Understanding the True Cost of IGA Software

IGA vendors use a wide range of pricing models. Per-user fees, tiered feature packages, professional services costs, and integration scope all show up in different places across different proposals.

That variation makes it difficult to compare platforms on an apples-to-apples basis without a clear framework for what goes into the total cost of ownership.

Having a clear view of the total cost of ownership also strengthens your business case internally. IBM's 2024 Cost of a Data Breach Report found that breaches caused by compromised credentials cost organizations $4.81 million on average and took nearly 10 months to detect and contain. Identity governance is a well-justified investment when you scope it properly.

This guide covers every cost category you should account for so you can plan your budget accurately and compare platforms on equal terms.

Common licensing models

Licensing models vary across the market, and the structure a vendor uses will shape your cost trajectory over time. Here are the most common models you'll encounter:

Per-user pricing

Per-user pricing charges your organization based on the number of identities the platform manages.

Most vendors count both internal employees and external users like contractors and partners, though some differentiate between the two with separate rate tiers.

How vendors typically apply it: Vendors typically set a per-user rate that scales with volume, so larger organizations may qualify for lower per-identity costs. Some IGA vendors count total identities in your directory, while others only count active users who interact with the platform during a billing period. That difference can change your annual spend considerably, especially if your directory includes dormant or seasonal accounts.

What to watch for:

  • Some vendors count every identity in your connected directory, including inactive accounts and service accounts, which inflates your billable user count

  • Per-user costs can spike during periods of rapid hiring, M&A activity, or contractor onboarding if your contract doesn't include a buffer or volume discount tier

  • Ask whether pricing resets annually based on a headcount snapshot or adjusts dynamically as users are added and removed throughout the year

  • Check if external identities like vendors and partners are billed at the same rate as full employees or on a separate, lower tier

Example of how this model works → A company with 3,000 identities in its directory pays $6 per user per month. If the vendor charges based on the total directory count, annual licensing comes to $216,000. If the vendor only counts active users and 800 of those identities are dormant, the annual cost drops to $158,400. The billing method matters as much as the per-user rate.

Tiered volume discounts

With tiered volume pricing, your per-user rate drops as your user count grows. Vendors set pricing bands at specific thresholds, so the cost per identity decreases as you move into higher tiers.

How vendors typically apply it: Most vendors define tiers in bands, such as 1-500 users at one rate, 501-2,000 at a lower rate, and so on. Some apply the discounted rate only to users within the new tier, while others reprice the entire user base once you cross a threshold.

What to watch for:

  • Clarify whether discounted pricing applies to all users once a threshold is crossed or only to identities within the new band (the two models produce very different totals)

  • Some vendors require a multi-year commitment to activate lower tiers, which offsets the per-user savings with reduced contract flexibility

  • Ask whether tier thresholds account for all identity types or only internal employees, since contractors and partners may not count toward the next discount level

  • If your organization is close to a tier boundary, negotiate to lock in the lower rate upfront rather than waiting until headcount officially crosses the threshold

Example of how this works → Say a vendor charges $9 per user per month for the first 1,000 users and $6 per user for anyone above that. An organization with 1,800 users would pay the higher rate for the first 1,000 and the lower rate for the remaining 800, landing at around $165,600 per year. But if the vendor applies the lower rate across all users once the threshold is crossed, that same organization pays $129,600 instead.

Negotiation tip → If your organization is within 10-15% of a tier boundary, ask the vendor to lock in the lower rate upfront. Most vendors would rather close the deal at a slight discount than risk losing it over a threshold you'll cross within a year anyway.

Usage-based pricing

Usage-based pricing ties your cost directly to how much of the platform your organization consumes rather than locking you into a flat per-user or per-tier rate.

Many modern cloud-native IGA vendors use this model to keep costs proportional to the size and complexity of your identity environment.

How vendors typically apply it: The specifics vary, but usage-based models typically factor in the number of managed identities, connected applications, or active governance workflows. Some vendors combine these inputs into a single subscription that scales up or down with your environment. Others price by module, so you pay for the capabilities you use rather than a bundled suite.

