SailPoint Identity Solutions
Managing identity access across thousands of applications while staying audit-ready is the challenge that keeps IAM teams up at night. We help regulated enterprises implement SailPoint across the full product suite - IdentityIQ, Identity Security Cloud, and NERM - so you can close compliance gaps without slowing the business. As a SailPoint Delivery Admiral, we bring deep technical experience across access governance, lifecycle automation, and non-employee risk management.
What Is SailPoint?
SailPoint is an enterprise identity security company that builds identity governance and administration software used by organizations to control who has access to what, and to ensure that access is appropriate, auditable, and compliant. SailPoint software spans on-premises platforms, cloud-native SaaS, and purpose-built modules for non-employee populations.
Organizations deploy SailPoint to manage employee identity lifecycle, run access certification campaigns, enforce segregation of duties, manage role assignments, and generate compliance evidence for SOX, HIPAA, PCI-DSS, NERC CIP, and other regulatory audits. For regulated industries, SailPoint identity governance is often the operational backbone of the compliance program.
GCA is an IAM-specialist partner that helps organizations implement and manage SailPoint across the full product portfolio. While we can assist with software licensing, our primary value is the technical expertise that turns a SailPoint deployment into a functioning, sustainable identity program.
What Happens Without SailPoint Governance
Without identity governance, privileged accounts multiply unchecked, access reviews become checkbox exercises, and audit findings pile up. Organizations without SailPoint IGA spend weeks preparing for SOX or HIPAA audits, manually tracking access across hundreds of applications, and discovering compliance gaps only after regulators point them out. The cost isn't just audit findings - it's the operational drag of an identity program that never matures beyond spreadsheets and tribal knowledge.
What Success Looks Like
With SailPoint implemented by GCA, identity governance becomes the operational backbone of your compliance program. Access reviews run on schedule with evidence packages that auditors can retrieve without a reconstruction effort. Provisioning happens automatically when employees join, change roles, or leave. Segregation of duties policies enforce themselves, and your IAM team spends time optimizing governance rather than firefighting access requests.
SailPoint IdentityIQ (IIQ)
SailPoint IdentityIQ is the on-premises identity governance platform that has served as the backbone of enterprise IGA programs for over a decade. Deployed within a customer's own data center or private cloud, IIQ gives organizations complete control over their identity infrastructure, data residency, and integration topology. For regulated industries that cannot or choose not to move identity data to multi-tenant SaaS, IIQ remains the deployment model of choice.
At its core, IIQ is built on a Java-based architecture with a powerful workflow engine that orchestrates employee identity lifecycle events across the organization. Every access request, certification decision, and provisioning action flows through configurable workflows that enforce business rules, approval chains, and escalation policies. GCA configures these workflows to match each client's operational reality, balancing governance rigor with end-user experience.
IIQ's BeanShell scripting engine provides extensibility for complex business logic that out-of-the-box configuration cannot address. GCA uses BeanShell to build custom correlation rules, transform entitlement data during provisioning, and implement conditional approval logic for high-risk access decisions. Every script is version-controlled, peer-reviewed, and documented to avoid the technical debt that unplanned customization creates.
The connector framework supports integration with directories, databases, HR systems, ERP platforms, and cloud applications through a library of built-in connectors and a configurable provisioning engine. GCA implements connector configurations with production-grade practices: connection pooling, error handling, retry logic, and monitoring hooks that feed into operational dashboards. IIQ's task definition framework allows scheduled aggregation, certification campaign execution, and compliance report generation to run on automated cadences, reducing the operational burden on IAM teams.
SailPoint Identity Security Cloud (ISC)
SailPoint Identity Security Cloud is the cloud-native SaaS identity governance platform that delivers the same core capabilities as IdentityIQ without requiring on-premises infrastructure. ISC is built on a multi-tenant architecture hosted and maintained by SailPoint, freeing internal teams from patch management, infrastructure sizing, and platform upgrades. For cloud-first organizations, a SailPoint ISC implementation is the fastest path to a production identity governance program.
ISC's architecture is API-first, providing a comprehensive REST API that covers every administrative and operational function. GCA uses the API to build automation pipelines, integrate SailPoint with ITSM platforms like ServiceNow, and create custom dashboards that surface governance metrics to executive stakeholders. Event Triggers allow ISC to publish identity events in real time to external systems, enabling downstream processes to react to access changes as they happen.
Transforms in ISC are the data manipulation layer that maps, filters, and reshapes identity data as it flows between SailPoint and connected systems. GCA configures transforms to normalize attributes from disparate HR sources, map entitlements to role models, and generate provisioning payloads for target applications. The transform framework replaces the scripting-heavy customization model of IIQ with a declarative, maintainable configuration approach.
