CIAM

CIAM-02
Domino control

Consent & Privacy Management

This control asks one thing: What is the dominant operating model for capturing, storing, and enforcing customer consent and privacy preferences across your digital properties?

Low Maturity

What Failure Looks Like

The documented failure mode at level 0 (Absent) on the 0 to 4 maturity scale:

You cannot prove lawful basis for processing. Any complaint becomes a high-cost legal scramble.

Why this control caps your score

Privacy isn't paperwork, it's a production system. If you can't prove consent and execute deletion, you are carrying hidden legal and brand risk.

CIAM-02 is one of the domino controls in the AXIS model. When the weakest domino control in an assessment sits at a low level, the overall maturity score is capped, regardless of how strong everything else is. The cap lifts as this control matures; the exact schedule is part of the scoring model.

High Maturity

What Good Looks Like

The business value the methodology documents at level 4 (Optimized):

Turn privacy from a cost center into a scalable operating capability.

Next Step

A Typical Next Move

For programs sitting around level 0 (Absent), the methodology recommends this as the next rational step:

Implement explicit consent capture with a centralized consent store and unique customer identifier linkage.

What reaching level 2 (Developing) unlocks

Channel-specific preference management.

Evidence

Evidence Assessors Ask For

A sample of the artifacts an assessor expects to see around level 2 (Developing):

  • Each app has its own consent table
  • Support must contact engineering/data teams to answer consent disputes
  • Manual effort to produce audit evidence ('what did they consent to, and when?')

Compliance

Compliance Frameworks That Cite This Control

The bank's regulatory mapping for CIAM-02 resolves to 2 frameworks with a researched compliance threshold. Weakness here shows up in audits, not only in incidents.

Where Does Your Program Land on CIAM-02?

This page is the teaser layer. The full rubric behind CIAM-02 defines 5 scored maturity levels, 0 to 4, each with its own operating model, evidence expectations, and regulatory citations. That rubric is the scoring instrument, so it ships inside the assessment rather than on a marketing page. Running the assessment takes about 20 minutes and no signup is required to start.