What to watch for:

  • Ask exactly which usage metrics drive your bill, whether that's managed identities, connected apps, active users, or some combination of those inputs

  • Clarify how the vendor handles usage spikes, such as onboarding a large batch of contractors or connecting a new set of applications mid-contract

  • Check whether usage-based pricing includes all platform capabilities or whether certain key features carry extra costs on top

  • Compare the total annual cost projection against a traditional per-user model at your current and projected headcount, since usage-based pricing can be more cost-efficient at certain scales and less favorable at others

Example of how this works: Say a cloud-based IGA vendor prices based on managed identities and connected applications. A 2,000-person organization connecting 50 applications pays for what it uses today. If headcount holds steady but the team connects 30 more applications the following year, costs change based on the expanded scope. That means your bill reflects the complexity of your environment, not just your employee count.

Add-on licensing and suites

Add-on licensing means the vendor sells a base IGA platform and charges separately for additional use cases or modules on top of it.

How vendors typically apply it: Add-on pricing typically applies to features like advanced compliance reporting, automated user access certifications, identity lifecycle management workflows, or integrations with specific application types. Some vendors package these into feature tiers such as Standard, Professional, and Enterprise, while others let you purchase individual modules on top of a base license.

What to watch for:

  • Check which features your regulatory compliance and audit requirements depend on and whether any of them sit outside the base license

  • Ask how add-on pricing interacts with your per-user rate (some providers increase the per-user cost across the board, while others charge a flat module fee)

  • Ask whether enabling an add-on changes your per-user rate across the entire contract or only applies a flat fee on top of your existing pricing

  • If you're evaluating a suite-based vendor, check whether you're paying for bundled capabilities your organization won't use in the first 12 to 18 months

Example of how this works → A vendor offers its base IGA platform at $5 per user per month, with automated access governance reviews available as an add-on for $2 per user. For a 2,000-person organization, that add-on brings annual licensing from $120,000 to $168,000. A competing vendor includes access reviews in its base package at $8 per user, putting the annual cost at $192,000, but with fewer line items to negotiate or manage at renewal.

The external identity cost factor

External identities are users outside your organization who need access to your systems, such as contractors, vendors, partners, and temporary workers.

The per-user pricing section above covers how vendors count and bill for different identity types. But external user identities introduce a few cost dynamics that deserve separate attention, especially if non-employees make up a major share of your directory.

How vendors typically apply it: Vendor approaches range from charging a single rate across all identity types to offering discounted tiers for non-employees to billing external users through a completely separate pricing model. Two proposals with identical per-user rates can produce very different totals depending on which approach each vendor uses.

What to watch for:

  • Ask how the vendor defines an external identity and whether that classification is based on user type, authentication method, or directory source

  • Model out how costs change during peak periods if your organization relies heavily on contractors or seasonal workers

  • Check whether external users count toward your volume discount thresholds or are tracked on a separate billing track

Example of how this works → A company with 2,000 employees and 1,000 external contractors evaluates two vendors. Vendor A charges $7 per user per month across all identity types, resulting in annual licensing of $252,000. Vendor B charges $7 per employee and $3 per external identity, bringing the total to $204,000. The $48,000 difference comes entirely from how each vendor prices external users against the same headcount.

Understanding the hidden costs

Once licensing is accounted for, there are several other cost categories that influence your total IGA investment.

These tend to get less attention during the buying process but can carry just as much weight in your long-term budget:

Implementation fees

Implementation fees are what you pay to get the IGA platform up and running. This includes configuration, integration with your existing systems, data migration, and any professional services involved in bringing the platform to a production-ready state.

How to plan for it:

  • Ask each vendor to separate implementation costs from licensing in their proposal so you can compare both line items side by side

  • Find out what the vendor's implementation package covers and what falls outside it as billable professional services

  • Ask whether the vendor handles implementation directly or through a third-party integrator, since the two models come with different costs and timelines

  • Account for your own team's time, too - your IT and security staff will be involved in the project even if the vendor leads the deployment

Typical range: How much you spend on implementation depends largely on the type of platform you choose. Enterprise-grade IGA tools with heavy customization and on-prem integrations can take 12 to 18 months and cost anywhere from a few hundred thousand dollars to over $1 million in professional services.

Modern cloud-native platforms have compressed both the cost and timeline, with some offering deployment in weeks through prebuilt connectors and no-code configuration.

Integration and customization maintenance

Integration and customization maintenance covers the ongoing cost of keeping your IGA platform's connections and custom workflows functional as your environment changes.

New applications, API updates, and evolving governance policies all create maintenance work after deployment.

