WRITING · 18 June 2026

What is IAM? The executive guide to identity and access management

Identity and access management is no longer an IT checkbox. It's the operating system for digital trust in your organization.

An employee resigns on Friday. On Monday, their account is still active. By Wednesday, someone has used those credentials to access your financial systems. The employee didn't do anything malicious; they simply moved on. But their digital identity didn't.

This scenario is more common than most of us would like to admit. According to the Verizon 2024 Data Breach Investigations Report, half of all data breaches trace back to compromised credentials. Not sophisticated zero-day exploits. Not nation-state attacks. Stolen or misused identities.

When people ask me about identity and access management, MFA and password policies are usually the first things that come to mind. They matter, but treating them as the whole of IAM is like calling the door lock your car's entire security system. The engine, brakes, and airbags matter too.

What IAM actually is

IAM stands for identity and access management, but the name undersells what it does. It's not just about managing who logs in. It's the system that governs who can do what, where, and under what conditions, across your entire digital environment.

Think of it as four pillars working together:

Administration is identity lifecycle management. When someone joins your organization, they need accounts, permissions, and access to specific systems. When their role changes, those permissions should evolve. When they leave, all access should be revoked immediately. This sounds simple. In practice, it's where things get complicated — and where most organizations, including my own, have room to improve.

Authentication is verification: confirming that a user is who they claim to be. This is where passwords and MFA live. But authentication alone doesn't determine what someone can do once they're verified.

Authorization determines access levels. After proving identity, what can this person actually do? Authorization enforces the principle of least privilege: users should have only the minimum permissions needed to do their job, and those permissions should be revoked when no longer required.

Auditing ensures everything works as intended. It records who accessed what and when, and ties each grant of access back to the request or policy that justified it. This isn't just about catching bad actors; it's essential for regulatory compliance with frameworks like GDPR, SOX, and PCI DSS. Without proper audit trails, you can't prove your controls are working.

These four pillars must work together. Strong authentication means nothing if you never revoke access when employees leave. Tight authorization policies fail if you can't audit whether they're being followed.

Understanding these fundamentals is essential, but knowing why they matter now requires looking at how the landscape has shifted.

Why IAM matters more than ever

Three shifts have transformed IAM from an IT project into a strategic imperative.

The perimeter moved. Traditional security assumed a clear boundary: trusted users inside the firewall, threats outside. That model is dead. With cloud computing, remote work, and SaaS applications, your employees access critical systems from anywhere, on any device. The perimeter is no longer the firewall. It's the identity.

The identity landscape exploded. IAM used to mean managing employee accounts. Today, you're managing human users (employees, contractors, customers, partners) alongside a growing population of non-human identities: service accounts, API keys, automation workflows, and IoT devices.

And now, AI.

AI changed the game. This is the shift I find myself thinking about most. AI isn't just a tool your employees use; it's embedded everywhere. Browser plugins. Add-ins. Productivity tools. Automation flows. Each of these has some form of identity, some level of access, and in many cases, your IT team has no visibility into them.

Industry estimates put non-human identities at roughly 50 to 1 against human users in the average enterprise environment, and some analysts project that ratio heading toward 80 to 1. Here's why this matters: every one of those identities is a potential attack vector. If a compromised service account has access to your customer database, attackers don't need to phish an employee. And unlike human accounts, machine identities often hold elevated privileges, are usually exempt from MFA because they authenticate non-interactively, and run on credentials that haven't been rotated in years.

The question is no longer "who has access?" It's "what has access?"

The challenges companies actually face

The gap between IAM theory and practice is where breaches happen. These are the problems organizations wrestle with daily:

No deprovisioning automation. Research shows that on average, organizations have a three to seven day gap between an employee leaving and their access being revoked. Some have accounts active months after departure. Each orphaned account is a backdoor waiting to be exploited.

Invisible service accounts. Companies invest in MFA for employees but have no inventory of the service accounts and automations running in the background. Because these accounts authenticate non-interactively, MFA doesn't cover them; their secrets often sit in scripts and configuration files, and nobody is assigned to rotate them or to switch them off when the job they served is gone.

No single view of access. Ask most organizations "where does this person have access?" and they can't answer confidently. Access accumulates across systems, SaaS applications, and cloud platforms with no central visibility.
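The three gaps above can be measured with data the organization already holds: an HR roster and an account export from each directory and SaaS platform. The Python script below is an added example, not code from this article or from any product. The roster, the account records and the fixed "today" date are constructed sample data, and the 90-day rotation threshold is an assumed policy. It reports enabled accounts whose owner HR no longer lists as active (with the number of days since departure), service accounts with stale or ownerless credentials, and a per-person view of access across systems.

```python
"""Identity inventory reconciliation: orphaned accounts, stale machine
credentials, and one view of access per person.

Added example, not the article's code. HR_ROSTER, ACCOUNTS and TODAY are
constructed sample data; STALE_CREDENTIAL_DAYS is an assumed rotation policy.
"""
from collections import defaultdict
from datetime import date

TODAY = date(2026, 6, 18)        # fixed so the output is reproducible
STALE_CREDENTIAL_DAYS = 90       # assumed policy for machine credentials

# Constructed HR roster. Leavers carry the date HR recorded them as gone.
HR_ROSTER = {
    "alice": {"status": "active", "left": None},
    "bob":   {"status": "terminated", "left": date(2026, 6, 12)},
    "carol": {"status": "terminated", "left": date(2026, 3, 1)},
}

# Constructed account inventory, as if exported from each system. 'owner' is
# the HR identity the account was correlated to (None when nobody claims it).
ACCOUNTS = [
    {"system": "AD", "account": "alice", "kind": "human", "owner": "alice",
     "enabled": True, "cred_rotated": date(2026, 5, 2), "roles": ["user"]},
    {"system": "AD", "account": "bob", "kind": "human", "owner": "bob",
     "enabled": True, "cred_rotated": date(2026, 4, 20), "roles": ["user"]},
    {"system": "ERP", "account": "bob.fin", "kind": "human", "owner": "bob",
     "enabled": True, "cred_rotated": date(2026, 1, 9), "roles": ["finance-approver"]},
    {"system": "SaaS-CRM", "account": "carol", "kind": "human", "owner": "carol",
     "enabled": True, "cred_rotated": date(2025, 11, 3), "roles": ["admin"]},
    {"system": "AD", "account": "carol", "kind": "human", "owner": "carol",
     "enabled": False, "cred_rotated": date(2025, 11, 3), "roles": ["user"]},
    {"system": "Cloud", "account": "svc-backup", "kind": "service", "owner": None,
     "enabled": True, "cred_rotated": date(2023, 2, 14), "roles": ["storage-admin"]},
    {"system": "CI", "account": "svc-deploy", "kind": "service", "owner": "alice",
     "enabled": True, "cred_rotated": date(2026, 5, 30), "roles": ["deployer"]},
]


def orphaned_accounts(accounts, roster, today=TODAY):
    """Enabled human accounts whose owner HR no longer lists as active.

    Returns (system, account, days_since_departure), worst gap first. A
    disabled account is not reported: the gap that matters is 'still usable
    after leaving'. An owner HR has never heard of is reported with gap None.
    """
    findings = []
    for acct in accounts:
        if acct["kind"] != "human" or not acct["enabled"]:
            continue
        person = roster.get(acct["owner"])
        if person is None or person["status"] != "active":
            left = person["left"] if person else None
            gap = (today - left).days if left else None
            findings.append((acct["system"], acct["account"], gap))
    # Unknown owners sort first: nobody is accountable for that account at all.
    return sorted(findings, key=lambda f: -(f[2] if f[2] is not None else 10**6))


def stale_machine_credentials(accounts, max_age_days=STALE_CREDENTIAL_DAYS, today=TODAY):
    """Enabled service accounts whose credential is older than policy or that
    have no named owner. Returns (system, account, age_days, issues)."""
    findings = []
    for acct in accounts:
        if acct["kind"] != "service" or not acct["enabled"]:
            continue
        age = (today - acct["cred_rotated"]).days
        issues = []
        if age > max_age_days:
            issues.append("credential-stale")
        if acct["owner"] is None:
            issues.append("no-owner")
        if issues:
            findings.append((acct["system"], acct["account"], age, issues))
    return findings


def access_by_person(accounts):
    """Single view: for each owner, every enabled (system, account, roles)
    they hold, regardless of which platform it lives in."""
    view = defaultdict(list)
    for acct in accounts:
        if acct["enabled"] and acct["owner"] is not None:
            view[acct["owner"]].append((acct["system"], acct["account"], tuple(acct["roles"])))
    return dict(view)


if __name__ == "__main__":
    for finding in orphaned_accounts(ACCOUNTS, HR_ROSTER):
        print("ORPHANED", finding)
    for finding in stale_machine_credentials(ACCOUNTS):
        print("STALE", finding)
    for person, holdings in access_by_person(ACCOUNTS).items():
        print("ACCESS", person, holdings)
```

Run as-is it prints three lists: carol still holds an enabled admin account in the CRM 109 days after leaving, bob's two accounts are six days past his departure, and the cloud backup service account has a credential more than three years old and no owner. In practice the joins are the hard part: the HR identifier rarely matches the account name in every system, so the owner field has to be populated by an identity correlation step before the reconciliation means anything.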

Admin sprawl. Too many people with administrative privileges across too many systems. The principle of least privilege exists in policy but not in practice.

Shadow AI. Employees install browser extensions, connect AI-powered tools, and grant permissions to applications that IT never approved and cannot see. The traditional model of "approved vs. blocked" breaks down when AI capabilities are embedded in everyday tools.

IAM as business enabler

Here's the reframe worth making: IAM isn't a security cost centre. It's a business enabler.

Operational efficiency. Automated provisioning and deprovisioning eliminates manual work, reduces errors, and accelerates onboarding. Research from Gartner suggests automating IAM processes can deliver nearly 300% ROI.

User experience. Single sign-on and streamlined access mean employees spend less time managing passwords and more time doing their jobs. It also reduces help desk tickets, since password resets remain one of the top IT support requests.

Secure collaboration. Modern business requires working with contractors, partners, and customers. Mature IAM enables you to grant appropriate access to external parties without compromising security.

Compliance readiness. With proper audit trails and access controls, compliance becomes a byproduct of good IAM rather than a separate exercise.

Risk-based flexibility. The right approach isn't total lockdown or unrestricted access. It's applying strict controls where risk is high (privileged accounts, sensitive data, critical systems) while maintaining flexibility where it makes sense. Conditional access policies can enforce different requirements based on user, device, location, and risk level.
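A conditional access policy is, mechanically, a small rule engine evaluated on every sign-in. The Python below is an added example written for this article; it is not the article's own code and does not reproduce any vendor's policy language. The attribute names, the privileged-role list, the three MFA strengths and the sample sign-ins are assumptions. It shows the pattern described above: hard blocks that no factor can override, step-up rules where the strongest demanded factor wins, and a plain allow when device, location and application are all low risk.

```python
"""Conditional access as a rule engine, evaluated per sign-in.

Added example, not the article's code and not any product's policy syntax.
PRIVILEGED_ROLES, MFA_STRENGTH, the SignIn attributes and SAMPLE_SIGNINS are
assumptions constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SignIn:
    user: str
    roles: frozenset          # directory roles held by the principal
    app: str                  # target application
    app_sensitivity: str      # "low" | "high"
    device_managed: bool      # enrolled and compliant according to MDM
    location_known: bool      # allow-listed network or the user's usual country
    risk: str                 # "low" | "medium" | "high" from sign-in risk signals
    mfa: str                  # factor already completed: "none" | "otp" | "phishing-resistant"


@dataclass
class Decision:
    action: str               # "allow" | "step-up" | "block"
    required_mfa: str         # strongest factor the matching rules demand
    reasons: list = field(default_factory=list)


PRIVILEGED_ROLES = {"global-admin", "finance-approver"}   # assumed
MFA_STRENGTH = {"none": 0, "otp": 1, "phishing-resistant": 2}


def evaluate(s: SignIn) -> Decision:
    """Most-restrictive-first: any block ends evaluation before step-up rules
    are considered, so a risky session cannot satisfy the policy by doing MFA."""
    privileged = bool(s.roles & PRIVILEGED_ROLES)

    # 1. Hard blocks that no completed factor overrides.
    if s.risk == "high":
        return Decision("block", "none", ["high sign-in risk"])
    if privileged and not s.device_managed:
        return Decision("block", "none", ["privileged role from unmanaged device"])
    if s.app_sensitivity == "high" and not s.device_managed:
        return Decision("block", "none", ["sensitive app from unmanaged device"])

    # 2. Step-up rules. Each names the weakest factor it accepts; the strongest wins.
    demands = []
    if privileged:
        demands.append(("phishing-resistant", "privileged role"))
    if s.app_sensitivity == "high":
        demands.append(("otp", "sensitive app"))
    if s.risk == "medium":
        demands.append(("otp", "medium sign-in risk"))
    if not s.location_known:
        demands.append(("otp", "unfamiliar location"))
    required = max((factor for factor, _ in demands), key=MFA_STRENGTH.get, default="none")
    reasons = [why for _, why in demands]

    # 3. Allow when the factor already completed is at least as strong as required.
    if MFA_STRENGTH[s.mfa] >= MFA_STRENGTH[required]:
        return Decision("allow", required, reasons or ["low risk: no step-up required"])
    return Decision("step-up", required, reasons)


# Constructed sample sign-ins covering the low-risk path, privileged step-up,
# an unmanaged device on a sensitive app, travel from an unknown location,
# and a high-risk session.
SAMPLE_SIGNINS = {
    "office-wiki":  SignIn("alice", frozenset({"user"}), "wiki", "low", True, True, "low", "none"),
    "finance-otp":  SignIn("bob", frozenset({"finance-approver"}), "erp", "high", True, True, "low", "otp"),
    "finance-byod": SignIn("bob", frozenset({"finance-approver"}), "erp", "high", False, True, "low", "phishing-resistant"),
    "crm-travel":   SignIn("alice", frozenset({"user"}), "crm", "low", False, False, "low", "otp"),
    "risky":        SignIn("alice", frozenset({"user"}), "wiki", "low", True, True, "high", "phishing-resistant"),
}


def run_samples():
    """Map each sample name to the action the policy takes."""
    return {name: evaluate(s).action for name, s in SAMPLE_SIGNINS.items()}


if __name__ == "__main__":
    for name, s in SAMPLE_SIGNINS.items():
        d = evaluate(s)
        print(f"{name:13} -> {d.action:7} (need {d.required_mfa}): {', '.join(d.reasons)}")
```

The ordering is the security-relevant part. Block rules run before any step-up rule, so a session that already looks compromised can't satisfy the policy by completing MFA, and the privileged-role rule insists on a phishing-resistant factor because one-time codes are exactly what a credential-phishing kit relays in real time. The finance approver with only an OTP is therefore asked to step up, while the same person on an unmanaged device is refused outright even with the strongest factor.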

Questions worth asking

These are the questions I keep coming back to when I assess where we stand. They're not gotcha questions — they're the ones that reveal where the gaps actually are:

  1. If someone leaves today, how long until all their access is revoked, across every system?

  2. Can we show a single view of where any given employee has access?

  3. How many service accounts and automations do we have, and when were their credentials last rotated?

  4. What AI-powered tools and browser extensions are employees using, and what access have they granted?

I don't always like the answers. But asking them honestly is where improvement starts.

The bottom line

IAM has evolved from a technical function into a strategic capability. It's no longer only about keeping bad actors out; it's about enabling the right access for humans and machines alike, at the right time, under the right conditions.

Remember the employee who resigned on Friday? With mature IAM, their access is revoked automatically before they've finished their exit interview. The door lock works, yes, but so does every other system in the car.

The organizations that treat identity as infrastructure — investing in automation, governance, and visibility — will operate faster and more securely. It's a direction, not a destination. None of us have it fully figured out.

Identity is the new perimeter. The real question is whether we're honest about where we actually stand.


The growing challenge of shadow AI, including browser plugins, embedded AI tools, and employees granting access without IT visibility, deserves its own discussion. That's a topic for an upcoming article.

GABRIEL ZEHNDER — IAM → SECURITY
COPENHAGEN, DK · SECURITY ARCHITECTURE