8 things to consider when acquiring an IAM solution

Procuring an Identity and Access Management (IAM) solution is a strategic decision with implications far beyond the IT department. A misstep can lead to security gaps, frustrated users, and unnecessary complexity. Here are eight considerations to help you make the right choice — both now and in the future.

 

1. Who are the users — and what do they need access to?

Before choosing an IAM solution, you need to understand who it's meant to support. Employees, customers, partners — or a combination? Each user group has different needs, which influences your choice of functionality and platform. 

B2C users

B2C users — such as private customers, patients, or association members — typically register themselves and are not linked to the IAM system through a shared organization ID. This requires a solution that supports self-service registration, consent management, and easy login — typically provided through a CIAM (Customer IAM) platform.

B2B users

For B2B users like suppliers and partners, flexible access control and strong user lifecycle management are essential. This may involve federated login, multiple identity sources, and the ability to grant and revoke access based on role or affiliation.

Employees

For employees, integration with HR systems and internal business systems is key. The solution should support automated onboarding, self-service access requests, and authorization. Role-based access control is also important to ensure proper governance throughout the employment lifecycle.

Many organizations choose to manage all users in a single platform. This improves cost control, simplifies operations — and is often necessary when different user groups need access to the same applications.

2. Choose the right platform: cloud, hybrid, or on-prem

There are different technical approaches – from traditional on-premises solutions to modern SaaS-based services with high scalability and continuous improvement. The choice affects flexibility, costs, and how the solution can be managed over time.

Public cloud (SaaS)

Offers benefits like high availability, automatic updates, and lower operational costs. You don’t need to manage infrastructure – the vendor handles development, operations, and maintenance.

Private cloud

Provides greater control and flexibility, but typically requires more in-house technical expertise. Suitable for organizations with specific requirements for data handling, security, or integrations.

On-premises

Installed and operated locally. Fits organizations with strict demands for internal control and data security. Offers maximum control but comes with higher operational costs and less flexibility.

With the rise of containers and hybrid architectures, the lines between models are becoming increasingly blurred. Still, it’s essential to choose the model that best supports your organization’s needs – now and in the future. 

3. Secure login, access management – or both?

IAM covers a wide range of capabilities. To choose the right solution, you need to understand what you actually need – and what may not be included. 

Identity and Access Management encompasses both how users log in (authentication) and how access is assigned and governed (authorization). However, not all solutions cover both areas.

If your goal is to simplify and secure login to cloud services, then Access Management (AM) is your primary focus – including features like Single Sign-On (SSO) and Multi-Factor Authentication (MFA).

If you also need control over who gets access to what – and the ability to document and review these rights – you should look into Identity Governance and Administration (IGA). This includes features like automated access management, periodic access reviews, and the ability to generate audit reports.

Several vendors now combine AM and IGA, but it’s still common to choose just one – or integrate two systems. That’s why it’s crucial to clearly understand your needs, so you can select the right IAM platform from the start.
 

4. Which login methods should the solution support?

If external users such as customers, partners, or suppliers need access to your systems, you must consider how they will authenticate – and which identity providers need to be supported. 

Your IAM solution should integrate with identity services relevant to your target audience. In Norway, this often includes BankID, Vipps, or MinID – while internationally, services like Google, Apple, or Facebook are common. These integrations make login more secure, user-friendly, and familiar – and reduce the need for manual user support.

Some identity services can also be used to verify new users during registration, which is especially valuable in B2C solutions and public services. Increasingly, organizations aim to support both personal and professional identities – especially in B2B contexts, where users expect to log in using either their work email or a personal account. This should be part of your requirements specification if you’re targeting multiple user groups.

5. Which processes should be automated?

Automation is key to both enhanced security and efficiency – but what should actually be automated depends on your specific needs. 

 All IAM solutions offer some level of automation, but the capabilities and flexibility vary widely.

At its most basic, automation includes creating and deactivating user accounts. However, many organizations require more advanced scenarios. For example, you might want access rights to be activated just before the employee’s start date – not immediately upon being registered in the HR system. Or you may want Microsoft 365 licenses to be revoked after 180 days of user inactivity.

There may also be a need to tailor user data – such as usernames, display names, or roles based on job title. These types of changes often require advanced logic, which not all platforms support equally well.

The more manual tasks you aim to eliminate, the more important it is to choose a solution that enables effective automation and workflow management.
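The two scenarios above (activating access shortly before the start date, and revoking a license after 180 days of inactivity) can be written as explicit rules, which is a useful way to test whether a candidate platform can express them. The following is an added illustration, not code from any IAM product: the record fields, action names, and the two-day lead time are assumptions, and the sample identities are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

ACTIVATION_LEAD = timedelta(days=2)     # assumption: "just before" = 2 days
INACTIVITY_LIMIT = timedelta(days=180)  # threshold taken from the text

@dataclass
class Identity:                   # hypothetical record joined from HR + directory
    user: str
    start_date: date
    end_date: Optional[date]      # None = open-ended employment
    last_sign_in: Optional[date]  # None = never signed in
    access_active: bool
    has_license: bool

def plan_actions(i: Identity, today: date) -> List[str]:
    """Return the lifecycle actions due for one identity on `today`."""
    actions = []
    if i.end_date is not None and today > i.end_date:
        # Leaver: remove everything still held.
        if i.access_active:
            actions.append("deactivate_access")
        if i.has_license:
            actions.append("revoke_license")
        return actions
    in_window = today >= i.start_date - ACTIVATION_LEAD
    if in_window and not i.access_active:
        actions.append("activate_access")
    elif not in_window and i.access_active:
        actions.append("deactivate_access")   # provisioned too early
    # Inactivity counts from the last sign-in, or the start date if never used.
    reference = i.last_sign_in or i.start_date
    if i.has_license and today - reference > INACTIVITY_LIMIT:
        actions.append("revoke_license")
    return actions

TODAY = date(2025, 3, 1)  # constructed sample data below
SAMPLE = [
    Identity("new.hire", date(2025, 3, 3), None, None, False, False),
    Identity("future.hire", date(2025, 4, 1), None, None, True, False),
    Identity("dormant", date(2020, 1, 1), None, date(2024, 8, 1), True, True),
    Identity("leaver", date(2020, 1, 1), date(2025, 2, 15), date(2025, 2, 14), True, True),
]

if __name__ == "__main__":
    for ident in SAMPLE:
        print(ident.user, plan_actions(ident, TODAY))
```

Note the "future.hire" case: an account that became active as soon as HR registered it is flagged for deactivation until the activation window opens.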

6. Which systems must the solution integrate with?

For an IAM solution to work in practice, it must be able to communicate with the rest of your IT landscape – from HR and AD to business systems and cloud services. 

IAM solutions retrieve and share data with other systems in the organization, making integrations critical for both functionality and efficiency. A common integration is with the HR system, which often serves as the source of truth for who the user is, where they work, and what access they need. This forms the basis for automated onboarding and access provisioning.

Other important integrations may include:

  • Active Directory or Entra ID (formerly Azure AD) for authentication and group management
  • Business systems and cloud applications where access needs to be managed
  • ITSM tools like ServiceNow or Jira for access requests and approvals
  • Solutions for access reviews or reporting, such as SIEM or GRC systems

The scope and maturity of integrations vary between vendors – some offer APIs and pre-built connectors, while others require more customization. Carefully consider which systems your IAM solution must interact with to meet your needs today – and in the future.

7. How should roles and access be managed?

A well-thought-out access management strategy is essential for security and scalability – and should be a central part of your identity strategy. 

Access management is not only about who gets access to what, but about the rules and principles that govern this access. A structured approach provides better control and enables automation of permissions across roles and systems.

Many organizations start with manual provisioning, but this quickly becomes unscalable. By grouping users into roles based on job title, department, or function, you can simplify processes and reduce the risk of errors.

Common models include:

  • RBAC (Role-Based Access Control): Access based on predefined roles
  • ABAC (Attribute-Based Access Control): Access based on user attributes
  • Policy-based access control: Access defined by rules and conditions

Access management should not be considered in isolation but as part of a comprehensive identity roadmap. This provides a stronger foundation for selecting a model and solution that meets both current needs and future goals.

8. How will you ensure compliance and follow-up?

Audit and control should be built into the solution – not something you do once a year.  

When access is provisioned manually and changes over time, discrepancies often arise between intended access and actual access. This can result in excessive permissions, increased risk of data breaches, and violations of internal policies or regulatory requirements.

That’s why it’s essential to have a solution that provides visibility into who has access to what, why they have it – and who approved it. This is often referred to as Access Governance, and typically includes features such as:

  • Access certification (periodic access reviews)
  • Audit trails and logging
  • Policy-based access control
  • Alerts and handling of anomalies

For organizations subject to ISO 27001, GDPR, NIS2, or similar regulations, these capabilities are not just “nice to have” – they are required.
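The gap between intended and actual access described above can be measured by deriving each user's intended entitlements from their role (the RBAC model from point 7) and comparing them with what the target systems actually grant. The following is an added illustration, not part of any vendor's product: the role names, entitlement strings, finding labels, and all sample data are constructed.

```python
# RBAC model: role -> entitlements the role is meant to carry (constructed).
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp:read", "reports:read"},
    "finance-manager": {"erp:read", "erp:approve", "reports:read"},
    "it-admin": {"idp:admin", "erp:read"},
}

# Source of truth for who holds which role, e.g. exported from HR (constructed).
HR_ROLES = {"alice": "finance-analyst", "bob": "finance-manager", "carol": "it-admin"}

# Actual grants read back from target systems: (user, entitlement, approved_by).
# approved_by is None when no approval is on record.
ACTUAL_GRANTS = [
    ("alice", "erp:read", "rbac"), ("alice", "reports:read", "rbac"),
    ("alice", "erp:approve", None),        # left over from an earlier job
    ("bob", "erp:read", "rbac"), ("bob", "reports:read", "rbac"),
    ("carol", "idp:admin", "rbac"), ("carol", "erp:read", "rbac"),
    ("carol", "reports:read", "ciso"),     # documented exception
    ("dave", "erp:read", "rbac"),          # no HR record at all
]

def review(hr_roles, role_entitlements, grants):
    """Compare intended and actual access; return (user, entitlement, finding)."""
    actual = {}
    for user, ent, approver in grants:
        actual.setdefault(user, {})[ent] = approver
    findings = []
    for user in sorted(set(hr_roles) | set(actual)):
        held = actual.get(user, {})
        role = hr_roles.get(user)
        if role is None:
            # Account exists in a target system but not in the source of truth.
            findings += [(user, ent, "orphaned") for ent in sorted(held)]
            continue
        intended = role_entitlements.get(role, set())
        have = set(held)
        for ent in sorted(have - intended):
            # Outside the role: approved grants go to periodic review,
            # unapproved ones are candidates for revocation.
            findings.append((user, ent, "exception" if held[ent] else "excess"))
        for ent in sorted(intended - have):
            findings.append((user, ent, "missing"))
    return findings

if __name__ == "__main__":
    for finding in review(HR_ROLES, ROLE_ENTITLEMENTS, ACTUAL_GRANTS):
        print(*finding)
```

Run on a schedule rather than once a year, a comparison like this produces the input for access certification: each finding names the user, the entitlement, and whether an approval exists.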

Next steps

Choosing an IAM solution is not just a technical decision – it’s about making the right choices for security, usability, and control. With the right approach, you build a strong foundation for future-ready identity management.