ISC ships with a library of pre-built connectors for SaaS applications including Microsoft 365, Workday, Salesforce, ServiceNow, and hundreds of others. These connectors reduce integration timelines from weeks to days and are maintained by SailPoint as vendors update their APIs. For applications without pre-built connectors, ISC's Connectivity+ framework supports generic REST and SCIM integration patterns that GCA configures per-client.
GCA's SailPoint Implementation Process
GCA follows a structured six-phase implementation methodology that transforms a SailPoint deployment from initial assessment into a sustainable, audit-ready identity governance program. Each phase has defined deliverables, client touchpoints, and quality gates that prevent scope creep and ensure alignment with business objectives.
Discovery
GCA maps the current-state identity landscape: identity populations, application inventory, existing access controls, compliance requirements, and organizational stakeholders. This phase produces the foundational data model that drives every downstream decision.
Design
Based on discovery findings, GCA designs the target-state architecture including connector strategy, lifecycle workflow logic, role model structure, certification campaign design, and SoD policy framework. Clients review and approve the design before build begins.
Build
GCA configures connectors, builds lifecycle rules, implements workflows, models roles, and integrates SailPoint with downstream systems. All configuration is version-controlled and follows the configuration-first principle: configure before customize.
Test
GCA validates provisioning workflows, access certification behavior, SoD enforcement, and lifecycle event handling through documented test cases. Test evidence packages satisfy auditor requirements from day one and establish the baseline for ongoing regression testing.
Deploy
Production deployment follows a controlled rollout plan with go-live checkpoints, rollback procedures, and stakeholder communication. GCA supports the initial operational period with hands-on monitoring and rapid issue resolution.
Optimize
Post-deployment, GCA tunes system performance, refines role models based on certification outcomes, expands application coverage, and establishes ongoing governance cadences. This phase transitions the implementation from a project into a managed program.
SailPoint Use Cases by Industry
SailPoint IGA addresses industry-specific identity governance challenges that generic access management tools cannot solve. GCA implements SailPoint with configurations tailored to each industry's regulatory framework, operational patterns, and audit expectations.
Healthcare: Hospitals and health systems deploy SailPoint to govern clinician access across EHR platforms, clinical applications, and administrative systems. GCA configures access certification campaigns that align with HIPAA minimum necessary requirements, ensuring physicians, nurses, and allied health professionals retain only the access required for their role. Automated provisioning tied to credentialing workflows ensures new clinicians receive appropriate access on day one while former clinicians lose access within hours of separation.
Financial Services: Banks, credit unions, and insurance companies use SailPoint to enforce segregation of duties (SoD) policies across core banking systems, trading platforms, and financial applications. GCA builds SoD policy models that prevent conflicting access combinations while allowing operational flexibility through compensating controls and exception workflows. This approach satisfies OCC, FFIEC, and SOX auditors while keeping business processes moving.
Government: Federal agencies and state governments deploy SailPoint to meet FedRAMP, NIST 800-53, and FISMA identity governance requirements. GCA implements SailPoint in FedRAMP-authorized environments and configures access control models that satisfy continuous monitoring and authority-to-operate requirements. Our government implementations include automated access reviews tied to security control assessments and evidence generation for annual audits.
SailPoint Non-Employee Risk Management
SailPoint NERM (formerly SecZetta) is the purpose-built module for governing contractor, vendor, consultant, and third-party identities that fall outside the HR system of record. Most organizations manage non-employee access through spreadsheets, shared mailboxes, or informal sponsor relationships, creating uncontrolled risk that grows with every new engagement.
NERM establishes a structured system of record for non-employee populations with sponsor-owned, time-bound access that automatically expires when the engagement ends. Contractors onboard through a self-service portal that captures required documentation, assigns a risk score based on role and access scope, and routes through approval chains before provisioning begins. Sponsors receive regular notifications to revalidate access, ensuring that non-employee privileges remain aligned with active engagements.
GCA implements NERM as either a standalone governance layer for non-employee populations or as an integrated extension of the broader SailPoint IGA platform. When integrated with IIQ or ISC, NERM provides unified visibility across employee and non-employee populations, enabling cross-population SoD enforcement and consolidated access certification campaigns. For organizations subject to supply chain risk management requirements, NERM provides the auditable evidence trail that demonstrates third-party access is governed with the same rigor as internal access.
IIQ to ISC Migration
Organizations running IdentityIQ on-premises increasingly evaluate migration to Identity Security Cloud to reduce infrastructure overhead, use AI-powered governance features, and align with cloud-first strategies. GCA approaches IIQ-to-ISC migration as a phased transition rather than a rip-and-replace, preserving existing governance investments while introducing cloud-native capabilities incrementally.
