Difference Between Identity IQ and Identity Now Workflows: A Complete 2026 Guide
Understanding the difference between Identity IQ and Identity Now workflows is essential for SailPoint professionals, administrators, and organizations choosing the right identity governance platform. IdentityIQ workflows are highly customizable, code-driven, and designed for complex on-premises identity processes, while Identity Now workflows are cloud-native, low-code, and focused on faster automation and simplified administration. This complete 2026 guide compares workflow architecture, customization, approvals, integrations, maintenance, and real-world use cases to help you determine which SailPoint workflow solution best fits your business requirements, technical expertise, and long-term identity security strategy.
★★★★★
4.9/5 rated by 1329+ students · Google Verified
Table of Contents
Introduction
In Identity Governance and Administration (IGA), workflows are the quiet engine that keeps an enterprise secure. Every time an employee joins, changes roles, or leaves, a workflow decides who approves their access, what gets provisioned, and which records are logged for audit. Get those workflows right and access is fast, accurate, and compliant. Get them wrong and you end up with orphaned accounts, privilege creep, and failed audits.
SailPoint is the market leader in this space, and it ships two flagship platforms that handle workflows in very different ways. That is exactly why understanding the difference between IdentityIQ and IdentityNow workflows matters so much for architects, developers, and administrators planning a deployment or a career.
This guide breaks down both workflow engines from the ground up: their architecture, how you design and configure them, how approvals and customization work, real-world use cases, and how to decide which one fits your organization. If you are building these skills, our SailPoint Certification Training in Hyderabad covers both platforms hands-on, but this article stands on its own as a deep technical comparison.
Difference Between Identity IQ and Identity Now Workflows: A Complete 2026 Guide
What Are SailPoint Workflows?
A SailPoint workflow is an automated sequence of steps that runs whenever a specific identity event occurs. Think of it as a recipe: an event happens, the system follows a defined set of instructions, and an outcome is produced without manual effort.
Workflows sit at the heart of Identity Security Automation. Instead of an IT helpdesk manually creating accounts or chasing managers for approvals, the workflow engine handles it consistently and at scale. Common things SailPoint workflows automate include
- Provisioning workflows — creating, updating, and disabling accounts across connected applications.
- Access request workflows — routing a user’s request for an application or role to the right approvers.
- Approval workflows — gathering one or more sign-offs before access is granted.
- Certification workflows — periodic access reviews where managers confirm or revoke entitlements.
- Lifecycle management workflows — joiner, mover, and leaver events triggered by HR data.
Both IdentityIQ and IdentityNow can do all of the above. The difference lies in how they execute these processes under the hood, which shapes everything from development effort to long-term maintenance cost.
Overview of Identity IQ Workflow Architecture
SailPoint IdentityIQ (often shortened to IIQ) is the on-premises, software-deployed platform. You install it on your own servers or in your own cloud infrastructure (IaaS), running on a Java application server such as Apache Tomcat with a relational database behind it.
At the core of IdentityIQ workflow architecture is the Business Process Engine. In IIQ, a workflow is literally a “business process” object defined in XML. Each workflow is built from
- Steps — individual units of work (call a rule, send an approval, provision an account).
- Transitions — logic that decides which step runs next, often based on conditions.
- Approvals — built-in step types that route work items to approvers.
- Scripts and rules — BeanShell (a Java-based scripting language) embedded directly in steps for custom logic.
- Workflow libraries — reusable Java methods exposed to workflows.
Because logic lives in XML and BeanShell, IdentityIQ gives you near-unlimited control. You can write custom Java development, call external systems, manipulate identity data, and branch on almost any condition. Standard out-of-the-box processes such as LCM Provisioning, Identity Refresh, and certification generation are themselves workflows you can copy and modify.
The trade-off is complexity. This power demands developers who understand Java, XML, and the IIQ object model, and it means upgrades must account for every customization you have layered on. For a structured walk-through of how these modules fit together, see our explainer on SailPoint IIQ and IdentityNow modules.
Overview of Identity Now Workflow Architecture
SailPoint IdentityNow is the cloud-native, multi-tenant SaaS platform. Importantly, SailPoint has rebranded IdentityNow as Identity Security Cloud (ISC), built on the underlying SailPoint Atlas platform. Many teams still say “IdentityNow,” so we use both names here, but the workflow engine we describe is the modern ISC one.
