SailPoint Identity Security Cloud Licensing Guide: Pricing, Models, and Negotiation

SailPoint's Product Architecture: IdentityIQ vs Identity Security Cloud

SailPoint has two primary identity governance product lines. IdentityIQ (IIQ) is the legacy on-premise or private cloud deployment platform — the product that established SailPoint's market leadership in identity governance over more than a decade. Identity Security Cloud (ISC) is the multi-tenant SaaS platform — cloud-native, with automatic upgrades, AI-driven governance capabilities, and the architecture that SailPoint's product roadmap is built around.

SailPoint's strategic direction is unambiguous: ISC is the future, and IIQ is the present that will be managed toward end of life over the coming years. SailPoint has not announced an IIQ end-of-life date, and the platform remains supported for current customers. However, new feature development, AI capabilities, and the Navigators pricing innovation are all ISC-first initiatives. For organisations evaluating identity governance platforms for the first time, IIQ is no longer a commercially viable primary choice. For existing IIQ customers, the migration question is not whether to move to ISC but when and on what terms.

ISC Licensing Fundamentals: The Identity-Based Model

Identity Security Cloud is priced per identity, per year. An "identity" in SailPoint's licensing model is a managed identity — a human user (employee, contractor, partner) or a non-human identity (service account, machine identity, bot) that is governed through the ISC platform. This is the primary commercial metric from which all ISC pricing flows.

The identity count drives both tier selection (Standard, Business, or Business Plus) and volume discount positioning. Understanding your identity count accurately — including non-human identities, which many organisations underestimate — is the foundational requirement for any ISC commercial conversation. Organisations that present an inaccurate (typically understated) identity count to SailPoint during initial negotiations regularly encounter identity count true-ups that significantly increase the first-year cost.

What Counts as an Identity

SailPoint's identity definition is broader than most organisations initially assume. Employee identities are straightforward — all permanent and temporary employees with an active directory account. Contractor identities are typically included: extended workforce members with system access managed through ISC. Service accounts are the most frequently underestimated category: privileged and non-privileged service accounts used by applications, integration processes, and automation workflows count as identities and can represent 30 to 60 percent of total identity counts in technology-heavy organisations. Machine identities — certificates, API keys, and similar non-human credentials — are an emerging category that some ISC configurations capture, with pricing implications that should be explicitly negotiated in the ISC agreement.

Before entering commercial discussions with SailPoint, organisations should conduct a formal identity count exercise across all connected systems — active directory, HR system, privileged access management tooling, and API gateway logs — to establish an accurate baseline. This baseline is the foundation for both selecting the correct ISC tier and anchoring the commercial negotiation.

The ISC Tier Structure: Standard, Business, and Business Plus

ISC Standard

ISC Standard provides core identity lifecycle management, access certification, and basic role management capabilities. It is designed for organisations that need foundational identity governance — provisioning, deprovisioning, access review automation — without the advanced analytics and AI features of higher tiers. Standard is appropriate for organisations with relatively straightforward identity governance requirements: primarily employee identities, limited system complexity, and compliance-driven access review needs.

Standard is the entry point for most new ISC deployments, and it provides a functional capability set that exceeds what many organisations were using from IIQ unless they had deployed IIQ's advanced workflow, analytics, or AI capabilities. The upgrade path from Standard to Business or Business Plus is contractually defined and should be negotiated as part of the initial ISC agreement — the per-identity upgrade price negotiated upfront will invariably be more favourable than the price offered when the upgrade request is made from an embedded customer position.

ISC Business

ISC Business adds advanced analytics, SailPoint's identity intelligence capabilities, enhanced automation, and expanded application connectors. For organisations with complex access management requirements — multiple cloud platforms, hybrid environments, large contractor populations, or compliance mandates requiring detailed access analytics — Business provides the depth of capability that Standard lacks.

Business is the most commonly purchased tier for mid-to-large enterprise ISC deployments, because the analytics and automation capabilities it adds represent the primary business case for identity governance beyond basic compliance. Organisations that are migrating from IIQ with Advanced Analytics, IdentityAI, or complex provisioning workflows typically require Business tier to replicate their existing IIQ capability set.

ISC Business Plus

ISC Business Plus adds SailPoint's most advanced capabilities: predictive identity analytics, advanced AI-driven access recommendations, expanded non-human identity governance, and enterprise-grade SLA commitments with premium support. Business Plus is positioned for organisations with the most sophisticated identity security requirements — typically financial services, large healthcare organisations, technology companies managing extensive machine identity populations, and heavily regulated enterprises with complex access governance mandates.

The per-identity premium for Business Plus over Business is significant, and the business case must be built on specific capability requirements rather than a general preference for a higher tier. Organisations should evaluate whether the specific Business Plus capabilities (particularly the AI and non-human identity governance features) deliver sufficient incremental value to justify the price difference before agreeing to Business Plus.

