Skip to main content
Table of Contents
< All Topics
Print

IAM 2.0 Maturity Model

Assessment Framework, Scoring, and RA Capability Mapping

TechVision Research
January 2026

Executive Summary

This IAM 2.0 Maturity Model provides a structured, measurable way to assess where your identity and access management program stands—and what’s required to reach your target state.

Unlike generic frameworks, this model is grounded in the TechVision IAM 2.0 Reference Architecture. Each maturity level maps directly to specific RA layers, patterns, and capabilities you need to implement.

Three Dimensions of Assessment

  • Capability Families (7 core areas): What your IAM program needs to do
  • Maturity Levels (5 stages): How consistently and effectively you do it
  • RA Alignment (patterns and tools): What technology, process, and organizational changes support that level

Key Insight

Most organizations cluster at Levels 2–3 (Basic to Managed). Reaching Level 4–5 requires:

  • Architectural shift to event-driven, API-first design
  • AI/ML integration for continuous governance
  • Organizational model change (from approval-gate to policy-engine)
  • Continuous measurement and autonomous remediation

Maturity Model Overview

What is Maturity?

Maturity is the degree to which identity and access management processes are:

  • Defined – Documented and repeatable, not ad hoc
  • Measured – Tracked against clear metrics and SLAs
  • Controlled – Enforced consistently; exceptions managed formally
  • Optimized – Continuously improved based on data; aligned with business value
  • Autonomous – Operate with minimal manual intervention

Five Maturity Levels

Level Name Characteristics Typical Timeline Risk Posture
1 Ad Hoc Reactive, manual, spreadsheet-based; no formal processes; highly dependent on individuals Initial state Critical
2 Basic Foundational tools in place (IdP, IGA); processes documented but inconsistently applied; some automation 6–12 months High
3 Managed Core IAM processes standardized across enterprise; clear roles and responsibilities; regular reviews; audit trail established 12–24 months Medium
4 Advanced Proactive, data-driven; continuous monitoring and risk-based decisions; significant automation; AI-assisted 24–36 months Low
5 Optimized Fully autonomous; self-healing; policy-as-code; continuous improvement; predictive; Zero Trust native 3+ years Minimal

Capability Family Definitions

Your IAM program spans 7 core capability families. Each must progress through the maturity levels.

Identity Lifecycle Management

What it does: Automate the full employee journey (joiner, mover, leaver) across all systems.

Why it matters: Manual onboarding/offboarding is slow, error-prone, and creates compliance risk. JML is typically the first automation target.

Key Questions:

  • How long does a new hire take to become productive?
  • What % of departing employees are deprovisioned within 1 hour of termination?
  • Are JML processes driven by authoritative source (HR) or manual tickets?

Authentication & Secure Access

What it does: Prove user identity; grant or deny session; enforce adaptive policies based on risk.

Why it matters: Weak authentication (passwords) and static policies create breach risk. Passwordless, context-aware, continuous authentication is the Zero Trust baseline.

Key Questions:

  • What % of workforce uses MFA?
  • Can users access systems without retyping credentials (SSO)?
  • Are authentication decisions context-aware (time, location, device, risk)?
  • Is re-authentication continuous or event-based?

Authorization & Entitlements

What it does: Define who can do what; enforce role/attribute-based policies; prevent conflicts.

Why it matters: Excessive entitlements lead to insider threat risk, data breaches, and compliance violations. Least-privilege enforcement requires clear policy and automation.

Key Questions:

  • Is entitlements catalog discoverable and complete?
  • Are roles business-meaningful or technical/siloed?
  • What % of entitlements are actively used?
  • Are conflicts of duty (SoD) detected and prevented?

Access Governance & Compliance

What it does: Regular review, certification, and evidence collection for compliance audits.

Why it matters: Compliance requires proof of controls. Manual, annual reviews don’t catch drift. Continuous, AI-assisted reviews detect risks faster.

Key Questions:

  • How frequently are access rights reviewed?
  • What % of review tasks are AI-recommended vs. manually confirmed?
  • Can compliance evidence be generated on-demand?
  • Are high-risk users reviewed more frequently than others?

Privileged Access Management

What it does: Control, monitor, and audit every admin action; enforce least-privilege elevation.

Why it matters: Compromised admin accounts are the most damaging. PAM enforces zero standing privilege and creates forensic trails.

Key Questions:

  • Do any admin accounts have standing permissions?
  • What % of admin access is JIT (just-in-time)?
  • Are all privileged sessions recorded and indexed?
  • Can anomalous activity be detected and stopped in real time?

