8 things to consider when acquiring an IAM solution
Procuring an Identity and Access Management (IAM) solution is a strategic decision with implications far beyond the IT department. A misstep can lead to security gaps, frustrated users, and unnecessary complexity. Here are eight considerations to help you make the right choice — both now and in the future.
Who are the users — and what do they need access to?
B2C users
B2C users — such as private customers, patients, or association members — typically register themselves and are not linked to the IAM system through a shared organization ID. This requires a solution that supports self-service registration, consent management, and easy login — typically provided through a CIAM (Customer IAM) platform.
B2B users
For B2B users like suppliers and partners, flexible access control and strong user lifecycle management are essential. This may involve federated login, multiple identity sources, and the ability to grant and revoke access based on role or affiliation.
Employees
For employees, integration with HR systems and internal business systems is key. The solution should support automated onboarding, self-service access requests, and authorization. Role-based access control is also important to ensure proper governance throughout the employment lifecycle.
Many organizations choose to manage all users in a single platform. This improves cost control, simplifies operations — and is often necessary when different user groups need access to the same applications.
Choose the right platform: Cloud, hybrid, or on-prem
Public cloud (SaaS)
Offers benefits like high availability, automatic updates, and lower operational costs. You don’t need to manage infrastructure – the vendor handles development, operations, and maintenance.
Private cloud
Provides greater control and flexibility, but typically requires more in-house technical expertise. Suitable for organizations with specific requirements for data handling, security, or integrations.
On-premises
Installed and operated locally. Fits organizations with strict demands for internal control and data security. Offers maximum control but comes with higher operational costs and less flexibility.
With the rise of containers and hybrid architectures, the lines between models are becoming increasingly blurred. Still, it’s essential to choose the model that best supports your organization’s needs – now and in the future.
Secure login, access management – or both?
Identity and Access Management encompasses both how users log in (authentication) and how access is assigned and governed (authorization). However, not all solutions cover both areas.
If your goal is to simplify and secure login to cloud services, then Access Management (AM) is your primary focus – including features like Single Sign-On (SSO) and Multi-Factor Authentication (MFA).
If you also need control over who gets access to what – and the ability to document and review these rights – you should look into Identity Governance and Administration (IGA). This includes features like automated access management, periodic access reviews, and the ability to generate audit reports.
Several vendors now combine AM and IGA, but it’s still common to choose just one – or integrate two systems. That’s why it’s crucial to clearly understand your needs, so you can select the right IAM platform from the start.
Which login methods should the solution support?
Your IAM solution should integrate with identity services relevant to your target audience. In Norway, this often includes BankID, Vipps, or MinID – while internationally, services like Google, Apple, or Facebook are common. These integrations make login more secure, user-friendly, and familiar – and reduce the need for manual user support.
Some identity services can also be used to verify new users during registration, which is especially valuable in B2C solutions and public services. Increasingly, organizations aim to support both personal and professional identities – especially in B2B contexts, where users expect to log in using either their work email or a personal account. This should be part of your requirements specification if you’re targeting multiple user groups.
Which processes should be automated?
All IAM solutions offer some level of automation, but the capabilities and flexibility vary widely.
At its most basic, automation includes creating and deactivating user accounts. However, many organizations require more advanced scenarios. For example, you might want access rights to be activated just before the employee’s start date – not immediately upon being registered in the HR system. Or you may want Microsoft 365 licenses to be revoked after 180 days of user inactivity.
There may also be a need to tailor user data – such as usernames, display names, or roles based on job title. These types of changes often require advanced logic, which not all platforms support equally well.
The more manual tasks you aim to eliminate, the more important it is to choose a solution that enables effective automation and workflow management.
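The two rules mentioned above (activating access shortly before the start date, and revoking Microsoft 365 licenses after 180 days of inactivity), written out as an added example that is not from the original article or any vendor's product. The record fields, the three-day lead time, and the action names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed lead time: the article only says "just before" the start date.
PRE_START_LEAD = timedelta(days=3)
# From the article: revoke licenses after 180 days of inactivity.
INACTIVITY_LIMIT = timedelta(days=180)


@dataclass
class HrRecord:
    """Hypothetical HR-feed record joined with IAM state."""
    user: str
    start_date: date
    end_date: Optional[date]
    last_sign_in: Optional[date]
    account_active: bool
    licensed: bool


def plan_actions(rec, today):
    """Return the lifecycle actions due for one identity on a given day."""
    actions = []
    if rec.end_date is not None and today > rec.end_date:
        # Leaver: deactivation takes priority over every other rule.
        if rec.account_active:
            actions.append("deactivate_account")
        if rec.licensed:
            actions.append("revoke_license")
        return actions
    if not rec.account_active:
        # Registered in HR but not yet provisioned: wait for the window.
        if today >= rec.start_date - PRE_START_LEAD:
            actions.append("activate_account")
        return actions
    # Active account: measure inactivity from the last sign-in, or from
    # the start date if the user has never signed in.
    reference = rec.last_sign_in or rec.start_date
    if rec.licensed and today - reference > INACTIVITY_LIMIT:
        actions.append("revoke_license")
    return actions


# Constructed sample: a hire registered in HR ahead of a 10 June start.
SAMPLE = HrRecord("new.hire", date(2025, 6, 10), None, None, False, False)
```

When comparing platforms, it is worth checking whether rules of this shape can be expressed in the product's own workflow engine or need custom code.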
Which systems must the solution integrate with?
IAM solutions retrieve and share data with other systems in the organization, making integrations critical for both functionality and efficiency. A common integration is with the HR system, which often serves as the source of truth for who the user is, where they work, and what access they need. This forms the basis for automated onboarding and access provisioning.
Other important integrations may include:
- Active Directory or Entra ID (formerly Azure AD) for authentication and group management
- Business systems and cloud applications where access needs to be managed
- ITSM tools like ServiceNow or Jira for access requests and approvals
- Solutions for access reviews or reporting, such as SIEM or GRC systems
The scope and maturity of integrations vary between vendors – some offer APIs and pre-built connectors, while others require more customization. Carefully consider which systems your IAM solution must interact with to meet your needs today – and in the future.
How should roles and access be managed?
Access management is not only about who gets access to what, but about the rules and principles that govern this access. A structured approach provides better control and enables automation of permissions across roles and systems.
Many organizations start with manual provisioning, but this quickly becomes unscalable. By grouping users into roles based on job title, department, or function, you can simplify processes and reduce the risk of errors.
Common models include:
- RBAC (Role-Based Access Control): Access based on predefined roles
- ABAC (Attribute-Based Access Control): Access based on user attributes
- Policy-based access control: Access defined by rules and conditions
Access management should not be considered in isolation but as part of a comprehensive identity roadmap. This provides a stronger foundation for selecting a model and solution that meets both current needs and future goals.
How will you ensure compliance and follow-up?
When access is provisioned manually and changes over time, discrepancies often arise between intended access and actual access. This can result in excessive permissions, increased risk of data breaches, and violations of internal policies or regulatory requirements.
That’s why it’s essential to have a solution that provides visibility into who has access to what, why they have it – and who approved it. This is often referred to as Access Governance, and typically includes features such as:
- Access certification (periodic access reviews)
- Audit trails and logging
- Policy-based access control
- Alerts and handling of anomalies
For organizations subject to ISO 27001, GDPR, NIS2, or similar regulations, these capabilities are not just “nice to have” – they are required.
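The gap between intended and actual access described above can be checked mechanically once roles are defined as in the RBAC model from the previous section. The following is an added example, not part of the original article or any product: it derives intended access from role assignments, compares it with what target systems report, and records who approved each exception. All users, roles, entitlements, and approvers are constructed sample data.

```python
# Constructed sample data; role names, entitlements and users are hypothetical.
ROLE_ENTITLEMENTS = {
    "accountant": {"erp:read", "erp:post_invoice"},
    "hr_advisor": {"hr:read", "hr:edit_employee"},
}
USER_ROLES = {"alice": {"accountant"}, "bob": {"hr_advisor"}, "carol": set()}
# Exceptions granted outside the role model: (user, entitlement) -> approver
APPROVED_EXCEPTIONS = {("alice", "hr:read"): "manager.dora"}
# What the target systems actually report
ACTUAL_ACCESS = {
    "alice": {"erp:read", "erp:post_invoice", "hr:read"},
    "bob": {"hr:read", "erp:post_invoice"},
    "carol": {"erp:read"},
    "mallory": {"erp:read"},
}


def intended_access(user):
    """Entitlements a user should hold: union over assigned roles (RBAC)."""
    ents = set()
    for role in USER_ROLES.get(user, ()):
        ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents


def reconcile(actual=ACTUAL_ACCESS):
    """Return (user, finding, entitlement, approver) tuples for review."""
    findings = []
    for user in sorted(set(actual) | set(USER_ROLES)):
        have = actual.get(user, set())
        want = intended_access(user)
        known = user in USER_ROLES
        for ent in sorted(have - want):
            approver = APPROVED_EXCEPTIONS.get((user, ent))
            if not known:
                kind = "orphan_account"      # no identity record at all
            elif approver:
                kind = "approved_exception"  # documented, still reviewable
            else:
                kind = "excess"              # access nobody approved
            findings.append((user, kind, ent, approver))
        for ent in sorted(want - have):
            findings.append((user, "missing", ent, None))
    return findings
```

The `excess` and `orphan_account` findings are the ones an access certification campaign should surface first.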
Next steps
Choosing an IAM solution is not just a technical decision – it’s about making the right choices for security, usability, and control. With the right approach, you build a strong foundation for future-ready identity management.