Sometimes the right opportunity takes decades to materialize. You just have to be patient and prepared to seize it when the moment comes.
This is the moment SailPoint is entering right now.
They've made it to nearly a billion dollars of ARR by managing and governing human identities over the course of 20 years. A nice business, for sure — but only a fraction of what's coming next.
It’s not a “legacy” company. It’s a company that has been patiently preparing for its time to come.
Authorization is about to have a moment. Nobody is in a better position for that than SailPoint.
Let me tell you why.
Authentication is important...but not sufficient
Something I have always found baffling is our industry's fixation on authentication.
There is a perception, especially outside the identity-deep parts of the industry, that SSO and MFA are identity security.
You authenticate, and you're good to go. Security is handled. Simple.
My quick summary of this point of view is oversimplified, of course — but you know what I mean if you've been working in or around enterprise identity programs long enough.
We've worried about authentication for a long time — making it simple and easy for people to log in to apps they need to use. We're still chipping away at other authentication-related things like MFA and passkeys.
That's all great stuff. I've written plenty about this topic.
Authentication is an important first step. But it's not the whole picture.
I don't have to tell you how important identity has become to security. 'Identity is the new perimeter.' 'Attackers aren't breaking in, they're logging in.' All of that. The case has already been made ad nauseam.
The finer point here is what it means to do something about it.
What happens after the credentials you use for authentication are compromised?
Authorization becomes a whole lot more important.
SailPoint CEO Mark McClain uses a physical security analogy that captures this well:
"Go into a New York skyscraper. You check in at the bottom floor, show your license to a security guard. Once you go past that security guard, you're authenticated. You're in the building, which is like logging in. The security guard loses track of you. He doesn't know where you go in the building, what floor you're on, what room you're trying to get into."
That's the difference between authentication and authorization. Authentication gets you into the building. Authorization determines where you can actually go and what you can do once you're inside.
Authorization is where everyone's mind is shifting — from who you are to what you can do. The 'what you can do' part is so, so important.
Here's something you can only learn from hard-won cybersecurity experience, though: managing authorization is really hard.
Managing thousands of identities is a nightmare already. The challenge gets exponentially more difficult when you do the math on how many entitlements every identity has.
The numbers I saw recently from SailPoint were staggering. I intuitively knew they managed a lot of entitlements, but I didn't realize they were at this scale across their customer base:
- 125 million identities in production
- 5 billion entitlements under management
- 35 billion SaaS account changes processed (last twelve months)
And it's going to get even harder when it's more than just people trying to access apps and data. Wait until it's also a bunch of non-human identities and AI agents trying to access that data, too.
It doesn't really matter if you believe agents are going to be a big deal or not. Things are difficult enough with just the regular threats we're facing.
Authorization is going to matter a lot more with or without AI agents.
That doesn't mean give up on authentication. It means we need to keep working on authentication while doubling down on authorization.
Next, let's get into a few more of the nuances with authorization and why I think this opportunity is so significant for SailPoint.
Breadth: more apps, more entitlements
Fundamentally, SailPoint manages access to apps and infrastructure — which identities get access, and what they can do once they're in there.
There's an important philosophical detail inside of this: for SailPoint's entire existence, its customers have mostly focused on managing static permissions to business applications that matter for regulatory compliance.
The implication is the time, focus, and investment on deploying SailPoint gets directed towards applications that are critical to either compliance, business operations, or both.
There's a long tail of other applications that don't get touched. Implementations historically run out of time, money, and patience by this point.
The shift that's been happening recently is the transition of IGA (broadly) and SailPoint (specifically) from being compliance-driven to being security-driven.¹
Because attacks have shifted so dramatically towards credentials, we've hit a point where visibility into all of the applications, identities, and entitlements across an organization is a must. We can't avoid this anymore.
The highly regulated app isn't always the one that gets compromised. The random SaaS app (which IT may not even know about) that has a random credential breach is just as likely. Those credentials get stolen and used to log into other high-profile systems. You know how the rest of the story goes.
This is why the collective mindset is changing. It's not just a handful of critical systems we need to tightly control. We need deep controls over the entire application portfolio with much more dynamic and granular management of authorization.
Having better coverage of the entire portfolio means you have a better understanding of the access the user has, what the risk might be, and what actions need to be taken if there's a compromise.
Let's talk about the depth part next.
Depth: not all connectivity is the same
Here's the other thing they don't tell you about integrating applications with identity platforms: not all connectivity is the same.
There's lightweight connectivity, and then there's real, in-depth connectivity. One "integration" might be worlds apart from another in terms of features and sophistication.
I've integrated thousands of different applications and...let me tell you: they come in all different shapes and sizes.
Why? Authorization and entitlements are a very slippery concept from a technical standpoint. They're difficult to integrate with because apps make it difficult.
The potential variations of how apps implement authorization are endless:
- Entitlements in APIs with varying levels of detail
- SCIM endpoints that expose some attributes but not others
- Active Directory groups that map to application permissions
- Custom authorization tables buried in proprietary databases
- Role-based access control models with nested hierarchies
- Attribute-based policies that require context to evaluate
- Mainframe security systems that predate modern standards
It's not even the variety of authorization models alone that makes this tricky — it's literally the representation of what an entitlement really is.
If you're lucky, you get details about the entitlements represented as data or fields in a database, so you have data to pull and tell what they are.
Other times, the entitlement-level details are obfuscated. You may have information about the application roles in the database, but the detailed entitlements are written in the code.
Worst case, authorization is entirely written in code, and none of it's available in the database or an API. You have limited visibility and limited ability to manage authorization.
Miraculously, SailPoint has been able to address a lot of this chaos. They wouldn't claim to have it all covered (and you shouldn't believe anyone who does).
SailPoint has been in the business of managing authorization longer than anybody. They've seen every variation you could imagine of the variety and complexity I just described.
Historically, SailPoint was selective about what level of integration they were willing to natively provide (largely based on what an application was capable of).
Their preference is very deep integration that allows customers to manage the full identity lifecycle (down to the entitlement level) and access reviews. In other words, the full treatment an enterprise IGA platform is capable of giving.
SailPoint's mindset is evolving, though. They're now taking a three-tier approach to application integration:
- Tier 1: Basic visibility – Discover all applications across the environment, even shadow IT
- Tier 2: Quick compliance connectors – Lightweight integrations for basic provisioning and access reviews
- Tier 3: Deep governance connectors – Full lifecycle management with entitlement-level control, business logic embedded in the integration, and rich context from logs and usage analytics
The combination of SailPoint's existing deep governance connectors, the progress they've made on their Atlas (SaaS) platform, and the Savvy acquisition (which brought broad, quick app discovery capabilities) has them on the path to covering the full spectrum of apps, from breadth to depth.
Authorization is always going to be difficult. What matters here is that SailPoint already manages more authorization than anybody. Now, they have the breadth of integration capabilities to handle more.
Here's the gotcha, though: everything we've talked about so far only describes the past and current state of authorization.
When you factor in persistent identity-related threats and more productive use cases like AI agents, the needs and capabilities customers require from identity platforms start to go way beyond what we've been talking about here.
These future needs are a big part of SailPoint's opportunity. Let me tell you about that next.
Beyond today's identity challenges
Once you've climbed the mountain of integrating all of your applications and deepening the level of integration you have with them, you're only at the starting line for the brave new world we're entering.
What matters next is what you do to secure all the identities and entitlements your identity platform now knows about.
To be clear, what we're about to talk about here is beyond what most enterprises have implemented, SailPoint customers or not.
But many of the specific features are already here, and they're going to become more relevant quickly.
1. Privileged access, redefined
SailPoint has a well-grounded and insightful point of view about its role in managing privileged access: the definition of privileged access is moving from developer and engineering-focused admin access to a broader realization that many other kinds of users' access is privileged, at least some of the time.
This could be access like:
- Admin access to a non-regulated application
- Business-critical access within a regulated application
- HR, payroll, and benefits access
- New vendor creation in the ERP accounts payable module
- Treasury access within the banking application
- Customer data access in the CRM
Historically, a challenging part for enterprise identity programs has been the separation of privileged access management and identity governance. It isn't as easy as it should be to identify, request, or manage privileged entitlements.
SailPoint's platform already manages a lot of privileged entitlements. The part that was missing was simply the classification of whether an entitlement was privileged or not.
Some implementations took care of this on their own through relatively trivial things like noting access as privileged in the description of an entitlement that would show up when a user was requesting that access. That's not really a feature though — it's more like a workaround.
Where we're heading (and what SailPoint announced at their Navigate conference) is that privileged access is going to have a specific meaning within SailPoint going forward.
This means being able to classify entitlements as privileged, formally request and review them, and all kinds of other details. Bigger picture, the strategy is helping to bring a paradigm that was already happening into reality.
2. Just-in-time access and the end of static privileges
SailPoint now believes static privilege is dead. Color me surprised. I never thought I'd hear a well-known identity company utter these words.
They're right, though — and credit to them for being brave enough to say it.
The typical workflow is for authorization to be given in advance and stay there. That's what "static privilege" means. The process goes something like this...
When a person starts working at a company, they're granted access to several applications based on other people similar to their job function.
Any access that's not granted right away is requested later as needed. An access request gets made, reviewed, approved or denied, and (if approved), provisioned — which sometimes takes a few days because managers have to approve.
The just-in-time access model flips this. It's our industry's solution to eliminating standing privileges.
Access is granted dynamically, right when it's needed, then revoked immediately after. No one has standing access sitting around indefinitely, which lowers the risk of access being exploited if an identity is compromised.
3. Adaptive identity
The most exciting (and, emphatically, most ambitious – but hear me out) direction we're being pulled towards is adaptive identity.
The nature of the identity lifecycle has traditionally been asynchronous:
- "We'll set your access up within a day or two."
- "We'll eventually disable your access if you leave."
- "Let's validate access is correct quarterly or annually."
A lot of this work was manual or semi-manual. SailPoint has already helped make processes more automated and efficient, especially for enterprise customers who do all of this at scale.
Things are about to move a lot faster, though.
We're heading for a world where waiting days to get access and reviewing it once a year is borderline ridiculous. We need to have much more real-time understanding of the environment.
Mark McClain explains the shift this way:
"On the positive side, you want to have identities that are very responsive and rapid so that you can quickly do things that you want to do and do them safely. On the other side, you want to just as quickly take away things or stop them or block them if they appear to be problems or anomalous or dangerous."
That's the core concept behind adaptive identity: very rapid and dynamic changes are happening with identities all the time. You can't declare an identity "secure" or access "approved" at one point in time and expect it to stay that way.
Instead, authorization decisions need to be made at runtime (when the authorization needs to be used) with context about why the access is needed and what the status of the identity is at the time. It goes from being a one-time decision to a continuous set of decisions.
If access is truly granted and revoked between uses, it means that the volume of provisioning and deprovisioning actions customers need SailPoint to manage is going to go up exponentially.
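As an added example (not SailPoint's code or data model), the toy model below puts the three ideas from this section and the two before it side by side: entitlements carry an explicit privileged classification instead of a note in a description, privileged access is only ever granted just-in-time with an expiry, and every authorization decision is re-evaluated at the moment of use against the identity's current status. All names, statuses and timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed toy model: illustrates the concepts, not any vendor's schema or API.
@dataclass(frozen=True)
class Entitlement:
    name: str
    privileged: bool = False   # explicit classification, not a hint in a description

@dataclass
class Grant:
    entitlement: Entitlement
    expires_at: Optional[datetime]   # None means a standing (static) privilege

@dataclass
class Identity:
    user: str
    status: str = "active"           # "active", "anomalous" or "disabled"
    grants: list = field(default_factory=list)

def grant(identity, ent, now, ttl=None):
    """Static grant when ttl is None; just-in-time grant otherwise.
    Privileged entitlements are refused as standing access."""
    if ent.privileged and ttl is None:
        raise ValueError(f"{ent.name} is privileged: standing access is not allowed")
    identity.grants.append(Grant(ent, None if ttl is None else now + ttl))

def revoke_expired(identity, now):
    """Deprovision every grant whose window has closed; return the names revoked."""
    keep, expired = [], []
    for g in identity.grants:
        (expired if g.expires_at is not None and g.expires_at <= now else keep).append(g)
    identity.grants = keep
    return [g.entitlement.name for g in expired]

def authorize(identity, ent_name, now):
    """Runtime decision: evaluated at time of use, not at time of grant."""
    if identity.status != "active":                 # adaptive: current state wins
        return False, f"identity status is {identity.status}"
    for g in identity.grants:
        if g.entitlement.name != ent_name:
            continue
        if g.expires_at is not None and g.expires_at <= now:
            return False, "JIT window expired"
        return True, ("standing access" if g.expires_at is None else "JIT access within window")
    return False, "no grant"

def demo():
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock
    crm_read = Entitlement("crm:read")                         # routine, may be standing
    vendor_create = Entitlement("erp:ap:create-vendor", privileged=True)
    alice = Identity("alice")
    grant(alice, crm_read, t0)
    grant(alice, vendor_create, t0, ttl=timedelta(minutes=30))
    out = {"crm_now": authorize(alice, "crm:read", t0)}
    try:
        grant(alice, vendor_create, t0)                        # static privileged grant is refused
        out["static_privileged"] = "allowed"
    except ValueError:
        out["static_privileged"] = "refused"
    out["vendor_now"] = authorize(alice, "erp:ap:create-vendor", t0 + timedelta(minutes=10))
    out["vendor_later"] = authorize(alice, "erp:ap:create-vendor", t0 + timedelta(hours=1))
    out["revoked"] = revoke_expired(alice, t0 + timedelta(hours=1))
    alice.status = "anomalous"                                 # e.g. flagged by detection
    out["crm_after_flag"] = authorize(alice, "crm:read", t0 + timedelta(hours=1))
    return out
```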
Are we really ready for this?!
Mark McClain's take on this is both nuanced and practical. He told me he's never seen a situation where customers have their foot on both the gas and the brake at the same time:
"They're trying to press the gas and go faster. 'We've got to adopt these new technologies. They're going to change everything. It's going to make us more effective, more efficient, competitive in our business.' And then the brake is just as heavy right now with people going, 'Whoa, whoa, whoa, this is risky. We don't understand it. We don't know what this is going to expose.'"
This tension is visible in the industry right now. There's a reason for it — especially with AI agents.
If you've used any of the really powerful agents, you know how they pull you into putting your foot on the gas. There's this different level of inertia you're not used to with a regular app.
They're innocent and they're addicting. They want you to do more. And their sole purpose in life is to complete work on your behalf. That's the part that makes you want to get on the gas.
But the flip side is that even the best agents go off the rails once in a while. Whenever that happens, you quickly get pulled back into reality and realize why we need guardrails on them.
SailPoint was early to market with its Agent Identity Security solution and first among the major identity companies to hit general availability. There’s even more to come, though.
This tension between wanting to move fast and not quite trusting new technology like AI yet is exactly where privileged access, just-in-time access, and adaptive identity become critical.
We may have no other choice, even if we don't feel ready yet.
Welcome to the authorization era
Authorization was always going to matter eventually. The question was when and who would be ready when the time came.
The 'when' is now.
Credential-based attacks have made it impossible to ignore what happens after authentication. AI agents are creating pressure from business and engineering counterparts to enable rapid access while maintaining control.
The old model of annual access reviews and static privileges isn't going to cut it.
The shift from compliance-driven to security-driven identity governance is happening. The shift from static privileges to adaptive authorization is coming. The shift from annual reviews to real-time decision-making is inevitable.
The 'who' is SailPoint.
Head starts matter in this business.
Customer trust at enterprise scale can't be manufactured overnight. Integration depth takes years to build. The data estate they already manage (those 5 billion entitlements) is a level of data gravity that's hard to replicate.
They've been patiently building this moat for two decades while authentication got all the attention and funding.
Authorization is about to have its moment. SailPoint has been waiting for this all along.
Footnotes
¹Compliance is always going to matter, of course. The imminent demise of access reviews, flawed or not, is greatly overstated. We're still going to be doing access reviews when I retire.