Non-Human Identity & IoT Governance

What it does: Manage service accounts, cloud roles, API credentials, workload identities, and IoT devices.

Why it matters: Non-human identities vastly outnumber human ones. Unmanaged service accounts and cloud permission sprawl are top breach vectors.

Key Questions:

  • What % of service accounts have hardcoded or shared credentials?
  • Is cloud IAM (AWS, Azure, GCP) discovered and governed centrally?
  • Can unused cloud permissions be automatically removed?
  • Are AI agents and autonomous workflows scoped to minimal capabilities?

Governance Model & Organization

What it does: Define roles, responsibilities, policies, and decision rights for identity management.

Why it matters: Without clear governance, progress stalls. Policy-as-code and autonomous remediation require organizational alignment (who decides? when? with what SLA?).

Key Questions:

  • Is there a named Identity Owner or CISO sponsorship?
  • Are role, access request, and exception approval SLAs defined?
  • What % of governance decisions are automated vs. manual?
  • How are exceptions tracked and remediated?

Maturity Level Progression

Level 1: Ad Hoc

State: Identity and access management is fragmented, reactive, and people-dependent.

Characteristics:

  • No central identity platform; identities scattered across systems
  • Manual provisioning and access decisions
  • Compliance is event-driven (audit happens, then scramble)
  • High staff turnover risk (tribal knowledge)
  • Spreadsheets are primary control mechanism

Typical Organization:

  • Startup or early-stage company
  • No formal IT governance
  • IT staff stretched and reactive

Business Risk:

  • Slow onboarding delays productivity
  • Access creep and orphan accounts create data breach risk
  • No audit trail; compliance violations go undetected
  • Insider threat risk is high

Cost Profile:

  • Low tech spend; high manual labor cost
  • Frequent security incidents

Level 2: Basic

State: Foundational tools (IdP, IGA) are deployed; processes documented but inconsistently applied.

Characteristics:

  • Central identity platform (AD/Okta) in place
  • Basic SSO for major apps
  • IGA tool tracks provisioning; some automation
  • MFA for admins/VPN; not enterprise-wide
  • Annual or quarterly access reviews via spreadsheets
  • Roles exist but not consistently enforced

Typical Organization:

  • Mid-market (500–5,000 employees)
  • IT modernization initiative underway
  • 1–2 dedicated identity team members

Business Risk:

  • Still manual for many processes; SLA misses common
  • Access reviews are burden; many exceptions
  • Conditional access policies not implemented
  • Cloud identity governance missing

Cost Profile:

  • Moderate tool spend (IdP, IGA)
  • Significant manual effort in reviews, exception handling

Level 3: Managed

State: Core IAM processes are standardized and repeatable; clear accountability; regular audits.

Characteristics:

  • Automated joiner/mover/leaver (JML) with SLA tracking
  • Enterprise SSO/SAML federation; conditional access policies
  • Centralized role catalog; role-based access control (RBAC)
  • Quarterly access reviews with evidence collection
  • Separation of duties (SoD) rules defined and monitored
  • Privileged access JIT with approval and logging
  • Monthly/quarterly compliance reporting

Typical Organization:

  • Mid-market to large enterprise (5,000+ employees)
  • Mature IT governance
  • 3–5 dedicated identity team members

Business Risk:

  • Vulnerability lag between access creep and detection
  • Manual reviews still labor-intensive
  • Cloud entitlements not governed centrally
  • AI agent governance not yet addressed

Cost Profile:

  • Moderate tool spend
  • Moderate manual effort (mostly reviews and exceptions)

Level 4: Advanced

State: Proactive, data-driven, continuous monitoring; AI-assisted decision-making; significant automation.

Characteristics:

  • Real-time event-driven JML (< 1 hour)
  • Zero-Trust auth model; passwordless default (FIDO2)
  • Continuous authentication; risk-based step-up MFA
  • Fine-grained ABAC policies; cloud entitlement management (CIEM)
  • Continuous access governance; AI-driven risk scoring
  • High-risk users reviewed weekly; low-risk monthly
  • Anomaly detection for privilege usage
  • Autonomous remediation for low-risk findings
  • Incident response playbooks automated

Typical Organization:

  • Large enterprise (10,000+ employees)
  • Digital-native or undergoing digital transformation
  • 5–10+ identity architects and engineers

Business Risk:

  • Still requires organizational change to trust autonomous remediation
  • Requires modern cloud-native architecture
  • Legacy systems may not support ABAC or continuous auth

Cost Profile:

  • High tool spend (advanced analytics, CIEM, etc.)
  • Lower manual effort (mostly oversight and exceptions)

Level 5: Optimized

State: Fully autonomous, self-healing, policy-as-code; continuous learning and improvement.