How to plan for it:

  • Ask the vendor how connector updates are handled when a connected application releases a breaking API change (and whether that maintenance falls on you or on them)

  • Find out whether custom workflows and policy configurations carry forward automatically through platform upgrades or need to be rebuilt after major version changes

  • Budget for internal or contracted engineering time to maintain integrations with any applications that fall outside the vendor's prebuilt connector library

  • Check how often the vendor releases platform updates and what the typical effort looks like to validate your environment after each one

Typical range: Annual software maintenance fees typically run between 15% and 25% of the original license cost, and IGA platforms are no exception. The more custom workflows and integrations you've built, the higher that number goes.

Platforms with vendor-managed connectors and automatic updates can keep this cost lower, but you'll want to confirm how many of your applications fall within the vendor's prebuilt connector library before assuming that's the case.

PRO TIP 💡: ConductorOne maintains over 300 connectors and handles updates when connected applications release API changes. For anything outside the prebuilt library, no-code YAML-based custom connectors let your team onboard new applications without engineering resources or third-party integrators.

Infrastructure and administrative overhead

This is the cost of keeping your IGA platform running on a daily basis. That includes the people managing it, the time they spend on it, and for on-prem deployments, the infrastructure underneath it.

How to plan for it:

  • Estimate how many hours per week your team will spend administering the platform once it's live, and factor that into your internal cost model

  • Ask the vendor what day-to-day administration looks like for a team your size and how much of it can be automated versus handled manually

  • For on-prem or hybrid deployments, account for hosting, patching, backup, and upgrade costs alongside the software license

  • Check whether the platform offers self-service capabilities for end users and managers, since that directly reduces how much admin work falls on your IT and security team

Typical range: Enterprise IGA platforms that need specialized knowledge to run may need one or two dedicated FTEs for ongoing administration. Modern platforms with no-code configuration and built-in automation can often be managed as part of a broader IT or security role. On-prem deployments bring hosting and infrastructure costs on top of staffing, while SaaS platforms fold most of that into the subscription.

Internal cost tip → Ask each vendor what day-to-day administration looks like for a team your size. Legacy IGA platforms often require one to two dedicated FTEs with specialized knowledge. Modern cloud-native platforms with no-code configuration can typically be managed as part of an existing IT or security role.

Legacy vs. modern IGA: analyzing the cost divide

The cost categories above apply to every IGA platform, but the numbers look very different depending on whether you're evaluating a legacy enterprise tool or a modern cloud-native IGA solution.

Here's how the two compare across the cost dimensions that typically matter most:

| Cost dimension | Legacy IGA | Modern cloud-native IGA |
|---|---|---|
| Implementation timeline | Typically 12-18 months to full maturity | Weeks to a few months, depending on the environment complexity |
| Implementation cost | Often six figures for mid-market and can reach seven figures for large enterprises with complex environments | Considerably lower due to prebuilt connectors and no-code setup, though the scope varies |
| Licensing model | Tends toward complex, modular pricing with add-ons and quote-based contracts | Typically per-user or usage-based, with more transparent pricing structures |
| Ongoing maintenance | Generally, 15-25% of the license cost annually, plus internal engineering for custom integrations | Vendor manages most infrastructure, connectors, and platform updates |
| Staffing | Often needs one or more dedicated administrators with specialized platform knowledge | Can usually be managed within an existing IT or security role |
| Infrastructure | On-prem hosting, patching, backups, and upgrades fall on your team | The SaaS model absorbs infrastructure costs into the subscription |
| Migration complexity | Deep customization and legacy integrations make future platform changes expensive and slow | Lighter footprint makes future platform changes less disruptive |

Disclaimer ⚠️ → These comparisons are directional and based on publicly available industry benchmarks and vendor data. Actual costs depend on organization size, environment complexity, number of connected applications, and vendor. This is meant to frame the general cost differences between the two models, not serve as a pricing guide.

None of this means legacy platforms are the wrong choice in every scenario. Organizations with complex on-premise environments, heavy regulatory requirements, or deeply embedded identity management infrastructure may still need the depth that enterprise-grade tools provide.

But for teams evaluating IGA with total cost of ownership as a primary lens, the cost gap between legacy and modern platforms is major and worth quantifying early in the process.

The ROI of modern IGA: operational savings

After walking through the full cost picture, it's worth looking at where modern IGA platforms generate the most tangible operational savings:

Operational efficiency

What changes: Modern IGA platforms handle provisioning, deprovisioning, access requests, and review cycles automatically. That moves your IT and security team from processing routine access changes manually to managing them by exception.

