Identity security tool sprawl: Origins and the way forward

From IGA to ITDR, identity teams juggle diverse security functions. Explore how tool proliferation affects operations and consolidation strategies.

Identity security teams face the frequently conflicting goals of stability, agility and improved security. Identity leaders face a complex world in flux, with enterprise systems continually changing, identity-driven threats increasing, compliance regulations becoming more rigorous and AI-driven apps creating new identity security challenges.

Teams managing workforce identity have accumulated a variety of technology tools to do their jobs. This proliferation poses challenges -- and change is in the air.

In my Omdia study, "Identity Security at a Crossroads: Balancing Stability, Agility and Security," I delved into the market dynamics of workforce identity security to understand and quantify the major pain points for leaders managing identity security.

Identity security is a broad space, and the research touched on topics including identity governance and administration (IGA), identity verification, identity threat detection and response (ITDR), and nonhuman identities (NHIs), with a focus on AI agents.

While the study revealed many things, here I'll focus on the portfolio of workforce identity security tools used today and how teams can address tool sprawl and build effective identity security strategies to meet their organizations' needs.

Workforce identity security tool proliferation

Identity and access management (IAM) has historically been a relatively fragmented cybersecurity sector. Identity teams must manage many discrete activities, including access management -- authentication, authorization, role-based access control with functionality such as single sign-on, identity provider services and MFA -- for users; privileged access management (PAM) for key users; IGA; password management; NHI security; identity security posture management (ISPM); ITDR; and more. This list doesn't even touch the identity stack needed for customer IAM.

The diversity of workforce identity security tasks has contributed to a variety of tools in the identity security team's toolbox. Beyond the range of discrete identity functions, the number of tools has increased due to a combination of expanding cybersecurity threats, regulatory pressures, digital transformation, remote and hybrid work, and the complexity of managing identities across on-premises, multi-cloud and SaaS environments.

My research found that identity teams use an average of 11 tools for workforce identity security. This includes commercial, open source and homegrown tools. Identity security teams also have to integrate and orchestrate a number of technologies, working across many different consoles, to get their jobs done.

The origins of tool proliferation

I wanted to dig deeper into this study than the gut feelings I often hear about tool sprawl -- I wanted to gather data and learn about the origin of identity tool proliferation.

My research asked a follow-up question to respondents who said they use more than four identity tools to understand the reasons why they accumulated their tool portfolios. The top three responses to this multiselect question were:

  • Cloud adoption requiring additional tools (52%).
  • Cyber insurance requirements (51%).
  • Separate tools needed for different (on-premises, cloud, SaaS) environments (48%).

Adding tools as part of cloud infrastructure adoption makes sense when you consider that each IaaS player offers native functionality to help with access management. For example, if you are in AWS and Azure and using native tools specific to each provider, you end up with two cloud infrastructure entitlement management tools.

That cyber insurance requirements response was a bit of a surprise, but it makes sense. Verizon's "2025 Data Breach Investigations Report" found credential abuse is the most common initial access vector, with 31% of breaches involving the use of stolen credentials. Cyber insurers recognize that identity tools are a key factor in mitigating the risk of a breach. An organization's ability to obtain insurance, get the lowest rate and renew coverage improves by adopting key controls such as MFA and PAM.

Accumulating separate tools across different environments occurs for a number of reasons, from business unit autonomy to needing tools with different functionality for each environment. For example, organizations might deploy Microsoft AD on-premises and use Okta or Azure AD for cloud apps. Or they might deploy one IGA tool for a handful of core applications, such as Oracle, SAP and Workday, that are integral to operations, and an additional IGA tool to cover cloud apps.

There are many other reasons organizations have more than four identity security tools. Examples include customer contractual obligations, compliance requirements, tools accumulated through M&A activity and decentralized purchasing, where different teams independently buy different tools.

I don't think any identity leader wants a lot of workforce identity security tools. A large portfolio of tools can result in operational complexity, identity silos and inconsistent policies, and can increase the risk of gaps resulting in mistakes, unaddressed issues and security risks.

The existing tool inventory has evolved to get jobs done. Consolidating or rationalizing tools requires a product that solves tasks as well or better than the existing hodgepodge of tools. Identity security platforms are a great concept, but they have to deliver results.

In today's world, identity leaders can seldom embrace a platform approach. I spoke with an identity leader at RSAC Conference who made the point that he had accumulated many tools and would like to consolidate them, but whatever came next had to provide best-in-class functionality.

One surprising insight from the research is that enterprises typically have multiple tools covering the same functions. For example, while 38% have a single tool for password management, 45% use multiple tools. And 36% have a single PAM product, yet 44% have multiple PAM tools. Having multiple tools is the norm rather than the exception. This leaves room for improvement -- vendors can develop products that cover multiple use cases, for example, a cloud-focused vendor covering on-premises use cases or vice versa.

The path forward

Every organization's identity security environment is unique, but there are some common themes to consider as you figure out how to help grow business, manage access and improve the company's identity security profile.

  • Inventory existing tools. Audit the portfolio of tools in use today, including existing tool features, scope and user populations. Assess any overlaps, gaps and sources of complexity. This lays the groundwork to reduce risk and improve efficiency.
  • Understand what you already have and use it. Have a handle on the capabilities of existing identity security tools and use them to the maximum degree. You might have been preoccupied with a work crisis and not noticed some new functionality that is now available from an existing tool. Vendors improve what they offer over time, and additions to base functionality might enable you to cover new use cases without the expense of a new tool.
  • Align capabilities with business and security needs. There is no one-size-fits-all tool for identity security. Your business dynamics and risk tolerance are unique. Platforms are promising, but they are not nirvana. You need to balance the benefits of consolidating tools with specific use cases that might not be met by bigger tool vendors or platforms. For example, emerging business initiatives around agentic AI might require new tooling to meet specific AI agent identity security needs.

Innovation and the future of identity security

When it comes to the platform versus best-of-breed issue, there is an ebb and a flow. Platform players lend themselves to solving more established problems and can provide a compelling ROI in terms of risk reduction and efficiency. However, identity security continues to see disruptors displace older technologies, and best-of-breed products solve specific problems with more agility than broader platforms.

Established identity security players -- such as BeyondTrust, CyberArk, Delinea, IBM, Microsoft, Okta, One Identity, Ping, SailPoint, Saviynt and Thales -- continue to expand their technology footprints with converged platforms. Emerging innovators across a range of areas have come onto the identity security market to address pain points and fill gaps. Such vendors include P0 Security and Veza, which offer converged platforms including IGA and access control; ConductorOne, Fabrix.ai, Lumos and Oleria, which have an IGA focus; Cerby, Grip Security and Zluri, which offer SaaS app discovery, security and integration with IGA; GetReal Security, Nametag and Reality Defender with deepfake detection tools; Axonius with ITDR and IGA; Apono, Sonrai Security and Xage Security with PAM; and Breez Security, Permiso Security and Verosint, which offer ISPM and ITDR.

Beyond this, a number of identity security players are crafting tools to identify, govern and secure AI agents.

My Omdia research had many intriguing findings -- the above data points are just a few. Stay tuned for upcoming articles with more results.

These are exciting times for identity security. If you are a new technology player solving an interesting new identity problem or taking an innovative approach to an existing challenge, I would like to hear about it. You can reach me via LinkedIn.

Todd Thiemann is a principal analyst covering identity access management and data security for Omdia. He has more than 20 years of experience in cybersecurity marketing and strategy.

Omdia is a division of Informa TechTarget. Its analysts have business relationships with technology vendors.