The state of IAM program management in 2023

Identity and Access Management (IAM) is a framework of policies and technologies focusing on enhancing how organizations manage user identities. We’ve seen IAM grow and evolve in recent years, and it certainly hasn’t stood still in 2023.

Cybersecurity and compliance have never been more critical, and advancements in adjacent technologies increase the necessity for a re-imagined approach to security. 

However, there are still significant challenges facing IAM that need to be addressed and overcome for any organization wishing to establish or evolve an effective IAM program. Improperly implementing IAM can create entirely new problems rather than becoming a positive change.

So what’s the current state of IAM in 2023? Keep reading to learn about adoption, core technologies, changing security approaches, and challenges that must be addressed.

Adoption is Rapidly Growing

The adoption of IAM technologies and policies is not showing any signs of slowing down. It’s projected that the global IAM market size will reach US$34.52 billion by 2028, a substantial increase from $13.41 billion in 2021.

What’s driving adoption? The same study highlights two key driving factors:

  • Growing security concerns and the need to improve security postures.
  • Increasing awareness of regulatory compliance, including new regulations potentially on the horizon.

When properly implemented, IAM can bolster a company’s cybersecurity, stay compliant, and streamline compliant reporting, all while increasing the productivity of both IT teams and end-users.

It’s also crucial to highlight that we focus on IAM rather than Customer Identity and Access Management (CIAM). These two frameworks take similar approaches and use many of the same technologies but are still distinct.

The Average IAM Maturity Score Remains Low

So if we take a step back and look broadly at IAM programs, how are they being developed, implemented, and improved?

Unfortunately, a Gartner report indicates the average IAM program maturity score is at 2.4 out of a maximum of 5 points. This figure includes a comprehensive breakdown of objectives, activities working towards those objectives, and the inherent maturity of both.

For example, Objective 2 is ‘Manage the Function of IAM,’ worth two or more points. The activities working towards this objective include low-maturity tasks like developing vision and strategy alongside medium-maturity objectives such as budget planning.

It’s a complex scoring system developed by Gartner for the report — and the overall takeaway is that most organizations do not have fully mature programs. This is reflected by identified flaws and lackluster implementation. Let’s look more at the problems dropping this score.

IAM Program Strategies Still Have Significant Flaws

What are the core flaws in how organizations are developing, implementing, and growing IAM programs? Some of the most common flaws are:

  • Failing to fully understand the role identity plays in the overall process
  • Not understanding the expanding scope of IAM
  • Unclear ownership over associated risks
  • Lack of adaptability
  • Not able to communicate enablement value to stakeholders
  • Implementations are tactically focused, leaving features unused

Many of these issues stem from a single core mistake — putting a project manager in charge of the IAM initiative, rather than someone with specific expertise in the framework.

An experienced project manager certainly can take on a wide range of initiatives, but embracing IAM is a unique, comprehensive, and overarching process that requires expertise to be done properly.

Trends and Technologies Are Driving the Need for Better IAM Program Management

If we look over the past few decades, identity management and access management aren’t anything new. 

However, the escalating complexity of the modern technology landscape has necessitated maturing how we manage identities. Some of the trends and technologies that have changed the landscape include:

  • Remote work
  • Cloud adoption
  • Zero trust adoption
  • Machine identities
  • Workforce, customers, business partners

You can see how each of these factors have changed how a company’s IT systems need to be secured — it’s not a clear perimeter that can be protected anymore. 

At the same time, machine identities and external users need more and more access to an organization’s data, which must also be managed (although typically falling under CIAM).

It’s also clear other technologies are creating new risks, such as generative AI and advanced machine learning algorithms. 

How will these recent advancements affect the security and compliance landscape? It remains to be seen, but striving for better control over how identities and their access levels are managed will set the stage for what’s next.



The AI Craze Has Hit Cybersecurity

You don’t have to look far to see the latest buzz in AI. It’s safe to say everyone’s heard about ChatGPT by now. 

Well, it shouldn’t come as a surprise that AI and Large Language Models (LMMs) continue to generate buzz in cybersecurity communities. 

This topic remains a significant inflection point, particularly when it comes to using LMMs to simplify some of the more complex aspects of the IAM sphere. For example, companies are looking into how they can leverage LMMs to automatically generate or convert authentication and authorization rules at scale.

When done correctly, this has significant potential to automate a lot of the tedious parts of policy creation — giving companies a repeatable blueprint for creating new policies, onboarding users, and other manual tasks.