The IdentityNow workflow architecture is fundamentally different from IIQ. There is no application server for you to manage and no XML business process objects to hand-edit. Instead, workflows are a managed cloud service built around three building blocks
- Triggers — the event that starts a workflow, such as Identity Created, Account Aggregation Completed, Access Request Decision, or Source Deleted.
- Actions — the work performed, such as Manage Access, Get Identity, Send Email, Create Campaign, or HTTP Request to an external API.
- Operators — logic steps that branch, compare values, or wait, controlling how data flows through the workflow.
You assemble these visually in the Workflow Builder, a drag-and-drop canvas, as described in SailPoint’s official Identity Security Cloud Workflows documentation. Behind the scenes everything is stored as JSON, which you can also import, export, and edit directly or manage through the Workflows API. This is the essence of cloud workflow automation: SailPoint runs the engine, patches it, and scales it for you. ISC even throttles very high-volume tenants, allowing a large number of executions per day before slowing the rate, so the platform protects itself automatically.
The trade-off here is boundaries. The visual model is fast and low-maintenance, but it works within the actions SailPoint provides. When you need behavior beyond those building blocks, you extend it through APIs and external services rather than dropping arbitrary Java into the engine.
Difference Between Identity IQ and Identity Now Workflows
If you remember one thing about the difference between IdentityIQ and IdentityNow workflows, make it this: IdentityIQ is a code-first, on-premises business process engine, while IdentityNow is a low-code, cloud-native trigger-and-action engine.
That single distinction ripples through every other decision
- Where it runs: IIQ workflows run on infrastructure you own and operate. IdentityNow workflows run as a SaaS service SailPoint manages.
- How you build them: IIQ uses XML plus BeanShell scripting, typically edited in a developer environment. IdentityNow uses a visual Workflow Builder plus JSON.
- Who builds them: IIQ workflows usually require Java-literate developers. IdentityNow workflows can be built by configuration-focused administrators with far less code.
- How they evolve: Customizations in IIQ must be carried forward through every version upgrade. IdentityNow improvements are delivered continuously by SailPoint with no upgrade project on your side.
- How far you can customize: IIQ allows almost any custom logic. IdentityNow keeps you within a curated, extensible set of actions and external API calls.
Neither approach is “better” universally. IIQ trades simplicity for control; IdentityNow trades unlimited control for speed and lower operational overhead. The right choice depends on your environment, your team, and your roadmap.
Identity IQ vs Identity Now Workflow Comparison Table
Feature | Identity IQ Workflows | Identity Now Workflows |
Deployment Model | On-premises or self-managed cloud (IaaS) | Multi-tenant SaaS (Identity Security Cloud) |
Workflow Design | XML business processes with BeanShell scripting | Visual drag-and-drop Workflow Builder backed by JSON |
Customization | Extensive, code-level, near-unlimited | Curated actions extended via APIs and external services |
Development Skills Required | Java, BeanShell, XML, IIQ object model | Low-code; JSON and REST API knowledge for advanced cases |
Approval Processes | Highly configurable multi-stage approvals in the engine | Configured in Access Request policies plus workflow actions |
Scalability | Scales with the infrastructure you provision and tune | Elastic SaaS scaling managed by SailPoint |
Maintenance | Customer-owned: servers, patches, tuning | Vendor-managed: SailPoint runs and updates the service |
Upgrade Impact | Planned upgrade projects; customizations must be retested | Continuous updates with no customer upgrade project |
Cloud Support | Hybrid; cloud-hosted but not natively SaaS | Cloud-native by design |
Integration Flexibility | Deep, code-driven integrations with any system | Connectors plus HTTP Request actions and the Workflows API |
Workflow Design and Development in Identity IQ
Designing workflows in Identity IQ is a development discipline. A typical project follows this pattern
- Model the business process. Map the joiner/mover/leaver or access-request flow, including who approves what and what gets provisioned.
- Build the workflow XML. Define steps, transitions, and variables. Most teams start from a standard SailPoint workflow such as LCM Provisioning and adapt it.
- Add logic with rules. Drop BeanShell scripts or reference reusable rules to handle conditions, data transformation, and custom decisions.
- Wire in approvals. Use approval step types to route work items, set escalations, and define fallback approvers.
- Test and deploy. Validate in a lower environment, then migrate the XML artifacts to production.
This model is why IIQ is famous for handling edge cases. Need an approval to branch based on a custom risk score pulled from an external API and then provision to a legacy mainframe? IIQ can do it. The cost is the specialized skill set and the discipline required to keep customizations clean. Mastering this is a core part of any serious curriculum — our SailPoint course syllabus dedicates significant time to IIQ workflow development.
