Does IAM have to be that hard?
Legacy identity management tools filled a real gap, but at a cost most organizations are still paying. Here is why we decided to build something new from scratch, and how we are doing it.
The gap no one talks about
HR systems know who works where. Entra ID knows who has access to what. But somewhere between those two truths, most organizations lose control of their identities. A new hire gets added in the HR system on Monday. By Wednesday, IT is still chasing provisioning tickets. By Friday, someone has manually copied attributes from a spreadsheet into Entra ID and hoped for the best.
The identity exists in both systems. It just does not connect.
This is the problem that Identity and Access Management was supposed to solve. For many organizations, it did, fifteen years ago, with tools like Microsoft Identity Manager. But those tools were built for on-premises directories, XML configuration files, and a world where identity meant one HR system feeding one Active Directory. They required dedicated server environments, deep specialization to operate, and weeks of consulting to configure.
The world moved on. The tooling did not.
The real cost of legacy IAM
The problem with legacy identity management is not that it stopped working. It is that it became impossible to live with.
Nobody dares to touch the configuration. The person who built it left two years ago, and the documentation is a 47-page Word document that was last updated in 2019. Every change request takes weeks because nobody is confident about what will break. Testing means running a sync in a staging environment that does not actually mirror production, then hoping for the best.
The tools themselves fight you. Desktop management consoles that only run on specific Windows versions. XML-based configuration that is unreadable to anyone who did not write it. Run profiles that need to be executed in the right order, manually, or the whole pipeline falls over. Want to make a change to how a single attribute is handled? That is a change request, a consultant engagement, and a three-week timeline.
And the operational overhead never stops. Dedicated sync servers that need patching. SQL databases that need maintenance. SharePoint portals that nobody uses but nobody dares to decommission. The infrastructure cost alone would surprise most CFOs if anyone actually added it up.
Organizations do not run legacy IAM because it works well. They run it because replacing it feels even harder than maintaining it.
Why this is getting worse, not better
The complexity is compounding. Organizations used to have one HR system feeding one directory. Today, a mid-sized company might have Simployer for employees in Norway, SAP SuccessFactors for the global workforce, Visma for contractors, a separate system for students or volunteers, and Entra ID as the target. Each source has its own schema, its own update cadence, its own definition of what “active” means. Legacy tools were never designed for this many moving parts.
Then layer on regulatory pressure. NIS2 in Europe now requires organizations to demonstrate that access rights match actual roles, that offboarding happens promptly, and that identity data flows are auditable. Try proving that with a system nobody fully understands and nobody dares to change.
And then there is the AI dimension. Agentic systems are requesting permissions, acting on behalf of users, making decisions that need to be governed. The identity layer that was already buckling under human users now needs to handle non-human identities too. Good luck adding that to a legacy deployment that takes three weeks to change a single rule.
Why we decided to build Identity Universe
At Fortytwo we have spent years deploying, extending, and troubleshooting these systems across enterprise environments. MIM, FIM, custom integrations, PowerShell scripts that someone wrote five years ago and nobody dares to touch. We know how painful they are because we have been the ones called in to fix them.
That experience taught us something: the fundamental problem with legacy IAM is not missing features. It is that the systems are too hard to operate, too hard to change, and too hard to understand. When your identity platform requires a specialist just to tell you what it is currently doing, something has gone wrong at the design level.
So instead of building another integration layer on top of aging infrastructure, we started from scratch. We took everything we have learned from deploying IAM for enterprises across different vendors and platforms, and asked: what would this look like if we built it today, for the people who actually have to operate it every day?
The answer is Identity Universe.
How we are building it
We are building Identity Universe iteratively, in two-week Scrum sprints, with a team that has deep IAM experience across multiple vendors and platforms. Every design decision is informed by real enterprise deployments, not theoretical architecture. If we have seen it break in the field, we build it differently.
Three principles guide every sprint:
Simple to operate, powerful underneath. Legacy IAM failed because it was built for consultants, not for the people who run it day to day. Identity Universe is built for the identity admin who needs to understand what is happening, make changes confidently, and go home on time. The complexity lives in the engine. The experience stays simple.
API and MCP first. The portal you see is one client. The identity engine underneath exposes every capability through open APIs and the Model Context Protocol (MCP), the emerging standard for connecting AI tools to live data sources. If you want to manage identity flows from your own tooling, plug operations into your CI/CD pipeline, or let an AI assistant query and govern identities directly, you can. We believe the best identity platform fits into your workflow, not the other way around.
AI from the start. We did not retrofit AI onto an existing product. It is built into how administrators interact with identity data. Ask a question in plain language, get a visual answer. Describe a group of users you want to collect, and the AI generates the filter criteria for you. No query syntax. No report builder. AI is not a feature in Identity Universe. It is an interaction model.
What this looks like in practice
The core of Identity Universe is the Identity Hub. It gives you a live, visual map of your entire identity pipeline: every source connector on the left, a central identity engine in the middle, and every target system on the right. Not a diagram in a PowerPoint deck. Your actual data, flowing in real time. You can see what is happening, understand what changed, and make changes without calling a consultant.

You can drill into any connector, browse its objects, build sync rules with a visual expression builder, and preview exactly what would change before committing. All in the browser.
AI is woven through the platform. The Copilot lets you ask questions about your identity data in plain language and get live visualizations back. “Show me active users” returns a chart, not a table you need to export and pivot.

Smart Collections replace the static group model with dynamic, criteria-based identity grouping. Define rules visually with nested AND/OR logic, or describe who should be included in natural language and let the AI generate the filter. Preview results before saving, so you always know exactly who is in scope.

Beyond that, Universe includes an Explorer for tracing access paths across your entire identity landscape, workflow automation triggered by identity lifecycle events, agent governance for managing non-human identities, and identity governance dashboards with organizational drill-down.
Extending Entra ID, not replacing it
We should be clear about positioning. Entra ID is the identity platform. The authentication, conditional access, and application integration that Microsoft provides are proven and mature. We are not competing with that.
What was missing is the lifecycle layer: getting the right attributes from the right sources into Entra ID, governed and auditable, at scale. Universe is that layer. A bridge from where your identity data lives to where it needs to work, with the power to handle enterprise complexity and the clarity to make it manageable.
Where we are headed
We are shipping Identity Universe iteratively and building in the open. Every sprint adds real capability based on what enterprises actually need, not a roadmap built in isolation.
If you are running a legacy IAM system today, or if you have given up and are managing identity flows with scripts and spreadsheets, this is worth following. We will be sharing deep dives into specific capabilities, architecture decisions, and migration scenarios in the coming weeks.
The question is not whether you need identity lifecycle management. It is whether it needs to be so hard.