On-Premises vs Cloud IGA: Where Should You Deploy Your Identity Security Platform?

Choosing where your identity governance and administration (IGA) platform should be deployed is harder than it first appears. At a glance, the choice between on-premises and cloud IGA looks like a simple technology preference. In practice, it determines how much control you keep over identity data, how confidently you pass audits, how you integrate with the rest of your environment, and how well your security controls hold up as your organization grows.

Over the last decade, many organizations moved rapidly toward cloud services under the assumption that the cloud is always simpler, more cost-effective, and modern. Yet recent data from Broadcom’s Private Cloud Outlook 2025 report shows that 69% of organizations are now considering moving workloads back to private infrastructure, with security and control as primary drivers.

This article explores the pros and cons of each model and provides a framework to help you determine what fits your organization’s needs.

Understanding the deployment models

On-premises IGA means the governance platform runs in your data center on infrastructure you control. This doesn’t limit what it can govern, as modern on-premises IGA integrates seamlessly with cloud applications, SaaS platforms, and hybrid environments while keeping the governance layer inside your environment.

Cloud IGA (SaaS or IDaaS) runs entirely on vendor infrastructure. The platform lives in the vendor’s environment while managing identities across your systems. You configure policies while the provider manages servers, availability, and updates.

The advantages of on-prem

Complete control over your identity security
Your IGA platform acts as the “keys to your kingdom,” governing who can access what across your entire digital ecosystem, and why. When the keys are in your pocket, you control security, availability, and custody over your identity data and operations.

Full flexibility for unique workflows
Every organization has unique identity processes. On-premises IGA lets you customize workflows, access approval paths, policy rules, and reporting to match your exact requirements. You can build custom connectors for proprietary systems, create specialized identity governance and administration processes for complex organizational structures, and tailor compliance reporting to your specific regulatory needs.

Straightforward regulatory compliance
Regulations such as HIPAA, NIS2, and GDPR require explicit evidence of data residency, access controls, and auditability. On-premises deployment makes audits easier because data stays inside your infrastructure without relying on vendor certifications. When auditors ask where identity data resides and who can access it, you provide direct evidence rather than interpreting the vendor’s compliance attestations.

Integration with everything you run
Many enterprise applications were not built for the cloud era. On-premises IGA supports these systems without complex workarounds, whether connecting to legacy mainframes, an on-premises Active Directory, or modern cloud applications simultaneously. You control integration architecture without exposing internal systems to external networks.

Offline capability
On-prem IGA does not require internet access to function unless you want to manage SaaS and other cloud applications. It can run fully inside isolated or air-gapped networks, which is a requirement in many government and critical infrastructure environments.

Predictable long-term costs
Capital investment into servers, subscriptions, and support means costs remain stable over five to ten years. You avoid per-user pricing that compounds with growth, usage-based billing, and subscription increases that can double costs over time. For organizations planning long-term budgets, this predictability matters.

Trade-offs of on-prem:
You need specialists for maintenance, upgrades, and patching. Upfront investment typically exceeds cloud alternatives, which can slow initial deployment. Your team owns responsibility for the platform’s uptime and upgrades, which represents essential control for some organizations and overhead for others. Scaling capacity is under your control rather than automatic, but increases in user volume are typically handled with configuration and resource tuning rather than re-architecture.

The advantages of cloud IGA

Minimal infrastructure burden
The vendor handles platform operation, upgrades, and patches. For organizations without deep technical teams or those prioritizing speed, this removes infrastructure management entirely.

Faster deployment
Cloud IGA often reduces the initial implementation timeline by eliminating the need for hardware procurement and internal server configuration. This is helpful for compliance deadlines or audit remediation requiring immediate governance capability.

Easier scalability
Add 500 or 5,000 users through configuration changes without capacity planning, buying new hardware, or physical infrastructure expansion. The platform automatically scales to accommodate growth, acquisitions, and seasonal workforce changes.

Continuous updates
Security patches and features deploy automatically without your team managing version upgrades or testing cycles. This simplifies maintenance and ensures the platform stays up-to-date.

Dynamic pre-built integrations for SaaS
Cloud IGA vendors maintain extensive connector libraries optimized for cloud-to-cloud communication for major SaaS applications like Office 365, Salesforce, Workday, and ServiceNow, which simplifies onboarding cloud systems.

