Entitlement administration and governance
by Idan Shoham - CTO at Hitachi ID Systems - Monday, 30 April 2012.
In the identity and access management (IAM) market, we've got the terminology all wrong. With bad labels comes misdirected thinking, which ultimately contributes to project failure and disappointed stakeholders. This sounds like a big claim, so allow me to explain. Depending on what milestones you care to consider, the IAM market has been evolving for about twenty years. Perhaps it's time for a reboot.

It began with moving identities and, in some cases, passwords out of the silos of individual applications and into a single directory. Organizations then discovered that one directory was an unrealistic goal and that moving the data out of the silos was not enough; the change management process must be consolidated as well. This is when the term "identity management" was invented, in reference to shared processes for managing identities. Meta directories (to synchronize data) and virtual directories (to present an aggregate view) appeared around this time, as did user provisioning in order to help manage those applications that still couldn't leverage a directory.

Access management followed shortly after, but its focus was on runtime authentication and authorization. While web access management products can, in principle, centralize control over authorization rules using URL filters and web services APIs, most organizations deployed them primarily for single sign-on across their Intranet or Extranet. Let's pause there.


We now have two terms that are really unrelated. Identity management, which includes user provisioning, directories, meta directories and virtual directories, refers to software used to manage the setup and teardown of users. Access management refers to software for signing users into applications and controlling what they can access. Administration versus runtime. These two things do not belong in a single product or even in the same category. Nevertheless, vendors and analysts began to refer to the market as "Identity and Access Management", which conflates administration with runtime enforcement.

Despite both identity management and access management systems being widely adopted, medium to large organizations continued to encounter problems. They were never really interested in managing identities for their own sake - that's just a means to an end. What most organizations really care about is what users can access. You have to know who they are before you can grant access rights, but identifying users is not really enough.

Organizations want user setup to be fast and efficient. Teardown should be prompt and reliable. Security rights, now more properly called security entitlements, should be appropriate to a user's business needs. Audit records should be rich and available directly to auditors. Internal controls should be strictly enforced, in part to comply with regulatory requirements.

Copyright 1998-2013 by Help Net Security.