Opinion notes · Open Source · Security · AI Agents · Strategy

The CyberArk you don't have to buy

Completing an open-source identity stack with governance and privileged access — and why an AI coding agent finally makes it cheaper than CyberArk.

Open-source identity governance was never expensive software. It was cheap software with expensive plumbing. The licences cost nothing. The integration — wiring a governance engine into your directory, your certificate authority, your secret store — cost a multi-week engagement at consultant rates, and that bill quietly ate the savings. Every euro the licence saved, the plumbing spent. So small companies did the sensible thing and bought the enterprise product, or did nothing at all. “Identity governance” stayed a slide in a compliance deck.

That math just changed. The plumbing — compose files, Ansible roles, connector configs, the runbooks nobody wants to write — is exactly what a coding agent is good at. I’ve been finishing my own identity stack with Claude Code driving the build, and the part that used to make this a false economy is now the part that goes fastest. So here’s the hypothetical, with real numbers: what it takes to give a KMO (a small or mid-sized business, in Belgian terms) the governance and privileged-access controls an auditor actually asks for, without the CyberArk cheque.

What’s actually missing

I already run the boring, solid two-thirds: Authentik for single sign-on and MFA, Infisical for secrets, step-ca handing out SSH and TLS certificates that expire in minutes instead of standing keys that live forever. Authentication, secrets, credential issuance. Fine.

The two missing pieces are the ones that surface in an audit:

  • Governance (IGA). Who is entitled to what, who approved it, when it was last reviewed, and whether any of it breaks separation of duties. Today that’s nobody’s job. The directory knows the current state; nothing governs how it got there or proves it’s still right.
  • Privileged elevation (PIM). When I need root for twenty minutes, there’s no request-approve-expire path. I either hold standing privilege, or I hand-edit a group and forget to undo it.

The enterprise answer is well known: CyberArk for the privileged side, SailPoint for the governance side, a certified admin for each, and an annual cheque a KMO will not sign. So the KMO buys neither, and the gap stays open.

What it looks like

[Diagram: the governed identity plane, top to bottom]
  • Authoritative source: your M365 / HR, the joiner-mover-leaver feed
  • NEW: midPoint, the governance brain: lifecycle, access reviews, recertification, separation of duties, time-boxed privileged elevation; provisions over SCIM / LDAP / REST
  • Authentik, the runtime you already run: login, MFA, groups; OIDC, group → SSH principal → short TTL
  • step-ca: ephemeral SSH / TLS certs
  • OpenBao / Vaultwarden: secrets, rotation, passwords
  • Every layer streams its audit trail → Wazuh
The governed identity plane. midPoint governs who should have what; Authentik still logs people in; step-ca and the secret stores issue the actual credential. Every seam is an open standard.

One new component does the heavy lifting: midPoint, one of the very few open-source platforms that ship access-certification campaigns and separation-of-duties enforcement out of the box. It sits above the runtime as the governance brain. Your M365 is the source of truth; midPoint provisions into Authentik over open standards (SCIM, LDAP or REST); Authentik still handles the login. Nothing gets ripped out.

Privileged elevation falls out of the same design. You request a role in midPoint, an approver grants it for a window, and midPoint flips the matching Authentik group on for that window only. Because step-ca already mints SSH certificates whose principals come from your groups, the elevated principal shows up on the next certificate you request and stops being issued the moment the window closes. One caveat worth stating plainly: a certificate minted a minute before the window ends stays valid for its full TTL, and an SSH session already open is not cut off by the group change, so the real end of access is the window plus the certificate TTL. That is why those TTLs are minutes and not hours. The result is Entra PIM’s behaviour, built from parts you already own.
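The request-approve-expire path above, modelled as data so the timing is concrete. This is an added example, not code from the post or from midPoint, Authentik or step-ca: an approved window flips a group on, the group maps to an SSH principal, and every certificate carries whatever principals were active at issue time for a fixed TTL. The group names, the principal mapping, the 20-minute window, the 5-minute TTL and the timeline are all constructed for illustration; nothing here talks to a real system.

```python
"""Added example: a time-boxed elevation turning into SSH principals on short-lived certs.

Constructed for illustration; group/principal names, TTL and timeline are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical group -> SSH principal mapping (the job a CA's SSH template does
# from the identity provider's group claim in the real stack).
GROUP_TO_PRINCIPAL = {"ssh-users": "user", "ssh-root": "root"}


@dataclass(frozen=True)
class Elevation:
    """An approved request: `group` is active from `start` up to, not including, `end`."""
    group: str
    start: datetime
    end: datetime


@dataclass
class Identity:
    standing_groups: frozenset
    elevations: list = field(default_factory=list)

    def groups_at(self, t: datetime) -> frozenset:
        """Standing groups plus any elevation whose window covers t."""
        active = {e.group for e in self.elevations if e.start <= t < e.end}
        return self.standing_groups | active


@dataclass(frozen=True)
class SshCert:
    principals: frozenset
    valid_after: datetime
    valid_before: datetime

    def valid_at(self, t: datetime) -> bool:
        return self.valid_after <= t < self.valid_before


def issue_cert(identity: Identity, t: datetime, ttl: timedelta) -> SshCert:
    """The CA only sees the groups active at issue time; it never revisits a cert."""
    principals = frozenset(
        GROUP_TO_PRINCIPAL[g] for g in identity.groups_at(t) if g in GROUP_TO_PRINCIPAL
    )
    return SshCert(principals, t, t + ttl)


def can_login_as(certs, principal: str, t: datetime) -> bool:
    """What sshd decides: any unexpired cert listing the principal gets in."""
    return any(c.valid_at(t) and principal in c.principals for c in certs)


def real_end_of_access(elevation: Elevation, ttl: timedelta) -> datetime:
    """Worst case: a cert minted an instant before the window closes lives on for `ttl`."""
    return elevation.end + ttl


def scenario() -> dict:
    """Constructed timeline: a 20-minute root elevation with 5-minute certificates."""
    t0 = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)

    def m(minutes: int) -> datetime:
        return t0 + timedelta(minutes=minutes)

    ttl = timedelta(minutes=5)
    window = Elevation("ssh-root", m(0), m(20))
    alice = Identity(frozenset({"ssh-users"}), [window])

    certs = [
        issue_cert(alice, m(5), ttl),   # inside the window: carries root
        issue_cert(alice, m(19), ttl),  # last minute of the window: still carries root
        issue_cert(alice, m(21), ttl),  # after the window: root is gone from new certs
    ]
    return {
        "root_on_cert_inside_window": "root" in certs[0].principals,
        "root_on_cert_after_window": "root" in certs[2].principals,
        # The overhang: the 10:19 cert is valid until 10:24, four minutes past the window.
        "root_login_at_23": can_login_as(certs, "root", m(23)),
        "root_login_at_25": can_login_as(certs, "root", m(25)),
        "real_end": real_end_of_access(window, ttl),
        "overhang_minutes": (real_end_of_access(window, ttl) - window.end) / timedelta(minutes=1),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The only knob that shrinks the overhang is the certificate TTL; the approval window itself cannot, because the CA is never told to revoke what it already signed. That is the design argument for minute-scale TTLs in the stack above.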

The labour math

[Figure: the integration tax, halved. The shape of the build, plumbing vs judgment, not to scale. Traditional: most of the full build is plumbing (compose, IaC, connectors, docs) with a smaller slice of judgment (role model, SoD policy). With a coding agent: the agent eats most of the plumbing, the total is roughly half, and the judgment slice barely moves and stays human.]
The integration tax, halved. The agent absorbs the plumbing (compose, IaC, connectors, docs) while the governance design stays human.

Here’s the part that makes it add up. The build splits in two, and only one half is hard:

  Plumbing (the agent absorbs this)      Judgment (this stays yours)
  compose, Ansible, connector configs    the role and org model
  secret-engine and rotation wiring      the separation-of-duties policy
  audit wiring and dashboards            the recertification design
  docs, runbooks, tests                  the elevation and approval policy

The plumbing is the bulk of the work, and it’s exactly what the agent is good at. The judgment — the role model, the SoD policy — barely moves, and shouldn’t: that’s the part you never want a machine deciding. So the work doesn’t vanish. It changes shape: less typing, more deciding, and the total build roughly halves.

One condition, and it’s the real point. That halving isn’t magic from a chatbot. It assumes the base is already standing: a proper agent framework underneath, a fleet of domain sub-agents (identity, infra, network, secrets) wired into the infrastructure, with the tool contracts, the guardrails and the read-only-by-default safety already built. That base is itself an investment, and the first build pays for it; every project after is where the plumbing tax actually falls. Without that foundation you’re just back to typing, and the saving is only a promise. It’s the agent fleet doing the work — Claude Code is the hands, the fleet is the ground it stands on.

The software was always free. The plumbing was the bill — and that’s the part the agent pays down.

Against the proven world

To match the scope you’re not comparing against one product. You’re comparing against CyberArk and SailPoint together — privileged access on one side, governance on the other.

  What you’re comparing            Open stack (this plan)                    CyberArk + SailPoint
  Licensing                        €0 (EUPL / MPL / Apache)                  5–6 figures/year, quote-only
  Governance (IGA)                 Strong, certification + SoD (midPoint)    Strong, SailPoint is the leader
  Privileged elevation (PIM)       Strong, request / approve / expire        Strong
  Session recording / isolation    Moderate, Teleport or Devolutions         Hard to beat (PSM)
  Time-to-value                    Weeks (see the labour math)               Months of professional services
  Lock-in / exit cost              Minimal, open standards at every seam     High
  Data sovereignty                 Full, self-hosted, EU                     Depends on edition
  Auditor name-recognition         Lower, needs explaining                   High, they know the logo
  Fit for a KMO                    Excellent, modular, pay nothing           Poor, built for the enterprise

I won’t pretend the open stack wins everywhere. CyberArk’s session isolation and recording are genuinely better, its rotation library is deeper, and for a bank the auditor-recognition and the contractual SLA are worth the money. Three honest cons on my side: you own the glue — no supported midPoint-to-Authentik connector ships, so that seam is a build; session recording is the soft spot; and “we run midPoint and OpenBao” carries less weight in an audit than a logo, fair or not. This isn’t “CyberArk is bad.” It’s “CyberArk is priced for an organisation a KMO is not.”

What an auditor actually asks

Governance isn’t a vibe, it’s evidence — and the open stack produces exactly the artefacts a framework wants:

  • ISO 27001:2022 A.5.18 (access rights) and A.5.16 (identity lifecycle) — midPoint’s joiner-mover-leaver and recertification campaigns are the review-and-removal control, with a timestamped record of who reviewed what.
  • A.5.3 (separation of duties) — midPoint enforces SoD as policy and flags the conflict before it’s granted, not in next year’s findings.
  • A.8.2 (privileged access rights) — the request-approve-expire flow is the control, and every elevation is logged with a reason.
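What “flags the conflict before it’s granted” amounts to, as an added example that is not midPoint’s code: a pre-grant separation-of-duties check that evaluates the assignment as it would look after the requested grant, expands roles that include other roles so a conflict buried in the hierarchy is still caught, and refuses the request naming the offending pair and the assigned role that drags each half in. Conflicts the person already holds are left for the recertification campaign rather than blocking an unrelated request. The role hierarchy and the exclusion pairs are constructed for illustration.

```python
"""Added example: a pre-grant separation-of-duties check over a role hierarchy.

The hierarchy and the exclusion policy are hypothetical, constructed for illustration.
"""
from collections import deque

# Hypothetical role hierarchy: a role and the roles it includes.
ROLE_INCLUDES = {
    "finance-manager": {"ap-approver", "reporting"},
    "ap-approver": {"payment-release"},
    "ap-clerk": {"vendor-create", "invoice-entry"},
    "reporting": set(),
    "vendor-create": set(),
    "invoice-entry": set(),
    "payment-release": set(),
}

# Hypothetical SoD policy: pairs one person may not hold at the same time.
EXCLUSIONS = {
    frozenset({"vendor-create", "payment-release"}),
    frozenset({"invoice-entry", "payment-release"}),
}


def expand(roles):
    """Every role effectively held: the assigned ones plus all they include, transitively.

    Returns {effective_role: assigned_role_it_came_from} so a finding can name the culprit.
    """
    origin, queue = {}, deque((r, r) for r in roles)
    while queue:
        role, via = queue.popleft()
        if role in origin:
            continue
        origin[role] = via
        queue.extend((child, via) for child in ROLE_INCLUDES.get(role, ()))
    return origin


def conflicts(roles):
    """Exclusion pairs violated by an assignment, each with the assigned roles that cause it.

    Each entry is (role_a, assigned_via_a, role_b, assigned_via_b), sorted for stable output.
    """
    origin = expand(roles)
    found = []
    for pair in EXCLUSIONS:
        if pair.issubset(origin):
            a, b = sorted(pair)
            found.append((a, origin[a], b, origin[b]))
    return sorted(found)


def evaluate_request(current, requested):
    """Decide before the grant: ('allow', []) or ('deny', [new conflicts]).

    Only conflicts introduced by this request block it; pre-existing ones are a
    recertification finding, not a reason to refuse an unrelated role.
    """
    before = set(conflicts(current))
    after = conflicts(set(current) | {requested})
    new = [c for c in after if c not in before]
    return ("deny", new) if new else ("allow", [])


if __name__ == "__main__":
    # A clerk who can create vendors and enter invoices asks for finance-manager,
    # which quietly includes payment-release two levels down.
    print(evaluate_request({"ap-clerk"}, "finance-manager"))
    print(evaluate_request({"reporting"}, "ap-clerk"))
```

The thing to notice is that `payment-release` never appears in the request: it arrives via `finance-manager` → `ap-approver`, which is exactly the kind of conflict a directory snapshot does not show and a yearly review finds late.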

That matters more each quarter, because NIS2 pulled a lot of mid-sized companies into scope and made management personally accountable for precisely these measures — access control and privileged access among them. The open stack doesn’t just tick the box; it generates the audit trail that proves the box is true. A recertification campaign you can hand an auditor is worth more than a product logo you can’t explain.

The bill

Hardware, for a single host that virtualises the whole stack — and close to €0 incremental if you already run a hypervisor:

  Item                                            Single node   HA (3-node)
  Compute host (≈8 core / 64 GB / 2×1 TB NVMe)    €2,500        €7,500
  UPS + backup target                             €800          €1,000
  Capex                                           ~€3,300       ~€8,500

Then the five-year picture, which is where it stops being close:

  Line                          Open stack                                   CyberArk + SailPoint
  Software licensing (5 yr)     €0 (±€2–5k/yr optional support)              ~€400k+
  Build / implementation        your own time, roughly halved by the agent   a full professional-services engagement
  5-year total (illustrative)   ~€60k                                        ~€500k+

Most of that open-stack total is your own engineering time, not money leaving the building — and that time is now half what it was, because the agent wrote the plumbing while I did the thinking. (Numbers are illustrative and order-of-magnitude; CyberArk pricing is quote-only, so those figures are third-party-reported ranges, not a quote.)

So why build it like this

Same rule I keep coming back to: build like you’ll have to leave. Every seam here is a standard, every box swappable, the data yours and in the EU. If midPoint disappoints, you swap the governance brain without touching Authentik. If a client outgrows the open PAM, CyberArk bolts onto the same governed identity — because the governance was never the lock-in. It’s the same seam I use to hand an AI agent the keys safely, one layer up.

It’s not anti-vendor. It’s pro-exit. And the thing that finally makes it pay for a KMO isn’t new software — it’s that the plumbing tax, the quiet killer of every open-source IAM business case for a decade, just got cut in half by an agent that’s happy to write the boring parts while you design the ones that matter.

Hypothetical, for now. But the math is the math.