
The Bedrock of IAM: Why Policy and Control Define Success

Jim McDonald, CEO, IDAC Podcast

For over two decades, I’ve had a front-row seat for the evolution of identity and access management (IAM). I’ve seen organizations launch ambitious IAM modernization projects, only to watch them falter. In my years of helping clients develop identity strategies, I’ve noticed a consistent pattern: the most successful initiatives are not those with the biggest budgets or the flashiest technology. They are the ones built on a clear, well-defined foundation of policy and controls.

Too often, organizations view IAM as a purely technological challenge—a matter of choosing the right software or deploying a new authentication system. They spend millions on technology without first answering a fundamental question: What is our mission? Without clearly defined high-level policies and low-level controls, an identity architecture will struggle to be effective, regardless of the technology it employs. This is particularly critical because IAM budgets are not unlimited. Identifying what policies and controls the organization must meet is the only way to prioritize investments effectively and ensure every dollar spent contributes to a meaningful business outcome.

The Critical Link: Policies, Controls, and Investment

Think of it this way: policies are your “north star.” They represent the overarching, high-level objectives—the what and why of your IAM program. Controls are the “guardrails”—the specific, enforceable mechanisms that translate policy into action. This clear distinction provides the framework for strategic investment.

Consider a healthcare organization, an industry where the stakes for data security are incredibly high. A high-level policy might state: “All access to patient Protected Health Information (PHI) must be authenticated with a high degree of assurance.” This is the organization’s directive, but it doesn’t specify how to achieve it. That’s where controls come in. The corresponding control might be: “All users accessing PHI must use multi-factor authentication (MFA).”

With this policy-control link established, the organization’s investment priorities become crystal clear. A new MFA solution is not a “nice-to-have”; it is a non-negotiable, foundational investment required to meet a core business policy and legal obligation. Other projects, such as deploying a single sign-on solution for non-critical, internal applications, can be prioritized later or even deferred if they don’t directly address a critical policy or control. This approach ensures that capital is allocated where it delivers the most value and manages the greatest risk.

Sourcing Your Directives: From Regulation to Contracts

For GRC professionals, the key to building this framework lies in knowing where to look for these foundational policies and controls. They aren’t created in a vacuum; they are sourced from a variety of internal and external obligations.

Industry Regulations: In healthcare, the Health Insurance Portability and Accountability Act (HIPAA) mandates specific controls around the privacy and security of PHI. A robust IAM program must directly map its controls to these regulatory requirements to ensure compliance and avoid costly penalties. Financial services have similar obligations under regulations like the Gramm-Leach-Bliley Act (GLBA). The principle is the same across all regulated industries: your IAM program must be an operationalization of your regulatory duties.

Legal Requirements: Beyond regulation, two often-overlooked sources for control requirements are legal and contractual agreements. Contracts with customers may contain clauses that specify how their data must be secured, including specific access controls. Similarly, cyber insurance policies increasingly mandate the implementation of certain security measures—such as MFA for all remote access—as a prerequisite for coverage. Failing to meet these contractual or insurance-based controls could leave an organization exposed to significant financial and legal risk. These external forces provide a compelling business rationale for prioritizing specific IAM initiatives.
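The policy-to-control-to-obligation chain described in the two sections above (the PHI/MFA policy and control, and the regulatory, contractual and insurance sources behind controls) can be written down as code so it is checkable rather than aspirational. The following is an added example, not code from the article or from any IAM product; the policy and control identifiers, the obligation labels and the sample access requests and projects are constructed for illustration. It does two things the prose describes: decides whether an access request stays within the controls, and ranks candidate investments by how many external obligations the controls they implement trace back to.

```python
"""Policy-to-control mapping as code (added example, constructed data)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Policy:
    policy_id: str
    statement: str                  # the high-level "what and why"


@dataclass(frozen=True)
class Control:
    control_id: str
    statement: str                  # the enforceable guardrail
    policy_id: str                  # the policy this control operationalizes
    sources: Tuple[str, ...]        # regulation / contract / insurance obligations
    satisfied_by: Callable[[dict], bool]   # predicate over an access request


# Constructed identifiers and wording; not from any real policy set.
POLICIES: Dict[str, Policy] = {
    "POL-PHI-AUTH": Policy(
        "POL-PHI-AUTH",
        "All access to patient PHI must be authenticated with a high degree of assurance.",
    ),
    "POL-REMOTE-AUTH": Policy(
        "POL-REMOTE-AUTH",
        "Remote access to corporate systems must be strongly authenticated.",
    ),
}


def _phi_needs_mfa(req: dict) -> bool:
    # Non-PHI data is out of scope for this control; PHI access requires MFA.
    return req["data_class"] != "PHI" or req["mfa"]


def _remote_needs_mfa(req: dict) -> bool:
    # Local access is out of scope; any remote access requires MFA.
    return not req["remote"] or req["mfa"]


CONTROLS: List[Control] = [
    Control("CTL-MFA-PHI", "All users accessing PHI must use MFA.",
            "POL-PHI-AUTH", ("HIPAA Security Rule (constructed label)",),
            _phi_needs_mfa),
    Control("CTL-MFA-REMOTE", "MFA is required for all remote access.",
            "POL-REMOTE-AUTH",
            ("cyber insurance policy (constructed)",
             "customer contract data-security clause (constructed)"),
            _remote_needs_mfa),
]


def violated_controls(req: dict, controls: List[Control] = CONTROLS) -> List[str]:
    """Return the IDs of controls the access request fails.
    An empty list means the request is within every guardrail."""
    return [c.control_id for c in controls if not c.satisfied_by(req)]


def prioritize_projects(projects: List[dict],
                        controls: List[Control] = CONTROLS) -> List[Tuple[str, int]]:
    """Rank candidate investments by the number of distinct external obligations
    they help satisfy through the controls they implement. A project that maps
    to no control (e.g. SSO for non-critical internal apps) ranks last."""
    by_id = {c.control_id: c for c in controls}
    scored = []
    for project in projects:
        obligations = set()
        for control_id in project["controls"]:
            obligations.update(by_id[control_id].sources)
        scored.append((project["name"], len(obligations)))
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# Constructed sample inputs.
SAMPLE_REQUESTS = [
    {"user": "dr.alice", "data_class": "PHI", "remote": False, "mfa": True},
    {"user": "contractor.bob", "data_class": "PHI", "remote": True, "mfa": False},
    {"user": "intern.carol", "data_class": "INTERNAL", "remote": False, "mfa": False},
]
SAMPLE_PROJECTS = [
    {"name": "Enterprise MFA rollout", "controls": ["CTL-MFA-PHI", "CTL-MFA-REMOTE"]},
    {"name": "SSO for internal wiki", "controls": []},
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request["user"], "->", violated_controls(request) or "compliant")
    print(prioritize_projects(SAMPLE_PROJECTS))
```

Each control carries the obligations that justify it, so a failed check can be reported back as "this request breaks the HIPAA-driven MFA control", and a budget discussion can be framed as "this project closes controls tied to three external obligations, that one to none", which is the prioritization argument the article makes.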

The Payoff: A Clear Mission for Modernization

My experience has shown that when an organization has a clear, actionable policy and control framework, every IAM project has a purpose. I’ve witnessed organizations that were already mature in their policies and controls embark on IAM modernization projects and make incredible progress. Their mission was clear from day one: to align their technology with their pre-established, well-understood obligations. This clarity allows for efficient resource allocation, mitigates the risk of “scope creep,” and provides a clear metric for success—did we meet the control and, by extension, the policy?

Conversely, I’ve seen well-intentioned teams struggle for years, caught in an endless cycle of pilots and projects that fail to deliver meaningful value because they lacked a defined mission. They were trying to build a house without a blueprint, and the result was a disjointed, insecure, and inefficient architecture.

The true mission of identity and access management isn’t just to deploy the latest software. It’s to build a purposeful, resilient architecture that is directly tied to an organization’s business, legal, and compliance obligations. By rooting your strategy in clearly defined policies and the controls that enforce them, you transform IAM from a technological expense into a strategic, value-driven asset. The result is not only a stronger security posture but a clear, measurable roadmap for success that will resonate with every level of the organization.
