You've spent three weeks in IGA demos. Every vendor's pricing page says the same thing: "Contact sales for a custom quote." Meanwhile, your CFO wants a budget number by Friday.

This post fills the gap. It won't give you a binding quote - no one can - but it will give you the pricing structure, realistic ranges, the hidden costs that blow budgets, and the questions that separate a real number from a sales-cycle stall.

How IGA Is Actually Priced

IGA pricing models vary, but most vendors use one of four structures - often in combination.

Per-identity / per-user subscription is the dominant model. None of the major IGA vendors publish pricing publicly; all use per-identity subscription or licensing models with module-based additions. The "identity" count matters: managed identities include every entity requiring access governance - employees, contractors, service accounts, RPA bots, and increasingly, AI agents.

Module-based add-ons layer on top of the base license. SoD and non-human identity governance are paid add-ons, not included in the base license - SoD runs through the Access Risk Management (ARM) module, and non-human coverage for service accounts, bots, RPA, and AI agents requires separate modules.

Platform fee + professional services is the legacy model. You pay a base license, then a separate (often larger) engagement for implementation, connector development, and workflow configuration.

Tiered suites bundle features into Standard / Business / Enterprise tiers. SailPoint packages its SaaS platform into progressively tiered commercial suites - Standard, Business, and Business Plus - catering to diverse business maturity levels and compliance needs. The catch: the features you actually need are rarely in the entry tier.

IGA Pricing Models at a Glance
Pricing ModelHow It WorksWatch Out For
Per-identity/userAnnual fee × managed identity countMachine identities can outnumber humans 17:1 to 82:1, inflating counts fast
Module add-onsBase license + SoD, NHI, PAM, analytics modulesFeatures marketed as 'included' often require a paid module
Platform fee + PSLicense + separate professional services engagementPS costs routinely exceed the license in Year 1
Tiered suitesStandard → Business → Enterprise tiersGovernance features typically start at Business tier or above
Per-connectorFee per integrated application or connectorLong-tail SaaS apps trigger upcharges; SCIM-only tools leave gaps

2026 Per-User Ranges: What Buyers Are Actually Paying

These are market ranges drawn from procurement data and published third-party analysis - not list prices, which don't exist.

Legacy enterprise IGA (SailPoint, Saviynt): Based on third-party procurement data and customer reports, expect annual costs starting around $75,000 for smaller deployments, with mid-market enterprises typically paying $100,000-$500,000+ annually. On a per-user basis for a 1,500-person company, that's roughly $50-$333/user/year before professional services.

Okta Identity Governance: Identity Governance runs between $9 and $11 per month per user, depending on the number of included flows. That's $108-$132/user/year - but only covers apps Okta can reach via SCIM or its native integrations.

Microsoft Entra ID Governance: Pricing starts at $6/user/month, though core IGA features require the Entra Suite at $11/user/month with annual commitment. Strong value if you're Microsoft-centric; limited outside that ecosystem.

Modern mid-market IGA (Lumos, Zluri, ConductorOne, Linx): Typically $8-$20/user/month depending on feature tier, with lower PS requirements. Pricing is often more transparent but connector coverage varies.

What drives price up:

  • Identity count (especially if you govern contractors, service accounts, and AI agents)
  • Number of connected applications and whether custom connectors are needed
  • Advanced modules: SoD, PAM integration, non-human identity, AI analytics
  • Multi-year vs. annual contract terms - multi-year commitments of 2-3 years commonly yield 15-30% lower per-identity pricing compared to annual contracts
lightbulb Tip

The identity count trap: Ask every vendor how they count identities. A 1,500-employee company with 300 contractors and 2,000 service accounts may be quoted on 3,800 identities — not 1,500. Get the definition in writing before you benchmark quotes.

The Professional Services Iceberg

The license fee is the visible tip. The iceberg below it is what sinks budgets.

57% of organizations report that the high cost of professional services needed for integration is a major barrier to completing their IGA implementation. [ESG Identity Security Report, July 2025]

For legacy platforms, the numbers are stark. Professional services typically represent 30-60% of first-year total cost, according to Vendr's data from 30 verified purchases. Implementation is notoriously difficult, often taking over a year to reach maturity, with professional service costs that can triple the initial software price.

