Skip to main content

SailPoint Identity Solutions

Managing identity access across thousands of applications while staying audit-ready is the challenge that keeps IAM teams up at night. We help regulated enterprises implement SailPoint across the full product suite - IdentityIQ, Identity Security Cloud, and NERM - so you can close compliance gaps without slowing the business. As a SailPoint Delivery Admiral, we bring deep technical experience across access governance, lifecycle automation, and non-employee risk management.

What Is SailPoint?

SailPoint is an enterprise identity security company that builds identity governance and administration software used by organizations to control who has access to what, and to ensure that access is appropriate, auditable, and compliant. SailPoint software spans on-premises platforms, cloud-native SaaS, and purpose-built modules for non-employee populations.

Organizations deploy SailPoint to manage employee identity lifecycle, run access certification campaigns, enforce segregation of duties, manage role assignments, and generate compliance evidence for SOX, HIPAA, PCI-DSS, NERC CIP, and other regulatory audits. For regulated industries, SailPoint identity governance is often the operational backbone of the compliance program.

GCA is an IAM-specialist partner that helps organizations implement and manage SailPoint across the full product portfolio. While we can assist with software licensing, our primary value is the technical expertise that turns a SailPoint deployment into a functioning, sustainable identity program.

What Happens Without SailPoint Governance

Without identity governance, privileged accounts multiply unchecked, access reviews become checkbox exercises, and audit findings pile up. Organizations without SailPoint IGA spend weeks preparing for SOX or HIPAA audits, manually tracking access across hundreds of applications, and discovering compliance gaps only after regulators point them out. The cost isn't just audit findings - it's the operational drag of an identity program that never matures beyond spreadsheets and tribal knowledge.

What Success Looks Like

With SailPoint implemented by GCA, identity governance becomes the operational backbone of your compliance program. Access reviews run on schedule with evidence packages that auditors can retrieve without a reconstruction effort. Provisioning happens automatically when employees join, change roles, or leave. Segregation of duties policies enforce themselves, and your IAM team spends time optimizing governance rather than firefighting access requests.

SailPoint IdentityIQ (IIQ)

SailPoint IdentityIQ is the on-premises identity governance platform that has served as the backbone of enterprise IGA programs for over a decade. Deployed within a customer's own data center or private cloud, IIQ gives organizations complete control over their identity infrastructure, data residency, and integration topology. For regulated industries that cannot or choose not to move identity data to multi-tenant SaaS, IIQ remains the deployment model of choice.

At its core, IIQ is built on a Java-based architecture with a powerful workflow engine that orchestrates employee identity lifecycle events across the organization. Every access request, certification decision, and provisioning action flows through configurable workflows that enforce business rules, approval chains, and escalation policies. GCA configures these workflows to match each client's operational reality, balancing governance rigor with end-user experience.

IIQ's BeanShell scripting engine provides extensibility for complex business logic that out-of-the-box configuration cannot address. GCA uses BeanShell to build custom correlation rules, transform entitlement data during provisioning, and implement conditional approval logic for high-risk access decisions. Every script is version-controlled, peer-reviewed, and documented to avoid the technical debt that unplanned customization creates.

The connector framework supports integration with directories, databases, HR systems, ERP platforms, and cloud applications through a library of built-in connectors and a configurable provisioning engine. GCA implements connector configurations with production-grade practices: connection pooling, error handling, retry logic, and monitoring hooks that feed into operational dashboards. IIQ's task definition framework allows scheduled aggregation, certification campaign execution, and compliance report generation to run on automated cadences, reducing the operational burden on IAM teams.

SailPoint Identity Security Cloud (ISC)

SailPoint Identity Security Cloud is the cloud-native SaaS identity governance platform that delivers the same core capabilities as IdentityIQ without requiring on-premises infrastructure. ISC is built on a multi-tenant architecture hosted and maintained by SailPoint, freeing internal teams from patch management, infrastructure sizing, and platform upgrades. For cloud-first organizations, a SailPoint ISC implementation is the fastest path to a production identity governance program.

ISC's architecture is API-first, providing a comprehensive REST API that covers every administrative and operational function. GCA uses the API to build automation pipelines, integrate SailPoint with ITSM platforms like ServiceNow, and create custom dashboards that surface governance metrics to executive stakeholders. Event Triggers allow ISC to publish identity events in real time to external systems, enabling downstream processes to react to access changes as they happen.