Characteristics:

  • Fully autonomous JML with self-healing; predictive offboarding
  • Zero-standing privilege; sessionless access for admins (certificates)
  • Impossible travel detection; behavioral anomaly blocking
  • Autonomous fine-grained policy enforcement
  • AI-driven predictive analytics; zero-day vulnerability elimination
  • 100% continuous micro-certifications
  • Autonomous incident response; < 5-minute containment
  • All governance decisions policy-as-code; self-optimizing
  • Non-human identity fabric fully autonomous (agents, containers, IoT)

Typical Organization:

  • Highly security-mature large enterprises
  • Cloud-native or multi-cloud with heavy AI/ML workloads
  • 10+ identity engineers; AI/ML specialists integrated

Business Risk:

  • Organizational trust in autonomous systems
  • Requires deep security culture maturity
  • Potential over-reliance on ML models; need human oversight

Cost Profile:

  • High tool spend (AI/ML, orchestration, advanced analytics)
  • Very low manual effort (mostly governance oversight)

Comprehensive Maturity Matrix

Below is the definitive 7 × 5 matrix showing how each capability family progresses across maturity levels. This is your primary assessment artifact.

Figure 1: Maturity level visual matrix chart

Detailed Level Descriptors by Capability

Identity Lifecycle Management

Level 1 Level 2 Level 3 Level 4 Level 5
Manual, Spreadsheet-Driven New hires created by IT manually; onboarding tickets tracked in spreadsheet. Mover/leaver changes ad hoc. No SLA. HR Sync (1x/day) HR system synced to directory once daily. Basic provisioning via connectors. Mover/leaver semi-automated. Joiner SLA: 48–72 hours. Automated JML (< 24hrs) Automated joiner within 24 hours; mover role changes within 4 hours; leaver within 1 hour. HR-driven events. Manager approval workflows. Real-time Event-Driven (< 1hr) Joiner SSO-ready < 1 hour. Mover changes within 10 minutes. Leaver fully deprovisioned < 1 hour. Fully autonomous with fallback. Fully Autonomous Self-Healing Predictive offboarding (termination alert weeks before). Auto-detection and correction of stale data. Zero SLA misses.

Authentication & Secure Access

Level 1 Level 2 Level 3 Level 4 Level 5
Passwords Only No centralized auth; local accounts per app; password reuse; no MFA. Basic SSO + MFACentral IdP (Okta, AD FS). SSO for major apps via SAML. MFA for VPN/admin only. 30% MFA enrollment. Enterprise IdP + Conditional Access Cloud IdP (Okta, Azure Entra ID). Conditional access policies (device, location, risk). 95% MFA enrollment. Session mgmt configured. Passwordless Default FIDO2FIDO2 hardware keys default; soft tokens for backup. Continuous auth signals (device health, location). Step-up MFA on risk. 99% phishing-resistant MFA. Zero Trust Continuous Auth Impossible travel detection. Real-time risk re-auth. Behavioral biometrics. < 200ms auth latency. 100% zero-phishing.

Authorization & Entitlements

Level 1 Level 2 Level 3 Level 4 Level 5
Local Roles, Manual Each app has local roles; no central catalog. Entitlements assigned manually. No conflict detection. Basic RBAC IGABasic role catalog in IGA. Some SoD rules. Entitlement discovery starting. Manual app-specific assignments. Centralized RBAC + SoDBusiness-meaningful roles (e.g., “Financial Analyst”). SoD enforced; exceptions tracked. Entitlement catalog 80%+ complete. Owner assignment. Fine-grained ABAC + CIEMAttribute-based policies (department, cost center, clearance). Cloud IAM (AWS/Azure/GCP) discovered and governed. Permission sprawl reduced 50%+. Autonomous Attribute-Driven Self-optimizing policies. Unused permissions auto-removed. Cloud least-privilege fully automated. Zero policy violations.

