Frequently asked questions
Straight answers about Iden: what it is, what it costs, how fast it deploys, and how it governs access across your whole stack. Iden is identity governance for companies of 50 to 2,000 people. It automates onboarding, offboarding, and access reviews across every app, including the ones without SCIM, from $7.50 per user per month.
Identity governance basics
What is identity governance (IGA)?
Identity governance is how you control who has access to what, prove it, and keep it correct over time. It covers provisioning, offboarding, access reviews, and the audit trail behind them. SSO logs people in. IGA decides what they should reach and shows you can back it up.
What's the difference between IGA and IAM?
IAM asks 'can this person log in.' IGA asks 'should this person have this access, and can we prove it.' IAM handles authentication and SSO. IGA handles the lifecycle: provisioning, reviews, deprovisioning, and evidence. Most teams run both. Iden is the governance layer on top of your IAM.
Do we need IGA if we already have Okta or Entra?
Yes, for most of your stack. Okta and Entra handle login and provision the apps that support SCIM. The rest gets governed by hand: tickets, spreadsheets, offboarding checklists. Iden covers those apps and adds the access reviews and audit evidence Okta and Entra don't.
Stay on Okta SSO, add Iden on topAfter Okta, the work that's just starting
When does a company actually need identity governance?
Usually when manual stops holding. The signals: your first SOC 2 or ISO audit, offboarding that misses apps, access reviews run in spreadsheets, or a stack that outgrew what one person can track. Most teams hit this somewhere between 50 and a few hundred people.
Coverage and the SCIM tax
Does Iden work with apps that don't support SCIM?
Yes. That's the whole point. Iden governs apps whether they support SCIM, only have an API, or have neither, using our custom automation framework and custom connectors where SCIM doesn't reach. No enterprise upgrade required. If we don't have a connector for your app yet, we ship it in 48 hours.
Provisioning non-SCIM apps, without the ticketsBrowse connectors
What is the SCIM tax?
The SCIM tax is what vendors charge to turn on provisioning. Most apps gate SCIM behind their enterprise plan, so automating access means upgrading every user to a pricier tier. Iden skips it. We provision apps on any plan, including standard. The SCIM Tax Index has the per-vendor math.
Do I need SCIM if I already have SSO?
SSO logs people in. It doesn't provision or remove their access inside every app. SAML with just-in-time creates an account on first login but never deletes it, so people keep access after they leave. Iden handles the provisioning and offboarding SSO leaves open, SCIM or not.
How many apps does Iden connect to?
200+ connectors today, SCIM by default, and growing. They cover HRIS, developer tools, collaboration, finance, security, and the long tail of internal and legacy systems. Every connector is included in the price. No per-connector fees.
What if you don't have a connector for our app?
We build it, usually in 48 hours, at no extra cost. Iden connects over SCIM, API, or its custom automation framework, so an app with no SCIM and no clean API still gets covered. You never pay per connector.
Does Iden replace Okta or Entra, or run alongside them?
Alongside. Nothing gets replaced. Keep your SSO for login and MFA. Iden sits on top as the governance layer: provisioning across the full stack, access reviews, clean offboarding, and audit evidence. It works with Okta, Entra, Google Workspace, and JumpCloud.
Stay on Okta SSO, add Iden on topIden vs Okta Identity Governance
Pricing and ROI
How much does Iden cost?
Iden starts at $7.50 per user per month, with volume discounts as headcount grows. All 200+ connectors are included. No per-connector fees, no SCIM tax, no professional services bill. Run your numbers on the ROI calculator.
Do I pay extra per connector or for non-SCIM apps?
No. Every connector is included, SCIM or not. Non-SCIM apps cost the same as SCIM ones, and custom connectors ship in 48 hours at no charge. One per-user price covers your whole stack.
Is there a free trial?
Yes. Two-week trial, no commitment. Connect your stack, run a real offboarding, and see it work before you decide anything.
How fast do teams see ROI?
Often within the first month, from reclaimed SaaS licenses alone. Every seat you were still paying for after someone left shows up fast, before you even count the IT hours saved on provisioning, reviews, and audit prep.
Deployment and effort
How long does Iden take to deploy?
Days, not months. Your first 15 apps connect in under an hour. Most teams have their full stack running in a week or two. There's no six-month rollout and no systems integrator.
Do I need a dedicated IAM admin to run Iden?
No. Iden is built for lean IT teams with no dedicated identity hire. Once policies are set, they run on their own, so one IT generalist can own it alongside everything else. That's the design, not a workaround.
What does getting started actually involve?
Connect your HR system as the source of truth, connect your apps, define who gets what by role, and turn on the workflows. First 15 apps in under an hour, the rest over a week or two. Then onboarding, offboarding, and reviews run automatically.
Offboarding and deprovisioning
How do I make sure a leaver loses access everywhere, not just in SSO?
Disabling the SSO account only blocks login for connected apps. It leaves the rest: standalone tools, non-SCIM apps, tokens, and shared logins. Iden revokes across every connected app in seconds, including the ones outside SSO, and flags anything that needs a manual step.
How do I know an offboarding is actually complete?
