Adcyma vs Building Your Own
You've got a capable developer, a weekend, and an AI coding assistant. How hard can identity governance really be? We'll be honest: you'll get surprisingly far in the first 48 hours. It's the next 48 months that'll get you.
Skip the build - start a free trialWe get the appeal
Building your own IGA tool has never felt more tempting. AI coding assistants can scaffold a working app in hours. You know your environment better than any vendor. And you don't want to pay for features you don't need.
The problem isn't building version 1. It's everything after: audit trails that hold up under scrutiny, edge cases that emerge at 3am, compliance evidence that satisfies an actual auditor, and maintaining it all while your team is supposed to be doing their real jobs.
Adcyma was built by people who started exactly where you are - and realized that identity governance is a product, not a weekend project.
Week 1 is going to feel amazing
Let's be real about what happens when a capable developer sits down with Cursor, Claude, or Copilot and starts building an IGA tool:
Day 1-2: It works.
You've got a script that reads users from Entra ID, a basic dashboard showing who has what access, and maybe even some automated provisioning logic. The AI assistant wrote 80% of the Graph API integration. You're feeling great.
Day 3-5: It's actually good.
You've added role templates, some basic offboarding automation, and a simple access review workflow where managers can approve or revoke access via email. Your demo to the team gets genuine excitement. Someone says "why would we ever buy a tool when we can build this?"
Week 2: The first cracks.
You discover that the Graph API has rate limiting that your bulk operations keep hitting. The access review workflow breaks when a manager is on holiday and doesn't respond. Your offboarding script missed a shared mailbox delegation that wasn't in the obvious API endpoint. Someone asks "can it generate a compliance report?" and you realize that's a completely different project.
Week 3+: The real work begins.
And this is where the story gets less fun.
The 90% you don't see coming
The first 10% of an IGA tool - the part that reads data and automates basic workflows - is the easy part. Here's what's underneath:
Audit trails that actually hold up.
Not just logging. Tamper-proof, timestamped records of every action, every change, every approval - tied to specific users, with before-and-after states, exportable in formats your auditor accepts. SOC 2 auditors don't accept "we have logs." They want immutable evidence that proves who approved what, when, and why. Building this properly is a significant engineering effort that most vibe-coded projects skip until audit time.
Edge cases in lifecycle management.
What happens when someone transfers between departments on the same day they get promoted? When a contractor's end date is extended but nobody updates the system? When two people share a role title but need different access because they're in different business units? When an employee goes on parental leave - do you revoke access or suspend it? Every edge case is a potential security gap or a broken workflow. Enterprise IGA vendors have catalogued hundreds of these over decades. You'll discover them one at a time, usually when something goes wrong.
Error handling and recovery.
Your provisioning script failed halfway through because of a transient API error. The user now has half their access. What happens? Does the system retry? Roll back? Alert someone? Leave the user in a broken state until IT notices? Robust error handling, retry logic, and state management are unglamorous but essential - and they typically triple the complexity of any automation code.
Access review governance.
Not just "send an email asking if access is okay." Structured campaigns with deadlines. Escalation when managers don't respond. Delegation when a reviewer is unavailable. Exception tracking. Evidence that every user's access was reviewed, not just the ones whose managers happened to respond. Auditors care about 100% coverage, not 70%.
Ongoing maintenance.
Microsoft changes API endpoints. Graph API permissions shift between preview and GA. New Entra ID features deprecate old ones. Your custom code needs to track all of this. Plus every internal change - new departments, new applications, new compliance requirements - requires development time. You've essentially committed to maintaining a product indefinitely.
Multi-admin support and RBAC.
Your solo-built tool works great when one admin uses it. What happens when three people need different levels of access to the tool itself? When you need an audit trail of who made changes to the governance configuration? You're building a tool that needs its own identity governance.
What "free" actually costs
The most common argument for building is cost. Let's do the actual math.
The "free" tool built in a weekend costs more than the product it was supposed to replace. And that's before you account for the opportunity cost of a developer not working on your actual product.
| Build your own | Adcyma | |
|---|---|---|
| Initial build | 2-4 weeks of developer time (~€5,000-€15,000 in salary) | 1-2 days to deploy |
| Making it audit-ready | 4-8 additional weeks (~€10,000-€30,000) | Built-in |
| Annual maintenance | 15-25% of a developer's time (~€10,000-€20,000/year) | Included in subscription |
| Security updates & API changes | Ongoing developer time | Managed by Adcyma |
| Bus factor | 1 person (the builder) | Vendor-managed |
| Compliance liability | On your team | Shared with vendor |
| Year 1 total cost | €25,000-€65,000 (conservatively) | Fraction of that |
| Year 2+ annual cost | €10,000-€20,000+ | Predictable subscription |
Auditors don't care how clever your code is
This is the part that kills most vibe-coded IGA projects. When your SOC 2 or ISO 27001 auditor asks for evidence of identity governance controls, they want:
A custom-built tool can theoretically meet all of these requirements. In practice, most don't, because building compliance features isn't fun and doesn't make the demo look better. They get deferred, deprioritized, and eventually flagged as audit findings.
