Identity Governance

IAM, IGA, and PAM: How They Differ and How They Work Together


16 May 2026 · 5 min read · Fredrik Schöld

The three-letter problem

A vendor sends you a deck. Slide 4: "We do IAM, IGA, and PAM." Slide 7: same words, different order. You ask which one solves your offboarding problem. The salesperson says "all of them." You leave the call slightly more confused than before.

We've already covered IAM vs IGA at length. This post adds the third letter, PAM, and explains how the three actually relate to each other in a normal mid-market environment.

IAM, briefly

IAM is identity and access management. Who can log in, with what credentials, into what systems. Entra ID is your IAM if you run Microsoft 365. Okta and JumpCloud are alternatives.

IAM handles authentication (proving who you are) and the basics of authorization (group-based access, app assignment). It's the foundation. Without IAM, the other two letters don't have anything to govern.

IGA, briefly

IGA is identity governance and administration. It sits on top of IAM. The questions IGA answers are different from the ones IAM answers: "Should this person have this access?" "Can we prove it?" "Did the right things happen when they joined, moved, or left?"

IGA gives you the joiner-mover-leaver workflow, the periodic access reviews, the audit trail, and the compliance reporting. Manual processes count too. If you have a spreadsheet where managers review their team's access every quarter, that's IGA. It's just IGA done painfully.

PAM, briefly

PAM is privileged access management. It's specifically about the high-risk accounts. Global Admins. Domain Admins. The service account that owns the production database. The break-glass account that is deliberately excluded from your Conditional Access policies.

PAM tools do three things native IAM doesn't. First, just-in-time elevation. Instead of holding Global Admin permanently, a user is merely eligible for the role and activates it for the next hour, with MFA, a justification, and optionally an approver in the loop. Second, credential vaulting. Privileged credentials live in a vault, get checked out on demand, and rotate automatically after use. Third, session monitoring. Every action a privileged user takes is logged or recorded.

For mid-market companies, Microsoft's Privileged Identity Management (PIM), included in Entra ID P2, covers the first of these for Entra ID roles, and that is often all that is needed. Dedicated PAM platforms like CyberArk and BeyondTrust exist for larger environments, and are useful when privileged accounts are spread across many systems.

How they fit together

Picture the three as nested concerns.

IAM is the outer layer. Everyone has an identity. Everyone authenticates. Everyone has some access.

IGA is the middle layer. Some subset of identities (employees, contractors, guests) need their access governed. Reviewed. Documented. Provisioned and deprovisioned through a tracked process.

PAM is the inner layer. A smaller subset (admins, sensitive role holders) need tighter controls on top. Just-in-time access. Vaulted credentials. Session recording.

A 200-person company has 200 IAM identities. Maybe 180 of those need IGA governance. Employees, active contractors, guests with real access. Maybe 10 of those need PAM controls. Admins and high-risk service accounts.

You don't pick one or the other. You stack them.

What this means in practice

If your tooling story is "we have Entra ID," here's where each piece lives:

IAM: handled. Entra ID is doing it.

IGA: partial. Entra ID has some IGA capability built in: access reviews in the P2 tier, and lifecycle workflows in the Entra ID Governance add-on license. Most mid-market companies don't have it licensed or configured. The work happens manually, or it doesn't happen at all.

PAM: partial. Entra ID P2 includes PIM, which does just-in-time elevation for Entra ID roles (and Azure resource roles). It doesn't do credential vaulting for on-prem service accounts or session recording for Linux SSH sessions. If you're a Microsoft shop with mostly cloud admin work, PIM is enough. With a complex on-prem footprint, you'll need a dedicated PAM tool.

The mistake mid-market companies make is buying an enterprise IGA platform that includes light PAM features, paying for both, and then using neither properly. Or worse, ignoring all three and hoping the audit goes well. We wrote about that pattern in why most IGA solutions are overkill for sub-500-person companies.

The order of operations

For most companies under 1,000 employees, the priority order is:

  1. Lock down IAM. MFA on everyone, Conditional Access policies, no shared accounts. This is table stakes.
  2. Build IGA. Joiner-mover-leaver automation, quarterly access reviews, audit reporting. This solves the "where did this access come from" question.
  3. Layer PAM where it matters. Privileged Identity Management for admin roles. Vaulting and session monitoring only if you have a real on-prem footprint that demands it.
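The two governance checks this post keeps coming back to, "did the leaver actually lose access" (step 2) and "is anyone holding a privileged role permanently instead of through PIM" (step 3), are mechanical enough to script. The example below is added here and is not code from the post or from Adcyma. It works over three constructed exports (an HR roster, a directory user list, and a role assignment list in PIM's permanent/eligible terms); the field names, the `PRIVILEGED_ROLES` list, and the 90-day idle threshold are assumptions you would replace with your own.

```python
"""Added example (not from the post or Adcyma): a minimal joiner-mover-leaver
and standing-privilege reconciliation over constructed sample data.

The inputs model three exports you can pull from real systems:
  - an HR roster (source of truth for who is employed),
  - a directory user export (Entra ID / AD style: enabled flag, last sign-in, type),
  - a role assignment export (role name, principal, permanent vs eligible).
All three are constructed inline so the script runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: an illustrative privileged-role list. Your real scope should come
# from your PIM/PAM role inventory, not from this constant.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Exchange Administrator", "User Administrator"}


@dataclass(frozen=True)
class HrRecord:
    upn: str
    status: str                  # "active" or "terminated"
    end_date: date | None = None


@dataclass(frozen=True)
class DirUser:
    upn: str
    enabled: bool
    user_type: str               # "Member" or "Guest"
    last_sign_in: date | None


@dataclass(frozen=True)
class RoleAssignment:
    upn: str
    role: str
    assignment_type: str         # "permanent" or "eligible" (PIM terminology)


def find_forgotten_leavers(hr, users, today):
    """IGA leaver check: accounts still enabled although HR marks the person
    terminated, plus enabled member accounts HR has never heard of (orphans)."""
    hr_by_upn = {r.upn: r for r in hr}
    findings = []
    for u in users:
        if not u.enabled:
            continue
        rec = hr_by_upn.get(u.upn)
        if rec is None and u.user_type == "Member":
            findings.append((u.upn, "enabled member account with no HR record"))
        elif rec is not None and rec.status == "terminated":
            days = (today - rec.end_date).days if rec.end_date else None
            findings.append((u.upn, f"enabled {days} days after HR termination"))
    return findings


def find_dormant_accounts(users, today, max_idle_days=90):
    """Access-review input: enabled accounts with no sign-in within
    max_idle_days. An account that has never signed in counts as dormant."""
    cutoff = today - timedelta(days=max_idle_days)
    return [u.upn for u in users
            if u.enabled and (u.last_sign_in is None or u.last_sign_in < cutoff)]


def find_standing_privilege(assignments):
    """PAM check: privileged roles held permanently rather than as
    PIM-eligible (just-in-time) assignments."""
    return [(a.upn, a.role) for a in assignments
            if a.role in PRIVILEGED_ROLES and a.assignment_type == "permanent"]


# Constructed sample data: no real tenant, people or accounts.
TODAY = date(2026, 5, 16)
HR = [
    HrRecord("anna@example.com", "active"),
    HrRecord("erik@example.com", "terminated", date(2026, 3, 1)),
    HrRecord("sara@example.com", "active"),
]
USERS = [
    DirUser("anna@example.com", True, "Member", date(2026, 5, 15)),
    DirUser("erik@example.com", True, "Member", date(2026, 2, 27)),   # leaver, still enabled
    DirUser("sara@example.com", True, "Member", date(2026, 1, 10)),   # employed but dormant
    DirUser("svc-backup@example.com", True, "Member", None),         # orphan service account
    DirUser("guest_ext@partner.com", False, "Guest", None),          # disabled guest, ignored
]
ASSIGNMENTS = [
    RoleAssignment("anna@example.com", "Global Administrator", "eligible"),
    RoleAssignment("svc-backup@example.com", "Exchange Administrator", "permanent"),
    RoleAssignment("sara@example.com", "Global Reader", "permanent"),
]


def run_report(hr=HR, users=USERS, assignments=ASSIGNMENTS, today=TODAY):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "forgotten_leavers": find_forgotten_leavers(hr, users, today),
        "dormant": find_dormant_accounts(users, today),
        "standing_privilege": find_standing_privilege(assignments),
    }


if __name__ == "__main__":
    for section, rows in run_report().items():
        print(f"== {section} ==")
        for row in rows:
            print("  ", row)
```

On the sample data the leaver check flags the terminated user who is still enabled and the orphan service account, the dormancy check flags the employed-but-idle user and the never-signed-in service account, and the privilege check flags the service account's permanent Exchange Administrator role. Treating "never signed in" as dormant is a deliberate choice: such accounts are the ones nobody will notice if they are abused.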

Don't skip step two for step three. Many breaches don't start with a sophisticated attack on an admin account. They start with a forgotten employee account that still had access. PAM protects the admins. IGA protects everyone else, and that's where most of the accounts, and most of the risk, live.

Where Adcyma fits

Adcyma is an IGA tool. We don't pretend to be PAM. We don't pretend to replace Entra ID's IAM. We sit in the IGA gap that Microsoft's tools cover unevenly at mid-market sizes. Joiner-mover-leaver workflows, access reviews, audit reporting for SOC 2, ISO 27001, and NIS2. If that's the gap you're trying to fill, Adcyma is free for up to 25 users.


Try Adcyma for free, no credit card needed.

Set up identity governance for your Entra ID or Active Directory environment in less than a day.