Workflow Configuration in IdentityNow
Configuring workflows in IdentityNow feels more like assembling building blocks than writing software. The flow looks like this
- Pick a trigger. Drag an event such as Identity Created onto the canvas and optionally add a filter so the workflow only fires under specific conditions.
- Add actions. Chain steps such as Get Identity, Manage Access, Send Email, or HTTP Request.
- Insert operators. Use comparison and choice steps to branch, plus Wait steps when you need to pause for an external decision.
- Reference data between steps. Pull attributes from earlier steps into later fields using the variable selector.
- Test and enable. Run test executions, review logs, then switch the workflow on.
This low-code workflow design dramatically shortens the build cycle for common automation. An administrator can stand up a “notify the manager and create a ticket when a privileged account is deleted” workflow in an afternoon. For logic that exceeds the built-in actions, you reach out to external services through HTTP Request actions or orchestrate via the Workflows API — extending the platform rather than rewriting its engine.
Getting hands-on time in a live tenant is the fastest way to internalize this. Our SailPoint online training in Hyderabad walks you through building real IdentityNow workflows step by step.
Approval Process Differences
Approvals are where the two platforms feel most different in day-to-day use.
In IdentityIQ, approvals are first-class workflow steps. You can build complex multi-stage chains, conditional approvers, parallel and serial approvals, escalation timers, and electronic sign-off — all expressed in the workflow definition and tunable in code. This makes IIQ ideal for organizations with intricate governance rules that differ by application, geography, or risk tier.
In IdentityNow, much of the approval logic lives in the Access Request configuration (governance groups, approval schemes per access profile or role), while Workflows handle the surrounding automation and notifications. Because access-request decisions are asynchronous, a common pattern is to end one workflow and start another using the Access Request Decision trigger once a decision is made. It is cleaner and faster to configure, with less flexibility for exotic, deeply conditional approval chains.
The practical takeaway: if your approvals are standard, IdentityNow is faster to set up. If they are highly bespoke, IdentityIQ gives you room to model them precisely.
Customization Capabilities in Identity IQ and Identity Now
Customization is the clearest dividing line in SailPoint workflow customization.
- Identity IQ: You can change almost anything. BeanShell scripting, custom rules, custom workflow libraries, and direct manipulation of the object model mean there are very few “no” answers. This depth is invaluable for regulated industries and legacy-heavy estates.
- Identity Now: Customization is intentionally bounded. You combine SailPoint’s curated triggers, actions, and operators, and extend outward through REST APIs, event triggers, and external automation. The platform stays clean and upgrade-safe, but you respect the guardrails SailPoint sets.
A useful mental model: IIQ lets you customize inside the engine; IdentityNow encourages you to customize around the engine using its APIs and integrations.
Workflow Automation Features Comparison
Both platforms deliver strong SailPoint workflow automation, but the feel is different
- Event-based triggers: IdentityNow exposes a rich catalog of event triggers (identity, account, access request, aggregation, lifecycle state, and more) that you subscribe to. IIQ achieves similar outcomes through lifecycle events, tasks, and rules wired into its engine.
- Provisioning automation: Both automate account creation and removal across connectors; IIQ offers more granular, code-level control over provisioning plans.
- Certification automation: Both generate and route access reviews; IdentityNow adds AI-assisted recommendations to speed decisions.
- External integration: IdentityNow’s HTTP Request action and Workflows API make calling outside systems straightforward; IIQ integrates through custom connectors and Java.
- Scaling behavior: IdentityNow scales elastically as a managed service; IIQ scales according to how you size and tune your infrastructure.
Identity IQ Workflow Use Cases
IdentityIQ workflows shine when requirements are complex, regulated, or tied to legacy systems
- Large banks and insurers with highly conditional, multi-stage approval chains that vary by risk tier.
- Organizations with on-premises mandates for data residency or compliance.
- Estates with legacy or homegrown applications that need custom, code-driven provisioning.
- Complex certification campaigns with bespoke logic and reporting.
- Scenarios requiring deep manipulation of identity data during a lifecycle event.
Identity Now Workflow Use Cases
IdentityNow workflows excel when speed, simplicity, and cloud scale matter most
- Cloud-first organizations standardizing on SaaS applications.
- Fast, repeatable automations such as new-hire notifications, ticket creation, and account-deletion follow-ups.
- Event-driven integrations that push or pull data from external tools like ServiceNow or Slack via APIs.
- Teams that want governance value quickly without staffing a large IIQ development practice.
