Best Identity Governance for Companies Under 500 Employees
Most IGA content is written for enterprises with thousands of users and dedicated IAM teams. This guide is for the IT manager at a 150-person company who needs governance sorted - maybe for a SOC 2 audit, maybe for NIS2, maybe because offboarding is a mess - but doesn't have a six-figure budget or a year to implement something.
The mid-market IGA gap
The identity governance market was built top-down. Vendors started with large enterprises and worked their way down - sort of. "Scaling down" an enterprise platform doesn't make it simpler. It just makes it expensive for what you get.
A typical enterprise IGA platform includes role mining algorithms, separation of duties matrices, AI-driven anomaly detection, custom workflow designers, and connectors for hundreds of applications. Impressive when you have 5,000 users across 200 applications. Expensive overhead when you have 200 users on Microsoft 365.
The result: most companies under 500 employees end up choosing one of five paths. Each has real trade-offs.
The Status Quo (Doing Nothing)
Manual management in Entra ID, no governance tool
Best for: Under 50 employees, low turnover, no compliance requirements
Most companies start here. You manage users in the Entra ID portal, handle onboarding and offboarding manually, and keep track of things in spreadsheets or your head. It works - until it doesn't. The question is whether you've hit that point yet.
Where it breaks down as you grow:
- Onboarding varies by admin - different people get different access for the same role
- Offboarding disables accounts but leaves lingering access in groups and shared resources
- Access accumulates as people change roles but nobody removes old permissions
- Compliance evidence doesn't exist until you scramble to assemble it before an audit
- All the knowledge lives in one or two people's heads
Genuinely fine for small, simple organisations. But growing companies hit the limits between 50–150 users - usually when a compliance audit, a security incident, or a key person leaving makes the gaps visible.
Enterprise IGA Platforms
SailPoint, Saviynt, One Identity
Best for: 1,000+ employees, multi-platform environments, dedicated IAM teams
These are genuinely excellent platforms for what they're designed for. SailPoint IdentityNow is a mature, well-regarded cloud IGA. Saviynt offers a converged approach combining IGA with PAM and cloud security. One Identity Manager has the deepest Active Directory expertise in the market.
For companies under 500 employees, the challenges are consistent:
| | SailPoint | Saviynt | One Identity |
|---|---|---|---|
| Typical first-year cost | €50,000–€200,000+ | €60,000–€180,000+ | €80,000–€250,000+ |
| Implementation time | 4–8 months | 3–6 months | 6–12 months |
| Implementation partner needed | Usually | Typically | Almost always |
| Strongest for | Cloud IGA at scale | Multi-cloud + PAM convergence | Complex AD/hybrid environments |
Usually overkill unless you have genuinely complex, multi-platform identity needs. You'll use 20% of the platform and pay 100% of the price.
Microsoft Entra ID Native Tools
Built-in governance features + P2 licensing
Best for: Under 50 employees, simple access needs, no compliance pressure
Microsoft has been improving governance capabilities in Entra ID: lifecycle workflows, access reviews (P2), entitlement management. For small companies with straightforward needs, native tools might be enough.
Where it breaks down:
- Lifecycle workflows have rigid conditions and limited actions
- Access reviews are functional but managing multi-department campaigns is manual
- Compliance evidence requires stitching data from multiple portal blades
- P2 licensing adds ~€8–9 per user per month (~€19,000/year for 200 users)
- Dynamic group rules are limited and break silently
Reasonable starting point. Most growing companies hit the limits between 50–150 users, especially once compliance requirements appear.
PowerShell Scripts + Spreadsheets
Custom automation built by your team
Best for: Very small teams with a skilled scripter, no compliance needs, low turnover
Many IT teams end up here by default. An admin writes an onboarding script, then an offboarding script, then a reporting script. It works until that admin leaves, the scripts break, or an auditor asks for evidence that doesn't exist.
The core problem:
- Scripts automate tasks, not governance
- No audit trails, no access review campaigns, no compliance reports
- Knowledge concentration risk that grows over time
Works until it doesn't. You'll know when it stops working because something will go wrong at the worst possible time - usually right before an audit.
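As an added illustration of the two gaps described above (offboarding that disables the account but leaves group memberships behind, and scripts that do work without leaving evidence), here is a read-only check that lists disabled Entra ID accounts still holding group memberships and writes a timestamped evidence file. This is example code added to this page, not Adcyma's product code; it assumes the Microsoft.Graph PowerShell SDK is installed and an account with read access to users and group memberships.

```powershell
# Added example (not Adcyma's code): find disabled Entra ID accounts that still belong
# to groups, and record who ran the check, when, and what was found.
# Assumes the Microsoft.Graph PowerShell SDK and read-only Graph permissions.
Connect-MgGraph -Scopes "User.Read.All","GroupMember.Read.All" -NoWelcome

$runAt    = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$operator = (Get-MgContext).Account
$findings = @()

# In a manual process, "offboarded" usually means only that the account is disabled.
$disabled = Get-MgUser -Filter "accountEnabled eq false" -All `
    -Property Id,UserPrincipalName,DisplayName,AccountEnabled

foreach ($u in $disabled) {
    # Keep only group objects; memberOf also returns directory roles and admin units.
    $groups = Get-MgUserMemberOf -UserId $u.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }

    foreach ($g in $groups) {
        $findings += [pscustomobject]@{
            CheckedAtUtc      = $runAt
            CheckedBy         = $operator
            UserPrincipalName = $u.UserPrincipalName
            GroupId           = $g.Id
            GroupName         = $g.AdditionalProperties['displayName']
        }
    }
}

# The evidence file is what a script-only process usually lacks. Store it somewhere
# that is write-once for the operator (a ticket, a locked share) so it can be shown
# to an auditor later, and schedule the check so the list does not drift unnoticed.
$out = "lingering-access-$((Get-Date).ToString('yyyyMMdd-HHmm')).csv"
$findings | Export-Csv -Path $out -NoTypeInformation -Encoding UTF8
Write-Host "$($findings.Count) lingering group memberships across $($disabled.Count) disabled accounts -> $out"
```

The script deliberately only reports; removing memberships is a separate, reviewed step. Compare the output of two consecutive runs to see whether offboarding is actually cleaning up or whether the list only grows, which is the practical signal that the status quo has stopped working.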
Build Your Own (The Vibe-Coded Approach)
AI-assisted custom development
Best for: Teams with a dedicated developer, zero compliance requirements, and a high tolerance for ongoing maintenance
With AI coding assistants like Cursor, Claude, and Copilot, it's never been easier to scaffold an identity management tool in a weekend. You'll get a working prototype fast. The problem is everything after: audit trails that satisfy auditors, edge cases that emerge in production, compliance evidence, and maintaining the codebase indefinitely while Microsoft changes their APIs underneath you.
The core problem:
- The first 10% of an IGA tool is easy - reading users, automating basic provisioning, building a dashboard
- The other 90% - immutable audit trails, structured access reviews, compliance reporting, error recovery, multi-admin support - is where vibe-coded tools stall
- That 90% is exactly what auditors ask about
Tempting, especially for technical teams. But the real cost (development + maintenance + compliance gaps) usually exceeds buying a purpose-built tool within the first year. Build the unique stuff. Buy the governance foundations.
Purpose-Built Mid-Market IGA
Adcyma (this is us)
Best for: 50–1,000 employees on Microsoft Entra ID and Active Directory, especially with SOC 2, ISO 27001, or NIS2 compliance needs
Full transparency: this is our product. We built it because this category barely existed. The market offered enterprise platforms and DIY. Nothing in between.
Automated lifecycle management
Define role-based access once. Provisioning and deprovisioning run consistently every time, connected to your HR system or triggered manually.
Access reviews
Structured campaigns where managers review their team's access. Deadlines, escalation, full audit trails. Not a spreadsheet exercise.
Compliance reporting
Pre-built reports for SOC 2, ISO 27001, and NIS2. Pull what your auditor needs without assembling data from five different sources.
Self-service deployment
Connect to your Entra ID tenant and/or Active Directory. Operational in a day. No implementation partner.
Pricing built for mid-market
Free for up to 25 users. Beyond that, pricing scales with your actual size.
Role mining is already built in. AI-driven access recommendations are next — designed for mid-market scale, not retrofitted from enterprise platforms.
How to choose (it's simpler than vendors want you to think)
Under 50 users, no compliance pressure?
Start with Entra ID native tools. Revisit when you grow or when compliance requirements appear.
50–1,000 users, running on Entra ID and/or AD, need governance for compliance or operations?
This is the space Adcyma is built for. Start a free trial and see if it fits.
1,000+ users, identities across multiple platforms, dedicated IAM team?
Evaluate enterprise platforms (SailPoint, Saviynt, One Identity). You'll use the capabilities and can justify the investment.
Somewhere in between and unsure?
Reach out. We'll tell you straight whether Adcyma fits or whether you should look elsewhere. We'd rather point you in the right direction than sell something that doesn't match.
All options at a glance
| | Status Quo | Enterprise IGA | Entra ID Native | PowerShell | Build Your Own | Adcyma |
|---|---|---|---|---|---|---|
| Target size | Any (until it breaks) | 1,000+ | Under 50 | Under 50 | Any (in theory) | 50–1,000 |
| First-year cost | "Free" (+ your time) | €50,000–€250,000+ | €19,000+ (P2) | Free (+ your time) | €25,000–€65,000 (dev time) | Fraction of enterprise |
| Time to operational | Already there | 3–12 months | Already there | Hours to build, forever to maintain | 2–4 weeks (basic), months (audit-ready) | 1–2 days |
| Access reviews | Manual or none | Advanced | Basic (P2) | Not feasible | If you build it | Structured, audit-ready |
| Compliance reports | Assembled manually | Extensive | Manual assembly | Build your own | If you build them | Pre-built (SOC 2, ISO 27001, NIS2) |
| Bus factor risk | High (1–2 people) | Low (vendor-managed) | Low (Microsoft-managed) | High (1 person) | High (1 person) | Low (SaaS) |
| Multi-platform | Microsoft only | Yes | Microsoft only | Microsoft only | Whatever you build | Microsoft (Entra ID + AD) |
| Implementation partner | No | Usually needed | No | No | No (you are the partner) | No |
Questions from IT managers evaluating IGA
If you're facing a SOC 2, ISO 27001, or NIS2 audit - it's a requirement, not a nice-to-have. If you've had an incident involving former employee access or inconsistent permissions - it's risk mitigation. If neither applies and you have under 50 users, it might genuinely be premature.
Yes. Adcyma is free for up to 25 users - real functionality, not a crippled trial. You can also start with native Entra ID tools and move to Adcyma when the limitations hit. The key is not to start with an enterprise platform "just in case" - that's where budget gets wasted.
Then your identity landscape will probably be more complex, your budget will be larger, and evaluating an enterprise platform at that point makes sense. But choosing a tool based on where you might be in five years means overpaying for where you are today.
Fair question. We're a real company with real customers. We're focused specifically on the mid-market IGA space and we're built to last. That said, Adcyma connects to your Entra ID tenant - your data and identity infrastructure are always yours, in Microsoft's cloud. There's no lock-in.
See if Adcyma fits your situation
Free for up to 25 users. No credit card. No consultants. No six-month project. Connect your Entra ID tenant or Active Directory and see governance in action.