Bridging the IAM Innovation Gap: Why Fundamentals Still Matter

The world of Identity and Access Management (IAM) is evolving rapidly. Vendors promise Zero Trust nirvana, passwordless utopia, and AI-powered identity clairvoyance. Innovation is everywhere.

But before we all start handing out biometric tokens and blockchain-based birth certificates, perhaps we should fix the fact that Bob in Finance still has access to the General Ledger even though he left the organisation back in 2019?

Beneath the surface, many organisations are still grappling with the basics - provisioning, role management, and access reviews. This disconnect is what I call the IAM Innovation Gap.

The Innovation Curve v Reality

The IAM Innovation Gap isn’t just technical - it’s strategic. Many organisations chase innovation without aligning it to business outcomes or operational maturity.

The major conferences around the world will have some of the finest speakers in the business wax lyrical about decentralised identity, identity orchestration, and machine identity governance. They make it sound exciting and they make it sound achievable. And yet, many listeners sitting in the auditorium are probably thinking that they are miles behind the innovation curve because they have no visibility of their non-human identities; they still lack integration with legacy systems; and their access review campaigns are built on Excel.

💡 It’s hard to be cutting-edge when your access reviews live in spreadsheets.

For them, the fundamentals of their IAM architecture aren’t functioning as they were promised:

  • Manual provisioning (amazingly) is still a cornerstone for some applications
  • Excel spreadsheets drive access reviews, but remediation is never confirmed
  • Entitlement drag is a reality because FUD abounds when it comes to entitlement removal

Why the Basics Still Matter

Many of us in the world of IT are magpies - we love shiny things. (Why have a standard Charmander when you can have a Shiny Charmander in your Pokémon arsenal?)

But here’s the reality: misconfigured access is still a top breach vector, and regulators care more about meaningful access reviews than they do about blockchains!

IAM was supposed to provide a positive return on investment, but IAM inefficiencies drain resources. Manual processes, poor role design, ropey user experiences - these are a result of poor implementation rather than a lack of innovation. If your IAM deployment was a box-ticking exercise, it was an expensive one.

What’s Driving the Gap?

It is highly likely that there are innovation gaps in almost all disciplines across the IT estate - this is not unique to the identity space. But why is that the case?

Well, vendors spend huge amounts of money on marketing the latest and greatest widget and we oftentimes don’t need it. Don’t feel you have to listen to them!

Our executives are under so much pressure to modernise and transform (from whom, I know not). They need to show how brilliant they are by buying those latest and greatest widgets.

IAM ownership in most organisations is fragmented (and I think I’m describing that kindly). It’s not unusual to see multiple identity solutions in a single organisation and it is tough to get any real value out of a single identity solution never mind multiple!

I suppose I could also add the lack of skills in the marketplace because I hear folk in our industry mention this all the time. It’s difficult to hire good people who know what they are talking about and aren’t flummoxed at the mere mention of SCIM, SAML, and OIDC. That said, IT is about data in, jiggling data, and data out - how hard could it really be?

Bridging the Gap: A Practical Guide to IAM Sanity

So, how do we bridge this yawning chasm between innovation and reality? Here’s a pragmatic roadmap:

1. Assess IAM Maturity (Before You Buy Another Dashboard)

Before you invest in the latest identity orchestration platform that promises to “revolutionize access”, take a long, hard look in the mirror. Do you know who has access to what? Can you revoke it in under a week? If not, you’re not ready for orchestration, because it may only disguise the fundamental problems in your architecture.

An IAM maturity assessment isn’t just a box-ticking exercise. It’s a brutally honest inventory of your IAM sins. And yes, it will hurt. But it’s the only way to stop layering innovation on top of chaos.

2. Fix Provisioning and Deprovisioning (Yes, Still)

If your user onboarding process involves a spreadsheet, a prayer, and a frantic email to IT, you’re not alone. But you are vulnerable.

Automated provisioning isn’t glamorous, but it’s the bedrock of IAM hygiene. And deprovisioning? That’s the part everyone forgets - until a former contractor logs in from a beach in Bali and downloads your customer database. (Why is it always a contractor?)

3. Automate Access Reviews (Because Manual Reviews Are a Lie)

Let’s talk about access reviews. You know, those quarterly rituals where managers tick those little boxes without reading them, and everyone pretends it’s fine?

It’s not fine!

Automated access reviews, driven by actual usage data and risk signals, are the only way to make this process meaningful. Otherwise, you’re just playing compliance theatre.
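One way to put steps 2 and 3 into practice, as an added example that is not from the original post: reconcile an application’s entitlement export against the HR feed and last-used data, flagging leavers who still hold access (Bob and his General Ledger), accounts HR has never heard of (the contractor), and entitlements nobody has touched in 90 days. The HR records, entitlements and review date below are constructed sample data.

```python
from datetime import date

# Constructed HR feed (sample data): joiners, movers and leavers as HR knows them.
HR_RECORDS = {
    "bob":   {"status": "leaver", "left_on": date(2019, 6, 30)},
    "alice": {"status": "active", "left_on": None},
    "carol": {"status": "active", "left_on": None},
}

# Constructed entitlement export from two applications, with last-used dates.
# "dave" holds access but does not appear in the HR feed at all.
ENTITLEMENTS = [
    {"user": "bob",   "app": "general_ledger", "role": "gl_post",   "last_used": date(2019, 6, 28)},
    {"user": "alice", "app": "general_ledger", "role": "gl_post",   "last_used": date(2025, 5, 1)},
    {"user": "alice", "app": "crm",            "role": "crm_admin", "last_used": date(2024, 9, 1)},
    {"user": "carol", "app": "crm",            "role": "crm_read",  "last_used": None},
    {"user": "dave",  "app": "crm",            "role": "crm_read",  "last_used": date(2025, 5, 20)},
]

REVIEW_DATE = date(2025, 6, 1)  # constructed "today" for the review run


def review_entitlements(hr, entitlements, today, stale_after_days=90):
    """Return one finding dict per entitlement that needs a decision.

    Entitlements held by an active person and used within the window are silent."""
    findings = []
    for ent in entitlements:
        person = hr.get(ent["user"])
        if person is None:
            # Nobody in HR owns this account: the classic contractor / service account gap.
            findings.append({**ent, "finding": "ORPHANED", "detail": "not in HR feed"})
        elif person["status"] == "leaver":
            # Deprovisioning gap: the access outlived the employment.
            days_since = (today - person["left_on"]).days
            findings.append({**ent, "finding": "LEAVER", "detail": f"left {days_since} days ago"})
        elif ent["last_used"] is None:
            findings.append({**ent, "finding": "NEVER_USED", "detail": "no usage recorded"})
        elif (today - ent["last_used"]).days > stale_after_days:
            # Usage signal for the reviewer: nobody has used this in a long time.
            idle = (today - ent["last_used"]).days
            findings.append({**ent, "finding": "STALE", "detail": f"unused for {idle} days"})
    return findings


if __name__ == "__main__":
    for f in review_entitlements(HR_RECORDS, ENTITLEMENTS, REVIEW_DATE):
        print(f"{f['finding']:<10} {f['user']:<6} {f['app']}/{f['role']}: {f['detail']}")
```

Anything with no finding is the only access a reviewer should be asked to approve on trust; everything listed comes with the reason it was flagged.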

4. Invest in IAM Training (No, Not Just for the Security Team)

IAM isn’t just a security problem. It’s a business enabler, a compliance requirement, and (if done right) a user experience win. But most organisations treat it like a dark art practised by a vitamin-D-deficient lone wizard in the basement.

Train your teams. Not just your security folks, but HR, IT, and even the revenue-generating business units. IAM literacy is the difference between strategic alignment and endless fire-fighting.

5. Align IAM Strategy with Business Risk (Not Just Vendor Roadmaps)

Finally, stop chasing features and start chasing outcomes. Your IAM strategy should be rooted in business risk, regulatory pressure, and operational reality - not the latest Gartner Magic Quadrant.

Ask yourself: what keeps your board awake at night? Is it quantum-resistant cryptography, or is it the fact that you have no idea what your privileged users are up to on a daily basis and their entitlements haven’t been reviewed since Brexit?

Conclusion

Innovation in IAM is essential - but it must be built on solid ground. Organisations that master the basics will be better positioned to adopt advanced technologies securely and sustainably. The real innovation is making IAM work consistently, reliably, and at scale.

For more help, you could have a read of our Six Sprints to IAM Success e-book; take our PAM Maturity Assessment; or book a workshop with us.