Book demoEN

After Okta, the work that's just starting

What teams find in the first months after deploying Okta. The gaps Okta leaves by design, the work that needs to happen next, and how to scope the next 90 days of identity work.

6 min read · Last updated June 2026

Six weeks ago you deployed Okta. The login screens are clean. The SSO works for the apps that support it. The team trusts it more than they trusted whatever was happening before. The deployment project is closed. You're done.

Then you start using it. The first thing you notice is the apps Okta doesn't reach. Then you notice that "reach" is doing a lot of work in that sentence. Some apps are SCIM-supported but only on enterprise plans you don't have. Some apps have an Okta SAML connection but no provisioning. Some apps are internal and were never on Okta's catalog to begin with.

By month three you have a list of gaps and a CEO who's asking why governance isn't governed. This is the post-Okta-deployment moment. The work isn't done. It's just starting. The next 90 days are where most companies decide whether to finish it, or to kick the can down to whoever inherits the system in eighteen months.

What Okta gave you

Worth naming explicitly. The deployment delivered four things.

Federated authentication. SAML and OIDC for the apps that support either. SSO across the long catalog of integrations Okta maintains. Users get one set of credentials instead of forty.

MFA enforcement. Centrally configured, applied across all federated apps. The most important security baseline a company gets from SSO.

A directory of users. Okta becomes the system of record for who exists, what groups they belong to, what apps they can authenticate against.

Some provisioning. Where apps expose SCIM at the plan tier you're paying for, Okta creates, modifies, and deactivates users automatically. Plus Lifecycle Workflows for orchestrating multi-step automations across the SCIM-supported set.

These are real. They're the right foundation. The deployment was a good decision.

What Okta doesn't do

The gaps aren't bugs. They're scope decisions Okta made early and shipped consistently. Understanding them isn't disparaging Okta. It's understanding where the identity work stops being Okta's problem.

The 80% of apps Okta can't reach via SCIM. The mid-market SaaS stack is roughly 20% SCIM-supported at standard plan tiers. The remaining 80% includes Notion, Linear, Asana, Miro, most internal admin panels, most legacy systems, every app on a standard plan that gates SCIM behind enterprise. Okta SSO can federate logins to these. Okta lifecycle can't provision them.

Group-level governance only. Okta certifications and access reviews operate at the Okta Group level. Whether someone is in the "Engineers" group, not whether they should have admin on a specific staging environment or write access to a specific repo.

Contractor lifecycle as a Workflows DIY. Okta doesn't model contractors as a first-class identity. You build it with Workflows, or you don't have it.

Non-human identity outside ISPM. Okta's Identity Threat Protection provides observability over Okta-managed assets. It doesn't extend to lifecycle for service accounts, API keys, OAuth grants, or AI agents.

Access review scale. Okta IGA (the add-on) caps at two reviewer levels and 250 apps per certification campaign. The action is remove-only.

Audit evidence assembly. Okta exports CSVs. Pushing continuous evidence into Drata, Vanta, or Secureframe with control mapping is work that lives downstream of Okta.

If you bought Okta, you got the first column. The second column is what teams typically discover in the first 90 days.

The 90-day decision tree

The post-deployment period is where the most consequential identity choices get made or deferred. Three forks.

Fork 1: how to govern the non-SCIM 80%

Three options.

Manual processes. Spreadsheet access reviews, Slack-based access requests, runbook offboarding for the non-SCIM apps. Common for companies under 200 employees. Works until it doesn't, usually around the first compliance audit.

Workflow buildout. Lifecycle Workflows for as many non-SCIM apps as can be cobbled together. Custom code via Workflows API for the rest. High maintenance, high vendor lock-in (Okta-specific work that doesn't move if you change SSO).

Dedicated IGA layer. A tool sits on top of Okta and handles governance for the apps Okta doesn't reach. This is the category Iden lives in.

The choice depends on stack complexity, compliance pressure, and how much engineering bandwidth you can defend for identity work. Most teams between 50 and 500 employees end up at the third option within twelve months of the Okta deployment.

Fork 2: contractor and NHI lifecycle

Decide whether contractors and non-human identities are in scope for identity governance from day one. If yes, neither Okta SSO nor Okta IGA models them as first-class identities. You need a layer that does.

If you defer, the cost is that the contractors and the agents accumulate as ungoverned identities. The remediation later is harder than the prevention now. For AI agents specifically (Claude Code, Cursor, custom agents, MCP servers), the lifecycle problem compounds faster than for service accounts: see the AI agent governance pillar and the deeper Anthropic framework gaps walkthrough.

Fork 3: compliance evidence path

If you have a SOC 2, ISO 27001, or HIPAA program (current or upcoming), decide who owns the evidence pipeline. Drata, Vanta, and Secureframe handle the framework side. Okta exports CSVs that someone has to package for those platforms. Iden and similar tools push continuous evidence with control mapping automatically.

Compliance teams discover this gap at audit prep. Best to make the choice before the gap shows up under deadline pressure.

Common patterns we see in the field

A few configurations of the post-Okta state.

