Identity pillar cost: SSO, MFA, PAM and governance pricing
Identity is the foundation of zero trust and consumes 30 to 40 percent of total programme budget. This page breaks down the cost of every identity sub-component, sizes the pillar by organisation size, lists the four most expensive design mistakes, and answers the legacy-app and service-account questions every CISO eventually faces.
The identity pillar in NIST and CISA terms
NIST SP 800-207 treats the subject's identity as a primary input to the Policy Engine, alongside device and asset state, resource requirements and threat intelligence. Identity in that spec is more than the user record: it includes the authentication strength, the session context, and any behavioural risk signals attached to the subject. The CISA Zero Trust Maturity Model v2.0 (April 2023) formalises identity as the first of five pillars and grades it across four maturity stages: Traditional, Initial, Advanced and Optimal. The Optimal stage expects phishing-resistant MFA and continuous validation of identity throughout the session rather than a point-in-time access decision.
In budget terms, identity consistently lands at 30 to 40 percent of total zero trust spend. The reason it dominates is structural: every other pillar depends on identity to make a meaningful access decision. A microsegmentation control without identity context is just IP-based firewalling under a new name. A device-trust signal without identity context cannot authorise the user behind the device. A data-classification rule cannot enforce role-based access without an identity to evaluate against. Under-investing in identity in Phase 1 makes every later pillar more expensive and less effective.
The pillar has seven cost-bearing components in practice. Single sign-on consolidates application access behind one identity provider. Multi-factor authentication proves possession of a second factor (a registered device, a one-time code, or, in the phishing-resistant variants, a hardware-backed cryptographic challenge bound to the site being logged into). Conditional access evaluates risk and context to decide whether to allow, challenge, or deny each request. Privileged access management contains the blast radius of compromised privileged accounts. Identity governance ensures access stays correct over time through reviews and attestations. Identity-aware proxies extend modern identity to legacy applications that cannot speak SAML or OIDC. Machine and workload identity applies the same access discipline to service accounts, APIs, and workload-to-workload calls. The seven components have wildly different price points and adoption sequences.
Cost by identity sub-component
Per-user per-month pricing for the seven identity components that drive zero trust spend. Pricing is market-typical from vendor public materials and aggregated negotiated-deal data; expect 15-35 percent discount at multi-year enterprise term.
| Component | List price range | Sized on | Notes |
|---|---|---|---|
| SSO with basic MFA | $3 - $7 / user / month | All workforce users | Often bundled into M365 or Google Workspace at low marginal cost. |
| Advanced identity (P2 tier) | $6 - $12 / user / month | All workforce, or risk-tier subset | Risk-based MFA, identity protection signals, PIM (just-in-time admin). |
| PAM | $15 - $40 / privileged user / month | Privileged users only (10-15% of workforce typical) | Privileged session recording, secrets vault, just-in-time elevation. Sized on privileged count, not total. |
| Identity governance (IGA) | $7 - $20 / user / month | Workforce within audit scope | Access reviews, entitlement management, lifecycle automation, attestations. |
| FIDO2 hardware keys | $25 - $50 / user one-time | Privileged accounts, federal contractors, optionally all | Phishing-resistant MFA hardware. OMB M-22-09 requires phishing-resistant MFA (PIV or FIDO2/WebAuthn) for federal agency staff. |
| Identity-aware proxy | $5 - $10 / user / month | Users accessing legacy apps | Fronts apps that don't speak SAML or OIDC. Cloudflare Access, Entra App Proxy, Google IAP. |
| Machine / workload identity | Variable, often per-secret or per-API call | Service accounts, workloads, APIs | Secrets vault, SPIFFE/SPIRE, mTLS infrastructure. Easy to underestimate. |
Identity pillar cost by organisation size
Year-one license, year-one total (including implementation), and steady-state ongoing annual cost. The total-cost gap between license and total is the professional-services and integration cost most CISOs underestimate.
| Organisation | Workforce | Year 1 license | Year 1 total | Ongoing / year | Notes |
|---|---|---|---|---|---|
| SMB | 100 users | $30K - $80K | $60K - $140K | $40K - $90K | Microsoft-bundled path lands at the lower end. Standalone identity vendor at the upper. |
| Mid-market | 500 users | $120K - $260K | $280K - $520K | $160K - $320K | Add PAM rollout in year one. Identity governance typically deferred to year two. |
| Enterprise | 2,000 users | $400K - $900K | $1.0M - $2.4M | $650K - $1.4M | Full stack: SSO, advanced identity, PAM, IGA, machine identity, lifecycle automation. |
| Large enterprise | 10,000+ users | $1.5M - $4.0M | $4.0M - $11.0M | $2.5M - $6.0M | Per-user licensing flattens (volume discount), but implementation cost scales with complexity. |
What to deploy in what order, and what each phase costs
Identity has a strict ordering for zero trust that experienced CISOs converge on. Skipping the sequence is the most expensive identity mistake. The order is: SSO consolidation, MFA on privileged accounts, MFA universal, then PAM, then IGA, then machine identity and legacy-app extension. Each step has a distinct cost profile and adoption pattern.
Step 1: SSO consolidation. Cost: $40K to $200K depending on application count. Timeline: 60 to 180 days. The most common SSO migration is fifteen to forty SaaS applications federated to a single IdP, with the line-of-business application owner doing the SAML or OIDC setup with vendor support from the IdP team. The cost is mostly internal engineering time, not licensing. The risk is that some applications charge an SSO surcharge (the so-called "SSO tax") that can add $5K to $25K per year per application. Audit application contracts before assuming SSO migration is free.
Step 2: MFA on privileged accounts. Cost: $5K to $40K, mostly hardware-key procurement and admin training. Timeline: 30 to 60 days. This is the highest-leverage zero trust control measured against cost. Microsoft's published analysis puts the share of automated account-compromise attacks (password spray, credential stuffing) blocked by any form of MFA above 99 percent. What conventional MFA does not stop is targeted phishing: adversary-in-the-middle toolkits such as Evilginx proxy the real login page and relay the one-time code or push approval in real time, and push-bombing wears users down into approving a prompt they did not initiate. Phishing-resistant MFA (FIDO2 hardware keys, passkeys, or Windows Hello for Business) defeats both, because the credential is bound to the relying party's origin and there is no code to type or prompt to approve. For privileged accounts, and for high-value targets such as finance and executive users, phishing-resistant MFA is no longer optional in any zero trust framework.
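The difference between relayable and phishing-resistant MFA is easiest to see in code. The following is an added example, not from the original page: it models an adversary-in-the-middle proxy relaying a TOTP code (accepted by the IdP) and relaying a WebAuthn-style assertion (rejected, because the browser stamps the phishing origin into the signed client data). The origins, RP ID, seeds and challenge are constructed; the HMAC "signature" stands in for the authenticator's ECDSA signature, which is enough to show the origin binding the real protocol relies on.

```python
"""Added example: why an AiTM proxy can relay a TOTP code but not a FIDO2/WebAuthn
assertion. All names, keys and origins below are constructed for the demo."""
import hashlib
import hmac
import json
import struct
import time

LEGIT_ORIGIN = "https://login.corp.example"        # assumed real IdP origin
PHISH_ORIGIN = "https://login.corp-example.com"    # assumed attacker proxy origin
RP_ID = "corp.example"                             # assumed relying-party ID


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, i.e. what an authenticator app computes."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def idp_verify_totp(secret: bytes, submitted: str, now: int) -> bool:
    """IdP side: accept the current or previous window. Nothing binds the code to
    the page the user typed it into, so a relayed code is indistinguishable."""
    return any(hmac.compare_digest(totp(secret, now - d), submitted) for d in (0, 30))


def aitm_relay_totp(secret: bytes, now: int) -> bool:
    # Victim types the live code into the phishing page; the proxy forwards it.
    code_typed_on_phish_page = totp(secret, now)
    return idp_verify_totp(secret, code_typed_on_phish_page, now)


def authenticator_sign(device_key: bytes, rp_id: str, challenge: str, origin: str) -> dict:
    """Browser + authenticator side. The browser, not the page, fills in the origin
    it is on and hashes the RP ID; the authenticator signs over both."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()          # rpIdHash
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(device_key, signed, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"clientData": client_data, "authData": auth_data, "sig": sig}


def rp_verify_assertion(device_key: bytes, assertion: dict, challenge: str) -> bool:
    """Relying-party side: the WebAuthn assertion checks, simplified."""
    cd = json.loads(assertion["clientData"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != LEGIT_ORIGIN:            # the check that kills AiTM relay
        return False
    if assertion["authData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["authData"] + hashlib.sha256(assertion["clientData"]).digest()
    expected = hmac.new(device_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def aitm_relay_webauthn(device_key: bytes) -> bool:
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"   # challenge the proxy fetched from the real IdP
    # The victim is on the phishing origin. The browser stamps that origin into
    # clientData and the authenticator signs over it; the proxy cannot rewrite the
    # origin without invalidating the signature. (A real browser would refuse the
    # call even earlier, because RP_ID is not a suffix of the phishing origin.)
    assertion = authenticator_sign(device_key, RP_ID, challenge, PHISH_ORIGIN)
    return rp_verify_assertion(device_key, assertion, challenge)


def legit_webauthn(device_key: bytes) -> bool:
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"
    assertion = authenticator_sign(device_key, RP_ID, challenge, LEGIT_ORIGIN)
    return rp_verify_assertion(device_key, assertion, challenge)


if __name__ == "__main__":
    seed, dev = b"totp-seed-demo", b"device-private-key-demo"
    now = int(time.time())
    print("TOTP relayed through AiTM accepted:  ", aitm_relay_totp(seed, now))   # True
    print("FIDO2 relayed through AiTM accepted: ", aitm_relay_webauthn(dev))     # False
    print("FIDO2 on the real origin accepted:   ", legit_webauthn(dev))          # True
```

The TOTP path shows why "MFA everywhere" is necessary but not sufficient for privileged accounts: the IdP has no way to tell that the code arrived via a proxy. The WebAuthn path rejects the same relay at the origin check before the signature is even examined.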
Step 3: MFA universal. Cost: $80K to $400K for a 500-user organisation, including per-user identity license uplift and end-user training. Timeline: 90 to 180 days. The training cost is real: help-desk teams consistently see a spike in MFA tickets in the first eight weeks after rollout, which subsides as user fluency builds. Plan for a 30 to 50 percent ticket-volume increase during the rollout window.
Step 4: PAM. Cost: $200K to $800K year-one for a mid-market deployment, including license, implementation, and privileged-account inventory work. Timeline: 60 to 180 days. PAM cost is dominated by professional services in year one, then by per-privileged-user license in years two and onward. Discovery of the privileged-account population is the most common cost overrun: most organisations find 30 to 60 percent more privileged accounts than they initially scoped.
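The privileged-account discovery overrun in Step 4 is mostly a nesting problem: the initial scope counts the users listed directly on the admin groups, while the real population includes everyone who reaches those groups through nested membership, service accounts included. The following is an added example (not from the page) that expands a constructed directory export transitively; the group and account names are hypothetical and the nesting is exaggerated to make the point.

```python
"""Added example: transitive expansion of privileged-group membership over a
constructed directory export. Names are hypothetical."""
from collections import deque

# Constructed export: group -> direct members. Groups carry a 'grp:' prefix,
# everything else is a user or service account.
DIRECTORY = {
    "grp:Domain Admins": ["alice", "bob", "carol", "grp:Tier0-Ops"],
    "grp:Enterprise Admins": ["alice"],
    "grp:Server Operators": ["hank", "ivan", "grp:Helpdesk-L2"],
    "grp:Tier0-Ops": ["dave", "grp:Infra-OnCall", "svc-backup"],
    "grp:Infra-OnCall": ["erin", "grp:Tier0-Ops"],       # nesting cycle
    "grp:Helpdesk-L2": ["frank", "svc-monitoring"],
    "grp:All-Staff": ["alice", "bob", "carol", "dave", "erin", "frank", "grace"],
}
PRIVILEGED_GROUPS = ["grp:Domain Admins", "grp:Enterprise Admins", "grp:Server Operators"]


def direct_members(directory, groups):
    """What a naive scoping exercise counts: users listed directly on the admin groups."""
    return {m for g in groups for m in directory.get(g, []) if not m.startswith("grp:")}


def effective_members(directory, groups):
    """Transitive closure over nested groups, cycle-safe. Returns user -> group path."""
    found, seen_groups = {}, set()
    queue = deque((g, [g]) for g in groups)
    while queue:
        group, path = queue.popleft()
        if group in seen_groups:          # breaks the Tier0-Ops <-> Infra-OnCall loop
            continue
        seen_groups.add(group)
        for m in directory.get(group, []):
            if m.startswith("grp:"):
                queue.append((m, path + [m]))
            else:
                found.setdefault(m, path)  # keep the first path found
    return found


def service_accounts(members, prefix="svc-"):
    """Service accounts that inherit privilege through nesting: the ones nobody
    scoped for PAM and nobody can put behind MFA."""
    return sorted(m for m in members if m.startswith(prefix))


def scope_overrun(directory, groups):
    direct = direct_members(directory, groups)
    effective = effective_members(directory, groups)
    extra = set(effective) - direct
    pct = round(100 * len(extra) / len(direct)) if direct else 0
    return {"direct": len(direct), "effective": len(effective),
            "extra": sorted(extra), "overrun_pct": pct}


if __name__ == "__main__":
    print(scope_overrun(DIRECTORY, PRIVILEGED_GROUPS))
    for user, path in effective_members(DIRECTORY, PRIVILEGED_GROUPS).items():
        print(f"{user:16s} via {' -> '.join(path)}")
    print("service accounts holding privilege:",
          service_accounts(effective_members(DIRECTORY, PRIVILEGED_GROUPS)))
```

Run this against a real export before signing the PAM licence: the `effective` count, not the `direct` count, is what the per-privileged-user pricing in the table above will be sized on, and the path printed for each account is what you hand to the PAM implementers as the inventory.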
Step 5: IGA. Cost: $150K to $600K year-one for a 500-user organisation. Timeline: 90 to 240 days. Identity governance benefits massively from being deployed onto a stable identity foundation. Without universal MFA and a clean SSO inventory underneath, IGA produces polished access-certification reports against weak underlying enforcement, which is theatre rather than governance.
Step 6: Machine and workload identity. Cost: variable, typically $100K to $500K per year for tooling plus a six to eighteen month engineering programme to rotate service-account credentials into short-lived tokens. Timeline: 12 to 36 months. This is the longest single workstream in identity zero trust and is routinely the gap that prevents organisations from reaching CISA Optimal-tier maturity.
Four ways to waste identity-pillar budget
These are the four identity-pillar over-spends that recur across mid-market and enterprise programmes.
Buying PAM before stabilising basic MFA
PAM rollouts depend on an accurate privileged-account inventory and on strong authentication to the PAM platform itself. Without MFA in front of it, the vault and its session-recording proxy are gated by a single password, so a phished credential hands an attacker the same checked-out privilege the platform was bought to protect, and policy authoring is still guessing at the account population. The sequence that consistently works: SSO consolidation, MFA on privileged accounts, MFA universal, then PAM.
Skipping joiner / mover / leaver automation
Manual lifecycle workflows cost roughly $400 - $1,200 per joiner / mover / leaver event when fully loaded with help desk, IT admin, manager attestation and audit-trail labour. For a 500-user organisation with 25 percent annual turnover, that is $50K - $150K per year, every year.
Treating service accounts as out of scope
Service accounts with static credentials are among the most common lateral-movement vectors seen in incident-response cases. Verizon's 2024 DBIR found stolen credentials in 38 percent of breaches. A service account outside identity governance is typically the longest-lived stolen credential in an environment: nobody rotates it, nobody reviews it, and it cannot perform MFA.
Buying identity governance before universal MFA
IGA platforms produce polished access-certification reports, but if the underlying access enforcement is weak, the reports are theatre. Sequence: enforce access first (SSO, conditional access, MFA), then certify it (IGA).
Identity zero trust for legacy apps and service accounts
The two questions every CISO faces once basic identity is in place. These are also the two queries our search-console data shows users genuinely searching for, in long verbatim form.
The hard case in identity zero trust is the long tail of applications and accounts that do not fit the modern identity pattern. Legacy applications often use form-based authentication or proprietary protocols and cannot speak SAML or OIDC. Service accounts authenticate with static long-lived credentials that cannot perform MFA. Both are excluded from the obvious zero trust controls, and both are routinely the highest-risk population in an environment. Verizon's 2024 Data Breach Investigations Report found that 38 percent of breaches involve the use of stolen credentials. Service-account and legacy-app credentials are disproportionately the ones abused in the lateral-movement phase: they are static, rarely rotated, and usually outside both MFA and access review.
For legacy applications, three patterns work. Identity-aware proxy places a reverse proxy in front of the app that handles authentication before traffic reaches the legacy back-end. Microsoft Entra Application Proxy, Google Identity-Aware Proxy and Cloudflare Access all do this. Cost: roughly $5 to $10 per user per month for users accessing the legacy app, plus a small per-app deployment effort (one to three days of engineering per app). Legacy modernisation rewrites or wraps the legacy app to speak modern identity protocols. This is the cleanest long-term answer but the highest-cost short-term path; budget for $50K to $500K per legacy app depending on its complexity. Compensating network controls wraps the legacy app in microsegmentation and ZTNA so that only authenticated identity-aware traffic ever reaches it, accepting that the app itself remains identity-blind. The compensating-control path is the cheapest in year one but the weakest in audit posture.
For service accounts, the dominant pattern is migration to short-lived credentials issued on demand from a secrets platform. HashiCorp Vault, AWS Secrets Manager, Azure Key Vault and CyberArk Conjur all support dynamic or automatically rotated credentials of this kind. The cost is mostly engineering time, not licensing: every service account is a discrete migration task with its own owner, its own consuming applications, and its own credential-rotation gotchas. A typical mid-market environment has 200 to 600 service accounts; allocating two to four hours of engineering per account works out to roughly 400 to 2,400 hours of effort, or $80K to $400K loaded. That is the budget line that does not appear on the licensing quote.
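Turning the service-account population into that per-account backlog is the first engineering task of the vault rollout. The following is an added example, not from the page: it triages a constructed service-account export into accounts already on short-lived credentials, accounts that can be scheduled for migration, and accounts that are blocked because nobody owns them, then sizes the effort with the two-to-four-hour estimate above. The CSV columns, account names and the risk-ordering heuristic are assumptions modelled on a typical directory export.

```python
"""Added example: triage a constructed service-account export into a secrets-vault
migration backlog. Column names, account names and dates are constructed."""
import csv
import io
from datetime import date

# Constructed export. 'auth' is how the account authenticates today.
EXPORT = """\
name,owner,pwd_last_set,never_expires,auth,privileged,consumers
svc-backup,,2019-03-11,true,static,true,3
svc-monitoring,ops-team,2024-11-02,false,static,false,1
svc-payments-api,fin-eng,2021-06-30,true,static,true,6
svc-ci-runner,platform,2025-01-15,false,dynamic,false,12
svc-legacy-erp,,2017-09-01,true,static,true,2
svc-reports,bi-team,2025-03-20,false,static,false,1
"""

AS_OF = date(2025, 4, 1)          # fixed 'today' so the example is deterministic
MAX_STATIC_AGE_DAYS = 90
HOURS_PER_ACCOUNT = (2, 4)        # the page's engineering estimate per account


def parse_export(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["never_expires"] = r["never_expires"] == "true"
        r["privileged"] = r["privileged"] == "true"
        r["consumers"] = int(r["consumers"])
        r["age_days"] = (AS_OF - date.fromisoformat(r["pwd_last_set"])).days
        rows.append(r)
    return rows


def classify(acct):
    """Returns (status, reason). 'blocked' means the task cannot even be assigned
    yet; 'migrate' goes on the backlog; 'ok' needs nothing right now."""
    if acct["auth"] == "dynamic":
        return "ok", "already on short-lived credentials"
    if not acct["owner"]:
        return "blocked", "no owner; nobody can approve the cutover"
    if acct["never_expires"] or acct["age_days"] > MAX_STATIC_AGE_DAYS:
        return "migrate", f"static credential aged {acct['age_days']}d"
    return "ok", "static but rotated recently"


def risk_score(acct):
    # Crude ordering heuristic (assumption): stale, privileged, widely consumed first.
    return acct["age_days"] * (3 if acct["privileged"] else 1) + 10 * acct["consumers"]


def build_backlog(text):
    rows = parse_export(text)
    tagged = [(a, *classify(a)) for a in rows]
    backlog = sorted((a for a, s, _ in tagged if s == "migrate"),
                     key=risk_score, reverse=True)
    blocked = [a["name"] for a, s, _ in tagged if s == "blocked"]
    n = len(backlog) + len(blocked)   # blocked accounts still need the work once owned
    return {
        "migrate": [a["name"] for a in backlog],
        "blocked": blocked,
        "hours": (n * HOURS_PER_ACCOUNT[0], n * HOURS_PER_ACCOUNT[1]),
    }


if __name__ == "__main__":
    for a in parse_export(EXPORT):
        status, reason = classify(a)
        print(f"{a['name']:18s} {status:8s} {reason}")
    print(build_backlog(EXPORT))
```

The `blocked` list is the part worth watching: ownerless accounts are the oldest credentials in most environments, and the owner hunt, not the vault integration, is usually what stretches the workstream toward the long end of the timeline.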
Mature programmes use all three approaches in combination: identity-aware proxy for the simple legacy apps, modernisation for the strategic ones, compensating controls for the doomed ones, plus a secrets-vault rollout for service accounts. Sequencing matters here too: start the secrets-vault rollout in parallel with universal MFA (Step 3 above) rather than holding it back as a separate later workstream, because the two share most of the same engineering team and benefit from the same change-management runway.
What the identity pillar buys you in risk-reduction terms
The identity pillar produces the single largest risk-reduction effect in zero trust per dollar of spend. The IBM 2024 Cost of a Data Breach report found that organisations with mature identity-and-access management controls paid $1.51 million less per breach on average and contained incidents 28 days faster than peers. Stolen or compromised credentials and phishing were the two most common initial-access vectors in that dataset; conventional MFA addresses the first, and phishing-resistant MFA addresses the second where conventional MFA falls short.
A useful back-of-envelope: for a mid-market organisation with a 2 to 4 percent annual breach probability, a $1.51 million reduction in breach cost is worth $30K to $60K per year in expected value. Set against a year-one identity-pillar cost of $280K to $520K and ongoing spend of $160K to $320K, that expected-value figure alone does not pay for the pillar: recovering the year-one cost would take roughly five to seventeen years even before counting the ongoing spend. The financial case rests on what the expected value understates: the tail risk of a single large breach (the $1.51 million is an average, not the worst case), the cyber-insurance and customer security-questionnaire requirements that increasingly make MFA and PAM a condition of doing business, and the operational benefits (productivity from SSO, help-desk reduction from self-service password reset, audit posture from IGA) that are real but harder to quantify.
Related cost references
Adjacent pages on this site and sister Digital Signet references for the controls identity depends on.