- Scaling enterprises that prefer SailPoint to own maintenance and upgrades.
Benefits of Identity IQ Workflows
- Unmatched flexibility to model any business process or approval logic.
- Full control over data, infrastructure, and security boundaries.
- Deep integration with legacy and custom applications.
- Mature ecosystem of standard workflows you can adapt rather than build from scratch.
High demand for specialists — IIQ developers remain among the best-paid SailPoint professionals.
Benefits of Identity Now Workflows
- Faster time to value with low-code, visual building.
- Minimal maintenance — no servers, patches, or upgrade projects.
- Continuous innovation delivered automatically, including AI features.
- Elastic scalability handled by SailPoint.
- Lower barrier to entry, so administrators (not just developers) can automate.
Why This Difference Matters
The contrast between these two workflow models is not academic — it changes the economics and risk profile of your whole identity program.
- Implementation projects: IIQ projects are development-heavy and longer; IdentityNow projects are configuration-led and typically faster.
- Development effort: IIQ needs Java and BeanShell expertise; IdentityNow needs configuration skill plus API knowledge for advanced cases.
- Maintenance costs: With IIQ you carry infrastructure and patching costs; with IdentityNow those shift to the SaaS subscription.
- Upgrade considerations: Every IIQ customization is a future upgrade liability you must retest; IdentityNow removes the upgrade project entirely.
- Scalability and business agility: IdentityNow flexes with demand automatically, while IIQ scalability depends on how well you architect and tune your environment.
Choosing without understanding this difference is how organizations end up over-engineering simple automations in IIQ, or hitting customization ceilings in IdentityNow that their requirements actually exceed.
Which Workflow Platform Should You Choose?
There is no universal winner, so match the platform to your reality
- Choose IdentityIQ if you have complex, highly conditional governance, on-premises or data-residency requirements, heavy legacy integration, and the developer talent to build and maintain it.
- Choose IdentityNow (Identity Security Cloud) if you are cloud-first, want fast time to value, prefer SailPoint to handle maintenance, and your processes fit a low-code model.
Many enterprises run a hybrid path — keeping IIQ for entrenched legacy governance while adopting IdentityNow for new cloud workloads, often migrating over time. That is precisely why employers value professionals fluent in both, a point we explore further in our look at SailPoint for cybersecurity careers.
If you want guided help mapping both platforms to your own environment, a structured program from a focused SailPoint training institute in Hyderabad shortens the learning curve considerably.
Identity IQ vs IdentityNow for Developers
For developers, the two platforms demand different toolkits.
Identity IQ rewards strong Java and BeanShell skills, comfort with XML configuration, and an understanding of the IIQ object model, rules, and workflow libraries. This is classic SailPoint development — powerful, deep, and in steady demand for enterprise SailPoint implementation projects.
Identity Now shifts developers toward REST APIs, JSON, event triggers, and integration engineering. Instead of editing the engine, you build services and automations that connect to it through the Workflows API. The official SailPoint Developer Community workflow documentation is the canonical reference for this approach.
If you are planning your learning path, our SailPoint course for beginners starts with fundamentals, while the SailPoint training for working professionals track focuses on production-grade development across both platforms.
Identity IQ vs IdentityNow for Administrators
Administrators experience the platforms differently too.
IIQ administrators manage servers, databases, application tuning, and the lifecycle of XML configurations. They work closely with developers because so much behavior is code-driven, and they own upgrade planning.
IdentityNow administrators spend their time in the cloud console — configuring sources, access profiles, roles, certifications, and workflows through the UI. With SailPoint handling the platform itself, admins focus on governance outcomes rather than infrastructure. This lower operational burden is a major reason organizations adopt the SaaS model. To see how this plays out in real classrooms, compare delivery formats in our guide to online vs classroom SailPoint training.
Future of Workflow Automation in SailPoint
The direction of travel is unmistakable: identity is moving to the cloud and becoming a security discipline, not just an administrative one.
The broader market backs this up. The global identity governance and administration market was valued at roughly USD 7.95 billion in 2024 and is projected to reach about USD 27 billion by 2033, with cloud deployments leading new adoption. SailPoint itself reflects the shift — in its public filings the company reported total annual recurring revenue of around USD 925 million with SaaS ARR growing far faster than legacy software, as detailed in its SEC registration filing.
Three trends will shape SailPoint workflow automation going forward
- AI-driven decisions: recommendations for access approvals and certifications, reducing reviewer fatigue and rubber-stamping.
