HomeIT ServicesIdentity & Security ConsultingEY
Identity & Security ConsultingLondon, United Kingdom

EY Review 2026 — Identity & Security Consulting

4.1/ 5.0 from 2,080 verified buyer references
Founded
1989 (merger)
Headquarters
London, United Kingdom
Employees
~395,000 (FY2024)
Regions Served
150+ countries
Industries
Energy, life sciences, financial services
Typical Engagement
$400K–$40M+ programmes

Overview

EY (Ernst & Young) is one of the Big Four professional services networks, formed in 1989 through the merger of Ernst & Whinney and Arthur Young. The network reported US$51.2 billion in aggregate revenue for FY2024 across approximately 395,000 employees in more than 150 countries, operating as EY Global Limited with member firms in each major market. Janet Truncale assumed the role of Global Chair and CEO in July 2024, succeeding Carmine Di Sibio. Cyber and identity work sits within EY Consulting and is anchored by EY US, EY UK, EY Germany, EY India (GDS), and EY Australia.

Within identity and security consulting, EY runs a Big Four practice that has materially expanded over the past three years following the cancellation of the Project Everest split. EY holds top-tier alliance status with SailPoint, Microsoft, Okta, Saviynt, ForgeRock, and CyberArk, and operates a sizeable EY Global Delivery Services (GDS) bench in India and Poland for IGA platform work. Industry depth is strongest in oil and gas, power and utilities, life sciences, capital markets, and government. EY also runs a Managed Services capability for IAM operations and incident response through EY Cybersecurity Managed Services.

EY is typically a fit for global enterprises in energy, life sciences, or capital markets that want identity work bundled with risk, regulatory, or operational resilience programmes. The firm is rarely the cheapest option and faces the same audit-conflict constraints as other Big Four members in the US market. Smaller single-platform IGA deployments under US$1 million are usually better served by Optiv, SailPoint Professional Services, or another specialist.

Services Offered

Typical Engagement

Engagement TypeModelTypical Range
IAM strategy and target state designFixed-fee project$220K–$950K (6–12 weeks)
IGA or PAM implementationFixed-fee or T&M$1.6M–$8.5M (8–18 months)
Enterprise identity transformationMulti-year outcome contract$8M–$40M+ (24–42 months)
Managed identity servicesMonthly retainer$65K–$750K per month
Staff augmentation (Certified IAM)Hourly bill rate$170–$320/hour blended

Pricing ranges verified May 2026 from public procurement records, identity vendor channel benchmarks, and reference checks. EY GDS centres in India, Poland, and the Philippines lower blended rates by 25–35%.

Strengths

  • Deepest Big Four identity assets for oil and gas, power and utilities, and life sciences
  • Strong OT and IT identity convergence advisory for industrial buyers
  • EY Global Delivery Services (GDS) deliver competitive blended IGA platform rates from India and Poland
  • Top-tier alliance with SailPoint, Saviynt, CyberArk, Microsoft Entra, Okta, and ForgeRock
  • Mature regulatory advisory bench across DORA, NIS2, NERC CIP, FERC, and FDA 21 CFR Part 11
  • Audit-aligned controls testing methodology for SOX, SOC2, and ISO 27001

Limitations

  • Premium pricing — partner rates frequently exceed US$385/hour onshore
  • Audit-client independence rules restrict the addressable buyer base in the US for non-audit clients only
  • Methodology rigidity can slow product-led IGA work compared with specialist firms
  • Project Everest split cancellation in 2023 caused episodic senior consultant departures still affecting bench depth
  • Lighter retail and consumer goods footprint than Deloitte and PwC for identity-specific work

Regions Served

United States United Kingdom Germany India Australia Canada Japan Singapore Netherlands

Alternatives

Deloitte
Larger Big Four cyber practice, broader industry coverage
4.2
PwC
Big Four peer, stronger in financial services audit territory
4.1
KPMG
Big Four peer, stronger on SAP-anchored IGA and SoD analytics
4.1
Optiv
Specialist alternative, 15–25% lower pricing, vendor-agnostic
4.3
Accenture Security
Largest non-Big-Four practice, deeper systems integration capability
4.2

Compare EY

EY vs Deloitte → EY vs PwC → EY vs KPMG →

Frequently Asked Questions

What is EY's typical identity project size?
EY rarely accepts identity engagements below US$400,000 in total contract value. Most IAM strategy and target-state projects land between US$220,000 and US$950,000 over six to twelve weeks. SailPoint, Saviynt, CyberArk, or BeyondTrust implementations typically run US$1.6 million to US$8.5 million over eight to eighteen months. Enterprise identity transformation programmes spanning IGA, PAM, customer identity, and OT identity span US$8 million to US$40 million or more over 24 to 42 months and typically involve blended onshore and EY GDS delivery.
How does EY price managed identity services?
EY prices managed identity services on monthly retainers typically between US$65,000 and US$750,000 per month, scaled to platform scope, identity population, and SLA targets. Most retainers cover Level 2 and Level 3 platform administration, scheduled access certifications, role and policy management, and a defined hours pool for connector and workflow enhancements. EY GDS centres in Bangalore, Trivandrum, Wroclaw, and Manila are used for most run-state operations.
How does EY compare to Deloitte for identity?
Deloitte runs the larger overall cyber practice with broader industry coverage. EY has materially deeper identity depth in oil and gas, power and utilities, and life sciences, and a more developed OT and IT identity convergence bench. EY pricing is broadly comparable to Deloitte for similar scope. EY tends to win more often where industrial or regulated-energy buyers need integrated cyber, OT, and IAM advisory in a single contract.
Which industries does EY specialise in for identity?
EY has the deepest Big Four identity assets in oil and gas, power and utilities, mining, life sciences, capital markets, and government. The firm maintains pre-built process accelerators for SOX, DORA, NIS2, NERC CIP, FERC, FDA 21 CFR Part 11, and HIPAA. EY US Government and Public Sector serves federal and state markets with cleared personnel. The firm is comparatively lighter in retail and telecommunications than Deloitte and Accenture for identity-specific work.
Can EY deliver onshore-only identity programmes?
Yes. EY maintains onshore identity capacity in the United States, United Kingdom, Germany, Australia, Canada, and Japan, with cleared US federal personnel for public sector engagements. Onshore-only delivery runs roughly two to three times higher than blended pyramids that use the EY Global Delivery Services centres. Senior architect capacity is constrained for complex SailPoint, Saviynt, and CyberArk programmes, with staffing lead times of 60 to 90 days for cleared engagements.
Last updated: May 2026

About EY

Formed 1989 from the merger of Ernst & Whinney and Arthur Young. Headquarters: London, United Kingdom (EY Global Limited). Approximately 395,000 employees. Revenue: US$51.2B (FY2024). Global Chair and CEO: Janet Truncale (from July 2024). Top-tier alliance with SailPoint, Saviynt, CyberArk, Microsoft Entra, Okta, and ForgeRock.

All Identity & Security Consulting Providers → Identity Consulting in United States → Identity Consulting in United Kingdom →

Related Categories

Cybersecurity Services IT Governance & Compliance Data Privacy & GDPR IoT & Edge Computing SAP Implementation

Research

Identity Consulting RFP Guide 2026 Identity Consulting Pricing Benchmark Best Identity Consultancy for Financial Services
Last updated: