisioned before they sit down on Monday, across every system they'll touch. An offboarding completes the moment HR fires the trigger. Access reviews run themselves. Audits stop being a season.

Service accounts and AI agents are governed in the same place and the same way as people, because that's what reality looks like now. Compliance evidence assembles itself as a side effect of the system being used.

The mid-sized company stops being treated like a small enterprise. The pricing stops punishing you for being mid-market. The implementation stops requiring a consulting engagement. The tool stops requiring a dedicated admin to run it.

The IT team gets its afternoons back. The Head of IT walks into the budget conversation with leverage instead of an apology. The sysadmin gets credit for the work that used to be invisible. The audit becomes a confirmation, not a confession.

That's the floor we're redesigning around. Not better dynamos. A different building.

A modern factory floor: machines arranged for the work, each with its own motor, no central spindle, no overhead shafts and belts. The geometry of the building reorganized around what electricity actually was.
A factory floor under the new floor plan.

VI. Forty years

The reason identity has stayed broken this long isn't that the people working on it weren't smart, or weren't trying. The imagination has been stuck in the old floor plan. Every wave has assumed that the work happens through a person in the middle. Every wave has just made that person's tools nicer.

We're not making the tools nicer.

If we get it right, in five years the way mid-sized companies handle identity will look nothing like it does today. The work will route around itself. The audit will be the consequence of the system working. The practitioner will get back the afternoons this industry has been quietly taking from them for two decades.

If we get it wrong, someone else will get it right eventually. The technology is here. It's been here for a while, waiting for someone to stop dropping dynamos on the old floor.

We'd rather be the ones who didn't wait.

Pranay Yadav

Co-Founder and CEO, Iden