Where the savings come from: Most of the savings come from the joiner-mover-leaver lifecycle. Automated workflows replace manual ticket queues for onboarding, role changes, and offboarding, and self-service requests with policy-driven approvals reduce the load on IT even further.

ConductorOne's customer Zscaler saw this firsthand after they integrated roughly 250 applications into the platform:

  • Provisioning time for new hires dropped from weeks to 10 minutes
  • 156 hours saved in engineering provisioning time
  • A 60% reduction in help desk access tickets

"With a ConductorOne workflow, approvals, training assignments, and provisioning were automated. New hires got access within minutes after they joined." — Rashmi Bilgundi, Director of Identity and Access Management, Zscaler

What to measure:

  • Average time to provision access for new hires and role changes before and after implementation

  • Number of access-related help desk tickets per month

  • The hours your IT and security team spend on manual provisioning and deprovisioning each quarter

  • Access review completion rate and average time per review cycle

  • Percentage of provisioning and deprovisioning actions handled through automation versus manual intervention

Software rationalization

What changes: Most organizations manage access through a mix of ticketing systems, spreadsheets, email threads, and standalone review tools. A modern IGA platform consolidates those functions into one place. This means fewer licenses, fewer vendor contracts, and less time spent keeping disconnected tools in sync.

Where the savings come from: Each redundant tool you retire removes a license fee, a renewal cycle, and the integration work that kept it connected to everything else. Those savings compound as your environment grows, since every new application or user you add is already covered by the same platform.

What to measure:

  • Number of separate tools your team currently uses to manage access requests, approvals, reviews, and provisioning

  • Total annual licensing cost across those tools before and after consolidation

  • Hours spent maintaining integrations between disconnected identity and access management solutions

  • Number of vendor relationships and contracts tied to identity-related tooling

Quick audit → Count how many separate tools your team currently uses to manage access requests, approvals, reviews, and user provisioning. Each one carries a license fee, a renewal cycle, and integration maintenance. That total is your consolidation opportunity.

Audit and compliance reduction

What changes: Your team stays audit-ready year-round. The platform captures every access decision, review outcome, and policy change automatically, so the evidence is already there when auditors ask for it.

Where the savings come from: Without a centralized IGA platform, audit preparation means weeks of collecting screenshots, exporting spreadsheets, and chasing managers for review confirmations across multiple systems. That drill repeats every quarter. With automated access reviews, time-stamped logs, and one-click reporting, most of that manual work goes away.

ConductorOne customer System1 saw this firsthand after the company went public and needed to pass SOX audits. Their Director of IT estimated the team would have spent several weeks per quarter on audit prep. With ConductorOne, access reviews launch within a day, and auditors pull what they need from a single console with time-stamped, immutable reports.

What to measure:

  • The hours your compliance and IT teams spend on audit prep each quarter, before and after implementation

  • The number of systems your team has to pull evidence from manually versus through a single platform

  • Time from launching an access review campaign to completion

  • Number of audit findings related to access controls, orphaned accounts, or incomplete reviews

  • Reduction in back-and-forth between your team and auditors during the review process

The cost of inaction

The cost categories in this guide are what you pay when you invest in IGA. Here's what you pay when you don't:

  • Credential-based breaches are costly and slow to catch: IBM's 2024 data (referenced earlier in this guide) shows these breaches cost $4.81 million on average and take 292 days to detect and contain. That risk is open for as long as your organization lacks automated governance over who has access to what.

  • Stale accounts accumulate faster than most teams realize: Research shows that 26% of all user accounts haven't logged in for 90+ days but still carry active permissions. These accounts don't generate alerts, which makes them easy targets for attackers.

  • Former employees keep access longer than they should: Veza's 2026 State of Identity & Access Report found that 38% of accounts flagged as inactive in HR systems still held live entitlements in core business apps. Every one of those accounts is a valid credential that an attacker can use without tripping any anomaly detection.

  • Permissions accumulate faster than anyone can review them: The same Veza report found that the average worker holds 96,000 permissions across applications, data stores, and infrastructure. Years of role changes, temporary access grants, and inherited group memberships build up, and without automation, no one is cleaning it up.

  • Manual processes can't keep up: CyberArk reports that 87% of organizations still run IGA processes manually. Every new hire, role change, and application adds more work to a process that was already stretched thin.

  • Legacy tools eat budget without moving the needle: Some research estimates that 60-80% of IT budgets go to maintaining existing systems. At those levels, teams have very little room to invest in modern governance, automation, or the kind of platform consolidation that reduces costs long term.