Navigators: SailPoint's Flexible Pricing Innovation

In December 2025, SailPoint introduced the Navigators pricing model — a significant commercial innovation that creates a new purchasing pathway alongside the existing Standard/Business/Business Plus tier structure. Navigators is positioned as a flexible pricing model that gives customers greater choice in how they purchase and consume identity security.

The Navigators model is specifically designed to address two buyer groups: organisations that want to start with a narrower feature set and expand incrementally as their identity security maturity develops, and IdentityIQ customers transitioning to ISC who want to combine suite licensing with the specific capabilities needed to support migration without committing to a full ISC tier from day one.

Navigators - Modernization Flex

SailPoint has introduced a specific Navigators variant — Modernization Flex — that is purpose-built for IIQ-to-ISC migrations. Modernization Flex combines suite licensing (access to ISC's core capabilities) with flexible add-on capability purchasing that enables organisations to incrementally adopt ISC functionality in parallel with their existing IIQ deployment during the migration period.

For IIQ customers, Modernization Flex addresses a genuine commercial challenge: most migration programmes run IIQ and ISC in parallel for an extended period — sometimes twelve to twenty-four months — while business units are migrated and integrations are rebuilt on the ISC platform. Paying for both IIQ support and full ISC licensing during this parallel-run period is commercially inefficient. Modernization Flex is structured to provide ISC access during the migration period at a cost that reflects the transitional nature of the deployment, with the expectation that the customer transitions to a full ISC tier commitment upon migration completion.

The commercial terms of Modernization Flex — particularly the pricing relative to full ISC tiers, the duration of the migration period pricing, and the upgrade pricing on completion — are negotiable. Organisations should obtain detailed commercial modelling of the Modernization Flex terms versus a direct ISC tier commitment before choosing the migration commercial path.

IdentityIQ to ISC Migration: The Commercial Considerations

For the substantial installed base of IdentityIQ customers, the migration to ISC is the most significant SailPoint commercial decision they will make in the near term. SailPoint has designed its migration programme to be commercially attractive, including a free ISC upgrade programme that provides migration assessment, cost analysis, and TCO review at no charge. However, the commercial implications of the migration extend well beyond the initial assessment, and independent analysis is warranted before any commitment is made.

The IIQ Support Cost Trajectory

SailPoint's approach to IIQ support pricing over the coming years will be the primary commercial driver that moves IIQ customers toward ISC. SailPoint has not yet announced specific IIQ support price increases or an explicit end-of-life date, but the pattern observed across the enterprise software industry — where on-premise products receive reduced investment and increasing support costs as the vendor's strategic focus shifts to cloud — is the expected trajectory for IIQ. Organisations that do not migrate will likely face a combination of increased IIQ support costs, reduced feature development, and eventually a formal end-of-life announcement.

The timing of migration should therefore be governed by a combination of commercial factors (the IIQ support cost trajectory relative to ISC pricing) and operational readiness (the organisation's ability to migrate its IIQ integrations, customisations, and workflows to the ISC platform). Waiting for a crisis — a forced migration driven by IIQ end-of-life or an unacceptable support fee increase — is the least commercially advantageous position, because crisis-driven migrations compress the negotiation timeline and reduce leverage.

Migration Cost Components

The total cost of an IIQ to ISC migration includes several components beyond the first-year ISC subscription. Implementation and migration services — provided by SailPoint Professional Services, authorised SailPoint partners, or internal resources — are the largest variable cost component. For large, complex IIQ deployments (multiple business units, extensive custom connector development, complex workflow automation), migration services costs can range from $200,000 to $1 million or more depending on scope and complexity.

Data migration requires mapping IIQ's identity data model to ISC's data structures and migrating policy rules, access certification history, and application connectors. Not all IIQ connectors have direct ISC equivalents, and custom connector rebuild represents a significant effort for organisations with bespoke integrations. Training costs for the platform shift — IIQ and ISC have different administrative interfaces and workflow paradigms — and should be included in the migration budget alongside the licence and services components.

A complete migration TCO model should calculate the net present value of remaining on IIQ versus migrating to ISC at different timeline scenarios — migration now, migration in twelve months, migration in twenty-four months — incorporating assumptions about IIQ support fee trajectory, ISC subscription pricing, implementation costs, and the productivity and capability benefits of the ISC platform. This model is the quantitative foundation for the migration timing decision and the ISC commercial negotiation.

Competitive Alternatives: Where SailPoint's Position Is Challenged

SailPoint's ISC faces meaningful competition from Saviynt, One Identity (now Quest), Omada, and Microsoft's identity governance capabilities within Entra ID Governance. For organisations evaluating ISC as a new platform, understanding the competitive landscape is essential both for making the right platform choice and for creating the negotiation leverage that comes from having credible alternatives.