Access Governance & Compliance

Level 1 Level 2 Level 3 Level 4 Level 5
Ad Hoc, No Reviews Access reviews reactive only (during audit). No evidence. Compliance violations go undetected. Annual Manual Reviews Annual reviews via spreadsheets. Manager certification via email. Manual evidence collection. 50% completion rate. Quarterly Reviews + SoD Monitor Quarterly manager reviews. SoD violation flagging. Audit evidence auto-collected. 100% completion within 60 days. Exception workflow with SLA. Continuous Risk-Based Reviews High-risk users reviewed weekly. Medium-risk monthly. Low-risk quarterly. AI recommendations for exceptions. < 48-hour SLA. 95% auto-approved. AI-Driven PredictiveContinuous micro-certifications. Zero false positives. Predictive flagging of future violations. 99.9% exception-free.

Privileged Access Management

Level 1 Level 2 Level 3 Level 4 Level 5
Shared CredentialsAdmin passwords shared; no tracking. Standing admin accounts. No session recording. Manual Elevation + Logging Manual requests for privilege escalation. Basic command logging. Session transcripts. Shared passwords still exist. JIT + Approval + Recording Request → approval workflow (2–4 hour SLA). Temporary creds issued (4-hour TTL). Session recording indexed and searchable. Zero shared creds. Zero Standing Privilege + Anomaly All elevation JIT. Multi-person rules for critical. Real-time anomaly detection (mass deletion, config changes). Auto-kill suspicious sessions. < 5-minute investigation. Sessionless AutonomousCertificate-based access (no passwords). Autonomous elevation decision (policy engine). Behavioral baseline blocks anomalies in real-time. < 1-minute incident containment.

Non-Human Identity & IoT Governance

Level 1 Level 2 Level 3 Level 4 Level 5
Unmanaged Shadow Accounts Service accounts with hardcoded/shared credentials. Cloud roles unmanaged. No discovery. Manual InventoryManual discovery of service accounts. Basic secret rotation (quarterly). Shadow account scanning. 60% coverage. Automated Rotation + Discovery Automated credential rotation (monthly). Continuous discovery scanning. Service account registry. Cloud entitlements identified. 90% coverage. CIEM + Workload FusionCloud IAM fully discovered and governed. Permission sprawl 80% reduced. Workload identity federation implemented. AI agent capabilities scoped. 99% coverage. Autonomous Identity Fabric Self-registering service accounts. Auto-scope capabilities. Self-healing secrets. Zero shared credentials. Agents/containers fully governed. 100% coverage.

Governance Model & Organization

Level 1 Level 2 Level 3 Level 4 Level 5
No Formal GovernanceAd hoc decisions; no roles or responsibilities. No policy. Exception handling reactive. Basic Policies, Ad HocIAM policies documented (informally). Basic roles (IGA Owner, App Owner). Exception handling via email. 50% compliance with policy. Governance Workflows + Audit Trail Formal IAM governance model. Role provisioning, exception approval, and review workflows. 95% policy compliance. Clear audit trail. Policy-Driven ContinuousAll decisions via policy engine (not manual approval). Policy-as-code. Continuous compliance monitoring. Automated enforcement. 99% SLA adherence. Self-Governing ML-Optimized Governance fully autonomous. Policies self-optimize via ML feedback. Zero manual overhead. Continuous improvement cycle. 100% business value realized.

Scoring Sheet and Assessment Process

How to Conduct an Assessment

An IAM maturity assessment involves 2–3 days of discovery and analysis.

Phase 1: Preparation (½ day)

  1. Assemble team: Identity architect, CISO/Security lead, IT Operations, Compliance, App Owner representative
  2. Review scope: Which business units to assess (pilot vs. enterprise-wide)?
  3. Distribute questionnaire: 5–10 questions per capability family (40–70 total)

Phase 2: Discovery (1 day)

Conduct interviews:

  • Scope of questions: “How today does X happen?”
  • Ask for evidence: “Show me the process document, screenshot, log.”
  • Don’t accept subjective answers; ask for metrics.

Gather artifacts:

  • Process documentation
  • Current system architecture diagram
  • Role catalog
  • Recent access review evidence
  • Incident logs
  • Compliance reports

Phase 3: Analysis & Reporting (1 day)

  1. Rate each capability at the level where MOST characteristics are true
  2. Calculate overall maturity as weighted average or lowest capability (choose per organization risk tolerance)
  3. Identify gaps between current and target
  4. Prioritize improvements

Assessment Questionnaire Template

Identity Lifecycle Management

# Question Level 1 Level 2 Level 3 Level 4 Level 5
1 How are new employee accounts created? Manual via email / IT ticket HR system syncs daily; manual finalization Fully automated from HR system Real-time event-driven automation Autonomous with predictive offboarding
2 What is the joiner SLA (account + SSO ready)? > 72 hours 48–72 hours 24 hours (target) < 1 hour < 30 minutes
3 What % of departing employees are deprovisioned within 1 hour? < 50% 50–75% 75–95% 95–99% 100%
4 Are mover changes (role, department) automated? No; manual ticket Partially; IGA connector Yes; within 4 hours Yes; within 10 minutes Yes; instant with validation
5 Is the process driven by authoritative source (HR system)? No (manual) Partial (daily sync) Yes (API-driven) Yes (event-driven real-time) Yes (predictive)

[Continue with 5–10 questions per capability family…]

Scoring Sheet

Organization: ___________________
Assessment Date: ___________________
Assessors: ___________________

Capability Family Scores

Capability L1 L2 L3 L4 L5 Current Target Gap
Identity Lifecycle
Authentication & Access
Authorization
Governance & Compliance
Privileged Access
Non-Human Identity
Governance Model

Overall Maturity

  • Lowest capability score: ___ (bottleneck)
  • Weighted average: ___ (overall health)
  • Target maturity level: ___
  • Timeline to target: ___

RA Capability Mapping

This section connects maturity levels to specific RA capabilities, patterns, and tools.

Level 2 → Level 3: The “Managed” Transition

This is where most organizations are heading right now.

What Changes

Aspect At Level 2 At Level 3 RA Component Pattern
Joiner Automation IGA has connector; some manual steps Fully automated; <24 hr SLA Interact (HR Event API), Change (Provisioning), Repositories (Identity Correlation) Event-Driven Joiner Automation
Role Management Basic roles; manual assignment Business-meaningful roles; approval workflows Change (Role Catalog, Role Lifecycle), Repositories (Role Definitions) Centralized Role Lifecycle Management
Access Reviews Annual spreadsheets Quarterly IGA-managed reviews with evidence Change (Review Workflows), Analytics (Usage Analytics), Manage (Audit Trail) Risk-Based Continuous Certification
SoD Enforcement Rules defined but not enforced Real-time detection; exceptions managed Change (SoD Engine, Conflict Detection), Repositories (SoD Rule DB) Real-Time SoD Enforcement with Exception Workflow
Privilege Access Manual elevation; basic logging JIT with approval; session recording; indexed Access (PAM), Change (JIT Workflows), Manage (Session Recording) Fully Audited Privilege Elevation
Cloud Governance Not started Cloud entitlements identified; some remediation Analytics (Cloud Entitlement Analytics), Change (Cloud Policy Mgmt) Continuous Cloud Least Privilege

Organizational Changes

  • Ownership: Identify named “Identity Owner” with budget and authority
  • Roles: Define role provisioning, exception approval, and review approval workflows with clear SLAs
  • Staffing: 3–5 dedicated identity team members
  • Processes: Document core processes; train staff

Technology Stack

Layer Component Example Tools
Interact HR API Integration Workday, SAP SuccessFactors, custom webhooks
Repositories Directory, Identity Graph Active Directory, Azure AD, Neo4j
Access IdP, MFA, Conditional Access Okta, Azure Entra ID, Ping Identity
Change IGA Platform SailPoint Identity IQ, Okta Identity Governance, Saviynt
Manage Monitoring, Runbooks Splunk, ServiceNow, basic playbooks

Level 3 → Level 4: The “Advanced” Jump

This requires architectural change and organizational maturity.

What Changes

Aspect At Level 3 At Level 4 RA Component Pattern
Auth Model SSO + conditional access policies Passwordless default (FIDO2) + continuous auth Access (Zero Trust IdP, Continuous Auth Engine, Policy Engine) Zero Trust Identity
Risk Assessment Manual, quarterly Real-time, continuous; AI-scored Analytics (Risk Scoring Engine, Behavioral Analytics), Manage (Real-time Policy Engine) Continuous Risk Scoring & Adaptation
Access Governance Quarterly reviews, 100% manual Continuous risk-based reviews; 70%+ AI-recommended Change (Continuous Certification Engine), Analytics (AI Recommendations), Manage (Auto-Remediation for Low-Risk) AI-Driven Continuous Governance
PAM JIT + approval + recording Zero standing privilege; anomaly detection; auto-kill Access (PAM), Analytics (UEBA, Anomaly Detection), Manage (Auto-Response Playbooks) Autonomous Privilege Management
Cloud Governance CIEM (identified unused perms) CIEM + automated remediation; permission sprawl reduced 60%+ Analytics (Advanced CIEM), Change (Automated Remediation), Access (Least-Privilege Policy Engine) Autonomous Cloud Least Privilege
Governance Model Workflow-based (approval gates) Policy-based (policy engine decides) Change (Policy-as-Code Engine), Manage (Orchestration, Autonomous Operations) Policy-as-Code Self-Optimizing

