KnowMBAAdvisory
Digital Transformation · Intermediate · 7 min read

Identity and Access Management

Identity and Access Management (IAM) is the discipline of defining, governing, and enforcing WHO can access WHAT, under WHAT conditions, across all enterprise systems: workforce, customer, partner, and machine. Modern IAM has four pillars: (1) Authentication (proving you are who you say you are: passwords, MFA, passkeys, biometrics), (2) Authorization (deciding what you can do once authenticated: roles, permissions, attributes), (3) Identity Lifecycle (joiner-mover-leaver: provisioning when you join, updating when you change roles, deprovisioning when you leave), and (4) Privileged Access Management (PAM: extra controls on administrative accounts). IAM is the foundation Zero Trust depends on; without strong identity, every other control downstream is theatre. The KnowMBA POV: IAM debt is the most expensive form of tech debt, because every breach inquiry starts with 'how did the attacker get in?' and the answer is almost always 'an account was compromised.'

Also known as: IAM, Identity Management, Access Management, IGA, Workforce Identity, SSO + MFA Strategy

The Trap

The trap is treating IAM as a tooling decision (buy Okta, ship SSO, declare victory) rather than an operating discipline. Companies adopt SSO for the easy 30 SaaS apps, then leave the long-tail 200 apps on local accounts forever, creating shadow identities that bypass every IAM control. They enforce MFA on user logins but not on admin accounts, the highest-value targets. They provision users efficiently but never deprovision, so ex-employees retain access for months or years. The recurring forensic finding: the attacker used a real, valid credential rather than a software vulnerability, and the credential belonged to someone who had left or changed roles many months earlier. Identity hygiene is the single highest-impact security control, and most enterprises treat it as a routine IT task.

What to Do

Five operational disciplines. (1) Consolidate SSO: every SaaS and every internal app behind one identity provider; target 95%+ coverage within 18 months. (2) Enforce MFA universally, and phishing-resistant MFA (passkeys, hardware tokens) on admin accounts. (3) Automate joiner-mover-leaver: the HR system is the source of truth, and IAM provisions and deprovisions automatically within 1 hour of an HR change. (4) Implement PAM: privileged accounts use just-in-time elevation, recorded sessions, and short-lived credentials, never standing admin. (5) Run quarterly access reviews: business owners certify who should have access to what, and anything not certified is revoked. Measure MTTR for deprovisioning, MFA coverage %, and orphaned-account count (active accounts with no live HR record or named owner).

Formula

IAM Maturity Score = (% Apps Behind SSO) × (% Identities with MFA) × (% Joiner-Mover-Leaver Automated) × (% Privileged Access Just-in-Time)

Express each term as a fraction between 0 and 1. Because the terms multiply, one weak pillar drags the whole score down: 90% SSO coverage with no just-in-time privilege still scores near zero, which is the point.
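The five disciplines and the formula above reduce to one recurring job: reconcile the HR roster against the identity provider and compute the numbers. The block below is an added example written for this page, not KnowMBA's tooling or any vendor's API. The HR and IdP records are constructed sample data, and the 1-hour deprovisioning SLA, 90-day machine-credential rotation age and 90% SSO coverage input are assumptions. It goes slightly beyond the text by also checking service accounts for a missing owner or a stale credential, since the same inventory feeds the orphaned-account count.

```python
# Identity hygiene reconciliation: HR roster as source of truth vs. an IdP snapshot.
# Added example; field names, sample data and thresholds are constructed assumptions,
# not any vendor's API or this page's own tooling.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean
from typing import Optional

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so results are reproducible
DEPROVISION_SLA = timedelta(hours=1)              # page target: disabled within 1h of HR change
ROTATION_MAX_AGE = timedelta(days=90)             # assumed machine-credential rotation policy

@dataclass(frozen=True)
class HRRecord:
    user: str
    terminated_at: Optional[datetime] = None       # None while employed

@dataclass(frozen=True)
class Account:
    name: str
    active: bool = True
    mfa: bool = False
    privileged: bool = False
    jit_only: bool = False                         # privilege granted only just-in-time
    kind: str = "human"                            # "human" or "service"
    owner: Optional[str] = None                    # every service account needs one
    rotated_at: Optional[datetime] = None          # last credential rotation (service)
    disabled_at: Optional[datetime] = None

# Constructed sample: a clean admin, a leaver never deprovisioned, a leaver disabled
# inside SLA, a shadow admin unknown to HR, and two service accounts.
HR = [HRRecord("alice"),
      HRRecord("bob", terminated_at=NOW - timedelta(days=270)),
      HRRecord("carol", terminated_at=NOW - timedelta(days=3))]
IDP = [Account("alice", mfa=True, privileged=True, jit_only=True),
       Account("bob", mfa=True),                                   # left 9 months ago, still active
       Account("carol", active=False, mfa=True,
               disabled_at=NOW - timedelta(days=3) + timedelta(minutes=30)),
       Account("dave", privileged=True),                           # unknown to HR, standing admin, no MFA
       Account("svc-backup", kind="service", rotated_at=NOW - timedelta(days=400)),
       Account("svc-ci", kind="service", owner="platform-team",
               rotated_at=NOW - timedelta(days=20))]

def orphaned_accounts(hr, idp):
    """Active human accounts with no live HR record: the leaver gap plus shadow identities."""
    employed = {r.user for r in hr if r.terminated_at is None}
    return sorted(a.name for a in idp if a.active and a.kind == "human" and a.name not in employed)

def deprovisioning_lag(hr, idp):
    """Hours from HR termination to IdP disablement; accounts still active count up to NOW."""
    by_name = {a.name: a for a in idp}
    lag = {}
    for r in hr:
        if r.terminated_at is None or r.user not in by_name:
            continue
        acct = by_name[r.user]
        end = acct.disabled_at if (not acct.active and acct.disabled_at) else NOW
        lag[r.user] = (end - r.terminated_at) / timedelta(hours=1)
    return lag

def service_account_findings(idp):
    """Machine identities lacking a named owner or past the rotation policy."""
    findings = []
    for a in idp:
        if a.kind != "service" or not a.active:
            continue
        if a.owner is None:
            findings.append((a.name, "no named owner"))
        if a.rotated_at is None or NOW - a.rotated_at > ROTATION_MAX_AGE:
            findings.append((a.name, "credential past rotation age"))
    return findings

def maturity_score(sso_pct, mfa_pct, jml_pct, jit_pct):
    """The page's formula; every term a fraction 0..1, so one weak pillar drags the score down."""
    return sso_pct * mfa_pct * jml_pct * jit_pct

def report(hr=HR, idp=IDP, sso_pct=0.9):
    """The metrics the page says to track, plus the maturity score (sso_pct is an assumed input)."""
    lag = deprovisioning_lag(hr, idp)
    sla_hours = DEPROVISION_SLA / timedelta(hours=1)
    jml_pct = sum(h <= sla_hours for h in lag.values()) / len(lag) if lag else 1.0
    humans = [a for a in idp if a.active and a.kind == "human"]
    admins = [a for a in idp if a.active and a.privileged]
    mfa_pct = sum(a.mfa for a in humans) / len(humans) if humans else 1.0
    jit_pct = sum(a.jit_only for a in admins) / len(admins) if admins else 1.0
    return {"orphaned_accounts": orphaned_accounts(hr, idp),
            "deprovision_mttr_hours": mean(lag.values()) if lag else 0.0,
            "service_findings": service_account_findings(idp),
            "mfa_pct": mfa_pct, "jit_pct": jit_pct, "jml_pct": jml_pct,
            "maturity": maturity_score(sso_pct, mfa_pct, jml_pct, jit_pct)}

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the sample data the report flags bob (left nine months ago, never disabled) and dave (no HR record at all) as orphans, reports carol's 30-minute deprovisioning as the only leaver inside SLA, and scores the estate at 0.15 despite 90% SSO coverage, because MFA, JML and JIT are each only partly done. In a real deployment the two lists come from the HRIS export and the IdP's user API, and the report runs on a schedule rather than once.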

In Practice

Okta and Auth0 (acquired by Okta in 2021) became the industry's reference identity providers for workforce and customer IAM respectively. Okta's annual Businesses at Work report tracks the explosion of SaaS sprawl: the average enterprise now uses 100+ SaaS apps, each a separate identity silo before SSO. Critically, Okta's own 2022 security incident (a third-party support engineer's compromised laptop briefly exposed customer support tooling) became a case study in WHY identity hygiene matters even at the IAM vendor itself: when identity is compromised, everything downstream is at risk. Microsoft Entra ID (formerly Azure AD), with billions of monthly authentications and years of conditional-access investment, is the other reference for workforce IAM at enterprise scale. Both vendors' incident histories underscore that IAM is a continuous program, not a project.

Pro Tips

01. The single highest-impact IAM move is killing standing admin accounts. Replace 'forever-admin' with just-in-time elevation: a user requests admin access with a justification, gets it for a bounded window (for example 4 hours), the session is recorded, and the grant is revoked automatically when the window closes. An attacker who phishes that user's password then inherits no standing privilege; elevation still has to pass a phishing-resistant step-up.

02. Customer Identity (CIAM) is its own discipline, distinct from workforce IAM. CIAM optimizes for low-friction registration, social login, progressive profiling, and consent management. Don't run customer authentication through your workforce identity provider; the requirements are fundamentally different.

03. Service accounts and machine identities often outnumber human identities 5-10x and are rotated less often. Inventory them, give every one a named owner, rotate credentials on a schedule, and decommission unused ones. Alongside compromised user credentials they are among the most common breach vectors.

Myth vs Reality

Myth

"Strong passwords are enough for security"

Reality

Passwords are the weakest link. The Verizon Data Breach Investigations Report (annual) consistently ranks stolen or compromised credentials among the top initial-access vectors; the 2020 edition put them in over 80% of hacking-related breaches. Microsoft's 2019 analysis found that MFA blocks more than 99.9% of automated account-compromise attacks. Passkeys and phishing-resistant MFA are the path forward; password complexity rules without MFA are security theater.

Myth

"Once SSO is rolled out, IAM is done"

Reality

SSO is the entry-level IAM capability. Mature IAM also requires identity governance (access reviews), privileged access management (PAM), customer identity (CIAM), and identity threat detection. Most companies that 'have SSO' are 30% of the way to mature IAM. The remaining 70% is where the actual breach prevention happens.

Knowledge Check

An enterprise rolls out SSO covering 60 SaaS apps and enforces MFA for all employees. 14 months later, an attacker breaches a critical system using credentials from an employee who left 9 months earlier. What's the most likely IAM gap?

Industry benchmarks (use these ranges as targets, not absolutes)

Credential-Related Breach Statistics (Verizon DBIR, IBM Cost of a Data Breach, Microsoft Identity Security analyses)

  Breaches involving stolen/compromised credentials    ~80% of hacking-related breaches (Verizon DBIR 2020)
  Reduction in account compromise risk from MFA         >99.9% of automated attacks blocked (Microsoft 2019)
  Breaches where an ex-employee account was abused       ~20% (industry estimates)
  Average cost per breach (credential vector)            ~$4.5M (IBM 2024)

Sources: https://www.verizon.com/business/resources/reports/dbir/ and https://www.ibm.com/security/data-breach

Real-world cases


Okta (workforce IAM reference), 2009-present. Outcome: mixed.

Okta became the de facto independent identity provider for workforce SaaS, with thousands of SaaS connectors and a leadership position in the IAM analyst rankings. Their annual Businesses at Work report has documented the SaaS explosion (average enterprise: 100+ apps), making Okta the cleanest data source on identity sprawl. Critically, Okta's own 2022 security incident (a third-party support engineer's laptop was compromised, briefly exposing customer support tooling) became a case study in WHY identity hygiene matters at every level, including the identity vendor itself. Okta responded with significant investment in supply-chain identity controls, third-party risk management, and customer-facing transparency. The lesson: even the most identity-mature organizations have identity gaps; the discipline is continuous improvement, not one-time hardening.

App Connectors: 7,000+ SaaS integrations
Avg Apps per Enterprise (2024): ~100
Notable Incident: 2022 third-party support engineer compromise
Post-Incident Investment: Supply-chain identity controls, customer transparency

Even Okta has had identity gaps. The takeaway isn't 'Okta is bad'; it's 'identity is hard, and any enterprise that thinks they're done is wrong.' Treat IAM as a continuous program with a named owner, regular audits, and supply-chain identity controls, not a project that ends.

Auth0 (CIAM reference, acquired by Okta 2021), 2013-present. Outcome: success.

Auth0 became the developer-favorite Customer Identity (CIAM) platform, offering low-friction social login, passwordless authentication, MFA, and progressive profiling: the controls that govern customer-facing identity, distinct from workforce identity. Okta acquired Auth0 in 2021 for $6.5B specifically because workforce IAM and customer IAM are fundamentally different products with different optimization goals (security and governance vs conversion and friction reduction). Auth0's growth proved that customer identity is its own discipline, not a side feature of workforce IAM. Companies that try to run customer authentication through their workforce identity stack typically over-control (high friction, so conversion loss) or under-control (low friction, so fraud), missing the right balance.

Acquisition Price (2021): $6.5B
Strategic Rationale: CIAM is distinct from workforce IAM
Customer Identity Patterns: Social login, passwordless, progressive profiling
Pre-Acquisition ARR: ~$200M

Customer identity (CIAM) and workforce identity are two products, not one. Optimize each for its actual goal: workforce for security/governance, customer for conversion/experience. Auth0's existence (and Okta's $6.5B acquisition) is the market's vote that they need separate platforms.


Decision scenario

The IAM Investment Sequencing Decision

You're the new CISO at a $1.2B financial services firm. An IAM audit reveals: SSO covers 30% of apps, MFA is enforced for 65% of users (not admins), JML deprovisioning takes 18 days, and there is no PAM. Annual IAM budget: $5M. The board wants you to pick the highest-impact investment for the year; they'll fund one major initiative.

SSO Coverage: 30% of apps
MFA Coverage (users): 65%
MFA on Admin Accounts: Not enforced
Deprovisioning Time: 18 days
PAM Maturity: None (standing admin everywhere)
IAM Budget: $5M for one major initiative

Decision 1

Three credible options: (a) Expand SSO from 30% to 90%, (b) Implement PAM with phishing-resistant MFA on admin accounts, (c) Automate JML to 1-hour deprovisioning. Each is real work, each costs ~$5M, each takes 9-12 months. Where's the highest leverage?

Option (a): Expand SSO from 30% to 90%. Broad coverage demonstrates progress and unlocks future MFA enforcement.

Outcome: Year 1: SSO coverage hits 88% (real progress, board pleased with the metric). But during the year, an admin account is compromised via phishing (no MFA on admins) and the attacker exfiltrates customer PII for 8 days before detection. $14M breach cost, regulatory penalty, customer notification. Post-incident review: 'SSO coverage didn't prevent this; admin MFA would have.' The CISO is asked why admin MFA wasn't the priority. Career impact severe.

  SSO Coverage: 30% → 88%
  Admin MFA: Still not enforced
  Breach Outcome: $14M, regulatory action

Option (b): Implement PAM with phishing-resistant MFA on all privileged accounts as the Year 1 priority. Defer SSO expansion and JML automation to Years 2 and 3.

Outcome: Year 1: All ~400 privileged accounts move to JIT elevation with hardware-token MFA, sessions recorded, no standing admin. Mid-year, three phishing attempts targeting admins all fail at the MFA step (logged, attackers identified, threat intel shared). End of year: zero admin compromise, audit posture massively improved, PAM becomes the case study for the rest of the IAM program. Year 2 SSO expansion gets funded on PAM credibility. Year 3 JML automation rounds out the program. Board cites IAM transformation as a flagship initiative.

  PAM Coverage: 0% → 100% of privileged accounts
  Admin MFA: Phishing-resistant on all
  Phishing Attempts Blocked: 3 admin attempts blocked at MFA
  Subsequent Funding: Years 2-3 IAM program approved on Year 1 success

Option (c): Automate JML to 1-hour deprovisioning. Closes the highest-frequency historical attack vector.

Outcome: JML automation lands on schedule. Deprovisioning time drops from 18 days to 1 hour. ~3 ex-employee accounts that would have been compromised based on the prior pattern are no longer exposed. Real risk reduction, but standing admin accounts (no MFA) remain the higher-value target. Mid-year, an admin account is phished. The breach happens through the unaddressed attack surface. Lesson: JML was a real win but the wrong sequencing; admin protection had the higher expected value.

  Deprovisioning Time: 18 days → 1 hour
  Admin Attack Surface: Unchanged
  Year 1 Breach: Smaller than option (a) but still material
