The Field Guide
The Field Guide to Identity Governance
A practitioner's path through identity governance, organized by where your team actually is: from running IT off a spreadsheet to governing AI agents. Free, no fluff, no gates.
Where are you on the curve?
1 / 5
Who owns identity at your company today?
The four stages
Stage 1
Just starting
You are running identity off memory and goodwill. Offboarding is a checklist someone half-finishes, access requests live in Slack, and reviews are a spreadsheet you dread. This is the path out, before something falls through the cracks.
Stage 2
Outgrown SSO
Okta or Entra is live and it covers maybe a fifth of your stack. The rest, the apps without SCIM, the internal tools, the contractors, is still manual. This is where identity work actually concentrates, and where SSO stops helping.
Stage 3
Scaling governance
You are past 800 people, audits are real, and someone has floated SailPoint. The question stops being how do we automate this and becomes how do we prove it, and do we actually need enterprise IGA.
Stage 4
Advanced and agentic
Human identity is handled. Now it is service accounts, API keys, and AI agents acting on their own, identities that do not fit the joiner-mover-leaver model and do not wait for an access review. This is the frontier, and most of the field is improvising.
Or start by who you are
It landed on me
CTO, Head of Ops, or founder running IT on the side.
First IT hire / sysadmin
You own IT now, and identity is mostly manual.
Head of IT
SSO is live, but most of the stack is still ungoverned.
Security or GRC
Audits are real and you need to prove access governance.
IAM / IGA engineer
Human identity is handled. Now it's non-human and agents.
Frequently asked questions
Where should I start?
Take the 5-question maturity check, or pick the stage that sounds like your week. If identity recently landed on you and nobody owns IT yet, start with 'IT landed on you.' If you have SSO but most of your apps are still manual, start with Stage 2.
Is this vendor marketing?
It is education first. The guide is built from real operational playbooks and field notes, and most of it is useful no matter what tool you end up using. Iden shows up as the consequence of the thinking, not the point of it.
Is it free, and is anything gated?
Free, and nothing is gated. Every page is open, no email required. Read it, share it, link to it.
Does this work for a mature identity team?
Yes. Stage 3 covers scaling governance and the enterprise-IGA decision, and Stage 4 covers non-human and AI-agent identity, the frontier most teams are improvising on today.