An auditor is also going to ask harder questions about a custom-built governance tool than a purpose-built product: Who validates the tool? Who tests it? What's the change management process? Where's the documentation? These are reasonable questions, and the answers for a vibe-coded tool are usually uncomfortable.
- Documented, repeatable processes - not "our developer runs a script"
- Immutable audit trails - not application logs that the admin can edit
- Evidence of periodic access reviews - not "we check things when we remember"
- Segregation of duties - the person who provisions access shouldn't be the only person who reviews it
- Change management - governance tool changes should be tracked and approved, not pushed via git commit -m "fixed thing"
We'll be honest - sometimes you should build
There are situations where custom tooling is the right call:
If none of these apply - if you're a mid-market company with 50-500 users, a small IT team, and compliance audits coming - building your own is almost certainly the wrong choice.
- Highly specialized workflow that no product covers. If your identity lifecycle involves genuinely unique business logic that can't be configured in any product, a custom integration layer makes sense.
- You have a dedicated platform team. If you already have engineers maintaining internal tools and this fits naturally into their portfolio, the maintenance burden is distributed.
- You're building something else. If identity management is a feature of a larger internal platform you're already building, adding it in-house might be more efficient than integrating a third-party tool.
- You're under 30 users with zero compliance requirements. At this scale, a well-documented script genuinely might be enough. But be honest about whether that's where you'll stay.
Build vs buy - the full picture
| Vibe-coded IGA | Adcyma | |
|---|---|---|
| Time to "it works" | 1-2 weeks | 1-2 days |
| Time to "audit-ready" | 2-4 months (if ever) | Day 1 |
| Audit trail | Whatever you built (if you built it) | Built-in, immutable |
| Access reviews | Basic (email-based, manual tracking) | Structured campaigns with deadlines and escalation |
| Compliance reports | Build your own (per framework, per audit) | Pre-built for SOC 2, ISO 27001, NIS2 |
| Edge case handling | Discovered in production, one at a time | Catalogued and handled |
| Error handling & recovery | As good as your developer's foresight | Built-in retry, rollback, alerting |
| Bus factor | 1 person | Vendor-managed |
| Microsoft API change tracking | Your responsibility | Adcyma's responsibility |
| Entra ID support | Yes (you built it) | Yes |
| Active Directory support | If you built it | Yes |
| Role mining | If you built it | Yes |
| AI-driven recommendations | If you built it (and it's accurate) | On the roadmap |
| Multi-admin RBAC | If you built it | Built-in |
| Vendor accountability | You are the vendor | Shared responsibility |
When to build vs when to buy
Consider building if:
- You have a genuinely unique identity workflow no product covers
- You have a dedicated platform team to maintain it
- Identity management is part of a larger internal platform
- You're under 30 users with zero compliance requirements
Buy Adcyma if:
- You have 50-500 users on Entra ID and/or Active Directory
- You need audit-ready governance, not just automation
- Compliance audits (SOC 2, ISO 27001, NIS2) are on the horizon
- Your IT team is small and can't maintain a custom tool indefinitely
- You'd rather spend development time on your actual product
Questions from teams considering building their own
The prototype is the easy part. Ask your developer how long it would take to make it audit-ready - with immutable logs, structured access reviews, compliance reporting, full error handling, and multi-admin support. If the answer is "a few more weeks," they're underestimating. If the answer is "a few more months," that's honest - and that's the real cost you should be comparing.
AI assistants are great at generating code. They're not great at understanding your compliance requirements, anticipating edge cases in your specific environment, or maintaining a codebase when Microsoft changes their APIs. The hard part of building an IGA tool was never the code - it's the governance model, the audit trail design, and the ongoing maintenance commitment.
Understandable. Adcyma connects to your Entra ID tenant and Active Directory using delegated permissions. Your identity data stays in Microsoft's cloud - we don't replicate your directory or store credentials. The security model is designed for exactly this concern.
Infrastructure-as-code tools are excellent for provisioning cloud resources. Identity governance is a different problem - it involves human workflows (access reviews), temporal logic (employee lifecycle events), compliance evidence, and audit trails. These don't map cleanly to infrastructure patterns. Trying to force them in usually creates something that's hard to maintain and doesn't satisfy auditors.
There are some open-source options (MidPoint is the most notable). They're real products with real capabilities. They're also complex to deploy and maintain - often requiring similar effort to enterprise platforms. If you're evaluating open-source, evaluate it as a "cheaper enterprise platform" rather than a "free tool," because the implementation and maintenance costs are real.
Respect that. Building tools is genuinely fun, especially with AI assistants. Consider building the custom integrations that sit alongside Adcyma - connecting your specific HR system, building custom alerts, creating internal dashboards. Build the unique parts. Buy the governance foundations.
Skip the build. Start governing.
Free for up to 25 users. No credit card. No consultants. No months of development. Connect your Entra ID tenant or Active Directory and see what governance looks like when it's built right.