The Workflows-as-bandage path. Team uses Lifecycle Workflows extensively to compensate for missing SCIM coverage. By month six, the Workflows team has fifty flows in production and a queue of bugs. By month twelve they've quietly started looking for what Iden does.

The "we'll get to it" path. Manual processes for the non-SCIM apps, with the team assuming the gap will close naturally. It doesn't. The audit findings or the headcount-growth wall forces the decision twelve months later, often during a quarter that needed to be quiet.

The early-IGA path. Team adds an IGA layer within 60 days of the Okta deployment. Usually because someone on the team has been through this before. The Okta deployment doesn't get celebrated as the finish line. It gets celebrated as Phase 1 of 2.

The hybrid Okta IGA + dedicated tool path. Some teams add Okta IGA for the SCIM-supported certifications and a dedicated layer for the rest. Common when the team is already comfortable in Okta's UI and wants the consolidation in one vendor for the parts Okta covers well.

Where Iden fits

Iden is the layer most teams need but didn't know to scope at deployment time. It plugs into Okta as the IdP, reads the HRIS, and runs governance across the apps Okta can't reach via SCIM. The Workflows you built for actual business logic stay. The Workflows you built to compensate for missing connectors retire.

If you're past the Okta deployment and looking at the gap list, the work isn't to redo authentication. It's to add the governance layer Okta wasn't designed to be. The next 90 days is when most teams make that call.

Frequently asked questions

We just deployed Okta. How long do we have before the gaps become a problem?

It depends on stack complexity and compliance timeline. For 200+ employee companies with 30+ SaaS apps and SOC 2 within 12 months, the gaps become operational pain within 6 to 8 weeks. For smaller, less compliance-pressured teams, the runway is longer. Most teams notice the friction in the first quarter post-deployment.

Should we have known about these gaps before deploying Okta?

Some of them, yes. Okta's coverage limits and the SCIM tax are widely documented. But most teams discover the depth of the gap only after the deployment, because that's when the actual provisioning work hits the long tail of non-SCIM apps. The gap exists at deployment. The felt gap shows up after.

Can we just use Lifecycle Workflows to fill the gap?

For some apps, yes. Workflows handles cross-app orchestration for SCIM-supported apps and can fire Jira tickets for the rest. Where it breaks: the Jira ticket is a notification, not provisioning. Someone still has to do the work by hand. Workflows scales to maybe 10-20 custom flows before the maintenance burden compounds.

Is Okta IGA the answer for the gap?

Partially. Okta IGA adds certification workflows for SCIM-supported apps. It doesn't extend coverage to non-SCIM apps. It still operates at group level. For teams where the gap is primarily certifications (not coverage), Okta IGA is a real option. For teams where the gap is coverage, Okta IGA is a partial solution at a premium price.

We're a small team (under 50 people). Is this still relevant?

Less urgently. Under 50 employees with fewer than 20 SaaS apps, manual processes are usually fine. The gap becomes acute around 50 to 100 employees, or 20+ apps, whichever comes first.

What's the typical timeline from Okta deployment to adding an IGA layer?

Most teams that end up adding an IGA layer do so within 6 to 18 months of the Okta deployment. The trigger is usually a compliance event, a near-miss, or a headcount milestone (200, 300, 500 employees).

We're choosing between Okta and Entra. Does this change the post-deployment story?

Not materially. Entra has similar SCIM-coverage limits and similar group-level governance limits. The IGA gap exists with both SSOs. Choose between Okta and Entra on authentication strength, ecosystem fit, and bundling. The governance question is separate.

What if we never plan to govern non-SCIM apps?

Most companies do plan to, even if they don't articulate it yet. The first compliance audit or the first near-miss involving access usually forces the decision. The companies that genuinely don't need IGA are usually under 50 employees or in industries without compliance pressure.

How much does adding an IGA layer cost compared to the Okta deployment?

For Iden specifically, $7.50 per user per month flat, all connectors included, no add-ons. For most mid-market companies, the cost is comparable to or less than the upgrade math on getting SCIM unlocked across 10 to 15 apps that gate it behind enterprise plans. Often the SaaS spend reclamation from license cleanup covers the cost.

We just deployed Entra, not Okta. Same advice?

Same advice. The gaps Entra leaves (non-Microsoft apps, fine-grained governance, contractors, NHIs) are similar to Okta's. The works-with/entra-id and migrate paths differ, but the post-deployment decision tree is the same.

Related

Provisioning non-SCIM apps, without the tickets

Most identity tools stop at the apps with SCIM. That's about 20% of the average stack. How to provision the other 80%, end to end, without the manual queue.

Jun 2026

The end of hope-based offboarding

Most offboarding fails because tools were never built to reach the apps that matter. What zero-touch offboarding actually means, why most automation breaks, and what a working flow looks like on the day someone leaves.

May 2026

User access reviews, finally with teeth

Why most access reviews fail audit, what a working quarterly cycle looks like, and how to get continuous evidence for SOC 2, ISO 27001, and HIPAA.

Jun 2026