Organizational Changes

  • Mindset: Shift from “manual approval = control” to “policy engine = control”
  • Staffing: Add AI/ML specialists, cloud architects, security engineers (5–10 total)
  • Training: Extensive training on event-driven architecture, policy design, AI model validation
  • Governance: Establish policy review cadence (monthly); algorithm fairness oversight

Technology Stack

Layer Component Example Tools
Interact Event Mesh, Orchestration Apache Kafka, AWS EventBridge, Azure Event Grid
Access Zero Trust IdP, ABAC Engine Okta Workforce Identity, Azure Conditional Access, Styra OPA
Analytics Risk Scoring, UEBA, CIEM Exabeam, CrowdStrike Falcon, Ermetic, Wiz
Change Advanced IGA, Auto-Remediation SailPoint IdentityGovernance, Saviynt, custom Lambda/Functions
Manage Orchestration, Incident Response HashiCorp Terraform, PagerDuty, Splunk SOAR

Level 4 → Level 5: The “Optimized” Frontier

This is aspirational for most; achievable only in highly mature, large organizations.

What Changes

Aspect At Level 4 At Level 5 RA Component Pattern
Identity Lifecycle Real-time < 1 hour Predictive, autonomous self-healing Repositories (Identity Graph, Predictive Analytics), Manage (Autonomous Orchestration) Predictive, Self-Healing Identity Fabric
Privilege Access Zero standing privilege + anomaly detection Sessionless (certs); impossible travel blocking Access (Certificate-Based Auth), Analytics (Behavioral Baseline), Manage (Autonomous Kill-Chain) Sessionless Autonomous Privilege
Access Governance Continuous; 70% AI-assisted 100% continuous; 99.9% exception-free; predictive Analytics (Predictive ML, Zero-Day Violation Detection), Manage (Full Autonomy with Human Oversight) Predictive, Prescriptive Governance
Non-Human Identity CIEM + workload federation Autonomous fabric (agents, containers, IoT all self-governed) Repositories (Unified Identity Fabric), Change (Autonomous Registration & Scoping), Manage (Autonomous Lifecycle) Autonomous Non-Human Fabric
Governance Model Policy-driven; manually reviewed Self-optimizing; policy feedback loops; zero manual overhead Manage (ML-Driven Policy Optimization), Change (Policy Evolution Engine) Self-Governing Intelligence
Incident Response < 5 minutes to contain < 1 minute; forensics automated; root cause auto-identified Manage (Autonomous Response Playbooks, Forensic Automation, Root Cause Engine) Autonomous Forensics & Remediation

Implementation Roadmap by Level

Use this roadmap to plan your progression.

From Level 2 to Level 3 (12–18 months)

Investment: $500K–$2M (tools + staff + professional services)

Key Initiatives (in order):

  1. HR → IAM Integration (Months 1–2)
    • Implement HR system API integration (Workday, SAP SuccessFactors)
    • Build event stream (HR → IGA → directory → apps)
    • Set joiner SLA: 24 hours
    • RA: Interact (Event Listener), Change (IGA Provisioning)
  2. Identity Repository & Correlation (Months 2–4)
    • Deploy cloud directory if hybrid (Azure AD Connect, Okta Sync)
    • Implement identity deduplication and graph
    • Clean up orphan accounts
    • RA: Repositories (Directory, Identity Graph, Data Quality)
  3. IGA Role & Entitlement Governance (Months 3–6)
    • Design business-meaningful role catalog
    • Define role assignment rules (by job code, manager exception)
    • Implement entitlement discovery
    • Define SoD rules
    • RA: Change (Role Lifecycle, Role Assignment, SoD Enforcement)
  4. Access Reviews & Certification (Months 6–8)
    • Implement quarterly review workflow in IGA
    • Collect evidence (audit logs, entitlement usage)
    • Define exception approval SLA
    • RA: Change (Review Workflows), Analytics (Usage Analytics), Manage (Audit Trail)
  5. Privilege Access Governance (Months 8–12)
    • Deploy PAM platform (CyberArk, Delinea, HashiCorp Vault)
    • Implement JIT elevation workflow
    • Configure session recording
    • Set approval SLA (2–4 hours)
    • RA: Access (PAM), Change (JIT Workflows), Manage (Session Recording)
  6. Cloud Entitlement Discovery (Months 10–14)
    • Deploy CIEM tool (Ermetic, Wiz, Lacework)
    • Enumerate AWS, Azure, GCP IAM
    • Identify dangerous permissions
    • Create remediation backlog
    • RA: Analytics (Cloud Entitlement Analytics), Change (Cloud Policy Mgmt)
  7. Compliance Automation (Months 12–18)
    • Build compliance dashboards (SSO coverage, MFA, access review completion)
    • Automate audit log export and formatting
    • Create compliance reports (SOC 2, HIPAA, PCI)
    • RA: Manage (Compliance Dashboards, Reporting)

