SailPoint’s formal announcement of its intent to acquire Entro Security marks a pivotal moment for identity governance and administration programmes worldwide. The deal is not merely a product acquisition — it is a statement about the future scope of IGA. The discipline that was defined by human user provisioning, access certification, and role management is formally expanding its remit to include the governance of secrets, machine credentials, and the non-human identities that now constitute the majority of enterprise access transactions.
For IGA practitioners, the strategic logic of the acquisition is clear. Access governance programmes that govern human users while leaving non-human identities ungoverned are incomplete — and increasingly, demonstrably incomplete in ways that regulators, auditors, and boards are beginning to notice. Entro’s technology gives SailPoint the capability to extend IGA governance coverage to machine identities, closing the gap between what IGA programmes claim to govern and what they actually govern.
The practical implications are significant for access certification programmes in particular. Today, most access review processes focus exclusively on human user entitlements — reviewing who has access to what and whether that access remains appropriate. Entro’s technology enables a parallel process for non-human identities: reviewing which machine credentials exist, what permissions they carry, and whether those permissions are still justified by current operational requirements. This is access governance in its truest sense, extended to the full identity estate.
The acquisition also has implications for IGA programme metrics and reporting. CISOs and compliance teams that currently report on governance coverage statistics — percentage of users covered by access reviews, number of orphaned accounts remediated — will need to develop equivalent metrics for machine identity governance. How many service accounts have defined owners? What percentage of API credentials have been rotated within policy? How many machine identities have been provisioned without going through a formal governance workflow? These are the IGA metrics that the Entro acquisition makes it possible for SailPoint customers to begin tracking.
The market signal is unambiguous: IGA vendors that cannot govern machine identities will increasingly be positioned as partial-coverage platforms in a market that demands full-spectrum identity governance. SailPoint’s acquisition of Entro is its answer to that challenge.
Source: SailPoint