A vendor sent you a deck last week. Slide 4 says "comprehensive IAM and IGA platform." Slide 7 also says "comprehensive IAM and IGA platform." You sat through the whole call and you still aren't sure which one you actually need. Or whether you need both. Or whether they're the same thing with a different label.
You're not stupid. The category is just genuinely confusing, and the people selling into it have very little incentive to make it clearer.
What IAM does
IAM is identity and access management. The clue is in the name. It's the layer that knows who someone is and what they can log into.
If you have Entra ID, you have IAM. Microsoft is your IAM. So is Okta if you went that route, or JumpCloud, or Google Workspace if you're a Google shop. IAM handles the basics: user accounts, single sign-on, MFA, conditional access policies.
Your IAM answers the question "is this person allowed to log in right now." That's it. It doesn't care whether they should still have access to the finance share six months after moving from accounting to marketing.
What IGA does
IGA is identity governance and administration. It sits on top of your IAM and answers a different question. "Should this person have the access they have, and how do we prove it?"
That includes the joiner-mover-leaver lifecycle: provisioning when someone starts, updating access when they switch roles, revoking when they leave. Access reviews where managers periodically sign off on who has what. And the audit trail that makes ISO 27001 or NIS2 a quiet conversation instead of a four-month project.
If your IT team is doing any of this manually in spreadsheets, you have IGA processes. They just live in your head instead of in software.
Where the confusion comes from
A lot of vendors blur the two on purpose. "We do IAM and IGA" sounds bigger than "we do IAM." For Microsoft specifically, parts of IGA show up inside premium Entra ID licensing. Entitlement Management, Access Reviews, Lifecycle Workflows. That's fine if you have P2 licenses for everyone and a team to configure them.
Most companies under 500 people don't. They have basic Entra ID, a handful of P1 licenses, and one IT manager. Who is also the Microsoft 365 admin. And the helpdesk. And the procurement person.
If that's you, the cost math on full Entra ID Suite gets ugly fast.
What you actually need
For a 50-person company: probably just IAM. Entra ID with sensible group policies, MFA on everything, and a quarterly manual check of who has admin rights. You can get away with this. Most do.
For a 200-person company: you need IGA, whether you call it that or not. The math gets you there. Roughly 15 to 20 access changes a week. New hires, role changes, contractors rolling on and off, people leaving. That's around 1,000 access events a year, every one of which needs to happen correctly and be documented. Doing that in a ticket queue is how access creep happens.
For a 500-plus person company with a compliance audit on the calendar: you need IGA, and you needed it eighteen months ago. The question is whether you go full enterprise (SailPoint, Saviynt) or something right-sized for your team.
The short version
IAM gets people in. IGA makes sure they only have what they should, and gives you proof when someone asks.
You probably have IAM. Whether you have IGA depends on whether your offboarding process exists outside of Slack messages and one person's memory.
Full transparency: Adcyma is an IGA tool built for Nordic mid-market companies on Entra ID. It deploys in a day. No P2 license required for every user. If you're in that "we definitely need IGA but the enterprise tools are absurd" zone, that's the gap we're built for.