AuthZ Continues to Mature

It’s no secret authorization plays a pivotal role in the IAM equation. No one will argue that. The challenge has been finding a way to make authorization more user-friendly without impacting security.

And yet, there’s good news on the horizon as AuthZ continues to reach a place of maturity within IAM. In fact, there are now multiple vendors offering solutions using a variety of standards like XACML, REGO, Zanzibar, ALFRA, or some other open standard.

It’s clear businesses are pushing to adopt AuthZ. However, challenges still remain in finding ways to combine and implement fine grained access control with attribute-based access control. Doing this successfully not only requires having the right recipe, but working with a deployment partner that understands how to make AuthZ work for a specific organization.

The good news? Indigo Consulting is already helping our clients overcome this exact challenge.

Cybersecurity and Compliance Make Mature IAM Critical

It’s no secret that cyber attacks have been on the rise, with data compromises and impacted individuals reaching an all-time high in 2021 with 1862 cases, which was only slightly reduced to 1802 in 2022. Additionally, Gartner estimates that 40% of security breaches involve credential misuse.

The result: mature IAM programs are now business critical. A mature program allows organizations of any size to improve its security posture, become or remain compliant, and ultimately prevent the possibility of costly data breaches and fines.

A Shift From the “Fortress” View of Security is Required

Legacy methods of cybersecurity had focused on security on the perimeter, which some call the ‘fortress view.’ It’s easy to see why this became the standard — in the past, employees worked within the office almost exclusively, there were no cloud-based platforms intertwined with operations, and external parties required minimal access to information.

Now, each of those elements of the ‘fortress view’ are firmly in the past. So if we can’t rely on defending the perimeter, what do we defend? The answer is identities.

Identify-first security is a complex and necessary shift in how an organization’s security is managed. We can simplify things by looking to the high-level overview known as the Three C’s Approach:

  • Consistent: Human and non-human identities are authenticated consistently as they move through IT systems, from the initial connection to completing the task. Fortunately, SSO is able to handle much or all of this authentication, so the user experience isn’t significantly affected (and may even be improved).
  • Context aware: When do users typically connect to company systems? Where do they connect from? What type of connection do they use? What devices and operating systems are generally used? What do they do when connected to IT assets? All of these questions provide context about the given user, and if an oddity is identified even with the right credentials, the user can be disconnected, or an alert can be sent to IT.
  • Continuous: Both of the above processes are ongoing. Contextual awareness evolves as users may change habits, devices, or patterns, while authentication to specific IT systems is continuously monitored.

You can likely see how changing from the perimeter defense perspective to the identity-first perspective is not an easy task without even diving into the specific technologies and policies.

Additionally, it’s estimated that 70% of identity-first security strategies will fail by 2026 unless organizations adopt context-based access policies that are continuous and consistent. There’s simply no middle ground between focusing on identities while hanging on to outdated perspectives of security.


Creating Future-Ready IAM Program Management

Successfully deploying an effective IAM program allows you to shift to passwordless, prepare for zero trust architecture, and employ advanced authentication methods to mitigate the potential damage of a breach.

Developing and deploying an effective, future-ready IAM program is no small undertaking. Let’s explore a few high-level, overarching recommendations to establish and maintain your IAM program:

  • Consider your IAM program business critical, with a strong emphasis on processes and people regardless of business size.
  • Keep stakeholders informed about the benefits and impact of IAM, including minimizing risk, increasing compliance, and enhancing productivity through a better user experience.
  • Review specific use cases to have a strong understanding of where to begin and where to first apply identity-first security.
  • Once deployed, continually evaluate and mature your IAM program to enhance all related capabilities.
  • It’s crucial to have the right people in place across the organization with clear ownership and accountability for specific elements of the program, including established lines of communication.

Creating a robust IAM program won’t be a quick project, but it will create profound benefits in the near term and well into the future.

Build Effective IAM Program Management with Indigo Consulting

We’ve explored how IAM is increasingly critical yet generally lacking across the board. It can be challenging to have the right people in place with the necessary experience and expertise in IAM to develop and safely deploy your program.

Developing and implementing an ineffective program can invite new risks, harm productivity, and generally fail to achieve stated objectives.

That’s why it’s vital to have the right experts on your team to use the right technologies, create effective policies, and carefully roll out the program to truly realize the potential benefits. One of the best ways to accomplish this is to work with an experienced IAM consulting firm.

Indigo Consulting is an industry leader in helping organizations of all sizes understand their needs, find the right solutions, and implement a comprehensive IAM program. Is it time to deploy or mature your IAM program? Contact us today to talk to an IAM expert to learn more.