IAM Strategy · May 8, 2026 · 13 min read

IAM maturity model — five levels, five outcomes

Most IAM maturity models are too abstract to use operationally. The piece walks the five-level model we use, with concrete artifacts and metrics at each level.

Figure: IAM maturity model — five-stage progression from foundational to optimized
askmeidentity Practice Editorial — IAM Consulting Practice · IAM Strategy

Every IAM consultancy has a maturity model. Most are too abstract to use operationally — the five-level descriptions read as marketing rather than engineering, and the gap between "level 3" and "level 4" is described in language that does not produce a backlog. This piece walks the five-level model we use on every engagement, with the concrete artifacts and metrics at each level.

Level 1 — Reactive

Identity is a ticket system. Provisioning happens when someone files a request; deprovisioning happens when someone notices an inactive account during a quarterly audit. There is no identity warehouse, no certification cycle, no operating runbook. Most organizations think they are above Level 1 and discover during the diagnostic that they are not.

Concrete signals:

  • Provisioning latency measured in days (sometimes weeks for non-priority roles)
  • Offboarding latency measured in days (sometimes weeks; almost always too long)
  • Access reviews conducted via spreadsheet
  • No SoD ruleset; no continuous monitoring
  • Audit evidence reconstructed from disparate logs each cycle

The exit from Level 1 is a single intervention: a real identity warehouse with HR as the authoritative source, so that joiner, mover and leaver events drive the lifecycle instead of tickets. Until that exists, every other improvement is built on quicksand.

Level 2 — Centralized

There is an authoritative directory. HR feeds an identity warehouse; provisioning is automated for the major application classes; deprovisioning happens within hours rather than days. Access reviews run on a quarterly cadence, but because reviewers are shown the full entitlement population they generate reviewer fatigue and produce few meaningful revocations.

Concrete signals:

  • Provisioning latency under 24 hours for in-scope applications
  • Offboarding latency under 4 hours for HRIS-driven terminations
  • Quarterly access reviews running but completion rates below 90%
  • SoD ruleset exists but rarely changes
  • Audit evidence is still reconstructed, but with less effort

The exit from Level 2 is risk-aware certification design and the introduction of SoD continuous monitoring. The platform investment is largely there; the operating-model investment is what closes the gap.

Level 3 — Governed

Certifications are risk-aware. Reviewers see the access that matters, not the full population of entitlements. SoD violations are detected continuously, at assignment time and in a standing sweep over the population, rather than at certification time. Privileged access governance is in place — vault, brokering, session recording, just-in-time elevation.

Concrete signals:

  • Access certification completion rates above 95%
  • SoD violations detected continuously and remediated, or formally excepted with an expiry date, within a defined SLA rather than at the next campaign
  • All privileged access vaulted; standing admin minimized
  • Audit-evidence captured per control, not reconstructed
  • Quarterly audit cycle is routine, not a fire drill
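What continuous SoD monitoring looks like in code, as an added illustration rather than the practice's own tooling: a small Python evaluator that checks every assignment event against the ruleset before it is provisioned (preventive) and runs a standing sweep over the population (detective), honoring time-boxed exceptions. The role catalogue, rule IDs, users and day numbers are all constructed for the example.

```python
"""Continuous SoD monitoring, the Level 2 -> Level 3 shift: evaluate the ruleset
on every assignment event (preventive) and in a periodic sweep (detective),
instead of discovering conflicts during the next certification campaign.

Added illustration; the roles, rules, users and day numbers are constructed."""
from dataclasses import dataclass, field

# Constructed role catalogue: a role bundles fine-grained application entitlements.
ROLES = {
    "ap_clerk":   {"erp:vendor.create", "erp:invoice.enter"},
    "ap_manager": {"erp:invoice.approve", "erp:payment.release"},
    "gl_analyst": {"erp:journal.post"},
    "it_admin":   {"erp:user.admin"},
}


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    left: str        # entitlement A
    right: str       # entitlement B; holding A and B together is the conflict
    severity: str    # "high" sends the grant to review, "medium" only flags it


# Constructed ruleset (classic procure-to-pay and admin/posting conflicts).
RULES = [
    SodRule("SOD-001", "erp:vendor.create", "erp:payment.release", "high"),
    SodRule("SOD-002", "erp:invoice.enter", "erp:invoice.approve", "high"),
    SodRule("SOD-003", "erp:user.admin", "erp:journal.post", "medium"),
]


@dataclass
class IdentityState:
    roles: set = field(default_factory=set)
    direct: set = field(default_factory=set)        # entitlements granted outside a role
    exceptions: dict = field(default_factory=dict)  # rule_id -> expiry day of an approved exception


def effective_entitlements(state: IdentityState) -> set:
    """Flatten roles plus direct grants; SoD is evaluated on the flattened set."""
    ents = set(state.direct)
    for role in state.roles:
        ents |= ROLES.get(role, set())
    return ents


def violations(state: IdentityState, today: int) -> list:
    """Rules whose two sides are both held, minus exceptions still in force.
    An expired exception counts as a violation again; that is what the sweep catches."""
    ents = effective_entitlements(state)
    hits = []
    for rule in RULES:
        if rule.left in ents and rule.right in ents:
            if state.exceptions.get(rule.rule_id, -1) >= today:
                continue
            hits.append(rule)
    return hits


def evaluate_assignment(state: IdentityState, kind: str, value: str, today: int):
    """Preventive check on one assignment event before it is provisioned.
    Returns (decision, introduced): 'review' if the grant would introduce a
    high-severity conflict, otherwise 'allow' (medium conflicts are still reported).
    The check runs on a copy so the live state is untouched until approved."""
    before = {r.rule_id for r in violations(state, today)}
    trial = IdentityState(set(state.roles), set(state.direct), dict(state.exceptions))
    (trial.roles if kind == "role" else trial.direct).add(value)
    introduced = [r for r in violations(trial, today) if r.rule_id not in before]
    decision = "review" if any(r.severity == "high" for r in introduced) else "allow"
    return decision, introduced


def sweep(users: dict, today: int) -> dict:
    """Detective pass over the whole population (run daily, not quarterly).
    Returns user -> violating rule ids; catches expired exceptions and role/rule changes."""
    report = {}
    for user, state in users.items():
        hits = [r.rule_id for r in violations(state, today)]
        if hits:
            report[user] = hits
    return report


# Constructed population.
USERS = {
    "alice": IdentityState(roles={"ap_clerk"}),
    "bob":   IdentityState(roles={"it_admin"}),
    "carol": IdentityState(roles={"ap_clerk", "ap_manager"},
                           exceptions={"SOD-001": 120, "SOD-002": 120}),  # approved until day 120
}

if __name__ == "__main__":
    print(evaluate_assignment(USERS["alice"], "role", "ap_manager", today=100))  # review: SOD-001, SOD-002
    print(evaluate_assignment(USERS["bob"], "role", "gl_analyst", today=100))    # allow, SOD-003 flagged
    print(sweep(USERS, today=100))   # {}  carol's exceptions are in force
    print(sweep(USERS, today=121))   # {'carol': ['SOD-001', 'SOD-002']}  exceptions expired
```

The two entry points map onto the two halves of "continuous": `evaluate_assignment` is the hook in the provisioning path, and `sweep` is the daily job that finds drift the hook cannot see (an exception that lapsed, a role whose definition changed). Remediation SLAs and exception approval workflows sit outside this example.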

This is where most regulated enterprises should aim. Below Level 3, audit costs are high and the program is a liability. Above Level 3, the marginal cost per unit of maturity gain rises steeply.

Level 4 — Adaptive

Risk-adaptive policy is the canonical access pattern. Conditional Access in workforce identity uses real signals (device, location, risk score, behavioral); customer identity uses fraud-aware MFA and adaptive step-up. Zero-standing-privilege is the design goal on the privileged side, with every elevation just-in-time, ticket-bound, and recorded.

Concrete signals:

  • Most workforce MFA challenges driven by risk signals, not blanket policy
  • Customer-side fraud loss reduction measured against pre-program baseline
  • Zero standing privilege achieved for at least the top-priority privileged scopes
  • Audit-evidence is queryable in real time; auditor questions answered in minutes

Level 4 is where the Conditional Access policy library is consolidated into a bounded, reviewed set rather than an ever-growing list, where passkey rollouts hit 80% adoption, and where the operating model has stabilized enough that the engineering investment can move to optimization rather than mitigation.

Level 5 — Continuous

The IAM program is fully evidence-as-code. Every control is tested in CI; every policy lives in version control; every audit cycle is a routine cycle rather than a fire drill. AI agents are governed under the same identity primitives as humans, with explicit delegation and per-session identity. The program scales with the organization rather than absorbing every M&A integration as a one-off.

Concrete signals:

  • Policy-as-code with CI deployment is the default; the console is for diagnosis only
  • AI agent identity, delegation, and revocation engineered as first-class primitives
  • M&A integration follows a repeated playbook, not an ad-hoc effort
  • Continuous monitoring covers the privileged and customer surfaces
  • The audit finding rate trends to zero year-over-year
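The Level 4 access pattern and the Level 5 policy-as-code discipline share one added Python example (not the practice's own code): the Conditional Access policy is an ordered list of rules, an invariant checker enumerates the entire signal space so it can run as a CI gate, and a constructed "trusted network bypass" hotfix shows what that gate catches. The signal buckets, rule names and outcome labels are assumptions made for the example.

```python
"""Risk-adaptive access policy expressed as data, plus the invariant checks that
make it policy-as-code: the checks enumerate the whole signal space and fail CI
if a change lets a privileged scope or a high-risk session through.

Added illustration; rule names, signal buckets and outcomes are constructed."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Signals:
    device_compliant: bool
    trusted_network: bool
    risk: str          # "low" | "medium" | "high": risk-engine bucket (constructed)
    privileged: bool   # target is a privileged scope


RISK_LEVELS = ("low", "medium", "high")

# Ordered policy: first matching rule wins. Each entry is (rule name, condition, outcome).
POLICY = [
    ("CA-01 block high risk",               lambda s: s.risk == "high",       "block"),
    ("CA-02 privileged scope needs PR-MFA", lambda s: s.privileged,           "phishing_resistant_mfa"),
    ("CA-03 non-compliant device steps up", lambda s: not s.device_compliant, "mfa"),
    ("CA-04 medium risk steps up",          lambda s: s.risk == "medium",     "mfa"),
    ("CA-05 untrusted network steps up",    lambda s: not s.trusted_network,  "mfa"),
    ("CA-99 default",                       lambda s: True,                   "allow"),
]


def decide(s: Signals, policy=POLICY):
    """Return (outcome, rule name) for one sign-in; the trailing default makes it total."""
    for name, cond, outcome in policy:
        if cond(s):
            return outcome, name
    raise ValueError("policy has no default rule")


def signal_space():
    """Every combination of signals (2*2*3*2 = 24), so invariants are proved, not sampled."""
    for dc, tn, risk, priv in product((True, False), (True, False), RISK_LEVELS, (True, False)):
        yield Signals(dc, tn, risk, priv)


def check_invariants(policy=POLICY) -> list:
    """CI gate for the policy library. Returns failure strings; empty means it passes.
    INV-4 is what keeps the library risk-adaptive: a blanket 'always MFA' policy
    would satisfy INV-1..3 and still fail here."""
    failures = []
    for s in signal_space():
        outcome, rule = decide(s, policy)
        if s.privileged and outcome not in ("phishing_resistant_mfa", "block"):
            failures.append(f"INV-1 privileged scope reachable with '{outcome}' via {rule}: {s}")
        if s.risk == "high" and outcome != "block":
            failures.append(f"INV-2 high-risk session not blocked ({outcome} via {rule}): {s}")
        if not s.device_compliant and outcome == "allow":
            failures.append(f"INV-3 non-compliant device allowed silently via {rule}: {s}")
    baseline = Signals(device_compliant=True, trusted_network=True, risk="low", privileged=False)
    if decide(baseline, policy)[0] != "allow":
        failures.append("INV-4 low-risk baseline is challenged: policy is blanket, not adaptive")
    return failures


def challenge_breakdown(sessions, policy=POLICY) -> dict:
    """Level 4 signal: which rules are driving challenges. Returns rule name -> count
    over the sessions that received a challenge or a block."""
    counts = {}
    for s in sessions:
        outcome, rule = decide(s, policy)
        if outcome != "allow":
            counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed hotfix someone might ship to cut help-desk tickets: trusted network bypasses everything.
BROKEN_POLICY = [("CA-00 trusted network bypass", lambda s: s.trusted_network, "allow")] + POLICY

if __name__ == "__main__":
    print(decide(Signals(True, True, "low", False)))   # ('allow', 'CA-99 default')
    print(decide(Signals(True, True, "low", True)))    # ('phishing_resistant_mfa', 'CA-02 ...')
    print("good policy failures:", check_invariants())  # []
    for line in check_invariants(BROKEN_POLICY)[:3]:
        print("broken policy:", line)                   # INV-1 / INV-2 / INV-3 hits
```

Because the signal space is small and finite, `check_invariants` is exhaustive rather than sampled; in a real library the enumeration grows with the number of signals, which is one more reason to keep the policy set bounded.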

Few organizations operate at Level 5 today. The platforms support it; the operating-model investment to sustain it is substantial. We engage with organizations at every level and design the sequence to lift them to the level the business needs — rarely all the way to 5 in a single program.

How to use the model

The model is useful if it produces a sequenced backlog. The pattern we follow:

  1. Diagnostic — score the organization against each level's signals; identify the dominant level and the most-critical gaps
  2. Target level — decide where the business needs the program to be (not where the consultancy wants to sell to)
  3. Backlog — sequence interventions in the order that produces the most lift per quarter
  4. Cycle — re-score after each major intervention; revise the backlog

The model is not the deliverable. The backlog is. The model is a way of producing the backlog quickly and with shared language across stakeholders.
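As an added illustration of the diagnostic step (not the practice's own assessment tool), the scorer below encodes each level's signals as predicates, finds the dominant level, and emits the next level's failing signals as backlog input. Metric names and the sample organization's numbers are constructed; the thresholds are the ones stated in the level descriptions above, and an unmeasured metric is treated as a failed signal.

```python
"""Diagnostic scorer for the five-level model: score observed metrics against each
level's signals, report the dominant level, and emit the next level's failing
signals as the raw material for the backlog.

Added illustration. Metric names and the organization's numbers are constructed;
the thresholds follow the article (24h provisioning, 4h offboarding, 95%
certification completion, 80% passkey adoption, and so on)."""

# Each level's signals: (metric key, predicate over the observed value, signal text).
# A metric that is not measured at all fails the signal: if you cannot measure it, you are not there.
SIGNALS = {
    2: [
        ("provisioning_latency_hours", lambda v: v <= 24,   "provisioning latency under 24h for in-scope apps"),
        ("offboarding_latency_hours",  lambda v: v <= 4,    "offboarding under 4h for HRIS-driven terminations"),
        ("reviews_tooled",             lambda v: v is True, "access reviews run in the IGA tool, not spreadsheets"),
        ("sod_ruleset",                lambda v: v is True, "an SoD ruleset exists"),
    ],
    3: [
        ("review_completion_rate",     lambda v: v >= 0.95, "certification completion above 95%"),
        ("sod_continuous",             lambda v: v is True, "SoD violations detected continuously"),
        ("privileged_vaulted_share",   lambda v: v >= 1.0,  "all privileged access vaulted"),
        ("evidence_mode",              lambda v: v in ("per_control", "realtime"), "audit evidence captured per control"),
    ],
    4: [
        ("risk_driven_mfa_share",      lambda v: v > 0.5,   "most MFA challenges driven by risk signals"),
        ("zsp_top_scopes",             lambda v: v is True, "zero standing privilege on top-priority scopes"),
        ("evidence_mode",              lambda v: v == "realtime", "audit evidence queryable in real time"),
        ("passkey_adoption",           lambda v: v >= 0.8,  "passkey adoption at 80%"),
    ],
    5: [
        ("policy_as_code",             lambda v: v is True, "policy-as-code with CI deployment is the default"),
        ("agent_identity",             lambda v: v is True, "AI agent identity, delegation and revocation as primitives"),
        ("ma_playbook",                lambda v: v is True, "M&A integration follows a repeated playbook"),
        ("monitored_surfaces",         lambda v: {"privileged", "customer"} <= set(v),
                                       "continuous monitoring on privileged and customer surfaces"),
    ],
}


def evaluate_level(level: int, metrics: dict) -> list:
    """Return (signal text, passed, detail) for each of the level's signals."""
    results = []
    for key, predicate, text in SIGNALS[level]:
        if key not in metrics:
            results.append((text, False, f"{key} not measured"))
            continue
        value = metrics[key]
        try:
            ok = bool(predicate(value))
        except TypeError:      # wrong type recorded for the metric counts as not measured
            ok = False
        results.append((text, ok, f"{key}={value!r}"))
    return results


def diagnose(metrics: dict) -> dict:
    """Dominant level = highest level whose signals, and every lower level's, all pass.
    'gaps' are the next level's failing signals (backlog input); 'banked' are signals
    already met two or more levels up: credit, but they do not raise the dominant
    level until the floor beneath them is solid."""
    dominant = 1
    for level in range(2, 6):
        if all(ok for _, ok, _ in evaluate_level(level, metrics)):
            dominant = level
        else:
            break
    gaps = []
    if dominant < 5:
        gaps = [(text, detail) for text, ok, detail in evaluate_level(dominant + 1, metrics) if not ok]
    banked = []
    for level in range(dominant + 2, 6):
        banked += [(level, text) for text, ok, _ in evaluate_level(level, metrics) if ok]
    return {"dominant": dominant, "gaps": gaps, "banked": banked}


# Constructed organization: solidly Level 2, two Level 3 gaps, some Level 4 work already done.
EXAMPLE_METRICS = {
    "provisioning_latency_hours": 18,
    "offboarding_latency_hours": 3,
    "reviews_tooled": True,
    "sod_ruleset": True,
    "review_completion_rate": 0.97,
    "sod_continuous": False,
    "privileged_vaulted_share": 0.8,
    "evidence_mode": "per_control",
    "risk_driven_mfa_share": 0.6,
    "zsp_top_scopes": False,
    # passkey_adoption deliberately unmeasured
}

if __name__ == "__main__":
    report = diagnose(EXAMPLE_METRICS)
    print("dominant level:", report["dominant"])    # 2
    for text, detail in report["gaps"]:
        print("gap:", text, "|", detail)            # sod_continuous, vaulted share
    for level, text in report["banked"]:
        print(f"banked at L{level}:", text)         # risk-driven MFA share
```

The ordering of the gaps is the article's own listing order, not a sequencing; turning the gap list into a backlog ordered by lift per quarter is the third step of the pattern and needs effort and dependency estimates the scorer does not have.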

The bottom line

A maturity model is only useful if it produces a sequenced backlog. The five levels we use produce one — with the artifacts and metrics that let an organization actually know where it stands. We start every engagement with the diagnostic and end with a sequenced plan.

“A maturity model that does not produce a sequenced backlog by Friday is just a slide. We use a five-level model that always does.”

© 2026 askmeidentity, Inc. Safeguard your digital frontier.
