
Is SaaS losing its shine? Rethinking IAM for security, flexibility, and control

Published: October 31, 2025. Created: October 31, 2025.

by Bill Brenner

The evolving problem space of identity and access management

Identity and access management (IAM) sits at the core of cybersecurity. Enterprises face increasingly complex challenges as they shift from traditional, on-premises models toward cloud-based and SaaS (Software as a Service) solutions.

The conversation highlighted several persistent problems: balancing security, flexibility, and regulatory compliance.

IAM is no longer just about managing user accounts—it now spans identity administration, access management, and privileged access management. A growing problem is the need to juggle multiple systems, each with unique requirements, spanning from legacy hardware to cloud assets. Organizations must also stay ahead of a continuously evolving threat landscape, where attackers target not only individual organizations but also service providers who can grant access to thousands of downstream customers when compromised.

Moreover, regulatory requirements such as GDPR and emerging country-specific rules around data residency and sovereignty have forced organizations to rethink their IAM strategies. Certain sectors, like military, government, or critical infrastructure, cannot rely on SaaS alone due to operational or legal requirements that mandate local control and robust auditability.

This has led to a hybrid reality: pure SaaS solutions aren’t always viable, and the pendulum is swinging back toward on-premises or mixed models that give organizations more direct oversight and flexibility.

Toward resilient, hybrid solutions

Addressing these IAM challenges requires a flexible and holistic approach that goes beyond a single vendor or technology stack, the panelists said. Forward-thinking organizations recognize that identity is the new perimeter and must be both highly secure and resilient.

Hybrid IAM architectures—combining SaaS for scalability and innovation with on-premises or private cloud components for critical needs—are becoming the best practice. Robust IAM involves several core pillars: having a centralized directory that can act as a unified source of identity truth, implementing consistent administrative workflows across environments, and building policy engines that adapt to changing regulatory demands.

Solutions must also accommodate intermittent connectivity and support reliable synchronization of identity data across distributed sites, ensuring operational continuity in disconnected or remote locations.

Crucially, organizations should embrace infrastructure-as-code and declarative identity models to enable rapid deployment, backup, and recovery of IAM environments. This minimizes downtime during incidents like ransomware attacks and accelerates compliance audits.

Tagging sensitive data with residency and regulatory metadata, and employing fine-grained policy controls, enable companies to maintain compliance even as environments become more distributed.

The future of IAM is not about one-size-fits-all products—it is about creating an adaptable, resilient infrastructure that meets today’s security, compliance, and operational demands. By focusing on foundational problems and adopting hybrid, policy-driven, and infrastructure-as-code solutions, enterprises can secure their digital identities in a complex and fragmented landscape.


https://www.scworld.com/resource/is-saas-losing-its-shine-rethinking-iam-for-security-flexibility-and-control