SSO and SCIM Not Enough
Reed McGinley-Stempel, CEO of Stytch, on authentication for AI agents
A pure SSO and SCIM product solves an urgent buying trigger, but it does not own enough of the identity workflow to compound into a large standalone platform. Teams usually buy SSO when one big customer asks for Okta or Microsoft login, then later need admin setup, authorization, fraud controls, audit logs, and full user management. That is why WorkOS expanded from connection APIs into AuthKit, admin tooling, authorization, fraud, and integrations, and why Stytch and Clerk also push beyond basic enterprise add ons.
-
Standalone SSO is easy to tack onto an existing stack, which makes adoption fast, but that same simplicity caps ownership. If the app still keeps its main login system elsewhere, the vendor risks becoming a narrow feature supplier instead of the system of record for identity.
-
The winning products bundle the next jobs around the login button. WorkOS added hosted login, directory sync, admin portal, audit logs, authorization, fraud detection, and token connection infrastructure. Stytch bundles auth, B2B SSO, admin portal, fraud, and Connected Apps. Clerk bundles auth UI, org management, billing, and enterprise controls.
-
The market also moved downstream. SSO used to be mainly for very large enterprise accounts, but now even 50 to 100 seat deals often require it. That increases demand, but it also turns SSO into table stakes, which pushes vendors to monetize the surrounding workflow rather than the connection alone.
Going forward, identity vendors that win will look less like a single enterprise checkbox and more like a control layer for every user and app interaction, human or agent. The expansion path is clear, start with login, then own provisioning, permissions, risk, delegated access, and the admin surfaces where enterprise customers actually run identity day to day.