SailPoint's Cloud Transition Changed Both the Product and the Pricing Model
SailPoint has been the enterprise identity governance and administration (IGA) market leader for over a decade. Its on-premises product, IdentityIQ, became the default platform for large enterprises managing joiners/movers/leavers, access certification campaigns, separation of duties policies, and role-based access control across complex hybrid environments. In 2022–2024, SailPoint executed a full transition to SaaS — the Identity Security Cloud (ISC) platform replaced IdentityIQ as the primary product, and the pricing model changed from a perpetual license plus annual maintenance structure to a subscription model priced on Managed Identities: the number of identities the platform governs, whether employee, contractor, or machine identity.
This transition created a pricing reset for most enterprises. Organisations that had fully amortised their IdentityIQ perpetual licenses were accustomed to paying only annual maintenance (typically 18–22% of original license cost). Moving to Identity Security Cloud subscription pricing — which reflects the full cost of the SaaS platform, not just maintenance — often represents a significant annual cost increase even for equivalent functionality. Understanding the new pricing model, the migration incentives SailPoint offers, and the competitive alternatives (Okta Identity Governance, Microsoft Entra ID Governance, Saviynt) is essential context for any SailPoint agreement in 2026. For the Okta IGA alternative in detail, see our Okta Enterprise Licensing Guide. For SailPoint contract advisory, our cybersecurity advisory team manages SailPoint ISC agreements and IdentityIQ migration negotiations.
Identity Security Cloud Tiers: Business, Business Plus, Business Elite
SailPoint Identity Security Cloud is structured across three primary tiers, with pricing based on the number of Managed Identities — the total population of identities the platform governs:
| ISC Tier | Core Capabilities | List Price (Per Identity/Month) | Best For |
|---|---|---|---|
| ISC Business | Lifecycle management (joiner/mover/leaver automation), provisioning, access requests, basic certifications | $6.00–$9.00 | Organisations needing core lifecycle automation without advanced governance |
| ISC Business Plus | Business + access certifications, separation of duties, role management, risk scoring | $9.00–$13.00 | Standard enterprise IGA — most common deployment tier for compliance-driven organisations |
| ISC Business Elite | Business Plus + AI-powered access recommendations, advanced analytics, predictive identity governance | $13.00–$18.00 | Large enterprises with mature governance programs and AI-driven access intelligence requirements |
For a 10,000-identity enterprise at ISC Business Plus: $9–$13/identity/month = $1,080,000–$1,560,000 annually at list. Negotiated enterprise pricing at this scale typically achieves 25–35% below list, bringing the effective cost to $702,000–$1,014,000 annually. Against an IdentityIQ maintenance cost that may have been $200,000–$400,000/year for a comparable on-premises deployment, the ISC subscription represents a meaningful cost step-up — one that must be evaluated against the reduced infrastructure overhead and enhanced SaaS capabilities.
Add-On Modules: Non-Employee Risk Management and Machine Identity Security
Non-Employee Risk Management (NERM) extends Identity Security Cloud to cover external identity populations — contractors, vendors, partners, and service providers — who are not in the core HR system but need governed access to enterprise systems. NERM is priced separately from the core ISC identity count, typically per non-employee identity per month ($4–$8/non-employee/month at list). For large enterprises with significant contractor populations — common in financial services, pharmaceuticals, and professional services — NERM can add materially to the total SailPoint bill. Organisations with 2,000 contractors at $6/identity/month add $144,000/year to their ISC cost before discounting.
Machine Identity Security covers non-human identities — service accounts, application credentials, API keys, OAuth tokens, and robotic process automation accounts — within the SailPoint governance framework. Machine identity populations in large enterprises frequently exceed human identity counts by 3–5x (10,000 human identities may coexist with 30,000–50,000 machine identities), and bringing machine identities under the same governance program as human identities is increasingly a compliance and audit requirement. Machine Identity Security is priced separately, typically per managed machine identity per month. For organisations with large machine identity populations, this module significantly expands the total ISC cost and should be scoped carefully before contract signature.
