Research-Backed Methodology
AXIS is built on 15 primary research sources across 11 publishers, comprising 350+ pages of validated research. Every assessment decision traces back to published, peer-reviewed data.
Five-Level Maturity Scale (0-4)
Directly aligned with the Gartner IAM Program Maturity Model (September 2025) and CMMI V2.0 staged representation.
Absent = Gartner “Initial”: No formal process exists. Capability is absent or completely ad hoc.
Initial = Gartner “Developing”: Basic capability exists but is manual, inconsistent, and undocumented. Relies on individual knowledge.
Developing = Gartner “Defined”: Capability is documented, standardized, and consistently applied. Some automation may exist.
Established = Gartner “Managed”: Capability is fully automated, measured, and proactively managed. Metrics drive continuous improvement.
Optimized = Gartner “Optimized”: Capability is continuously optimized using advanced techniques (AI/ML). Organization adapts based on predictive indicators.
The AXIS maturity scale maps to Gartner, CMMI, NIST CSF Tiers, and Simeio scales for cross-framework compatibility.
9 IAM Domains
Comprehensive coverage spanning workforce, customer, and hybrid identity programs.
Privileged Access Management (PAM)
Controls over administrator accounts, credential vaulting, session management, and just-in-time access.
Identity Governance & Administration (IGA)
Identity lifecycle management, access certification, role management, and separation of duties.
Identity Threat Detection & Response (ITDR)
Detection of identity-based attacks, anomalous behavior analysis, and automated incident response.
Workforce Authentication
Multi-factor authentication, passwordless strategies, SSO, and adaptive access policies for employees.
Cloud & SaaS IAM
Cloud entitlement management, SaaS governance, and non-human identity (NHI) lifecycle controls.
IAM Governance
Identity data ownership, strategy alignment, metrics programs, and organizational accountability.
Customer Identity (CIAM)
Customer registration, authentication experience, progressive profiling, and consent management.
CIAM Data & Privacy
Customer data governance, privacy compliance, consent lifecycle, and data subject request handling.
CIAM Privileged Access
Administrative controls over customer-facing platforms, delegated administration, and B2B access.
Deterministic, Impact-Weighted Scoring
Same inputs always produce the same outputs. No subjective adjustments, no hidden overrides.
Impact-Weighted Domain Scores
Questions are weighted by their security impact. Critical controls that form the foundation of IAM programs — such as MFA enforcement, privileged access protection, and identity lifecycle management — carry the most influence on your domain score. Enhancement capabilities carry less weight, ensuring your score reflects the strength of your security fundamentals.
Impact classifications are derived from FAIR/NIST 800-30 risk quantification principles and validated by IBM/Ponemon research showing that critical control gaps amplify breach costs by 20-25%.
Domain-Weighted Overall Maturity
Each of the 9 IAM domains contributes to the overall maturity score proportional to its security significance. Domains with higher breach impact and broader organizational risk — such as privileged access and identity governance — contribute more than those with lower relative risk exposure. This approach is aligned with the COBIT 2019 process capability assessment methodology.
Domain weights ensure that the overall score accurately reflects organizational risk posture regardless of how many questions exist in each domain.
Domino Cap — Foundational Control Prerequisites
9 of 35 questions (26%) are classified as “domino” controls — foundational capabilities whose absence undermines the entire IAM program. If any domino control scores below the established threshold, the overall maturity score is capped. This prevents misleading high scores when critical prerequisites are missing.
Research Basis
Aligned with CMMI staged representation: “A maturity level rating is achieved when all process areas at that level have been appraised as meeting their specific and generic goals.” SailPoint Horizons validates that “to be in one horizon, customer capabilities need to cover most environments and identities.”
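An added illustration of the three scoring stages described above (impact-weighted domain scores, domain-weighted overall maturity, domino cap). This is not AXIS's own code, and the impact weights, domain weights, domino threshold and cap value are hypothetical because the page does not publish them.

```python
from dataclasses import dataclass

# Hypothetical parameters: the page does not publish AXIS's actual values.
IMPACT_WEIGHT = {"critical": 3.0, "important": 2.0, "enhancement": 1.0}
DOMINO_THRESHOLD = 2   # a domino control below this level triggers the cap
DOMINO_CAP = 2.0       # ceiling applied to the overall score when triggered

@dataclass(frozen=True)
class Answer:
    domain: str
    level: int           # maturity level on the 0-4 scale
    impact: str          # key into IMPACT_WEIGHT
    domino: bool = False

def domain_scores(answers):
    """Impact-weighted mean maturity per domain."""
    totals = {}
    for a in answers:
        if not 0 <= a.level <= 4:
            raise ValueError(f"level out of range: {a.level}")
        w = IMPACT_WEIGHT[a.impact]
        num, den = totals.get(a.domain, (0.0, 0.0))
        totals[a.domain] = (num + w * a.level, den + w)
    return {d: num / den for d, (num, den) in totals.items()}

def overall_score(answers, domain_weight):
    """Domain-weighted mean, then the domino cap. Returns (score, capped)."""
    scores = domain_scores(answers)
    total_w = sum(domain_weight[d] for d in scores)
    raw = sum(domain_weight[d] * s for d, s in scores.items()) / total_w
    capped = any(a.domino and a.level < DOMINO_THRESHOLD for a in answers)
    return (min(raw, DOMINO_CAP) if capped else raw), capped

# Constructed sample: strong everywhere except one foundational PAM control.
DOMAIN_WEIGHT = {"PAM": 0.6, "IGA": 0.4}   # hypothetical weights
SAMPLE = [
    Answer("PAM", 1, "critical", domino=True),
    Answer("PAM", 4, "enhancement"),
    Answer("PAM", 4, "important"),
    Answer("IGA", 4, "critical", domino=True),
    Answer("IGA", 3, "enhancement"),
]

if __name__ == "__main__":
    print(domain_scores(SAMPLE), overall_score(SAMPLE, DOMAIN_WEIGHT))
```

In the constructed sample the weighted average alone would be 3.0, but the single weak domino control holds the reported score at the cap.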
Domino Controls (9 of 35)
Cryptographic Integrity Verification
Every assessment result is cryptographically signed at the time of calculation. This ensures that scores cannot be tampered with after generation — providing consulting firms and their clients with confidence that results are authentic and unmodified.
4-Tier Dynamic Benchmark Intelligence
Benchmarks blend published research with real assessment data, becoming more precise as the assessment pool grows.
Hierarchical Benchmark Tiers
AXIS benchmarks are not static. The platform uses a 4-tier hierarchy that transitions from published research estimates to data-driven values as more assessments enter the pool — without sudden jumps or discontinuities.
Tier 1: Same licensee + industry + region. Most relevant peer comparison.
Tier 2: All licensees + same industry + region. Regional industry benchmark.
Tier 3: All licensees + same industry (global). Global industry benchmark.
Tier 4: Published research values. Fallback baseline.
Contextual Peer Comparison
Benchmarks account for your industry, organization size, and geography to provide a meaningful peer comparison. A 500-person retail company is compared differently than a 50,000-person financial institution — because their regulatory environments, threat landscapes, and resource availability are fundamentally different.
Industry: Research-derived baselines for 7+ industry verticals
Organization Size: Scaled by identity count using logarithmic modeling
Geography: Regional adjustments reflecting regulatory maturity
Growing Network Effect
Every assessment that enters the AXIS benchmark pool makes all future assessments more accurate. As the pool grows, benchmarks transition smoothly from research-based estimates (Tier 4) toward data-driven peer comparisons (Tier 1). Only anonymized, domain-level aggregates are used — no personally identifiable information enters the benchmark pool.
20+ Regulatory Frameworks
Each framework has a research-derived maturity threshold. Your assessment shows alignment across all applicable frameworks.
How Compliance Mapping Works
AXIS maps each assessment question to the regulatory frameworks it supports. Each framework has a research-derived maturity threshold — the minimum maturity level at which a control is considered compliant. Your compliance percentage reflects how many of your applicable controls meet or exceed the threshold for each framework.
80%+: Aligned
60-79%: At Risk
<60%: Non-Compliant
Supported Frameworks
AXIS provides compliance alignment scoring for the following regulatory and industry frameworks, with thresholds calibrated to each framework's specific requirements.
15+ Primary Sources, 11+ Publishers — and growing
Every benchmark, weight, and threshold in AXIS traces to published research. Full PDFs on file for independent verification.
Gartner IAM Program Maturity Model (Sept 2025): Very High; 6 dimensions, 5 levels
SailPoint Horizons of Identity Security (2025-2026): Very High; 375 IAM decision-makers, 46 pages
IBM/Ponemon Cost of a Data Breach (2025): Very High; 600 organizations, 3,470 interviews, 31 pages
IDSA Trends in Identity Security (2024): Very High; 521 professionals, 16 pages
Gartner Magic Quadrant: PAM (Oct 2025): Very High; 12 vendors evaluated, 40 pages
Gartner Magic Quadrant: Access Management (Nov 2025): Very High; 14 vendors evaluated, 40 pages
IDC MarketScape: Identity Security (2025): High; 20 vendors evaluated
Gartner Peer Insights: IGA (Dec 2024): High; user reviews and ratings, 16 pages
KuppingerCole Leadership Compass: IGA (Aug 2024): High; 23 vendors evaluated
Okta: Path to CIAM Maturity: Medium; 4-stage maturity model, 26 pages
Auth0 Identity Maturity Framework (IMF): Medium; 6 dimensions, 10 pages
Simeio State of Identity (2024): High; 80 measures, cross-industry
Delinea Cyber Insurance Report (2025): High; 750+ US/UK security leaders
CyberArk Identity Security Landscape (2025): High; 2,600 decision-makers
FIDO Alliance Barometer (2024-2025): High; global consumer data
Verizon Data Breach Investigations Report (2025): Very High; 10,000+ incidents analyzed
Aligned with Industry Standards
AXIS maps directly to established maturity and security frameworks for cross-reference and defensibility.
Gartner IAM Program Maturity Model
Six assessment dimensions mapped to AXIS domains with level-to-level correspondence.
Source: Gartner, September 2025
CMMI V2.0
Maturity level definitions and the prerequisite concept that underpins the domino cap mechanism.
Source: CMMI Institute / ISACA, 2023
NIST Cybersecurity Framework 2.0
Implementation tier mapping provides a cross-walk between AXIS levels and NIST CSF tiers.
Source: NIST, February 2024
ISO 27001:2022
Annex A.9 (Access Control) mapped to AXIS assessment questions for audit readiness.
Source: ISO, 2022
COBIT 2019
Domain weighting approach aligned with COBIT process capability assessment methodology.
Source: ISACA, 2019
CISA Zero Trust Maturity Model
Identity pillar scoring aligned with CISA Zero Trust maturity levels for federal alignment.
Source: CISA, 2023
Source Attribution Standards
Every value in AXIS is labelled by its provenance. We are transparent about what is researched and what is pending validation.
Value derived directly from published research with citation
Value calculated from sourced data using a documented formula
Based on expert judgment; will be validated and refined via pilot assessments
Items marked PENDING PILOT represent methodological decisions based on industry best practice and logical reasoning, but lack direct empirical validation. These values will be refined as AXIS collects aggregate assessment data. This transparency is intentional and reflects our commitment to methodological honesty.