Transforms in ISC are the data manipulation layer that maps, filters, and reshapes identity data as it flows between SailPoint and connected systems. GCA configures transforms to normalize attributes from disparate HR sources, map entitlements to role models, and generate provisioning payloads for target applications. The transform framework replaces the scripting-heavy customization model of IIQ with a declarative, maintainable configuration approach.

ISC ships with a library of pre-built connectors for SaaS applications including Microsoft 365, Workday, Salesforce, ServiceNow, and hundreds of others. These connectors reduce integration timelines from weeks to days and are maintained by SailPoint as vendors update their APIs. For applications without pre-built connectors, ISC's Connectivity+ framework supports generic REST and SCIM integration patterns that GCA configures per-client.

GCA's SailPoint Implementation Process

GCA follows a structured six-phase implementation methodology that transforms a SailPoint deployment from initial assessment into a sustainable, audit-ready identity governance program. Each phase has defined deliverables, client touchpoints, and quality gates that prevent scope creep and ensure alignment with business objectives.

1

Discovery

GCA maps the current-state identity landscape: identity populations, application inventory, existing access controls, compliance requirements, and organizational stakeholders. This phase produces the foundational data model that drives every downstream decision.

2

Design

Based on discovery findings, GCA designs the target-state architecture including connector strategy, lifecycle workflow logic, role model structure, certification campaign design, and SoD policy framework. Clients review and approve the design before build begins.

3

Build

GCA configures connectors, builds lifecycle rules, implements workflows, models roles, and integrates SailPoint with downstream systems. All configuration is version-controlled and follows the configuration-first principle: configure before customize.

4

Test

GCA validates provisioning workflows, access certification behavior, SoD enforcement, and lifecycle event handling through documented test cases. Test evidence packages satisfy auditor requirements from day one and establish the baseline for ongoing regression testing.

5

Deploy

Production deployment follows a controlled rollout plan with go-live checkpoints, rollback procedures, and stakeholder communication. GCA supports the initial operational period with hands-on monitoring and rapid issue resolution.

6

Optimize

Post-deployment, GCA tunes system performance, refines role models based on certification outcomes, expands application coverage, and establishes ongoing governance cadences. This phase transitions the implementation from a project into a managed program.

SailPoint Use Cases by Industry

SailPoint IGA addresses industry-specific identity governance challenges that generic access management tools cannot solve. GCA implements SailPoint with configurations tailored to each industry's regulatory framework, operational patterns, and audit expectations.

Healthcare: Hospitals and health systems deploy SailPoint to govern clinician access across EHR platforms, clinical applications, and administrative systems. GCA configures access certification campaigns that align with HIPAA minimum necessary requirements, ensuring physicians, nurses, and allied health professionals retain only the access required for their role. Automated provisioning tied to credentialing workflows ensures new clinicians receive appropriate access on day one while former clinicians lose access within hours of separation.

Financial Services: Banks, credit unions, and insurance companies use SailPoint to enforce segregation of duties (SoD) policies across core banking systems, trading platforms, and financial applications. GCA builds SoD policy models that prevent conflicting access combinations while allowing operational flexibility through compensating controls and exception workflows. This approach satisfies OCC, FFIEC, and SOX auditors while keeping business processes moving.

Government: Federal agencies and state governments deploy SailPoint to meet FedRAMP, NIST 800-53, and FISMA identity governance requirements. GCA implements SailPoint in FedRAMP-authorized environments and configures access control models that satisfy continuous monitoring and authority-to-operate requirements. Our government implementations include automated access reviews tied to security control assessments and evidence generation for annual audits.

SailPoint Non-Employee Risk Management

SailPoint NERM (formerly SecZetta) is the purpose-built module for governing contractor, vendor, consultant, and third-party identities that fall outside the HR system of record. Most organizations manage non-employee access through spreadsheets, shared mailboxes, or informal sponsor relationships, creating uncontrolled risk that grows with every new engagement.

NERM establishes a structured system of record for non-employee populations with sponsor-owned, time-bound access that automatically expires when the engagement ends. Contractors onboard through a self-service portal that captures required documentation, assigns a risk score based on role and access scope, and routes through approval chains before provisioning begins. Sponsors receive regular notifications to revalidate access, ensuring that non-employee privileges remain aligned with active engagements.