Success Criteria:

  • ✓ 95% of joiners SSO-ready within 24 hours
  • ✓ 100% of leavers deprovisioned within 1 hour
  • ✓ 100% quarterly access reviews, 100% completion within 60 days
  • ✓ 0% shared admin credentials; 100% JIT elevation
  • ✓ All major cloud entitlements discovered; dangerous perms flagged
  • ✓ Monthly compliance reporting automated

From Level 3 to Level 4 (18–30 months)

Investment: $1M–$5M (advanced tools, AI/ML, professional services, staffing)

Key Initiatives (in order):

  1. Event-Driven Architecture Foundation (Months 1–4)
    • Deploy event mesh (Kafka, EventGrid, EventBridge)
    • Refactor JML to event-driven (no polling/batch)
    • Implement event routing and transformation
    • RA: Interact (Event Mesh Foundation)
  2. Zero Trust IdP Deployment (Months 2–6)
    • Move from SSO (Okta/Azure) to Zero Trust model
    • Implement FIDO2 as default
    • Enable continuous auth signals (device health, location, risk)
    • Target: 95%+ of users on phishing-resistant MFA
    • RA: Access (Zero Trust IdP, Continuous Authentication)
  3. AI-Driven Risk Scoring & Recommendations (Months 4–10)
    • Deploy behavioral analytics (Exabeam, Splunk UBA)
    • Train baseline models on normal user behavior
    • Implement risk scoring algorithm
    • Integrate with access review workflows (AI recommendations)
    • RA: Analytics (Risk Scoring Engine, UEBA), Change (AI-Assisted Review)
  4. Autonomous Remediation (Months 8–12)
    • Define auto-remediation rules (high-confidence actions)
    • Implement approval workflows for escalations only
    • Build incident response playbooks (SOAR)
    • Test auto-remediation; measure false positive rate
    • Target: < 2% false positives
    • RA: Manage (Auto-Remediation Playbooks, Incident Response Automation)
  5. Advanced CIEM & Permission Minimization (Months 6–14)
    • Implement advanced CIEM (Ermetic, Wiz)
    • Analyze unused permissions; create remediation backlog
    • Automate safe permission removal (quarantine 30 days)
    • Target: 60% reduction in permission sprawl
    • RA: Analytics (Advanced CIEM), Change (Automated Remediation), Access (Least-Privilege Policy Engine)
  6. Agentic AI & Autonomous Workload Governance (Months 12–20)
    • Deploy workload identity federation
    • Implement AI agent capability scoping
    • Define guardrails for autonomous workflows
    • RA: Access (Workload Authentication, Agent Authorization), Change (Agent Policy Lifecycle)
  7. Policy-as-Code Governance (Months 14–24)
    • Convert approval workflows to policy rules
    • Implement policy-as-code framework (e.g., Styra OPA)
    • Move from “approval gates” to “policy engine”
    • Enable policy versioning and audit trail
    • RA: Change (Policy-as-Code Engine), Manage (Policy Lifecycle, Orchestration)
  8. Continuous Risk-Based Governance (Months 18–28)
    • Move from quarterly to continuous access reviews
    • Implement micro-certifications (weekly for high-risk, monthly for med-risk)
    • Integrate AI risk scoring
    • Target: 100% continuous, 95%+ auto-approval
    • RA: Change (Continuous Certification Engine), Analytics (AI Recommendations)

Success Criteria:

  • ✓ 100% joiner SLA < 1 hour; real-time event-driven
  • ✓ 95%+ passwordless (FIDO2) MFA
  • ✓ Continuous authentication with < 200ms latency
  • ✓ 100% continuous access reviews; risk-scored
  • ✓ Zero standing privilege; anomaly detection active
  • ✓ Cloud permission sprawl reduced 60%+
  • ✓ Auto-remediation of low-risk findings; < 2% false positive rate
  • ✓ AI agent governance fully in place

