What Is Identity Governance — And Why I'm Learning SailPoint

A practical introduction to Identity Governance and Administration (IGA), why enterprises need SailPoint, and why I chose this as my entry into cybersecurity.

The Problem Nobody Talks About

Every large organisation has thousands of employees. Each employee needs access to dozens of systems — email, databases, HR portals, finance applications, cloud services. Managing who has access to what, why they have it, and whether they should still have it is one of the most underestimated problems in enterprise security.

Get it wrong and you get breaches like the MGM Casino attack in 2023 — where attackers exploited identity and access management failures to take down a billion-dollar operation. Get it right and you have a provable, auditable, compliant identity programme that keeps regulators happy and attackers out.

This is the problem I am learning to solve. And SailPoint is how.


What Is Identity Governance and Administration (IGA)?

Identity Governance and Administration is the discipline of managing digital identities across an organisation — who they are, what they can access, and whether that access is appropriate.

It answers four fundamental questions:

  1. Who has access to what?
  2. How did they get that access?
  3. Should they still have it?
  4. Can you prove all of this to an auditor?

IGA goes beyond basic Identity and Access Management (IAM). Where IAM handles authentication and basic access control, IGA adds governance — policies, compliance, audit trails, and lifecycle automation.


The Three Problems IGA Solves

1. The Joiner Problem

A new employee joins the company. They need access to fifteen systems before their first day. Without IGA — IT manually creates accounts across every system. It takes days. Some systems get missed. The new employee sits idle waiting for access.

With SailPoint — the moment HR creates the employee record, SailPoint detects the new identity, evaluates their role and department, and automatically provisions the correct access across all connected systems. Done before they walk in the door.

2. The Mover Problem

An employee moves from Finance to Marketing. Their Finance access should be removed. Their Marketing access should be granted. Without IGA — this rarely happens cleanly. Old access accumulates over time. This is called privilege creep — and it is a massive security risk.

With SailPoint — attribute change detected, old role removed, new role assigned, access adjusted automatically. Clean every time.

3. The Leaver Problem

An employee resigns or is terminated. Every single account across every single system must be disabled immediately. Without IGA — IT tries to remember every system the person had access to. Accounts get missed. Orphaned accounts sit active for months. A disgruntled former employee — or an attacker who found their credentials — can still log in.

With SailPoint — termination detected, all access revoked across all systems simultaneously. Complete in seconds. Provable to auditors.
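To make the joiner, mover and leaver problems concrete, here is an added example (not SailPoint code and not part of the original post) of the reconciliation an IGA platform automates: comparing the access each identity actually holds against what the HR record and role model justify. The identities, entitlement names and role model are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data. HR feed is the authoritative source: identity -> (department, status).
HR = {
    "alice": ("Finance", "active"),
    "bob": ("Marketing", "active"),      # moved from Finance last month
    "carol": ("Finance", "terminated"),
    "dave": ("Marketing", "active"),     # joined this week
}
# Hypothetical role model: department -> entitlements that role grants.
ROLE_MODEL = {
    "Finance": {"erp:ledger_read", "erp:payments", "mail:user"},
    "Marketing": {"crm:campaigns", "mail:user"},
}
# Account inventory aggregated from target systems: (owner, entitlement, enabled).
ACCOUNTS = [
    ("alice", "erp:ledger_read", True), ("alice", "erp:payments", True), ("alice", "mail:user", True),
    ("bob", "crm:campaigns", True), ("bob", "mail:user", True),
    ("bob", "erp:payments", True),        # left over from Finance
    ("carol", "erp:ledger_read", True),   # never disabled after termination
    ("carol", "mail:user", False),
    ("svc_old", "erp:payments", True),    # no matching HR record
]

def reconcile(hr, role_model, accounts):
    """Compare actual access with what the HR record and role model justify."""
    findings = defaultdict(list)
    held = defaultdict(set)
    for owner, ent, enabled in accounts:
        if not enabled:
            continue  # disabled accounts grant nothing
        record = hr.get(owner)
        if record is None:
            findings["orphaned"].append((owner, ent))       # no owner in HR
        elif record[1] != "active":
            findings["leaver_active"].append((owner, ent))  # leaver problem
        else:
            held[owner].add(ent)
    for person, (dept, status) in hr.items():
        if status != "active":
            continue
        expected = role_model.get(dept, set())
        for ent in sorted(held[person] - expected):
            findings["privilege_creep"].append((person, ent))  # mover problem
        for ent in sorted(expected - held[person]):
            findings["missing_access"].append((person, ent))   # joiner problem
    return dict(findings)

if __name__ == "__main__":
    print(reconcile(HR, ROLE_MODEL, ACCOUNTS))
```

Each finding category maps to one of the problems above, and the output doubles as the evidence an auditor would ask for.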


What Is SailPoint?

SailPoint is the market leader in enterprise Identity Governance and Administration. Founded in 2005, it is used by Fortune 500 companies, banks, hospitals, and government agencies globally.

It has two main products:

SailPoint Identity Security Cloud (ISC) — formerly called IdentityNow. Cloud-based SaaS platform. API-first architecture. This is what I am learning and working with.

SailPoint IdentityIQ (IIQ) — on-premise solution. Highly customisable. Still widely deployed in large complex enterprises.


Why I Am Learning SailPoint

I am currently interning at a security consultancy that implements SailPoint ISC for enterprise clients. My mentor — an IITian with years of SailPoint implementation experience — is guiding me through real client work.

This puts me in a position most people entering cybersecurity never reach this early — working on real enterprise security implementations rather than simulated lab environments.

The IAM/IGA space is genuinely undersupplied with skilled professionals. Companies like Deloitte, Accenture, IBM Security, and TCS Digital Security actively hire SailPoint engineers. The demand globally is strong and growing.

But more importantly — identity is at the centre of every serious security incident. Understanding how identities are managed, governed, and attacked is foundational knowledge for any serious security professional.


What’s Next

Over the coming months I will document everything I learn about SailPoint ISC — the architecture, the implementation patterns, the API integrations, and the real-world challenges of enterprise IAM.

Alongside that I am building skills in web application security, penetration testing, and Active Directory security — the technical foundation that makes identity security meaningful.

This blog is where I document all of it. Honestly. Technically. Without the fluff.

If you are also learning SailPoint or entering the IAM space — follow along. We are probably on similar paths.


Resources to Start Learning


This is my first post. I am just getting started. Expect it to get more technical from here.

This post is licensed under CC BY 4.0 by the author.