68% of enterprises underestimated their total IGA implementation costs by at least 40%, with professional services being the primary cause of budget overruns. [Gartner IGA Implementation Report, 2023]

The timeline problem compounds the cost problem. Legacy platforms like SailPoint IdentityIQ almost always require vendor-led or partner-led professional services, with implementations taking 6 to 12 months and services costs that can match or exceed the software license. And that's just to reach initial deployment - not full app coverage. A tool's time-to-value is decreased drastically if it takes an additional 6-12 months post-implementation to fully integrate with business applications; for larger organizations, it could take years, and queues of over 600 applications with 8+ year timelines have been documented.

What drives PS costs up:

  • Custom connector development for non-standard apps - one mid-size financial institution reported spending over $180,000 on custom connector development alone
  • Workflow customization to translate business processes into the platform's framework
  • Training and change management
  • Upgrade costs when major versions require re-implementation

Where modern platforms differ: Modern cloud-native platforms like Linx, Lumos, and Zluri are designed to reduce or eliminate that dependency on professional services. The trade-off is typically shallower ERP integration and less customization depth - which is fine for SaaS-heavy mid-market companies, but a real constraint for complex regulated enterprises.

The SCIM Tax: The Hidden Surcharge Nobody Quotes

This is the cost that doesn't appear on any vendor's pricing page, but it's real and it compounds.

Most IGA tools provision users via SCIM - the standard protocol for automated user lifecycle management. The problem: many of the apps your team actually uses gate SCIM behind their most expensive enterprise tier. Your IGA vendor can't provision what the app won't expose.

The pattern is consistent across the SaaS stack:

  • Slack restricts full SCIM functionality to Enterprise Grid - its top-tier plan that costs ~$230/user/year - while teams on Business+ ($180/user/year) get SSO but no automated provisioning.
  • Notion creates an artificial barrier between SSO and SCIM, forcing teams already paying $20/user/month for Business to negotiate custom Enterprise pricing just to automate what their identity provider should handle natively.
  • Not one of the "Big Four" PM tools - Monday, Asana, Notion, ClickUp - offers SCIM on standard plans; all require Enterprise upgrades or force an estimated 458 IT hours/year in manual provisioning.

The aggregate cost is significant. For a 100-user team using all four major PM tools, the combined SCIM tax from enterprise-tier upgrades runs $63,000-$126,000/year. [Stitchflow customer data, 2026]

This creates a compounding problem for SCIM-only IGA tools: they automate the apps that already support SCIM, but leave the rest of your stack - often the majority of it - on manual processes. You end up paying for IGA and paying the SCIM tax and still doing manual provisioning for the apps that fall through the cracks.

Only 15% of organizations have integrated more than 80% of their applications into their IGA platform, and 59% cite integration difficulty as a primary reason for incomplete deployment. That's not a governance program - that's a partial automation with a governance-shaped hole in it.

For a deeper look at how the SCIM tax works and which apps are affected, see our full SCIM Tax breakdown.

TCO Worked Example: 1,500-Employee SaaS Company

Let's make this concrete. Here's a realistic Year 1 and Year 3 TCO comparison for a 1,500-employee company with a typical SaaS-heavy stack (60+ apps, mix of SCIM and non-SCIM), a 2-person IT team, and SOC 2 Type II requirements.

Assumptions:

  • 1,500 employees + 200 contractors = 1,700 managed identities
  • 60 apps: ~25 with SCIM support, ~35 without
  • No dedicated IAM team; IT team handles governance alongside other responsibilities

Illustrative snapshot at 1,500 employees, 60 apps:

Cost Component Legacy Enterprise IGA Mid-Market Modern IGA Universal Coverage IGA
Year 1 License ~$180,000 ~$144,000 ~$108,000
Year 1 Prof. Services ~$108,000 ~$29,000 ~$5,000
SCIM Tax (app upgrades) ~$27,840 ~$21,600 $0
Year 1 Total ~$315,840 ~$194,600 ~$113,000
Year 3 Cumulative ~$720,000+ ~$450,000 ~$280,000

Ranges are illustrative based on published market data and procurement benchmarks. Your actual quote will vary based on identity count, app complexity, and negotiated terms.