From Level 4 to Level 5 (24+ months)

Investment: $2M–$10M+ (cutting-edge tech, ML engineers, organizational change)

Key Initiatives (in order):

  1. Predictive Identity & Lifecycle (Months 1–6)
    • Deploy predictive models for identity risk
    • Implement offboarding prediction (alert before termination date)
    • Enable self-healing identity graph
    • RA: Repositories (Predictive Analytics, Identity Graph), Manage (Autonomous Orchestration)
  2. Sessionless, Autonomous Privilege Access (Months 2–8)
    • Transition from time-bound creds to certificate-based access
    • Implement impossible travel detection
    • Enable behavioral baseline with auto-block
    • < 1-minute incident containment
    • RA: Access (Certificate-Based Auth, Continuous Behavioral Baseline), Manage (Autonomous Kill-Chain)
  3. Autonomous Non-Human Identity Fabric (Months 4–12)
    • Full autonomous service account lifecycle (auto-register, auto-scope, auto-rotate)
    • Workload identity for all containers, serverless, IoT
    • Zero shared credentials anywhere
    • RA: Repositories (Unified Identity Fabric), Change (Autonomous Registration & Scoping), Manage (Autonomous Lifecycle)
  4. Self-Optimizing Governance (Months 8–18)
    • Implement policy evolution engine (ML feedback loops)
    • Enable zero-day violation prediction
    • Governance decisions fully autonomous (no manual approval)
    • RA: Manage (ML-Driven Policy Optimization, Policy Evolution Engine)
  5. Autonomous Forensics & Root Cause (Months 10–20)
    • Automated incident forensics
    • Auto-identify root cause (identity, technical, process)
    • Automated remediation of root cause
    • < 1-minute detection-to-containment SLA
    • RA: Manage (Autonomous Forensics, Root Cause Engine, Autonomous Response)
  6. Full Optimization & Continuous Learning (Months 18–24)
    • Implement continuous improvement loop
    • Monitor all metrics; feed back into policy and model training
    • Zero manual governance overhead
    • 100% business value realization
    • RA: Manage (Continuous Learning Loop, Full Autonomy)

Quick Assessment Guide

Use this for a 15-minute assessment to ballpark your current level.

5 Key Questions (Score 1–5 per question)

Question Scoring
How manual is your joiner process? 5 = fully manual spreadsheet; 1 = fully automated real-time
What % of users have MFA? 5 = < 20%; 4 = 20–50%; 3 = 50–80%; 2 = 80–95%; 1 = > 95%
How often are access rights reviewed? 5 = never; 4 = annually; 3 = quarterly; 2 = continuous (manual); 1 = continuous (AI-assisted)
Do any admin accounts have standing privilege? 5 = yes, majority; 4 = yes, some; 3 = minimal; 2 = zero (JIT all); 1 = zero (sessionless)
Is cloud IAM (AWS/Azure/GCP) governed centrally? 5 = not at all; 4 = discovered; 3 = some remediation; 2 = automated; 1 = fully autonomous

Calculate: Sum scores, divide by 5.

  • 5–5: Level 1 (Ad Hoc)
  • 5–4.4: Level 2 (Basic)
  • 5–3.4: Level 3 (Managed)
  • 5–2.4: Level 4 (Advanced)
  • 1–1.4: Level 5 (Optimized)

Conclusion

This IAM 2.0 Maturity Model provides clarity on where you are and where you need to go.

Key Takeaways

  1. Most organizations are at Level 2–3. You have foundational tools but face automation and governance gaps.
  2. Level 3 to 4 is the hardest jump. It requires architectural change (event-driven, policy-as-code, AI/ML) and organizational mindset shift (policy engine vs. approval gate).
  3. Each level has clear success criteria. Use the metric tables to track progress.
  4. RA patterns map to maturity levels. Technology investments should align with target maturity—not jump ahead.
  5. Assessment is the first step. Conduct a formal assessment; identify top 3 gaps; prioritize ruthlessly.

For organizations ready to assess or design their maturity roadmap, TechVision Research provides tailored assessments, architecture design, and implementation guidance.

We can help

If you want to find out more detail, we're happy to help. Just give us your business email so that we can start a conversation.

Thanks, we'll be in touch!

Stay in the know!

Keep informed of new speakers, topics, and activities as they are added. By registering now you are not making a firm commitment to attend.

Congrats! We'll be sending you updates on the progress of the conference.