Trade-offs of cloud deployment:
Your governance data is in a multi-tenant infrastructure alongside other organizations. You trust vendor security practices for the system controlling everything else. Customization is limited to vendor-provided features – you cannot modify core workflows or build custom integration logic. Outages stop your governance operations regardless of whether managed systems remain available. Internet connectivity is mandatory; you cannot operate during network disruptions. Per-user pricing, premium features, and API charges compound as you scale, with costs potentially doubling initial projections.


The cloud repatriation reality check

According to Broadcom’s Private Cloud Outlook 2025 report surveying 1,800 IT leaders, 69% of organizations are considering moving workloads from the public cloud back to private infrastructure. One-third have already done so, with 66% expressing serious concerns about public cloud compliance. Nearly half believe more than 25% of their cloud spending delivers no value.

This trend extends to identity governance. Organizations are recognizing that the platform governing access to everything should not itself be governed by anyone else, but should remain an anchor point under their own control.

At Evolveum, we’ve built midPoint around the principle that critical governance infrastructure deserves direct control, even when the applications being governed are deployed across hybrid or cloud environments.

Making your decision: 8 critical questions to consider

Start with regulations
Questions to consider:

  • What do your specific regulations mandate about identity governance data storage?
  • Are there jurisdictional restrictions on where access policies and audit logs can reside?

For healthcare, critical infrastructure like the energy sector, and government, these requirements often make on-premises the clearest compliance path, regardless of where managed applications run.

Evaluate your customization needs
Questions to consider:

  • Do you have unique identity workflows that don’t fit standard patterns?
  • Do you need specialized approval logic, custom reporting, or integration with proprietary systems?

If your processes are highly specialized, on-premises provides flexibility that cloud vendors cannot match. If you can work within standardized workflows, cloud simplicity may be adequate.

Assess workforce distribution
Questions to consider:

  • Where do your identity administrators, security teams, and approvers work?

If they’re highly distributed or remote, cloud IGA can provide easier access with its native internet accessibility. If they’re centralized or work primarily on-premises, the accessibility advantage diminishes.

Map your integration landscape
Questions to consider:

  • What percentage of the systems your IGA must govern is on-premises versus cloud?
  • How many require direct database connections or are on isolated networks?

List the systems your IGA must govern. If most are on-premises using traditional protocols, cloud IGA forces architectural compromises. If most are modern SaaS applications, cloud integration may be simpler.

Consider connectivity requirements
Questions to consider:

  • Can you tolerate governance operations stopping during internet outages?
  • Do you operate air-gapped or isolated environments?

If continuous operation without the internet is critical, on-premises is the only viable option.

Assess operational capabilities
Questions to consider:

  • Can your team operate the governance platform infrastructure?
  • Do you have skills for maintenance, backup, and security?

If these capabilities don’t exist and building them doesn’t align with core competencies, the cloud removes platform complexity. You’ll still need expertise for policy configuration regardless of the deployment model.

Calculate the true five-year cost
On-premises includes hardware for the governance platform, licenses, subscriptions, personnel, and operational costs. Cloud includes subscriptions, licensing fees per user, premium support, and potential price increases. Consider that per-user pricing in SaaS models means your governance costs scale directly with organizational growth.

Evaluate risk tolerance
Questions to consider:

  • If your cloud provider experiences an extended outage, can you function without provisioning users, reviewing access, or running compliance reports?
  • What if they suffer a breach exposing your governance data?

Critical infrastructure, financial institutions, and healthcare typically cannot absorb these risks because the governance layer is too fundamental to outsource.

When to choose each model

[Figure: On-prem vs cloud IGA deployments]

Choosing what fits your organization

Identity governance sits at the foundation of your security architecture. The location of the IGA platform determines who controls the system that manages access across your environment. Cloud IGA offers speed and operational simplicity. On-premises IGA provides control, compliance clarity, customization, and stability.

Your Identity Governance and Administration platform protects the keys to your digital ecosystem. The question is: would you rather have the keys in your pocket or in a shared vault?



About Evolveum:
Evolveum is the EU-based company behind midPoint, the leading open source complete IGA suite recognized by Gartner and KuppingerCole. MidPoint gives organizations control, visibility, and efficiency to reduce identity risk, simplify compliance, and modernize identity operations.