- Identity security as a platform: SailPoint’s evolution from governance product to a unified identity security platform (Atlas) extends workflows beyond humans to machine and AI-agent identities.
- Standards alignment: stronger mapping to frameworks such as the NIST Digital Identity Guidelines (SP 800-63), which increasingly inform how enterprises design identity controls.
For professionals, demand for both IdentityIQ and IdentityNow skills remains strong. Legacy IIQ estates are not disappearing overnight, while IdentityNow adoption accelerates — so the most valuable engineers understand both. You can get a sense of earning potential in our breakdown of SailPoint salary in Hyderabad, and the full product context is covered by the official SailPoint Identity Security Cloud overview.
Conclusion
The difference between Identity IQ and Identity Now workflows comes down to a clear choice between control and convenience. IdentityIQ gives you a deeply customizable, on-premises business process engine for complex, regulated environments. IdentityNow gives you a fast, low-code, cloud-native automation service that SailPoint maintains and scales for you. One is code-first and powerful; the other is configuration-first and agile.
For organizations, the right answer depends on complexity, compliance, cloud strategy, and in-house talent — and increasingly, the smartest path is a hybrid that uses each platform where it fits best. For professionals, the conclusion is even simpler: learning both makes you genuinely future-proof in a fast-growing identity security market.
If you want hands-on mastery of both engines — from IIQ workflow development to IdentityNow’s Workflow Builder — explore our instructor-led SailPoint training in Hyderabad and build the skills employers are actively hiring for.
FAQ
1. What is the main difference between IdentityIQ and IdentityNow workflows?
The main difference is architecture: IdentityIQ workflows run on-premises as XML business processes with BeanShell scripting and allow deep customization, while IdentityNow workflows run in the cloud as a low-code, trigger-and-action service that SailPoint manages.
2. Is IdentityNow the same as Identity Security Cloud?
Yes. SailPoint rebranded IdentityNow as Identity Security Cloud (ISC), built on the SailPoint Atlas platform. Many practitioners still call it IdentityNow, but the workflow engine is the modern ISC Workflow Builder.
3. Which platform is easier to build workflows in?
IdentityNow is easier for most teams because its visual Workflow Builder uses drag-and-drop triggers and actions with minimal code. IdentityIQ is more powerful but requires Java, BeanShell, and XML skills.
4. Can IdentityNow workflows be customized like IdentityIQ?
Not in the same way. IdentityIQ allows code-level customization inside the engine. IdentityNow customization is bounded to its curated actions and is extended outward through REST APIs, event triggers, and external services rather than arbitrary code.
5. How do approvals differ between IdentityIQ and IdentityNow?
IdentityIQ models approvals as configurable workflow steps supporting complex, conditional, multi-stage chains. IdentityNow handles much approval logic in Access Request configuration, with workflows automating the surrounding notifications and follow-up actions.
6. Do IdentityIQ skills still matter if everything is moving to the cloud?
Yes. Large regulated enterprises continue to run IdentityIQ for complex, on-premises governance. IIQ developers remain in demand, and hybrid estates make dual fluency the most valuable skill set.
7. What programming knowledge do I need for SailPoint workflows?
For IdentityIQ you need Java and BeanShell plus XML. For IdentityNow you need configuration skills and, for advanced automation, JSON and REST API knowledge to work with the Workflows API and HTTP Request actions.
8. Can I migrate workflows from IdentityIQ to IdentityNow?
There is no automatic one-to-one conversion because the engines differ fundamentally. Migration means re-designing processes using IdentityNow triggers, actions, and Access Request configuration, and rebuilding complex custom logic as API-driven automation.
9. Which platform scales better?
IdentityNow scales elastically as a managed SaaS service. IdentityIQ can scale to large volumes too, but scalability depends on how well you provision and tune your own infrastructure.
10. Should I learn IdentityIQ or IdentityNow first?
Many learners start with IdentityNow because its low-code model is approachable, then add IdentityIQ for deep development skills. A structured program teaches both; explore common doubts in our SailPoint interview questions and answers and plan your next step with what to do after SailPoint certification.
SailPoint Trainer
SailPoint Masters Editorial Team | 15+ Articles Published
We specialize in SailPoint Certification Training in Hyderabad, helping aspiring professionals and IT experts develop in-demand Identity and Access Management (IAM) skills. Our training covers SailPoint IdentityIQ, Identity Security Cloud, certification preparation, real-world projects, and career guidance to support success in cybersecurity and identity governance careers.
Share