Governance

GOV-04

IAM Operating Model and Skills

This control asks one thing: How is the IAM function organized, staffed, and skilled to deliver and sustain the organization's identity security objectives?

Low Maturity

What Failure Looks Like

The documented failure mode at level 0 (Absent) on the 0 to 4 maturity scale:

Fragmentation and inconsistent decisions. IAM priorities are overridden by operational urgency, and no one owns the outcome.

High Maturity

What Good Looks Like

The business value the methodology documents at level 4 (Optimized):

Turns the IAM function from a technical team into a strategic business capability.

Next Step

A Typical Next Move

For programs sitting around level 0 (Absent), the methodology recommends this as the next rational step:

Assign named IAM responsibility to an individual and establish a basic mandate and scope.

What reaching level 2 (Developing) unlocks

Operational stability for existing IAM capabilities.

Evidence

Evidence Assessors Ask For

A sample of the artifacts an assessor expects to see around level 2 (Developing):

  • Dedicated IAM team with defined roles
  • RACI matrix for IAM processes
  • IAM roadmap documented with basic training budget

Breach Radar

Seen in Real Breaches

These teardowns of public incidents cite GOV-04 as one of the controls that failed. Each one reconstructs the attack chain from public disclosures.

Compliance

Compliance Frameworks That Cite This Control

The bank's regulatory mapping for GOV-04 resolves to 3 frameworks with a researched compliance threshold. Weakness here shows up in audits, not only in incidents.

Where Does Your Program Land on GOV-04?

This page is the teaser layer. The full rubric behind GOV-04 defines 5 scored maturity levels, 0 to 4, each with its own operating model, evidence expectations, and regulatory citations. That rubric is the scoring instrument, so it ships inside the assessment rather than on a marketing page. Running the assessment takes about 20 minutes and no signup is required to start.