Congratulations Reader, you’ve made it to the last part of my four-part blog series on enterprise patterns for modern IAM! The journey started a few weeks ago with a discussion of the principles that inform this approach to modern IAM. We then moved on to exploring ways to optimize controls for the different kinds of systems that modern IAM needs to protect and enable. Last week we explored a notional modern IAM architecture. And this week we end at the beginning or, more accurately, with how to begin one’s journey to building a modern IAM architecture in one’s own organization.


How to begin

Delivering the kinds of dynamic IAM capabilities the modern enterprise requires will not happen in a single step. One does not simply wave a wand and transform an existing IAM architecture into a modern one… nor will replacing a single component in that architecture transmute IAM tech debt into a future-proof solution. There are several steps one should consider taking:

Perform a “Four Component” analysis

As an exercise to better understand how to categorize IAM capabilities, I proposed that all IAM architectures have four components: policy, data, orchestration, and execution. Additionally, I proposed a way to walk through one’s IAM infrastructure to identify which capabilities are applicable at which times of use, as well as which capabilities are ripe for augmentation versus those that are ready for replacement. Performing such an analysis is a useful early step towards enacting the kinds of change needed to deliver more dynamic IAM capabilities.

Evaluate data management capabilities

Building the kind of data tier needed to power a modern IAM infrastructure fit for a dynamic enterprise requires more formal data governance and management capabilities than most IAM teams have on their own. Until such time as fit-for-purpose IAM data tiers exist in the market, IAM teams will need help. Security peers might have some insights from their experience working with security data lakes. More likely, IAM teams will either need to enlist the services of enterprise data teams, if they exist, or cultivate data skills internally. Regardless, IAM teams should evaluate what their own capabilities are, what enterprise data platforms are available to them, and where they can get help within the enterprise.

Build an event-based signaling network

Near real-time events are crucial to delivering modern dynamic IAM capabilities. Standards like SSF (the OpenID Shared Signals Framework) and its two profiles, CAEP (Continuous Access Evaluation Profile) and RISC (Risk Incident Sharing and Coordination), give enterprises and vendors the means to begin constructing an IAM nervous system of a sort - one that allows components within the IAM infrastructure to signal to interested parties when something of note happens. Recognizing that most applications and platforms do not yet offer robust support for these standards, IAM teams will also need a means to incorporate proprietary event streams. An important step towards the goal of delivering dynamic IAM capabilities is to build out “event hubs” that can consume, transform, and transmit signals - be they standards-based or proprietary events. Infuse the event hub with the ability to act upon policy and the IAM infrastructure can respond far more immediately to events. Add a more robust data tier to that and those policies can become more focused and more effective.
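To make the event hub idea concrete, here is an added example (constructed for this edit, not code from the original post or any vendor) of the consume-transform-act loop described above. It takes the payload of an SSF Security Event Token (RFC 8417) carrying a CAEP or RISC event, plus an event from a hypothetical proprietary EDR feed, normalises both into one internal Signal shape, and runs a small ordered policy over them. The SET payloads, the EDR field names, the internal event vocabulary, the policy rules and the action names are all assumptions made for the illustration; the CAEP/RISC event-type URIs and the RFC 9493 `sub_id` formats are the real ones. Signature, issuer and audience verification of the incoming SET is deliberately left to the caller, and a kill switch of the kind the post mentions below turns execution into log-only when disarmed.

```python
"""Minimal IAM event hub: normalise SSF (CAEP/RISC) and proprietary events
into one Signal type, then apply policy. Added illustration, not the post's
own code; sample events below are constructed."""
from dataclasses import dataclass, field
from typing import Callable

# Event-type URIs defined by the CAEP and RISC profiles of the OpenID SSF.
CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
CAEP_DEVICE_COMPLIANCE = "https://schemas.openid.net/secevent/caep/event-type/device-compliance-change"
RISC_CREDENTIAL_COMPROMISE = "https://schemas.openid.net/secevent/risc/event-type/credential-compromise"

# Hub-internal vocabulary (assumed); every feed is translated into it.
SET_KINDS = {
    CAEP_SESSION_REVOKED: "session_revoked",
    CAEP_DEVICE_COMPLIANCE: "device_compliance_change",
    RISC_CREDENTIAL_COMPROMISE: "credential_compromise",
}


@dataclass(frozen=True)
class Signal:
    kind: str                      # internal event kind (see SET_KINDS)
    subject: str                   # principal the signal is about
    source: str                    # SET issuer or proprietary feed name
    attrs: dict = field(default_factory=dict)


def subject_from(sub_id: dict) -> str:
    """Flatten an RFC 9493 subject identifier to one canonical string."""
    fmt = sub_id.get("format")
    if fmt == "email":
        return sub_id["email"].lower()
    if fmt == "iss_sub":
        return f'{sub_id["iss"]}#{sub_id["sub"]}'
    raise ValueError(f"unsupported subject format: {fmt}")


def from_set(payload: dict) -> list[Signal]:
    """Translate a Security Event Token payload (RFC 8417) into Signals.
    `payload` must already be a VERIFIED JWT payload: checking its signature
    against the transmitter's keys and its iss/aud claims is the receiver's
    job and is out of scope here. Unknown event URIs are kept, not dropped."""
    subject = subject_from(payload["sub_id"])
    return [Signal(SET_KINDS.get(uri, "unknown"), subject, payload["iss"], dict(body))
            for uri, body in payload["events"].items()]


def from_edr(event: dict) -> list[Signal]:
    """Adapter for a hypothetical proprietary EDR feed (field names assumed)."""
    kinds = {"HOST_ISOLATED": "host_isolated", "MALWARE_FOUND": "malware_found"}
    return [Signal(kinds.get(event["type"], "unknown"), event["user"].lower(),
                   "edr", {"host": event["host"]})]


# Policy: ordered (predicate, action) pairs; first match wins, else log only.
Rule = tuple[Callable[[Signal], bool], str]
POLICY: list[Rule] = [
    (lambda s: s.kind == "credential_compromise", "revoke_sessions_and_reset_credential"),
    (lambda s: s.kind in ("session_revoked", "host_isolated"), "revoke_sessions"),
    (lambda s: s.kind == "device_compliance_change"
     and s.attrs.get("current_status") == "not-compliant", "step_up_auth"),
]


class EventHub:
    def __init__(self, armed: bool = True):
        self.armed = armed                 # kill switch: False -> decide and log, execute nothing
        self.executed: list[tuple[str, str]] = []
        self.log: list[str] = []

    def decide(self, sig: Signal) -> str:
        return next((action for pred, action in POLICY if pred(sig)), "log_only")

    def ingest(self, signals: list[Signal]) -> list[str]:
        decisions = []
        for sig in signals:
            action = self.decide(sig)
            decisions.append(action)
            self.log.append(f"{sig.source}:{sig.kind}:{sig.subject} -> {action}")
            if self.armed and action != "log_only":
                # A real hub would hand this to the execution tier (IdP/session store API).
                self.executed.append((action, sig.subject))
        return decisions


# Constructed sample inputs (not real tokens; no signatures shown).
CAEP_SET = {
    "iss": "https://idp.example.com", "jti": "7c1", "iat": 1700000000,
    "aud": "https://hub.example.com",
    "sub_id": {"format": "email", "email": "Alice@Example.com"},
    "events": {CAEP_DEVICE_COMPLIANCE: {"previous_status": "compliant",
                                        "current_status": "not-compliant",
                                        "event_timestamp": 1700000000}},
}
RISC_SET = {
    "iss": "https://idp.example.com", "jti": "7c2", "iat": 1700000060,
    "aud": "https://hub.example.com",
    "sub_id": {"format": "iss_sub", "iss": "https://idp.example.com", "sub": "u-42"},
    "events": {RISC_CREDENTIAL_COMPROMISE: {"credential_type": "password",
                                            "event_timestamp": 1700000060}},
}
EDR_EVENT = {"type": "HOST_ISOLATED", "user": "bob@example.com", "host": "lt-0042"}

if __name__ == "__main__":
    hub = EventHub()
    for batch in (from_set(CAEP_SET), from_set(RISC_SET), from_edr(EDR_EVENT)):
        hub.ingest(batch)
    print("\n".join(hub.log))
```

The point of the Signal layer is that policy is written once, against the hub's own vocabulary, so a CAEP session-revoked event and an EDR host-isolation alert can drive the same "revoke sessions" action without the policy knowing which feed produced it. Subjects are canonicalised on the way in (lower-cased email, issuer-qualified `sub`) so the execution tier gets one identifier shape regardless of source.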

Building a Dynamic, Future-Proof IAM Infrastructure

As organizations continue to evolve, so too must their IAM systems. The demands of a dynamic enterprise, with its ever-changing environment and growing ability to rely on real-time data, require an IAM infrastructure that can adapt without constant overhaul. By embracing contextual awareness, automating responses, and augmenting existing systems with modern components (potentially including AI-driven capabilities), organizations can create a resilient and flexible IAM architecture.

However, the key to success lies not just in the adoption of new technologies, but in doing so thoughtfully. Leveraging established standards ensures that systems remain interoperable and future-proof, while kill switches and other safeguards protect against unforeseen risks. By building on top of a solid data foundation and investing in orchestration and execution tiers that work seamlessly together, enterprises can stay ahead of both external threats and internal pressures to change.

Moving towards a more dynamic IAM requires that the focus remain on augmenting existing systems, integrating new capabilities when needed, and planning for the future—all while maintaining control and minimizing risk. The path is complex, but by taking a principles-informed approach, organizations can achieve a modern IAM infrastructure that is both agile and secure, ready to meet the challenges of today and tomorrow.


Heartfelt thanks

As I mentioned in the first post, I could not have built this series of posts without friends helping me out. More importantly, I could not have come up with these ideas without numerous conversations, document reviews, and healthy arguments. Here is a small list of people who materially contributed to this: