The Executive Summary

Most Identity & Access Management (IAM) programmes fail because governance decisions are deferred to technical implementations instead of being designed as a business operating model first.

We see this via a variety of triggers including:

• IAM tooling is deployed successfully but value plateaus soon after
• Access reviews become manual, political, or routinely bypassed
• Security or IT teams own access decisions that should belong to the business
• Audit findings repeat year after year despite “completed” IAM projects

Want to know more?

What are the implications?

When IAM governance is weak or implicit, organisations accumulate access risk silently. Joiners and movers experience delays, leavers retain access, privileged accounts expand unchecked, and audits rely on compensating controls rather than real assurance.

Over time, IAM becomes a constraint rather than an enabler.

What typically goes wrong?

• Tool‑first thinking: IAM products are implemented before ownership, decision authority, and accountability are defined
• Deferred data quality: Identity data issues are accepted as phase‑two problems that never truly arrive
• System‑centric models: Entitlements mirror application structures instead of business responsibilities
• Undefined exceptions: Break‑glass and manual processes grow without clear boundaries

What does good look like in practice?

A great outcome would be to see that business owners are explicitly accountable for access decisions. This should be a non-negotiable, by the way.

Also, a small number of enforceable identity principles should guide all implementations. Let's not make stuff up as we go along!

Our governance rules should be simple enough to survive organisational change. Organisational change is a given. In some organisations, they are easy to predict.

And finally, tooling is configured to enforce decisions, not invent them. Don't let tooling dictate how you run your business!

What are the trade-offs?

Strong upfront governance slows early delivery but accelerates everything that follows. Lightweight governance enables faster pilots, but almost always results in re‑implementation within 18-24 months. (Sorry - you get what you pay for!)

In our experience...

Across complex IAM programmes in regulated and public‑sector environments, the fastest route to sustainable delivery is not better tooling, but earlier agreement on who decides, who approves, and who is accountable. Let's repeat that...

Do you need specialist support?

You probably need to call in some external help when you start to spot the following behaviours:

• IAM design decisions are being made inside implementation sprints
• Audit findings recur despite multiple remediation projects
• IAM ownership is split ambiguously across IT, Security, and Business teams

And remember...