GCA implements NERM as either a standalone governance layer for non-employee populations or as an integrated extension of the broader SailPoint IGA platform. When integrated with IIQ or ISC, NERM provides unified visibility across employee and non-employee populations, enabling cross-population SoD enforcement and consolidated access certification campaigns. For organizations subject to supply chain risk management requirements, NERM provides the auditable evidence trail that demonstrates third-party access is governed with the same rigor as internal access.

IIQ to ISC Migration

Organizations running IdentityIQ on-premises increasingly evaluate migration to Identity Security Cloud to reduce infrastructure overhead, use AI-powered governance features, and align with cloud-first strategies. GCA approaches IIQ-to-ISC migration as a phased transition rather than a rip-and-replace, preserving existing governance investments while introducing cloud-native capabilities incrementally.

The migration path typically begins with a coexistence strategy: ISC connects to the same identity sources as IIQ, and GCA migrates application connectors and governance workflows in priority order. This approach allows organizations to prove ISC in production for a subset of applications before committing to full migration. GCA manages the coexistence period to prevent governance gaps, duplicate entitlements, and certification conflicts between tools. For organizations that choose to maintain IIQ indefinitely, GCA provides ongoing managed services for both tools and advises on hybrid architectures that use the strengths of each deployment model.

IIQ to ISC Migration Deep Dive →

SailPoint Capabilities

1

SailPoint Identity Security Cloud (ISC)

SailPoint ISC (formerly IdentityNow) is SailPoint's cloud-native SaaS identity platform. It provides access certifications, lifecycle automation, and compliance automation without on-premise infrastructure. GCA implements ISC for organizations migrating off on-premises governance or standing up governance for the first time in cloud-first environments. Our SailPoint IdentityNow consulting engagements also support organizations still running the platform under its earlier name.

  • Cloud-native access certifications and compliance automation
  • API-first architecture with Event Triggers, Workflows, and Transforms
  • Reduced access risk across SaaS sprawl through role modeling and policy-driven provisioning

ISC Deep Dive →

2

SailPoint IdentityIQ (IIQ)

SailPoint IdentityIQ is SailPoint's on-premises identity governance platform. It delivers access certification, provisioning, access request management, role management, policy enforcement, and compliance reporting within a single deployable platform. GCA has implemented IIQ in complex enterprise environments spanning thousands of applications and millions of entitlements.

  • Audit-defensible access certifications aligned to SOX, HIPAA, PCI-DSS
  • Configuration-first philosophy: configure before customize, minimize technical debt
  • Production-grade performance tuning for enterprise identity volumes

IIQ Deep Dive →

3

SailPoint Non-Employee Risk Management (NERM)

NERM (formerly SecZetta) is the purpose-built module for governing non-employee identities: contractors, vendors, consultants, auditors, and third-party personnel. It provides a self-service onboarding portal with defined lifecycle controls, sponsor accountability, and automatic expiration. GCA implements NERM as the structured system of record for everything non-employee.

  • Sponsor-owned, time-bound access with automatic expiration
  • Self-service onboarding with risk scoring and approval chains
  • Native integration with IIQ and ISC for unified governance

NERM Deep Dive →

4

SailPoint Accelerated Application Management (AAM)

AAM - built on SailPoint Atlas with technology from the August 2025 Savvy acquisition - extends governance into the long tail of SaaS applications most programs leave ungoverned. Where connector-led onboarding tops out at dozens of applications, AAM is designed to bring hundreds into governance through identity-led discovery and Express Setup.

  • Continuous SaaS discovery of applications, owners, usage, and risky access
  • Express Setup onboarding without bespoke connector development
  • Native integration with ISC for one governance model, broader coverage

AAM Deep Dive →

SailPoint AI-Powered Governance

SailPoint integrates AI-powered identity security into Identity Security Cloud, delivering machine learning-driven access recommendations, anomaly detection, and policy suggestions. GCA configures these capabilities to augment human governance decisions, not replace them. AI governance features are available in ISC; IdentityIQ implementations rely on rule-based policies and manual certification workflows.

1

AI-Driven Access Recommendations

SailPoint analyzes access patterns across the organization to recommend role assignments and entitlement changes. GCA configures recommendation thresholds, approval workflows, and exception handling so that AI suggestions are reviewed before deployment.

