The Part of IAM Nobody Wants to Talk About
Published March 18, 2026
Someone asked a question in a professional community I belong to last week. Simple question: does anyone know of an operational framework for running an identity management program?
Twenty replies from senior practitioners. Big 4 alumni. People running IAM at Fortune 100 companies. Community contributors. And the collective answer was: no. Nothing like that exists. Everyone gave their own version of how they run it.
I was not surprised. But I was a little frustrated, because this is a conversation the industry has been having with itself for years and nobody has done anything about it.
We have everything except the part that matters
The IDPro Body of Knowledge is excellent for understanding identity concepts. NIST and ISO will tell you what controls to implement. Gartner will sell you a maturity model. Vendors will sell you tools for every domain you can name and a few you have never heard of.
What nobody has published is how to actually operate an IAM program. Who owns access decisions. How those decisions get escalated when there is a conflict. What the joiner/mover/leaver process looks like end to end and who is on the hook for each step. How you separate the people who build from the people who run from the people who govern. What gets measured and reported to the board.
The Big 4 have answers to all of this, locked inside proprietary engagement methodologies that you access by paying them a few hundred thousand dollars. A couple of practitioners in that thread mentioned they have built internal operating models and thought about open-sourcing them. That would be great. But as of today, nothing is out there.
So every organization that tries to stand up or mature an IAM program ends up reinventing the wheel. Thousands of companies, all solving the same problem independently, most of them badly.
The real pattern
Here is what I actually see on consulting engagements.
Organization spends serious money on IAM tools. SailPoint, CyberArk, Okta, pick your stack. Technical teams do a decent job implementing them. And then... nothing changes. Access reviews still get rubber-stamped. Nobody at the business level owns access decisions, so IT approves everything because someone has to. Policies live in a SharePoint graveyard. When the board asks "how mature is our IAM program?" the CISO either improvises or spends a quarter building a spreadsheet that is already wrong by the time it gets presented.
I have seen this at organizations that have spent millions on identity tools. The tools are not the problem. The tools never were the problem.
The problem is that nobody built the operating layer underneath them. No governance structure. No clear ownership. No metrics that report risk (how much standing privileged access exists, how many orphaned accounts survived the last leaver cycle) instead of activity (how many access reviews were completed this quarter). No way to measure where the program actually stands across domains.
Gartner published its IAM Program Maturity Model in September 2025, and it evaluates six dimensions. Governance is listed first. That is not an accident. Gartner's research shows that without governance, the other five dimensions (organization, strategy, processes, architecture, business value) fall apart. SailPoint's Horizons of Identity Security 2025-2026 report backs this up: over 40% of organizations are still stuck at the earliest maturity stage despite years of tool investment. The IDSA's 2024 Trends in Identity Security survey found that 90% of respondents had experienced an identity-related incident in the preceding year.
These are not under-resourced organizations. These are companies with budgets and tools and teams. What they do not have is anyone flying the plane.
What I think the answer looks like
I am not going to pretend there is a neat five-pillar framework that solves this, because there is not. The people in that community thread were right that there is no single model that works everywhere. IAM programs report into different parts of the org depending on company structure, and a mid-size financial services firm with workforce and customer IAM has very different needs than a 200-person SaaS company.
But the building blocks are the same everywhere. Governance (who decides). Processes (how things run). Organizational structure (who does what). Metrics (what gets reported). And some form of maturity benchmarking so you know where the gaps actually are instead of guessing.
The part most organizations skip is the last one. They invest in tools, stand up processes, maybe even define a RACI. But they never establish a baseline. They never measure where they stand across all the IAM domains in a structured way. So they end up chasing whatever the last audit found or whatever the newest vendor is pitching, instead of systematically closing the gaps that carry the most risk.
Why I built governance into AXIS
This is the reason AXIS evaluates governance as its own domain, not as a subset of something else. When you run an assessment and your authentication maturity comes back at Level 3 but your governance is at Level 0, that tells you something important. It tells you that your MFA rollout, your SSO coverage, your phishing-resistant authentication, all of it is running without anyone formally accountable for maintaining it. That is a program that looks mature on paper and is one reorg away from falling apart.
AXIS caps your overall score when governance is critically weak, no matter how strong your technical controls are. Some people push back on that when they see it in their results. But the logic holds: if nobody owns IAM decisions, every downstream control is operating on borrowed time.
That is not a complete answer to the operating model question. The community still needs a published, portable, practitioner-driven framework that organizations can adapt. But you cannot build an operating model if you do not know where you stand today. The assessment is the diagnostic. Everything else builds on top of it.
The conversation in that community thread will keep happening until someone actually builds the thing everyone keeps asking for. I would love to see the community take it on. In the meantime, at least start by measuring where you are.
AXIS is a free IAM maturity assessment that evaluates nine domains, including governance, benchmarks your results against industry peers, and generates board-ready reports.
Sources
- Gartner, "IAM Program Maturity Model" (September 2025)
- IDSA, "2024 Trends in Identity Security" (521 security professionals)
- SailPoint, "Horizons of Identity Security 2025-2026" (375 IAM decision-makers)