Saviynt is the closest functional competitor to ISC at the enterprise level, with a comparable cloud-native multi-tenant architecture, AI-driven analytics, and strong cloud infrastructure entitlement management (CIEM) capabilities. Saviynt competes aggressively on price with SailPoint and is particularly strong in heavily regulated industries (financial services, healthcare) that value its compliance automation capabilities. Organisations that include Saviynt in a formal evaluation — even without a firm intent to select it — demonstrate to SailPoint that the competitive risk is real, which materially affects SailPoint's commercial flexibility.

Microsoft Entra ID Governance (previously Azure AD Identity Governance) is the most significant competitive threat in Microsoft-centric environments. For organisations that have deployed Microsoft 365 at scale and are managing primarily Microsoft-native identities (Entra ID users, M365 groups, Azure RBAC roles), Entra ID Governance provides access lifecycle management, Privileged Identity Management (PIM), access reviews, and entitlement management at a significantly lower total cost than ISC — particularly when the Entra ID P2 licence is already in the estate. Organisations should evaluate whether their identity governance requirements extend beyond the Microsoft ecosystem before purchasing ISC, and ISC should be positioned against Entra ID Governance capabilities as part of any commercial negotiation with SailPoint.

ISC Negotiation Strategy: Key Principles

SailPoint is a sophisticated commercial organisation, and ISC negotiations require preparation equivalent to any major enterprise software commercial engagement. The primary negotiation principles that we apply in SailPoint advisory work reflect the dynamics of the platform, the competitive landscape, and the specific leverage points available to buyers.

Identity Count Accuracy as a Negotiation Asset

An accurate, independently prepared identity count is both a commercial protection mechanism (preventing future true-up costs) and a negotiation asset. When a buyer presents a precise identity count — broken down by category (employees, contractors, service accounts) — it demonstrates commercial sophistication and reduces the information asymmetry that SailPoint's sales team typically exploits. Buyers who present vague or estimated identity counts invite SailPoint to insert conservative (high) estimates that inflate the contract value.

Tier Selection as a Negotiation Lever

SailPoint's commercial teams are incentivised to sell Business and Business Plus over Standard. The tier selection conversation is therefore a commercial negotiation as much as a functional assessment. Buyers should conduct an explicit functional analysis of which tier capabilities they actually need — building the specific use case requirements against each tier's feature set — rather than allowing SailPoint to anchor the conversation on Business tier as the default. Starting the negotiation at Standard and moving up with justification is consistently more commercially effective than starting at Business and negotiating down.

Multi-Year Terms and Expansion Rights

SailPoint, like most enterprise SaaS vendors, offers meaningful commercial incentives for multi-year commitments. Three-year agreements typically carry 10 to 20 percent better per-identity pricing than annual agreements, and the annual price escalation provisions (typically 3 to 5 percent CPI-linked) are locked in at the multi-year agreement's starting rate rather than subject to annual renegotiation. For organisations that are confident in their ISC deployment trajectory, multi-year terms are generally the more cost-effective commercial structure.

Expansion rights — the pricing at which additional identities can be added during the contract term — should be negotiated as part of the initial ISC agreement. Identity counts in growing organisations expand over the contract term, and the incremental identity pricing agreed upfront is invariably better than the expansion pricing offered post-commitment. Similarly, the upgrade pricing from Standard to Business, or Business to Business Plus, should be established contractually at the time of initial purchase.

Professional Services Separation

SailPoint bundles professional services — implementation, integration, configuration — with some ISC proposals, presenting them as a packaged offering at a combined price. Independent negotiation of the licence and services components is almost always more cost-effective than accepting the bundled price. SailPoint's professional services rates are negotiable, and buyers should evaluate authorised SailPoint implementation partners (Accenture, Deloitte, specialised identity integrators) alongside SailPoint's own professional services team to establish competitive pricing for the implementation component.

Contractual Protections and Audit Rights

ISC agreements should contain explicit provisions governing identity count verification, audit procedures, and the mechanism for resolving disputes about whether a given account type constitutes a licensable identity. Service accounts, in particular, are a recurring area of ambiguity: SailPoint's definition of licensable identities can include service accounts that manage themselves or require no human intervention, and the contractual language on this point is often imprecise. Buyers should insist on clear definitional language in the agreement — specifying exactly which account types count against the licensed identity pool — before signature.

Price escalation caps are a further contractual protection that SailPoint agreements sometimes omit or express vaguely. The Navigators model introduced in December 2025 creates a degree of flexibility, but multi-year agreements should still carry explicit, contractually bound annual escalation caps (typically 3 to 5 percent) rather than language that allows SailPoint to escalate at its discretion at renewal. Organisations that have renewed ISC contracts without explicit caps have encountered renewal uplifts of 8 to 12 percent in the current SaaS inflation environment — materially higher than the CPI-linked increases they expected from the initial sales process.