The PS delta is the biggest lever. Legacy platforms require extensive implementation work; modern platforms with pre-built connectors and faster deployment dramatically compress that line. The SCIM tax is the second lever - and it only applies to tools that stop at SCIM.

Where legacy enterprise IGA is still worth it: If you're a 10,000+ employee regulated enterprise with SAP, Oracle, or mainframe integrations, complex SoD requirements, and a dedicated IAM team, the depth of SailPoint or Saviynt may genuinely justify the cost. For large enterprises in regulated industries - finance, healthcare, government - SailPoint's combination of governance depth, compliance automation, AI-powered analytics, and connector breadth makes it the strongest choice; the investment is significant, but so is the compliance risk it mitigates. That's an honest assessment, not a sales pitch.

For a full vendor comparison across all major IGA platforms, see our 12 Best IGA Vendors in 2026 guide.

10 Questions to Get a Real Quote

Most IGA sales cycles are designed to delay the number until you're emotionally committed. These questions force specificity earlier.

1
How do you define a 'managed identity'?

Does it include contractors, service accounts, bots, and AI agents? Get the definition in writing. A 1,500-employee company can easily have 3,000+ billable identities once non-human accounts are counted.

2
What's included in the base license vs. add-on modules?

Ask specifically about SoD enforcement, non-human identity governance, access analytics, and workflow automation. These are commonly gated behind paid modules.

3
What is the all-in Year 1 cost including professional services?

Request a binding not-to-exceed estimate for implementation, not just a 'typical range.' PS costs routinely run 30–60% of the license fee for legacy platforms.

4
How many of our specific apps are covered out of the box?

Give them your actual app list. Ask which apps require custom connector development, and what that costs. A connector library number means nothing without knowing if your apps are in it.

5
Which apps require SCIM — and what happens to the ones that don't support it?

If the answer is 'manual process' or 'custom development,' you've found your coverage gap. Ask how non-SCIM apps are governed.

6
What is the typical time-to-first-value for a company our size?

Not 'full deployment' — first value. If the answer is 6+ months, factor that into your compliance timeline and budget for the manual work that continues in the meantime.

7
What does renewal pricing look like after Year 1?

Ask for the maximum annual increase cap. Standard contracts often allow significant year-over-year increases. Get a 3-year cost projection, not just Year 1.

8
What internal headcount is required to run this platform?

Some platforms require a dedicated IAM engineer or admin. If you're a lean team, that's a hidden cost that doesn't appear on any invoice.

9
Can you provide references from companies our size and stack complexity?

Ask specifically for companies with similar employee counts, SaaS-heavy environments, and lean IT teams — not Fortune 500 references if you're a 1,500-person company.

10
What is the offboarding process if we switch vendors in Year 2 or 3?

Data portability, contract exit terms, and migration support are rarely discussed in the sales cycle. Ask before you sign.

The Honest Takeaway

IGA pricing is deliberately opaque because the total cost - license + PS + SCIM tax + internal overhead - is often 3-5× the headline number. The vendors who benefit most from that opacity are the ones with the highest PS ratios and the narrowest app coverage.

87% of organizations still depend on manual efforts for core IGA tasks despite having automation tools in place. [ESG Identity Security Report, July 2025] That's not a technology failure - it's a coverage failure. Tools that only automate SCIM-enabled apps leave the majority of the stack on manual processes, and the SCIM tax makes closing that gap expensive.

The questions to ask yourself before signing:

  • Does the platform cover your full app stack - including apps without SCIM or APIs - or just the easy ones?
  • Is the PS estimate binding, or is it a "typical range" that will expand once the SOW is signed?
  • Have you counted all your identities - contractors, service accounts, bots - not just headcount?
  • What's the Year 3 number, not just Year 1?
  • What does your lean IT team actually have capacity to run?

The right IGA platform for a 1,500-person SaaS company is not the same as the right platform for a 50,000-person bank. Match the tool to your actual complexity - and pressure-test every quote against the full TCO math before you commit.