The identity count scoping problem: SailPoint's per-managed-identity pricing makes the initial identity count — the baseline from which the contract is priced — the most important commercial variable in any ISC agreement. Organisations that agree to a managed identity count based on their current known identity population frequently discover additional identities (unmanaged service accounts, legacy application credentials, contractor accounts outside the primary HR system) as the ISC deployment matures. Each additional identity above the contracted count triggers overage pricing. Conducting a comprehensive identity inventory — using SailPoint's discovery tooling or a third-party identity scanner — before contract signature is the most effective way to avoid mid-term true-ups. For scoping advisory prior to contract signature, book a call with our team.
IdentityIQ to Identity Security Cloud Migration: The Commercial Negotiation
Organisations on IdentityIQ maintenance contracts face a specific commercial situation: SailPoint's maintenance revenues are declining as the product approaches end-of-mainstream-support, and SailPoint's account teams are under significant internal pressure to migrate customers to ISC subscriptions. This creates negotiation leverage for IdentityIQ customers that ISC-native customers do not have.
Migration incentives SailPoint has made available to IdentityIQ customers in recent deals: migration credits applied against the first ISC contract term (offsetting some of the cost step-up from maintenance pricing to full subscription pricing); extended IdentityIQ maintenance at reduced rates for a defined transition period while ISC is configured and deployed in parallel; bundled professional services for the migration included in the ISC contract at reduced cost; and enhanced discounts on ISC Business Plus vs standard enterprise rates. These incentives are not uniformly offered — they are negotiated outcomes available to customers who actively manage the migration conversation rather than passively accepting SailPoint's standard ISC proposal. The window for the most favourable migration terms is before SailPoint announces end-of-support dates for IdentityIQ, which concentrates customer urgency and reduces SailPoint's commercial incentive to offer migration credits.
Competitive Alternatives and How to Use Them
Okta Identity Governance (OIG) is the most directly comparable enterprise IGA alternative for organisations already using Okta Workforce Identity. For Okta customers, OIG provides access certifications, separation of duties, and governance workflows within the existing Okta platform — eliminating the need for a separate SailPoint deployment. The commercial comparison is: Okta WIC Enterprise plus OIG vs SailPoint ISC Business Plus plus Okta WIC for authentication. For organisations with 5,000–15,000 identities where Okta is already deployed, OIG is frequently cheaper than SailPoint ISC for equivalent governance scope. See our Okta licensing guide for the OIG pricing detail.
Microsoft Entra ID Governance (the identity governance capability within Microsoft Entra ID Premium P2, included in Microsoft 365 E5) covers access reviews, entitlement management, and privileged identity management at zero marginal cost for E5-licensed organisations. For organisations already at M365 E5, Entra ID Governance substantially reduces the governance gap that previously required a SailPoint deployment, and a documented Entra ID Governance evaluation is effective competitive leverage in SailPoint negotiations. Saviynt competes with SailPoint on cloud-native IGA architecture and has been particularly competitive in mid-market accounts ($5M–$50M IT security budget), with aggressive pricing to gain market share from SailPoint. A formally documented Saviynt evaluation generates pricing movement from SailPoint's account team in both new and renewal negotiations. For SailPoint advisory support, our cybersecurity advisory team manages ISC scoping, migration negotiations, and competitive evaluations. Book a call to discuss your SailPoint engagement.
Get Expert SailPoint Identity Security Cloud Advisory
Our cybersecurity advisory team scopes ISC identity counts to prevent true-up exposure, negotiates IdentityIQ migration credits and ISC contract terms, models Okta IGA and Entra ID Governance alternatives, and manages Saviynt competitive evaluations that generate pricing movement for SailPoint renewals and new agreements.
Book a SailPoint Licensing Review →