Every action Iden takes is logged with a timestamp. Because Iden connects to your whole stack, offboarding is clean, complete, and provable. You can show exactly what was revoked and when, per person and per app.
The end of hope-based offboardingSOC 2 CC6 evidence checklist
How do I automatically expire a contractor's access?
Set the end date when you grant access. Iden revokes it automatically when the date hits or the project closes, so contractor access doesn't linger for months. You get a heads-up before it expires, and a record proving it ended on time.
Onboarding, access reviews, and cleanup
How do I give new hires day-one access automatically?
Define access by role once. When your HR system says someone starts, Iden provisions their apps before day one based on that role. No ticket, no waiting, no guessing what a new marketer or engineer should get. This is birthright access.
How do I run a user access review without spreadsheets?
Iden pulls every user and entitlement across your apps, routes each to the right reviewer, captures approve or revoke with a timestamp, and executes the revocations. No CSV exports, no chasing managers, no rubber-stamping. The evidence is ready for the auditor when the cycle closes.
How do I strip old access when someone changes roles?
Role changes are where access piles up. People collect permissions and nobody removes the old ones. Iden compares access to the new role, flags what no longer fits, and revokes it, so an internal transfer doesn't leave someone carrying two jobs' worth of access.
How do I find orphaned accounts and accounts nobody owns?
Iden matches accounts against your HR source and surfaces the ones with no active owner: ex-employees, stale logins, and service accounts nobody claims. You see what's still enabled, then assign an owner or shut it down, before an auditor or an attacker finds it first.
How do I replace access requests living in Slack DMs and tickets?
Iden gives you a real request-and-approval workflow. People request access, the right approver signs off, and Iden grants it with the scope and expiry attached. Every request keeps a record: who asked, who approved, and why. No more DMs and lost tickets.
Compliance, security, and audit
What compliance frameworks does Iden help with?
SOC 2, ISO 27001, and HIPAA, mainly. Iden produces the access-control evidence each one asks for: who had access, who approved it, and proof that leavers were removed. It maps to SOC 2 CC6, ISO 27001 A.5.18, and HIPAA access requirements.
How do I prove an access review to an auditor?
Iden records each review as it happens: the reviewer, the date, the systems covered, the decision, and what got revoked as a result. That's the dated, signed evidence auditors accept, not a cropped screenshot or a spreadsheet they'll pick apart.
Is Iden secure? Do you store our credentials?
Iden's connectors do not store your users' login credentials. Iden connects with scoped access to govern who can reach what, and logs every action it takes. It governs access. It isn't a place your passwords live.
AI agents and agentic IGA
What is agentic IGA?
Agentic IGA has two halves: AI does the governance work, and the AI agents themselves get governed. Iden runs the full lifecycle across your stack, from connecting every app to provisioning, reviews, and revocation, plus the insights and recommendations that tell you what to fix. And it treats agents as real identities, with access, an owner, an expiry, and an audit trail. The whole spectrum, not a feature bolted on.
What makes an IGA tool actually agentic, and not a chatbot with an AI badge?
The full lifecycle is the test. Something agentic acts: it connects every app, provisions and revokes on its own, watches access over time, recommends what to fix, and proves it to an auditor. A chat box that answers an access request and closes a ticket does none of that. Most tools calling themselves agentic stop at the request. That's an AI sticker, not governance.
Can Iden govern AI agent access?
Yes. AI agents get access the way employees do, but with no HR record and no offboarding trigger. Iden governs what an agent can reach, who owns it, and when its access ends, so an agent someone spun up doesn't outlive them in your systems.
Can Iden govern service accounts and non-human identities?
Yes. Service accounts, API keys, and bots are identities too, and they're usually the ones nobody owns. Iden inventories them, assigns an owner, includes them in access reviews, and revokes them when they're no longer needed, the same as human accounts.
What happens to the AI agents and tokens someone created when they leave?
That's the gap most offboarding misses. People spin up agents, API keys, and integrations under their own account, and those keep running after they go. Iden ties non-human identities back to an owner, so when someone leaves, the agents and tokens they created get flagged and revoked with them, not left running headless.
How Iden compares
How is Iden different from legacy IGA like SailPoint or Saviynt?
SailPoint and Saviynt are built for large enterprises: six-figure starts, long rollouts, and a team to run them. Iden does the same governance for companies of 50 to 2,000, at $7.50 a user, live in days, with no dedicated admin. Same job, without the enterprise weight.
How is Iden different from AI help-desk tools like Console or Atomicwork?
Those tools are good at answering IT tickets and granting access fast. But granting access isn't governing it. They don't run certifications, enforce expiry across the full stack, or produce audit evidence. Keep the help desk for tickets, and add Iden for the governance underneath.
How does Iden compare to Lumos or ConductorOne?
They're modern IGA tools like Iden, aimed at similar teams. Iden's difference is coverage and price: full governance across non-SCIM apps with no enterprise upgrade, service accounts and AI agents included, running alongside your SSO, from $7.50 a user. The vs pages compare them directly.
Still have a question?
Email us and a real person answers, or see it run on your own stack.
Last updated July 2026