The migration path typically begins with a coexistence strategy: ISC connects to the same identity sources as IIQ, and GCA migrates application connectors and governance workflows in priority order. This approach allows organizations to prove ISC in production for a subset of applications before committing to full migration. GCA manages the coexistence period to prevent governance gaps, duplicate entitlements, and certification conflicts between tools. For organizations that choose to maintain IIQ indefinitely, GCA provides ongoing managed services for both tools and advises on hybrid architectures that use the strengths of each deployment model.
SailPoint Capabilities
SailPoint Identity Security Cloud (ISC)
SailPoint ISC (formerly IdentityNow) is SailPoint's cloud-native SaaS identity platform. It provides access certifications, lifecycle automation, and compliance automation without on-premise infrastructure. GCA implements ISC for organizations migrating off on-premises governance or standing up governance for the first time in cloud-first environments. Our SailPoint IdentityNow consulting engagements also support organizations still running the platform under its earlier name.
- Cloud-native access certifications and compliance automation
- API-first architecture with Event Triggers, Workflows, and Transforms
- Reduced access risk across SaaS sprawl through role modeling and policy-driven provisioning
SailPoint IdentityIQ (IIQ)
SailPoint IdentityIQ is SailPoint's on-premises identity governance platform. It delivers access certification, provisioning, access request management, role management, policy enforcement, and compliance reporting within a single deployable platform. GCA has implemented IIQ in complex enterprise environments spanning thousands of applications and millions of entitlements.
- Audit-defensible access certifications aligned to SOX, HIPAA, PCI-DSS
- Configuration-first philosophy: configure before customize, minimize technical debt
- Production-grade performance tuning for enterprise identity volumes
SailPoint Non-Employee Risk Management (NERM)
NERM (formerly SecZetta) is the purpose-built module for governing non-employee identities: contractors, vendors, consultants, auditors, and third-party personnel. It provides a self-service onboarding portal with defined lifecycle controls, sponsor accountability, and automatic expiration. GCA implements NERM as the structured system of record for everything non-employee.
- Sponsor-owned, time-bound access with automatic expiration
- Self-service onboarding with risk scoring and approval chains
- Native integration with IIQ and ISC for unified governance
SailPoint Accelerated Application Management (AAM)
AAM - built on SailPoint Atlas with technology from the August 2025 Savvy acquisition - extends governance into the long tail of SaaS applications most programs leave ungoverned. Where connector-led onboarding tops out at dozens of applications, AAM is designed to bring hundreds into governance through identity-led discovery and Express Setup.
- Continuous SaaS discovery of applications, owners, usage, and risky access
- Express Setup onboarding without bespoke connector development
- Native integration with ISC for one governance model, broader coverage
SailPoint AI-Powered Governance
SailPoint integrates AI-powered identity security into Identity Security Cloud, delivering machine learning-driven access recommendations, anomaly detection, and policy suggestions. GCA configures these capabilities to augment human governance decisions, not replace them. AI governance features are available in ISC; IdentityIQ implementations rely on rule-based policies and manual certification workflows.
AI-Driven Access Recommendations
SailPoint analyzes access patterns across the organization to recommend role assignments and entitlement changes. GCA configures recommendation thresholds, approval workflows, and exception handling so that AI suggestions are reviewed before deployment.
Anomaly Detection
SailPoint detects unusual entitlement changes, access requests outside normal patterns, and dormant accounts reactivating. GCA tunes detection sensitivity, integrates alerts with SIEM pipelines, and establishes response playbooks for security teams.
Policy Suggestion Engine
SailPoint's AI suggests policy refinements based on observed access patterns and compliance gaps. GCA reviews suggestions against the organization's regulatory requirements and implements changes through the existing governance framework.
GCA's SailPoint Expertise
GCA holds SailPoint's Delivery Admiral competency, awarded only to partners with certified resources, demonstrated deployment experience, and independently verified customer satisfaction. The practice is rated 4.6 / 5.0 on Gartner Peer Insights based on 32 verified reviews (as of 5/1/2026).
Gartner Peer Insights attribution
GARTNER is a registered trademark and service mark, and PEER INSIGHTS is a trademark and service mark of Gartner, Inc. and/or its affiliates and are used herein with permission. Gartner Peer Insights content consists of the opinions of individual end-users based on their own experiences with the vendors listed on the platform, and should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.
Our SailPoint consulting services span the full implementation lifecycle: IAM assessment, SailPoint implementation, and managed identity services that operate and improve the platform after go-live. GCA also implements SailPoint as part of a cross-pillar program spanning identity management, identity governance, and privileged access management.
