SailPoint IdentityIQ (IIQ)
Running on-premise identity governance without expert support means complex deployments that drift from best practices, technical debt that compounds with every upgrade, and audit findings that could have been prevented. We help regulated enterprises implement, modernize, and operate SailPoint IdentityIQ so your on-premise governance program delivers the compliance and security outcomes it was built for.
What Is SailPoint IdentityIQ?
SailPoint IdentityIQ is SailPoint's on-premises identity governance system and the longest-running product in the SailPoint portfolio. It delivers access certification, provisioning, access request handling, role management, policy enforcement, and compliance reporting within a single deployable system that organizations operate inside their own infrastructure.
For enterprises with data residency, regulatory, or operational reasons to keep governance on-premise, or with deeply customized IIQ deployments built over years, IIQ remains the right answer. We help organizations implement, modernize, and operate SailPoint IdentityIQ across complex enterprise environments spanning thousands of applications and millions of entitlements.
IIQ Capabilities
IIQ Architecture
IdentityIQ runs on a Java application server (typically Tomcat or WebLogic) backed by a relational database (SQL Server, Oracle, or MySQL). The system's customization surface is Java and BeanShell, executed inside the IIQ container and reaching the SailPoint API directly.
Architectural decisions made up front determine whether IIQ operates predictably at the enterprise scale it was built for or accumulates technical debt and runtime instability:
- Database sizing and index strategy
- Partition counts and thread budgets for Identity Refresh and Aggregation
- Extended and searchable attribute model
- Connector deployment topology
Configuration First, Customization Last
SailPoint has hundreds of engineers improving IdentityIQ on a continuous release cadence. The fastest way to turn an IIQ deployment into a multi-year quagmire is to out-engineer them with custom code, workflows, forms, and rules that only a handful of consultants understand - all of which must be re-validated on every system upgrade.
GCA's discipline is the opposite: configure first, customize only when configuration genuinely cannot meet the requirement, and keep customization small, isolated, and upgrade-safe. Out-of-the-box IIQ features - Lifecycle Events, Certifications, Policies, standard connectors - are exhausted before any rule is written.
Rules that genuinely are unavoidable are idempotent, defensively coded, version-controlled, documented, and aligned to SailPoint's published patterns. The result is an IIQ implementation your internal team can operate, audit can trace, and that survives quarterly patches and major upgrades without months-long rewrite projects.
Performance and Task Tuning
IIQ task definitions (Identity Refresh, Aggregation, Certification Generation) operate on full identity cubes and degrade quickly without explicit tuning. GCA scopes every IIQ implementation against population size and database capacity.
GCA's approach to IIQ performance includes:
- Partition tasks for populations above ten thousand identities
- Set thread counts explicitly rather than accepting defaults
- Declare filtering scope so tasks do not unnecessarily scan the entire tenant
- Validate expected runtime in a non-production environment before production cutover
- Aggregate throughput and per-identity refresh time budgeted up front, not discovered in production
Regulated Verticals
IIQ has historically been the system of choice for regulated enterprises (healthcare, financial services, energy/utilities, and federal supply-chain organizations) precisely because the on-premise model preserves data residency, the customization surface accommodates legacy and bespoke applications, and the system produces the audit-evidence depth that the major regulatory frameworks expect.
GCA's IIQ engagements in regulated verticals map certification campaigns, SoD policies, and provisioning audit trails directly to the relevant control families:
- SOX Section 404: Access certification for financial systems, SoD enforcement, quarterly evidence packages
- HIPAA Security Rule: PHI-handling application scoping, audit controls, unique user identification
- PCI-DSS: Cardholder data environment access reviews, requirement 7 and 8 compliance
- NERC CIP: Personnel access governance for Critical Cyber Assets, CIP-004-7 evidence
- NIST SP 800-53: AC family access control mappings, continuous monitoring evidence
What Happens Without Expert IIQ Support
IIQ deployments without expert architecture and configuration accumulate technical debt that compounds with every upgrade. Custom scripts break during system patches, certification campaigns produce incomplete evidence, and performance degrades as identity volumes grow. Organizations stuck in this pattern find their IIQ investment delivering a fraction of its governance value - while the internal team spends more time firefighting the system than using it for compliance.
What Success Looks Like
With GCA's IIQ implementation, on-premise identity governance runs reliably at enterprise scale. Access certifications produce audit-ready evidence on the first cycle. Provisioning workflows handle complex entitlement logic without custom code. Platform upgrades happen cleanly because configuration follows SailPoint's upgrade-safe patterns. Your IIQ deployment becomes an asset that the internal team can operate, audit can trace, and the organization can build on.
IIQ Implementation Process
GCA follows a structured methodology that transforms IIQ from initial architecture into a sustainable, audit-ready identity governance program.
Discovery & Architecture
GCA maps the current-state identity environment: identity populations, application inventory, existing access controls, and compliance requirements. This phase produces the foundational data model and IIQ architecture design - database sizing, partition strategy, connector topology, and customization boundaries - that drives every downstream decision.
Configuration & Build
GCA configures connectors, builds lifecycle rules, implements certification workflows, models roles, and integrates IIQ with downstream systems. All configuration follows the configuration-first principle: out-of-the-box features are exhausted before any rule is written. Customization is minimized, version-controlled, and upgrade-safe.
Testing & Validation
GCA validates provisioning workflows, access certification behavior, SoD enforcement, and task scheduling against documented test cases. Performance tuning is validated in non-production before production cutover. Test evidence packages satisfy auditor requirements from day one.
Deploy & Operate
Production deployment follows a controlled rollout with go-live checkpoints and rollback procedures. Post-deployment, GCA provides managed operations: connector health monitoring, certification campaign execution, system upgrades, and quarterly governance reviews that keep the IIQ deployment sustainable.
GCA's IIQ Expertise
GCA holds SailPoint's Delivery Admiral competency and is rated 4.6 / 5.0 on Gartner Peer Insights based on 32 verified reviews (as of 5/1/2026). Our IIQ practice covers initial architecture and sizing through production cutover and post-go-live stabilization, plus ongoing managed operations.
For organizations evaluating whether IIQ or ISC is the right system, GCA provides an environment assessment that maps your identity population, application landscape, and regulatory requirements against each system's strengths. See our ISC page for the cloud-native alternative, or our migration guide for organizations moving from IIQ to ISC.
For the 13 decision points that determine IIQ implementation success, see our SailPoint implementation checklist.
Frequently Asked Questions
What is SailPoint IIQ (IdentityIQ)?
SailPoint IdentityIQ is an on-premises identity governance platform that automates access certifications, provisioning, and compliance reporting for enterprise environments.
How long does an IIQ implementation take?
Typical implementations run 12-16 weeks depending on scope, number of applications, and existing infrastructure. GCA delivers in phases so you see value early.
Should we migrate from IIQ to ISC?
It depends on your environment. GCA evaluates your current IIQ deployment and provides an honest assessment of whether migration to ISC makes sense for your organization.
What is the difference between IdentityIQ and Identity Security Cloud?
IdentityIQ is SailPoint's on-premises platform, deployed and operated within the customer's own infrastructure. Identity Security Cloud (ISC) is the cloud-native SaaS equivalent. IIQ offers deeper customization via Java and BeanShell, while ISC provides API-first architecture with Event Triggers and Workflows. GCA implements both and can advise on which platform fits your environment.
Deploy IdentityIQ With Confidence
GCA's IIQ practice delivers production-ready, compliance-mapped, and operationally sustainable deployments. Start with a scoped architecture review.