2

Anomaly Detection

SailPoint detects unusual entitlement changes, access requests outside normal patterns, and dormant accounts reactivating. GCA tunes detection sensitivity, integrates alerts with SIEM pipelines, and establishes response playbooks for security teams.

3

Policy Suggestion Engine

SailPoint's AI suggests policy refinements based on observed access patterns and compliance gaps. GCA reviews suggestions against the organization's regulatory requirements and implements changes through the existing governance framework.

GCA's SailPoint Expertise

GCA holds SailPoint's Delivery Admiral competency, awarded only to partners with certified resources, demonstrated deployment experience, and independently verified customer satisfaction. The practice is rated 4.6 / 5.0 on Gartner Peer Insights based on 32 verified reviews (as of 5/1/2026).

GCA Technology Services rated 4.6 out of 5 stars on Gartner Peer Insights based on 32 reviews
Gartner Peer Insights attribution

GARTNER is a registered trademark and service mark, and PEER INSIGHTS is a trademark and service mark of Gartner, Inc. and/or its affiliates and are used herein with permission. Gartner Peer Insights content consists of the opinions of individual end-users based on their own experiences with the vendors listed on the platform, and should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.

Our SailPoint consulting services span the full implementation lifecycle: IAM assessment, SailPoint implementation, and managed identity services that operate and improve the platform after go-live. GCA also implements SailPoint as part of a cross-pillar program spanning identity management, identity governance, and privileged access management.

What to Expect from a GCA SailPoint Engagement

Our engagement follows the 13 decision points outlined in our SailPoint implementation checklist.

1

Architecture & Scoping

GCA assesses your identity population, application inventory, existing directory infrastructure, and compliance requirements before recommending a deployment architecture. We size the implementation correctly from the start.

2

Configuration & Integration

GCA builds connector configurations, lifecycle rules, certification workflows, and role models using production-grade practices: version-controlled configuration, change-controlled deployment, and documented customization.

3

Testing & Validation

Before go-live, GCA validates provisioning workflows, access certification behavior, SoD policy enforcement, and lifecycle event handling against documented test cases. We produce test evidence packages that satisfy audit requirements on day one.

4

Managed Operations

Post-implementation, GCA provides SailPoint managed services: connector health monitoring, certification campaign execution, access request queue management, platform upgrades, and quarterly governance reviews.

For CISOs

Risk Reduction

Automate access certifications to ensure every entitlement is reviewed on schedule. Eliminate orphaned accounts and excessive privileges that create compliance exposure and breach risk.

Compliance

Enforce segregation of duties policies that prevent conflicting access combinations across financial, healthcare, and government systems. Generate audit-ready evidence packages for SOX, HIPAA, and NERC CIP.

ROI

Replace manual, spreadsheet-driven access reviews with automated governance campaigns. Reduce audit preparation time from weeks to days with built-in evidence generation and compliance reporting.

For IT Directors

Efficiency

Connect 300+ applications through pre-built connectors and reduce manual provisioning effort. Automate joiner, mover, and leaver lifecycle events across your entire application portfolio.

Integration

Integrate with existing HR systems, directories, and ITSM platforms to drive identity lifecycle events from a single source of truth. Unified governance across employee and non-employee populations.

Deployment

Deploy IdentityIQ on-premises for full data control, or Identity Security Cloud for cloud-native governance without infrastructure overhead. GCA advises on the right platform for your environment.

Why GCA for SailPoint?

Vendor-Neutral Expertise

We're not tied to one platform. GCA evaluates the best fit for your environment across all major identity vendors.

4-Pillar Approach

IDM + WAM + IGA + PAM = complete identity security. We don't silo services - we deliver unified governance.

Proven Methodology

20+ years, 100+ implementations. Our Assess-Design-Implement-Manage framework reduces risk and accelerates time-to-value.

Related Solutions

Identity Governance

Access certification, access review, and segregation of duties across IGA platforms.

IAM Implementation

End-to-end identity and access management implementation services.

SailPoint Checklist

The 13 decisions that determine SailPoint implementation success.

The GCA Difference

The Cost of Inaction

Frequently Asked Questions

Get Started with SailPoint

Read our SailPoint implementation checklist, or book a consultation to discuss your identity governance program.