Identity and Access Management: Building a Programme That Holds Up at Scale

Standarity Editorial Team · IAM Practitioners · 7 min read

Most security incidents trace back to identity — compromised credentials, over-provisioned access, accounts that should have been deactivated, privileged sessions that escaped monitoring. Identity and Access Management is therefore one of the highest-leverage security capabilities. It is also one of the most consistently fragmented in practice — directory services here, SSO there, privileged access in a separate tool, joiner-mover-leaver run by HR with limited security involvement, periodic access reviews handled by spreadsheets and goodwill. The IAM programmes that hold up at scale share structural patterns that fragmented IAM does not produce.

The Identity Lifecycle as the Foundation

Joiner-mover-leaver — the discipline of provisioning, modifying, and deprovisioning identities as employees join, change roles, and leave — is the structural foundation of IAM. The discipline sounds administrative; the failure modes are material. Joiners with delayed access lose productivity; movers retaining old access accumulate excessive permissions; leavers retaining any access produce direct security exposure. Strong IAM programmes operate joiner-mover-leaver as automated workflows triggered by HR events, with SLAs on each step and audit-traceable evidence per identity.
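The joiner-mover-leaver workflow described above can be expressed as a reconciliation between the HR roster and directory state: every difference is an owed action, and each action's age against its SLA is the evidence an auditor asks for. The following Python is an added illustration, not code from the article or from any IAM product; the role baselines, SLA values, roster, directory snapshot and the `reconcile` / `run_example` names are all constructed for this example. It goes one step beyond the text by also surfacing orphan accounts (enabled accounts with no HR identity behind them), which the same diff catches for free.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed role baselines: the groups each job role is entitled to.
ROLE_BASELINES = {
    "engineer": {"vpn", "git", "ci"},
    "finance": {"vpn", "erp"},
}

# Constructed SLA per workflow step, in hours from the triggering HR event.
SLA_HOURS = {"joiner": 24, "mover": 48, "leaver": 4, "orphan": 24}


@dataclass
class HrRecord:
    emp_id: str
    role: str
    status: str           # "active" or "terminated"
    event_time: datetime  # when HR recorded the latest change


@dataclass
class DirectoryAccount:
    emp_id: str
    enabled: bool
    groups: set[str]


@dataclass
class Action:
    emp_id: str
    kind: str             # joiner / mover / leaver / orphan
    detail: str
    event_time: datetime  # the event that made the action due
    sla_breached: bool = False


def reconcile(hr: list[HrRecord], directory: dict[str, DirectoryAccount], now: datetime) -> list[Action]:
    """Diff the HR roster against directory state and emit the workflow actions still owed."""
    actions: list[Action] = []
    for rec in hr:
        acct = directory.get(rec.emp_id)
        if rec.status == "terminated":
            # Leaver: any still-enabled account is direct exposure.
            if acct is not None and acct.enabled:
                actions.append(Action(rec.emp_id, "leaver", "disable account, revoke all groups", rec.event_time))
            continue
        baseline = ROLE_BASELINES[rec.role]
        if acct is None:
            # Joiner: no account yet; provision exactly the role baseline.
            actions.append(Action(rec.emp_id, "joiner", f"create with {sorted(baseline)}", rec.event_time))
            continue
        extra, missing = acct.groups - baseline, baseline - acct.groups
        if extra or missing:
            # Mover: old-role groups must go, new-role groups must be added.
            actions.append(Action(rec.emp_id, "mover", f"remove {sorted(extra)}, add {sorted(missing)}", rec.event_time))
    # Orphans: enabled accounts with no HR identity behind them.
    known = {rec.emp_id for rec in hr}
    for emp_id, acct in directory.items():
        if acct.enabled and emp_id not in known:
            actions.append(Action(emp_id, "orphan", "no HR record: disable pending owner review", now))
    # SLA check: how long has each action been outstanding?
    for a in actions:
        a.sla_breached = (now - a.event_time) > timedelta(hours=SLA_HOURS[a.kind])
    return actions


def run_example() -> list[Action]:
    """Constructed roster and directory snapshot; returns the actions owed at `now`."""
    now = datetime(2024, 6, 1, 12, 0)
    hr = [
        HrRecord("e1", "engineer", "active", datetime(2024, 5, 31, 8, 0)),    # joiner, 28h old
        HrRecord("e2", "finance", "active", datetime(2024, 6, 1, 10, 0)),     # mover, 2h old
        HrRecord("e3", "engineer", "active", datetime(2024, 5, 1, 9, 0)),     # in sync
        HrRecord("e4", "finance", "terminated", datetime(2024, 6, 1, 6, 0)),  # leaver, 6h old
    ]
    directory = {
        "e2": DirectoryAccount("e2", True, {"vpn", "git", "ci"}),  # still holds engineer groups
        "e3": DirectoryAccount("e3", True, {"vpn", "git", "ci"}),
        "e4": DirectoryAccount("e4", True, {"vpn", "erp"}),        # not yet disabled
        "e9": DirectoryAccount("e9", True, {"vpn"}),               # nobody in HR owns this
    }
    return reconcile(hr, directory, now)


if __name__ == "__main__":
    for a in run_example():
        print(a.emp_id, a.kind, a.detail, "SLA BREACH" if a.sla_breached else "")
```

Running it lists four owed actions; the joiner and the leaver are already past their SLA, which is exactly the kind of per-identity, timestamped evidence the text calls for. In a real deployment the roster and directory would be pulled from the HR system and the identity provider rather than constructed inline.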

Single Sign-On as the Authentication Layer

SSO consolidates authentication across applications through a single identity provider. The security benefit is meaningful — fewer credentials to manage, MFA enforced centrally, account deactivation propagating across systems. The operational benefit is also meaningful — users have fewer passwords to remember, IT has fewer password resets to handle. The programme value comes from breadth of coverage. SSO covering 80% of applications produces 80% of the benefit; SSO covering 40% of applications produces a third of the benefit and leaves the long tail unmanaged. Investing in SSO coverage is one of the higher-leverage IAM investments available.

Privileged Access Management as a Distinct Discipline

Standard user identity management and privileged identity management are different disciplines requiring different tooling. Privileged access — administrative access to systems, infrastructure, sensitive applications — needs additional controls: session recording, just-in-time access, vault-managed credentials, additional approval workflows. PAM platforms (CyberArk, BeyondTrust, Delinea, and others) provide these capabilities. Organisations operating without dedicated PAM tooling typically have privileged access sprawl that produces both audit findings and material security exposure.

A pattern in IAM programme assessments: the basic IAM operates reasonably (SSO, MFA, standard provisioning), and the privileged access side is fragmented (shared admin accounts, credentials in password managers, no session monitoring). The fragmentation is invisible until an incident traces back to privileged credential misuse. PAM is the discipline that addresses this gap, and it is one of the consistently underinvested areas in security programmes.

Access Reviews That Actually Find Issues

Quarterly access reviews are a regulatory expectation in most environments. Reviews that produce no findings are usually weak reviews rather than perfect access — accumulated entitlements rarely match current job needs in any active organisation. Strong reviews compare current entitlements against role-based baselines, flag anomalies (entitlements held without similar peers, entitlements unused for extended periods, entitlements granted as exceptions), and require explicit justification for retention. Reviews implemented as "manager certifies the list looks fine" produce findings during audit that the review missed.
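The review logic described above (compare to a role baseline, flag peer outliers, flag unused and exception-granted entitlements) is small enough to run over an entitlement export before the certification campaign starts, so managers receive a list of items that need justification rather than a list to wave through. The Python below is an added example and not code from the article or any IGA platform; the baselines, thresholds, users and the `review` / `run_example` names are constructed.

```python
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed role baselines: entitlements each role is expected to hold.
ROLE_BASELINES = {
    "engineer": {"vpn", "git", "ci"},
    "finance": {"vpn", "erp"},
}
UNUSED_DAYS = 90       # constructed threshold for "unused for an extended period"
PEER_MIN_SHARE = 0.5   # constructed: flag entitlements held by fewer than half of peers


@dataclass
class Entitlement:
    name: str
    last_used: Optional[date]          # None means never used since grant
    granted_as_exception: bool = False


@dataclass
class User:
    user_id: str
    role: str
    entitlements: list[Entitlement]


def review(users: list[User], today: date) -> list[tuple[str, str, list[str]]]:
    """Return (user, entitlement, reasons) for every entitlement that needs explicit justification."""
    by_role: dict[str, list[User]] = defaultdict(list)
    for u in users:
        by_role[u.role].append(u)
    findings = []
    for u in users:
        peers = [p for p in by_role[u.role] if p.user_id != u.user_id]
        # How many peers in the same role hold each entitlement.
        peer_holders = Counter(e.name for p in peers for e in p.entitlements)
        baseline = ROLE_BASELINES.get(u.role, set())
        for e in u.entitlements:
            reasons = []
            if e.name not in baseline:
                reasons.append("outside role baseline")
            if peers and peer_holders[e.name] / len(peers) < PEER_MIN_SHARE:
                reasons.append("held by few peers in the same role")
            if e.last_used is None or (today - e.last_used).days > UNUSED_DAYS:
                reasons.append(f"unused for more than {UNUSED_DAYS} days")
            if e.granted_as_exception:
                reasons.append("exception grant, justification required")
            if reasons:
                findings.append((u.user_id, e.name, reasons))
    return findings


def run_example() -> list[tuple[str, str, list[str]]]:
    """Constructed entitlement export for four users; returns the review findings."""
    today = date(2024, 6, 1)
    recent, old = today - timedelta(days=3), today - timedelta(days=200)
    users = [
        User("u1", "engineer", [Entitlement("vpn", recent), Entitlement("git", recent),
                                Entitlement("ci", recent),
                                Entitlement("prod-db", old, granted_as_exception=True)]),
        User("u2", "engineer", [Entitlement("vpn", recent), Entitlement("git", recent), Entitlement("ci", recent)]),
        User("u3", "engineer", [Entitlement("vpn", recent), Entitlement("git", recent), Entitlement("ci", recent)]),
        # u4 moved from engineering to finance and still holds git, never used since the move.
        User("u4", "finance", [Entitlement("vpn", recent), Entitlement("erp", recent), Entitlement("git", None)]),
    ]
    return review(users, today)


if __name__ == "__main__":
    for user_id, name, reasons in run_example():
        print(f"{user_id} {name}: " + "; ".join(reasons))
```

The constructed data yields two findings: an exception-granted production database entitlement that no peer holds and that has gone unused, and a mover's leftover engineering entitlement. A review that returned nothing on this data would be the weak review the text warns about. The peer comparison is skipped when a role has a single member, since there is no population to compare against.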

Identity Governance Beyond Compliance

Identity Governance and Administration (IGA) platforms — SailPoint, Saviynt, and others — extend basic IAM with role-based access control, segregation of duties enforcement, access certification workflows, and policy-based provisioning. The platforms are operationally heavy to implement and produce meaningful value for organisations with scale that justifies the investment. Smaller organisations operate IGA through lighter-weight tools and manual workflows; larger organisations benefit from the dedicated platforms. The decision is sizing rather than principle — every IAM programme needs the governance discipline, the question is what tooling supports it.

Components of an IAM Programme That Holds Up

  • Automated joiner-mover-leaver triggered by HR events with measured SLAs
  • SSO covering the broadest reasonable share of the application estate
  • Centrally enforced MFA, phishing-resistant where the environment supports it
  • Dedicated PAM for privileged access with session recording and just-in-time provisioning
  • Access reviews that compare entitlements to baselines and flag anomalies
  • Identity governance discipline appropriate to organisational scale (platform or workflow-based)
  • Integration with security monitoring — identity events feeding the SIEM with appropriate correlation
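The last component, identity events feeding the SIEM with correlation, only pays off when the correlation joins identity-provider events to lifecycle state. The Python below is an added example, not code from the article or any SIEM or identity product: it parses a few constructed log lines in a simple key=value shape (not a real vendor format), joins them against a constructed HR roster, and raises alerts for a successful login after the identity's termination, a login by an account with no HR identity, and a login that completed without MFA. The `correlate` / `run_example` names and the rule labels are constructed.

```python
from __future__ import annotations
from datetime import datetime
from typing import Optional

# Constructed identity-provider log lines in a key=value shape (not a real product format).
SAMPLE_LOG = """\
2024-06-01T08:55:00Z event=login.success user=e3 ip=198.51.100.7 mfa=true app=git
2024-06-01T09:00:00Z event=login.success user=e4 ip=203.0.113.5 mfa=true app=erp
2024-06-01T09:05:00Z event=login.failure user=e3 ip=198.51.100.7 mfa=false app=ci
2024-06-01T09:10:00Z event=login.success user=svc-backup ip=192.0.2.9 mfa=false app=vpn
"""

# Constructed HR roster: None means the identity is still active.
HR_TERMINATED_AT: dict[str, Optional[datetime]] = {
    "e3": None,
    "e4": datetime.fromisoformat("2024-06-01T06:00:00+00:00"),
}


def parse_ts(s: str) -> datetime:
    # fromisoformat accepts a trailing 'Z' only from Python 3.11; normalise for older versions.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_line(line: str) -> dict[str, str]:
    """Split '<ts> k=v k=v ...' into a dict; the timestamp lands under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = ts
    return fields


def correlate(log_text: str, hr: dict[str, Optional[datetime]]) -> list[tuple[str, str]]:
    """Apply identity correlation rules to IdP events; returns (user, rule) alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["event"] != "login.success":
            continue  # failed logins are out of scope for these three rules
        user, ts = ev["user"], parse_ts(ev["ts"])
        if user not in hr:
            # Nobody in HR owns this account: orphan or service account outside the lifecycle.
            alerts.append((user, "LOGIN_NO_HR_IDENTITY"))
        else:
            ended = hr[user]
            if ended is not None and ts >= ended:
                # Leaver deprovisioning has not propagated to this application.
                alerts.append((user, "LOGIN_AFTER_TERMINATION"))
        if ev.get("mfa") != "true":
            # Central MFA enforcement has a gap for this application or account.
            alerts.append((user, "LOGIN_WITHOUT_MFA"))
    return alerts


def run_example() -> list[tuple[str, str]]:
    return correlate(SAMPLE_LOG, HR_TERMINATED_AT)


if __name__ == "__main__":
    for user, rule in run_example():
        print(user, rule)
```

On the constructed input this yields three alerts: the terminated identity e4 logging into the ERP three hours after termination, and the svc-backup account both lacking an HR owner and authenticating without MFA. The first of those is precisely the leaver exposure the lifecycle section describes; the SIEM rule is only possible because the HR state is available to the correlation.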
