Skip to main content

SailPoint IdentityIQ & ISC Implementation Checklist

SailPoint implementations stall when role models are over-engineered, connector strategies skip critical integrations, and go-live readiness is assumed instead of validated. These 13 decision points cover the architecture, governance, and go-live choices where first-time teams get it wrong. Check off each item as you complete it to track your implementation readiness.

0 of 13 completed
0%

SailPoint is the market leader in identity governance, but the tool is only as strong as the implementation behind it. A role model that is over-engineered collapses under its own weight. A certification campaign scoped too broadly produces rubber-stamp approvals. A connector strategy that skips standard connectors creates months of custom development. This checklist covers the 13 decision points where GCA's SailPoint practice sees the most friction, the most rework, and the most avoidable risk.

These are not steps in a process. They are decisions that affect each other. A choice you make about role modeling will reshape your certification campaign design. Check off the items you have completed to track your progress. Expand each item for details and common mistakes.

  • 01

    Identity Population Sizing

    Critical 1-2 weeks (depends on scope) Governance
    +

    Count every identity that SailPoint will govern: employees, contractors, service accounts, shared accounts, and non-employee populations. The number drives connector sizing, task scheduling, database capacity, and licensing.

    Common mistake: Counting only employees and discovering mid-project that contractor populations double the scope.
  • 02

    Application Inventory

    Standard 2-4 hours (single workshop) Governance
    +

    Map every application that needs provisioning, deprovisioning, or access certification. Include the authoritative source (HR system, procurement), target systems (directories, SaaS, databases), and any applications with custom connectors.

    Common mistake: Starting with the "top 20" applications and discovering 80 more during connector development.
  • 03

    Regulatory Scope

    Standard 2-4 hours (single workshop) Governance
    +

    Identify which compliance frameworks apply to your identity program: SOX, HIPAA, PCI-DSS, NERC CIP, NIST 800-53. Each framework has specific requirements for access certification cadence, evidence retention, and segregation of duties.

    Common mistake: Designing governance for "general best practice" and retrofitting regulatory alignment after go-live.
  • 04

    Platform Choice: IIQ vs ISC

    Critical 1-2 weeks (depends on scope) Security
    +

    Decide whether SailPoint IdentityIQ (on-premises) or Identity Security Cloud (SaaS) is the right tool. The decision depends on data residency requirements, existing infrastructure, customization depth, and operational model. This is not a reversible choice mid-deployment.

    Common mistake: Choosing ISC for cost reasons without evaluating the connector gaps for on-premises applications that require Virtual Appliances.
  • 05

    Connector Strategy

    Standard 1-2 weeks (depends on scope) Operations
    +

    For each target application, decide: standard SailPoint connector, custom connector via SDK/ECMA, or file-based integration. Standard connectors are faster to deploy but may not support your application's specific attributes. Custom connectors give full control but add maintenance burden.

    Common mistake: Building custom connectors for applications where the standard connector covers 90% of the use case.
  • 06

    Role Model Design

    Critical 1-2 weeks (depends on scope) Governance
    +

    Decide how you will model access: business roles, application roles, permission roles, or a combination. The role model drives certification campaigns, SoD enforcement, and access request workflows. Over-engineered role models collapse under their own weight. Under-engineered ones produce certification fatigue.

    Common mistake: Building a role model that requires 400 roles for a 10,000-person organization. Start with 30-50 roles and expand based on certification feedback.
  • 07

    Certification Campaign Scope

    Standard 2-4 hours (single workshop) Governance
    +

    Decide who reviews what, how often, and under what regulatory framework. Healthcare organizations scope certifications to PHI-handling applications. Financial services scopes to SOX-relevant systems. Not every application needs quarterly certification.

    Common mistake: Certifying every application on the same cadence, producing reviewer fatigue and rubber-stamp approvals.
  • 08

    Integration Mapping

    Standard 1-2 weeks (depends on scope) Governance
    +

    Map the integrations between SailPoint and adjacent platforms: PAM (CyberArk, BeyondTrust), federation (Ping, Okta, Entra), ITSM (ServiceNow), SIEM (Splunk, Sentinel), and HR systems. Each integration has authentication, data flow, and error handling requirements.

    Common mistake: Treating integrations as Phase 2 work and discovering at go-live that provisioning requires a PAM integration that was never scoped.
  • 09

    AI Governance Configuration

    Critical 1-2 weeks (depends on scope) Security
    +

    Decide whether to enable SailPoint's AI-powered governance features: access recommendations, anomaly detection, and policy suggestions. Configure recommendation thresholds, approval workflows, and exception handling. These features are available in Identity Security Cloud and can augment human governance decisions when tuned correctly. Note: AI governance features are not available in IdentityIQ. IIQ implementations rely on rule-based policies and manual certification workflows.

    Common mistake: Enabling AI features with default thresholds and overwhelming reviewers with low-confidence recommendations that erode trust in the system.
  • 10

    Test Evidence Packages

    Standard 1-2 weeks (depends on scope) Governance
    +

    Before go-live, produce test evidence that satisfies audit requirements: provisioning workflow results, certification behavior validation, SoD policy enforcement, and lifecycle event handling. This evidence must be available on day one of production, not built retroactively.

    Common mistake: Testing the happy path only and discovering failure modes (expired certificates, orphaned accounts, rejected provisioning) in production.
  • 11

    Parallel Run Plan

    Standard 1-2 weeks (depends on scope) Governance
    +

    Run SailPoint alongside your existing access management process for a defined period before full cutover. The parallel run validates correlation, attribute authority, and provisioning accuracy against real production patterns.

    Common mistake: Skipping the parallel run to hit a go-live date, then spending months reconciling discrepancies between SailPoint and the legacy process.
  • 12

    Audit Continuity

    Critical 2-4 hours (single workshop) Operations
    +

    If your organization is under regulatory audit, plan how the certification cadence, SoD enforcement, and evidence stream transition from the legacy process to SailPoint. Regulated organizations cannot pause their compliance program for a tool change.

    Common mistake: Migrating mid-certification-cycle and producing evidence gaps that auditors flag as findings.
  • 13

    Managed Operations Handoff

    Standard 1-2 weeks (depends on scope) Operations
    +

    Decide who operates SailPoint after go-live: internal team, GCA managed services, or hybrid. Define SLAs for connector health monitoring, certification campaign execution, access request queue management, and tool upgrades.

    Common mistake: Treating go-live as the finish line and discovering three months later that no one owns connector failures or certification deadlines.

What GCA Does Differently

These 13 decisions are SailPoint-specific in execution. When GCA is involved, here is how we approach them differently.

GCA scopes the architecture against your identity population, application landscape, and regulatory requirements before any configuration begins. GCA holds SailPoint's Delivery Admiral competency and is rated 4.6 / 5.0 on Gartner Peer Insights based on 32 verified reviews (as of 5/1/2026). Our SailPoint practice covers IdentityIQ, Identity Security Cloud, NERM, and the full IIQ-to-ISC migration path. See our full identity governance practice for the broader IGA landscape beyond SailPoint.

Frequently Asked Questions