Where Identity Atlas Fits¶
How to place Identity Atlas against the tools buyers already know — and the through-line for "why this, and not the thing we already have?"
The short version: Identity Atlas sits in an empty seat between two mature categories. Governance suites know what access exists but keep their scoring closed. Attack-path and posture tools reason about why an identity is dangerous but aren't built for governance work. Identity Atlas does both — visible, explainable authorization intelligence with an open, extensible risk layer — and it's open source.
The two neighbouring categories¶
Identity Governance (IGA) suites — SailPoint, Saviynt, Omada, Microsoft Entra ID Governance. These provision and certify access: access requests, reviews, lifecycle. They increasingly include risk scoring and analytics, and they're strong at governance workflow. What they don't offer: an open model you can read and extend. The scoring is proprietary, and you consume a number rather than authoring the logic behind it.
Attack-path & posture tools — BloodHound / AzureHound, ROADtools, Cartography, ScoutSuite. These are excellent at collecting the graph and revealing why a principal is reachable or dangerous. They're often open source. But they're built for red teams and posture snapshots, not for the day-to-day governance question of "who has what, is it right, and has anyone reviewed it?"
Identity Atlas borrows the best instinct from each: the governance surfaces of the first (a role-mining matrix, IST-vs-SOLL, entity history) and the "explain the why" instinct of the second — then makes the why a queryable segment you can cross against access.
What's genuinely differentiated¶
Risk scoring itself is table stakes now — every serious platform has some. Two things are rarer, and they're where the story lives:
-
An open, explainable, extensible risk layer. Risk factors carry a human-readable reason, allow an analyst override with an audit trail, and — on the roadmap — can be extended with new scoring plugins rather than waiting on a vendor. Commercial suites keep this closed because it's their moat.
-
The reason a user is risky becomes a filter. "Admins who consented to a risky app" or "users with access to a critical system" aren't buried inside a score — they're segments you can scope the matrix to. That bridges the attack-path world's why with the governance world's what access, which no single product — open or closed — packages together today.
Is there anything open source like it?¶
Not squarely. The closest open-source neighbours solve a different job:
| Project | What it does | Why it isn't the same job |
|---|---|---|
| midPoint, Apache Syncope, OpenIAM | Open-source IGA — provisioning, reconciliation, policy | Change access; not built for authorization visibility & mining |
| BloodHound / AzureHound, ROADtools, Cartography | Graph & attack-path across Entra/cloud | Red-team / posture focus; no governance UX or matrix |
| Keycloak, Zitadel, Authentik | Login / SSO / token issuance | Access management, not governance analytics at all |
Identity Atlas occupies the seat between the first two rows — governance-grade understanding of access, open source, with an explainable risk layer that widens the gap rather than closing it.
Using this in conversation¶
- Against an IGA suite: "It complements what you have — we make the access visible and explainable, and our risk model is open, not a black-box score." Don't position as a rip-and-replace for provisioning; that's not the job.
- Against attack-path tooling: "Same why-is-this-risky instinct, but built for governance — a matrix, IST-vs-SOLL, history — not just a red-team snapshot."
- On open source: lean on it. Very few tools in this niche are open source at all, and none combine the matrix, mining, governance, and an extensible risk layer.
Guardrails¶
- Don't disparage. Name categories and honest trade-offs, not vendor put-downs. "Complementary," "different job," "closed vs. open" — never "worse."
- Complement, don't rip-and-replace. Identity Atlas reads and reasons about authorization; it doesn't provision. Positioning it as an IGA-suite replacement invites a comparison it isn't trying to win.
- The extensible risk-plugin layer is roadmap, not shipped. Describe it as a direction; the risk scoring that ships today is the LLM-assisted engine (key messages, proof points).
- It's a fast-moving space. Vendor marketing outpaces reality. Keep "no one else does this" as "we're not aware of a product that combines…" — accurate and still strong.
Sources: Product Brief, Key Messages, Proof Points, awesome-entra (ecosystem index), BloodHound, midPoint.