SailPoint TSA separation is the work of standing up a dedicated Newco identity governance tenant, rebuilding the connectors to Newco source systems, recreating the roles, policies, and certifications, and exiting the seller deployment before Newco access reviews keep running inside the seller governance layer. The work sits inside the broader carve-out advisory program and depends on identity separation finishing first, because governance sits on top of the directories and applications it reviews. Treated as an afterthought, it leaves Newco access uncertified and the seller able to see Newco entitlements.
SailPoint separation starts with an inventory of the seller deployment, whether it is IdentityIQ on premises or Identity Security Cloud as a service. The buyer needs the connected sources and which feed Newco systems, the identity profiles and which identities belong to Newco, the roles and access profiles, the certification campaigns, the provisioning and lifecycle policies, and the separation of duties rules. Governance is the control plane over access, so the inventory maps how the business proves who has what rather than a user list.
The seller runs Newco identities inside a shared governance deployment alongside the rest of the seller workforce. The clean end state is a dedicated Newco tenant, almost always Identity Security Cloud for a standalone business, contracted and administered by Newco. A shared seller deployment is acceptable only as a bridge during the TSA, because the seller controls the governance platform, sees Newco entitlements, and owns the certification record.
Target tenant strategy favors the cloud platform for most carve-outs because a standalone business rarely wants to operate IdentityIQ infrastructure. Where the seller ran IdentityIQ, the separation is often a move to Identity Security Cloud rather than a like for like rebuild, which is settled early because it changes the connector model and the migration approach.
A clean inventory drives the sequence: the tenant build, the source connector rebuild, the role and policy recreation, the certification restart, and the cutover. Governance is only as good as the systems it connects to, so the inventory is also a readiness check on whether the underlying identity separation is far enough along.
SailPoint is licensed by managed identity on the Identity Security Cloud platform, often inside a broader seller agreement. That agreement does not transfer in a carve-out. Newco signs a direct subscription sized to its real identity count and the modules it needs, whether core governance, access requests, or password management. The risk is that Newco inherits a module set and identity tier scaled for the seller enterprise.
SailPoint reads a carve-out as a buyer that needs to govern access for a defined identity population. Negotiating leverage comes from the identity commitment and from a credible alternative governance platform. The buyer scopes the Newco subscription from the identity inventory before negotiating, and writes implementation support into the contract so the tenant and its connectors are validated before cutover.
Where the seller continues to govern Newco identities through a TSA period, the pricing is cost-plus or fixed-fee with a defined exit ramp. The seller cannot mark up a subscription it already holds, and the TSA defines who runs Newco certifications, how the governance data is returned, and what visibility the seller retains. A reverse TSA may run the other way where Newco governs identities the seller still needs.
Implementation, where a partner is engaged, is fixed fee for defined deliverables under disciplined change control. A governance tenant stand up has a finite scope, contracted against named sources, roles, and campaigns rather than open ended consulting time. The engagement model is Fixed Fee plus Portfolio Retainer.
The Newco tenant is only useful once it connects to Newco source systems. Every connector that read from the seller directory, the seller HR system, and seller applications is rebuilt to point at the Newco equivalents. This is why governance separates after identity: SailPoint reads from the identity provider and the applications, so those must exist for Newco before the governance layer can aggregate accurate entitlement data.
The authoritative source is the starting point. SailPoint typically treats the HR system as the source of identity, so the connector to the Newco HR system is rebuilt first to establish the correct Newco population. The directory connector follows so the tenant reads accounts from the Newco identity provider rather than the seller directory. The discipline mirrors the broader Okta identity separation work that the governance layer depends on.
Application connectors are rebuilt in priority order. The applications that carry the most sensitive access, finance, infrastructure, and customer data, are connected first so Newco can certify privileged access early. Lower risk applications follow. The buyer confirms each connector aggregates accounts and entitlements accurately before relying on its data for a certification.
The entitlement boundary matters. The seller deployment holds entitlement data for Newco identities, and that data does not simply move, it is rebuilt from the Newco sources. The buyer documents what the seller retains and confirms Newco entitlement data is removed from the seller deployment at exit.
Roles and access profiles are recreated in the Newco tenant. The buyer reviews the role model from the seller deployment, retains the roles that fit the standalone business, and uses the migration as a chance to retire roles that accumulated entitlements the smaller Newco does not need. A role model copied without review carries the seller complexity into Newco.
