Unlocking Success: Expert IAM Solutions and Insights from GCA

Hidden IAM Costs in New Software: An Insider's Journey

Written by Robert Ivey | June 6, 2025

The Hidden Costs

When organizations invest in new software or SaaS applications, attention tends to center around features, functionality, and return on investment. However, one critical dimension often escapes early scrutiny: Identity and Access Management (IAM). Poor IAM alignment can quietly inflate costs, delay value realization, and expose the organization to governance and security risks.

This lesson came into sharp focus early in my career during a conversation with a CISO at a large healthcare organization. With a tight budget, they were looking to onboard several new applications into their identity management ecosystem. The goals were to streamline provisioning and de-provisioning, and centralize user access through their Identity Provider (IdP) for Single Sign-On (SSO) and Multi-Factor Authentication (MFA).

Unfortunately, many of the target applications lacked APIs and standard methods for automating provisioning, and failed to support standardized SSO protocols. The projected costs to integrate applications like these - to shoehorn them into a centrally managed IAM framework - were substantial. When I asked whether these integration costs had been factored into the initial assessment of the applications, the answer, at the time, was no. That single question led to a broader, more strategic shift.

We initiated a discussion around the creation of a questionnaire, a sort of IAM readiness checklist, that the security team could include in their vendor assessment process before a purchase decision was made. The goal was to embed security into procurement with clear, identity-centric criteria. By asking targeted questions early, they could evaluate and estimate the very real costs associated with the ongoing identity and access management processes required to maintain the application. For instance, if an application did not support any standardized SSO or provisioning - as was the case with several applications under review - it signaled tangible downstream costs. Manual account management would increase the operational workload, while compliance teams would face heightened challenges managing controls for regulatory compliance and security.

The "IAM Burden": When New Software Creates Lasting Headaches & Inflates TCO

That early experience with the healthcare organization was a stark illustration of what I now call the "IAM Burden". When IAM is an afterthought in software acquisition, organizations inevitably face challenges that inflate Total Cost of Ownership (TCO) and diminish ROI:

  • Skyrocketing Provisioning Costs: Without standardized integration (like SCIM for IGA platforms), IT teams are forced into manual user account creation, modification and de-provisioning for each new, disconnected application. These efforts are not only time-consuming and error-prone - they also divert valuable resources from more strategic initiatives.
  • Governance Nightmares: Ensuring "least privilege" and conducting regular access certifications (a core IGA function) becomes a Herculean task. Manually tracking entitlements across disparate systems makes audits painful, increases the risk of compliance failures, and leaves security gaps wide open - especially when users change roles or leave the company.
  • User Access Friction & SSO Platform Incompatibility: If a new application doesn't natively support modern authentication standards (like SAML/OIDC) for integration with an existing SSO platform, users face yet another set of credentials, leading to password fatigue and insecure practices. This kind of incompatibility can also stall broader initiatives—like transitioning to passwordless authentication—by requiring teams to maintain outdated, less secure login methods for that application.
  • Hindered MFA Enforcement: Without proper SSO integration, it becomes difficult to consistently enforce MFA policies—introducing weak points in security posture and slowing progress toward a passwordless future.
  • Custom Integration Headaches: In an attempt to bridge these gaps – a costly route the healthcare CISO was trying to avoid – organizations might resort to building custom integrations. These are often expensive to develop, brittle to maintain, and can break with software updates, creating long-term technical debt.
  • Delayed Time-to-Value: Manual IAM processes extend the time it takes for users to gain secure access, delaying adoption and slowing the realization of the software’s intended value.

Essentially, the operational overhead and security risks associated with poorly integrated IAM can significantly diminish, or even negate, the expected ROI - turning what seemed strategic into a persistent operational "IAM burden".

The Solution: Strategic Vendor Evaluation for Seamless IAM Integration

The conversation with the healthcare CISO made it clear: the vendor assessment process presents a strategic opportunity to prevent these IAM burdens. When standardized IAM integration becomes a core criterion during evaluation, vendors are more likely to deliver solutions that align with the organization’s existing identity infrastructure. This level of foresight is crucial because the costs associated with manual IAM processes and custom integrations for non-compliant software directly inflate the TCO.

Leverage Standards for Clean Integration:

  • SCIM for Identity Governance & Administration (IGA) Platforms: Prioritize vendors who support System for Cross-domain Identity Management (SCIM). SCIM is an open standard that allows for the automation of user provisioning (creation, updates, deactivation) directly from an IGA solution to the target application.
    • Benefit: Drastically reduces manual effort for user lifecycle management, ensures consistency with IGA policies, speeds up onboarding/offboarding, and streamlines access certification processes. This "clean integration" means governance processes aren't compromised by new software.
  • Just-in-Time (JIT) Provisioning: Look for applications that support JIT provisioning, often facilitated through SAML assertions during the SSO process. With JIT, a user account is automatically created in the application the first time a user attempts to log in via SSO.
    • Benefit: Simplifies initial onboarding by creating accounts on-demand, reduces the need for pre-provisioning all potential users, and can work in tandem with, or as an alternative to, full SCIM integration for certain use cases.
  • Active Directory (AD) Integrated Authorizations: For applications that manage roles and permissions internally, inquire if they can leverage existing Active Directory group memberships to control authorizations. 
    • Benefit: Allows management of application-level permissions using familiar AD groups and tools, centralizing authorization management and reducing the need to manage entitlements separately within each application. This ensures consistency with established AD-based role structures.
  • SAML/OIDC for your SSO Platform: Mandate support for Security Assertion Markup Language (SAML) or OpenID Connect (OIDC) for Single Sign-On. These standards enable seamless integration with an organization's existing SSO platform and Identity Provider (IdP). 
    • Benefit: Gives users a single authentication path through the central IdP instead of another set of credentials. An internal, directory-bound tool may get by without federation, but for SaaS and cloud applications SAML/OIDC is generally preferred for better security posture, centralized control, and scalability. Assess this based on the application's deployment model and the organization's overall IAM strategy.
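The SCIM provisioning and JIT login flows described in the list above, as an added example that is not GCA's code and not any vendor's API: a Python sketch of the IGA side of a SCIM 2.0 integration, run against an in-memory stand-in for an application's /Users endpoint. It drives joiner, mover, rehire and leaver changes from a constructed HR feed, and models a JIT-provisioning login that creates the account from assertion attributes on first SSO while refusing a governance-deactivated account. The schema URNs are the ones defined in RFC 7643/7644; the HR feed columns, the assertion attribute names and the sample users are assumptions.

```python
from __future__ import annotations

import uuid

# Schema URNs from RFC 7643 / RFC 7644. The store below is a constructed
# stand-in for a target application's SCIM endpoint, not a real product.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimUserStore:
    """In-memory model of a target application's SCIM 2.0 /Users resource."""

    def __init__(self) -> None:
        self._users: dict[str, dict] = {}

    def create(self, resource: dict) -> dict:
        """POST /Users: reject a missing schema or a duplicate userName (SCIM 409 uniqueness)."""
        if USER_SCHEMA not in resource.get("schemas", []):
            raise ValueError("missing core User schema")
        if self.find_by_username(resource["userName"]) is not None:
            raise ValueError("uniqueness: userName already exists")
        user = {**resource, "id": str(uuid.uuid4())}
        user.setdefault("active", True)
        self._users[user["id"]] = user
        return user

    def patch(self, user_id: str, patch: dict) -> dict:
        """PATCH /Users/{id}: only 'replace' on a top-level attribute is modelled."""
        if PATCH_SCHEMA not in patch.get("schemas", []):
            raise ValueError("missing PatchOp schema")
        user = self._users[user_id]
        for op in patch["Operations"]:
            if op["op"].lower() != "replace":
                raise ValueError(f"unsupported op: {op['op']}")
            user[op["path"]] = op["value"]
        return user

    def find_by_username(self, username: str) -> dict | None:
        """GET /Users?filter=userName eq "<name>" (userName is case-insensitive per RFC 7643)."""
        for user in self._users.values():
            if user["userName"].lower() == username.lower():
                return user
        return None

    def active_usernames(self) -> set[str]:
        return {u["userName"] for u in self._users.values() if u["active"]}


def reconcile(store: ScimUserStore, hr_feed: list[dict]) -> dict[str, list[str]]:
    """Joiner / mover / leaver sync, the IGA side of a SCIM integration.

    hr_feed is the authoritative list of current employees (assumed columns:
    userName, givenName, familyName, title). Anyone active in the application
    but absent from the feed is a leaver and is deactivated, not deleted, so
    the account's history remains available for audit.
    """
    outcome: dict[str, list[str]] = {"created": [], "updated": [], "deactivated": []}
    current = {row["userName"] for row in hr_feed}
    for row in hr_feed:
        existing = store.find_by_username(row["userName"])
        if existing is None:  # joiner
            store.create({
                "schemas": [USER_SCHEMA],
                "userName": row["userName"],
                "name": {"givenName": row["givenName"], "familyName": row["familyName"]},
                "title": row["title"],
            })
            outcome["created"].append(row["userName"])
            continue
        ops = []
        if not existing["active"]:  # rehire: reactivate instead of creating a duplicate
            ops.append({"op": "replace", "path": "active", "value": True})
        if existing.get("title") != row["title"]:  # mover: role change flows to the app
            ops.append({"op": "replace", "path": "title", "value": row["title"]})
        if ops:
            store.patch(existing["id"], {"schemas": [PATCH_SCHEMA], "Operations": ops})
            outcome["updated"].append(row["userName"])
    for username in sorted(store.active_usernames() - current):  # leavers
        store.patch(store.find_by_username(username)["id"], {
            "schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}],
        })
        outcome["deactivated"].append(username)
    return outcome


def jit_login(store: ScimUserStore, assertion_attrs: dict) -> dict:
    """JIT provisioning on SSO: create the account on first login from the
    assertion (NameID plus assumed attribute names), but never let an SSO
    login resurrect an account that governance has deactivated."""
    username = assertion_attrs["NameID"]
    user = store.find_by_username(username)
    if user is None:
        user = store.create({
            "schemas": [USER_SCHEMA],
            "userName": username,
            "name": {"givenName": assertion_attrs.get("givenName", ""),
                     "familyName": assertion_attrs.get("familyName", "")},
            "title": assertion_attrs.get("title", ""),
        })
    if not user["active"]:
        raise PermissionError(f"{username}: account deactivated, SSO login refused")
    return user
```

The design point worth noticing is the asymmetry between the two paths: JIT creates accounts but has no way to remove them, so an application that offers only JIT still needs a SCIM feed (or the `reconcile` step above) before offboarding is anything more than a hope that the IdP blocks the next login. That gap is exactly the manual de-provisioning cost the checklist is meant to surface.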

Proof in Practice: The Long-Term Dividends

That engagement with the healthcare CISO marked the first time I’d been directly involved in creating such a process, and at the time, it felt somewhat novel. Today, I’m glad to say that once-uncommon approach is now increasingly considered an industry best practice. It’s gratifying to see so many organizations embedding security and IAM considerations into the vendor evaluation phase. I regularly interface with security leaders who are included early in application evaluation and vendor onboarding prior to acquisition.

I recently sat down with the CISO of another organization whose approach to IAM evaluation was both rigorous and deeply embedded. For years, their team has taken a firm stance on requiring industry-standard SSO protocols (such as SAML or OIDC) and standardized provisioning methods like SCIM - or, at minimum, robust API support for integration with their IGA tools. The impact of those long-standing practices was clear. The majority of their application portfolio integrates cleanly with their IGA and Identity Provider systems. Operational efficiency for user lifecycle management is high and compliance controls are executed with very little difficulty. 

It was refreshing and validating to see such clear proof that these proactive IAM practices do, indeed, pay significant dividends over time. The initial effort to assess and demand standards had translated into years of reduced operational friction, lower TCO for their applications, and a stronger, more consistent security posture. These results aren’t coincidental. They reflect the benefits of embedding IAM strategy into procurement from the outset. Fortunately, security teams are now more frequently included in procurement discussions, equipped with standards-based evaluation tools that spotlight hidden IAM costs before they become long-term liabilities.

Maximizing ROI by Removing IAM Roadblocks

The success story above powerfully illustrates what happens when IAM is treated as a forethought, rather than an afterthought. By embedding IAM standards into your vendor selection criteria, you ensure that new software solutions:

  • Integrate Smoothly: Reduce the need for costly, custom, and manual workarounds, positively impacting Total Cost of Ownership (TCO).
  • Enhance Security & Compliance: Leverage your existing IGA and SSO platform investments to maintain a consistent security posture and simplify audits.
  • Improve User Productivity: Deliver seamless SSO experiences so users gain access quickly and securely.
  • Reduce IT Operational Costs: Automate provisioning and de-provisioning, freeing up IT staff.
  • Accelerate Time-to-Value: Minimize onboarding delays so new applications start delivering value faster.

This proactive approach does more than avoid common IAM pitfalls—it enhances the long-term value of your software investments by ensuring security, compliance, and operational efficiency are built in from the start.

While SCIM is a powerful tool for IGA integration, it's important to recognize that not all vendors will support it natively. Other effective methods—such as Active Directory integration and Just-in-Time (JIT) provisioning via SAML/OIDC—can still deliver strong results. IAM integration exists on a sliding scale, and while SCIM, AD integration, and JIT are generally the most effective, alternatives do exist, though they may not be as efficient.

By thoroughly assessing a vendor's IAM capabilities, including their support for SSO standards like SAML/OIDC and their provisioning methods, you can make informed decisions that protect your investment and minimize future integration complexity. A well-integrated software solution is a strategic asset, while a poorly integrated one can quickly become a costly liability.

Navigating IAM decisions can be complex and challenging, but you don't have to do it alone. As your partner, GCA can help you understand your specific needs and recommend the best approach by helping to assess your environment, identify optimal integration methods, and build a plan that maximizes ROI while keeping TCO in check. Let's work together to find the right balance on that sliding scale of integration options.