What to Expect from a GCA SailPoint Engagement
Our engagement follows the 13 decision points outlined in our SailPoint implementation checklist.
Architecture & Scoping
GCA assesses your identity population, application inventory, existing directory infrastructure, and compliance requirements before recommending a deployment architecture. We size the implementation correctly from the start.
Configuration & Integration
GCA builds connector configurations, lifecycle rules, certification workflows, and role models using production-grade practices: version-controlled configuration, change-controlled deployment, and documented customization.
Testing & Validation
Before go-live, GCA validates provisioning workflows, access certification behavior, SoD policy enforcement, and lifecycle event handling against documented test cases. We produce test evidence packages that satisfy audit requirements on day one.
Managed Operations
Post-implementation, GCA provides SailPoint managed services: connector health monitoring, certification campaign execution, access request queue management, platform upgrades, and quarterly governance reviews.
For CISOs
Risk Reduction
Automate access certifications to ensure every entitlement is reviewed on schedule. Eliminate orphaned accounts and excessive privileges that create compliance exposure and breach risk.
Compliance
Enforce segregation of duties policies that prevent conflicting access combinations across financial, healthcare, and government systems. Generate audit-ready evidence packages for SOX, HIPAA, and NERC CIP.
ROI
Replace manual, spreadsheet-driven access reviews with automated governance campaigns. Reduce audit preparation time from weeks to days with built-in evidence generation and compliance reporting.
For IT Directors
Efficiency
Connect 300+ applications through pre-built connectors and reduce manual provisioning effort. Automate joiner, mover, and leaver lifecycle events across your entire application portfolio.
Integration
Integrate with existing HR systems, directories, and ITSM platforms to drive identity lifecycle events from a single source of truth. Unified governance across employee and non-employee populations.
Deployment
Deploy IdentityIQ on-premises for full data control, or Identity Security Cloud for cloud-native governance without infrastructure overhead. GCA advises on the right platform for your environment.
Why GCA for SailPoint?
Vendor-Neutral Expertise
We're not tied to one platform. GCA evaluates the best fit for your environment across all major identity vendors.
4-Pillar Approach
IDM + WAM + IGA + PAM = complete identity security. We don't silo services - we deliver unified governance.
Proven Methodology
20+ years, 100+ implementations. Our Assess-Design-Implement-Manage framework reduces risk and accelerates time-to-value.
Related Solutions
Identity Governance
Access certification, access review, and segregation of duties across IGA platforms.
IAM Implementation
End-to-end identity and access management implementation services.
SailPoint Checklist
The 13 decisions that determine SailPoint implementation success.
The GCA Difference
- Compliance achieved ahead of audit. Access certifications and evidence packages are ready before auditors ask, because SailPoint governance produces the record continuously instead of on demand.
- Access provisioning in minutes, not days. Joiner, mover, and leaver events flow through automated workflows instead of manual tickets, so employees get the access they need without a help-desk queue.
- Clean audit findings every time. Segregation-of-duties policies and scheduled certifications catch the access issues that would otherwise surface as findings during a SOX, HIPAA, or NERC CIP review.
The Cost of Inaction
- Compliance penalties and fines. Regulators and auditors treat an unmanaged access review process as a control failure, and the resulting findings carry real financial and reputational consequences.
- Data breach exposure. Orphaned accounts and excessive privileges that accumulate without governance are exactly the access paths threat actors look for once they gain a foothold.
- Operational risk and inefficiency. Manual, spreadsheet-driven access reviews consume IT and compliance staff time that automated governance would otherwise free up for higher-value work.
Frequently Asked Questions
-
What is the difference between SailPoint IdentityIQ and Identity Security Cloud?
SailPoint IdentityIQ (IIQ) is the on-premises identity governance platform, deployed and operated within the customer's own infrastructure. SailPoint Identity Security Cloud (ISC) is the cloud-native SaaS equivalent, delivering the same governance capabilities without on-premise infrastructure. GCA implements both and can advise on which platform fits your environment.
-
What is SailPoint NERM?
SailPoint NERM (Non-Employee Risk Management, formerly SecZetta) is a purpose-built module for governing contractor, vendor, and third-party identities. It provides sponsor-owned, time-bound access with self-service onboarding and automatic expiration, integrated with SailPoint IIQ or ISC.
-
What does SailPoint Delivery Admiral mean?
Delivery Admiral is SailPoint's highest delivery competency, awarded only to partners with certified resources, demonstrated deployment experience, and independently verified customer satisfaction. GCA holds this competency in the Americas region.
Get Started with SailPoint
Read our SailPoint implementation checklist, or book a consultation to discuss your identity governance program.