Lowering your TCO with ConductorOne

Every cost category in this guide points to the same conclusion. The longer your IGA platform takes to deploy, the more manual work it creates, and the more tools it needs alongside it, the higher your total cost of ownership climbs.

ConductorOne compresses costs across every one of those dimensions. The platform brings identity governance, access management, and privileged access management controls into a single cloud-native solution that goes live in weeks and automates the work that legacy tools leave on your team's plate.

These are the capabilities that have the most direct impact on your TCO:

  • 300+ prebuilt connectors and no-code custom integrations: ConductorOne offers over 300 out-of-the-box connectors for SaaS, cloud infrastructure, on-prem systems, and directories. For anything outside that library, no-code YAML-based custom connectors and the open-source Baton SDK let your team onboard any application without professional services or specialized engineering resources.

  • Compressed implementation timelines: Legacy IGA platforms can take 12 to 18 months and hundreds of thousands of dollars in professional services before a single access review runs. ConductorOne deploys in weeks through prebuilt connectors, guided setup, and no-code configuration.

  • No-code lifecycle automation: ConductorOne automates the full joiner-mover-leaver lifecycle with no-code workflows that trigger automatically based on role and attribute changes. That takes care of the manual provisioning, deprovisioning, and role-change work that quietly consumes IT hours every week.

  • Self-service access requests and just-in-time provisioning: Employees can request access through a self-service portal, Slack, Microsoft Teams, or CLI, with requests routed through policy-driven approval workflows and provisioned automatically. Just-in-time access grants temporary, scoped permissions that self-revoke when no longer needed, so your team spends less time managing standing privileges.

  • AI-powered automation for identity operations: Thomas, the platform's helpdesk agent, processes access requests through Jira and ServiceNow without human involvement. AI Copilot gives reviewers the risk and security policy context they need to approve or deny in seconds. The platform has driven up to a 95% reduction in IT effort on access requests for customers.

  • Non-human identity governance: Non-human identities like service accounts, API keys, tokens, and AI agents now outnumber human users by as much as 20 to 1 in many environments. ConductorOne governs both from the same platform with built-in discovery, inventory, ownership mapping, and risk management alerts, so you don't need a separate point solution as your identity footprint scales.

If the total cost of ownership is a deciding factor in your IGA evaluation (and it should be), ConductorOne gives you a way to reduce spend across every category covered in this guide.

Faster deployment, fewer tools, less manual work, and a platform that scales with your identity footprint.

Book a demo to see how it works in your environment.

FAQs

How does IGA fit into a broader identity security and zero trust strategy?

IGA platforms work alongside other IAM tools to enforce zero trust principles across your environment. Single sign-on (SSO) and multi-factor authentication (MFA) handle how users prove who they are.

IGA handles what they can do once they're in. A modern IGA platform connects to your identity provider, enforces role-based access control policies, and governs access rights across every application in your stack. That end-to-end visibility is what makes zero trust enforceable at scale.

What platform capabilities have the biggest impact on long-term IGA costs?

The features that reduce your TCO the most are the ones that streamline daily operations and cut down on manual work.

Look for real-time provisioning and deprovisioning, machine learning that points out risky access patterns, and a user-friendly dashboard that gives your team full visibility without specialized training.

A scalable platform that handles growth without spiking your per-user costs or forcing expensive reconfigurations also keeps your cost curve predictable over time. The better the user experience for both admins and end users, the less support overhead you carry.

Should I evaluate legacy IGA vendors like SailPoint and Okta differently when calculating TCO?

Yes. Enterprise IGA platforms like SailPoint were built for large, complex on-premises environments and offer deep customization, but that depth comes with longer deployments, higher professional services costs, and dedicated staffing needs.

Okta approaches identity from the access management side and may need additional tooling to cover full IGA use cases like separation of duties (SoD) and compliance management.

When you compare vendors, map each platform's capabilities against the full cost framework in this guide so you're evaluating the total cost of ownership accurately.

Does the IGA platform need to support my specific infrastructure environment?

It should. Most organizations run a mix of cloud and on-premises systems, so your IGA platform needs connectors that cover Active Directory, Azure AD, AWS, and whatever SaaS applications your teams depend on.

If the platform can't integrate with your core infrastructure natively, you'll pay for custom integration work upfront and maintain it indefinitely.