Separation of duties and provisioning policies are rebuilt so Newco enforces the same access controls. The lifecycle rules that grant access on joining, change it on transfer, and revoke it on leaving are recreated against the Newco HR feed and identity provider so the joiner, mover, and leaver process works from the first day rather than depending on manual provisioning.
Certifications are the visible output of governance, and they restart in the Newco tenant. The buyer schedules an early certification of privileged and high risk access so Newco has a defensible record of who has access soon after standing up the tenant. An access review that has not run since the carve-out is a finding waiting for the first audit.
Access requests and approvals are reconfigured so Newco users can request access and managers can approve it through the Newco tenant. The request workflows that routed through the seller governance are rebuilt against Newco approvers and Newco applications.
Cutover transfers governance of Newco identities from the seller deployment to the Newco tenant. Because governance is a control rather than a daily tool, the cutover is sequenced behind identity and application separation, and the runbook covers the source connectors, the role and policy activation, the first certification, and a clear statement of when the Newco tenant becomes the system of record for access.
Validation confirms governance works against real Newco systems. The connectors aggregate accurate accounts, the lifecycle rules provision and revoke correctly, access requests route to the right approvers, and a certification campaign runs end to end. The buyer runs a real certification before declaring the move complete, because a governance tenant that cannot certify access has not replaced the seller control.
Stabilization runs while connectors are tuned and the role model settles. Aggregation errors, mis mapped entitlements, and broken provisioning are triaged within agreed service-level commitments. The buyer confirms the Newco tenant reflects the true state of Newco access before certifying governance for TSA exit.
The audit record is the point of the exercise. A clean separation leaves Newco with a complete, defensible record of who approved what access and when, generated by Newco rather than inherited from the seller. The buyer confirms the historical governance evidence Newco needs is preserved and the seller deployment no longer holds live Newco data.
SailPoint separation cost is driven by the managed identity count, the module set, and the effort of rebuilding connectors. The discipline is to size the subscription and modules to Newco real needs, prioritize the connectors that carry the most risk, and use the move to simplify a role model that grew complex inside the seller enterprise rather than replicate it.
The common failure mode is sequencing governance too early. SailPoint reads from identity and applications, so a governance tenant stood up before identity separation is finished aggregates incomplete or wrong data. Buyers that schedule governance after identity avoid the rework of reconnecting every source twice.
The common control mistake is letting certifications lapse during the transition. The fix is to restart certification of privileged access early in the Newco tenant so the access record is current. A PMO maintains the dependency map across governance, identity, and the connected applications, escalating blocks inside forty eight hours.
A clean SailPoint separation produces a Newco that governs its own access, with its own connectors, roles, and certifications, and a defensible audit record from Day One. The discipline runs through the TSA exit acceleration program under a Fixed Fee plus Portfolio Retainer engagement model.
Because governance reads from the directories and applications it reviews. SailPoint aggregates accounts and entitlements from the identity provider, the HR system, and connected applications, so those must exist for Newco before the governance tenant can produce accurate data. Sequencing governance after identity avoids reconnecting every source twice.
Yes. The clean end state is a dedicated Newco tenant, usually on Identity Security Cloud, contracted and administered by Newco, with its own connectors, roles, and certifications. A shared seller deployment is acceptable only as a bridge during the TSA, because the seller otherwise sees Newco entitlements and owns the certification record.
The source connectors. The governance value depends on accurate aggregation from Newco systems, so when the underlying directory, HR feed, and applications change, every connector must be rebuilt to point at the Newco equivalents. A connector left pointing at a seller source produces governance data that no longer reflects Newco access.
Governance follows identity and application separation, so the timeline depends on how far those have progressed. Most buyers plan three to five months so connectors can be rebuilt against stable Newco sources and an early certification of privileged access can run before TSA exit.
Vault strategy, the credential and safe move, and the privileged access cutover.
Read the article →Federation strategy, the application reconnect, and the single sign on cutover.
Read the article →Tenant strategy, the user and app move, and the federation rebuild for Newco.
Read the article →The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.
No spam. Unsubscribe in one click. · Read the overview first →

Fixed-fee proposal in 48 hours. Senior team on day one. The first conversation is always free.
Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.
Stand up a clean identity tenant first — every application cutover and every security control depends on it, and the seller holds the keys until you do.
One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.
Subscribe to The Day One Letter →