Entitlement administration and governance
by Idan Shoham - CTO at Hitachi ID Systems - Monday, 30 April 2012.
In response to this, a handful of firms have launched products in a newly imagined market, "Access Governance", providing controls over security rights assigned to users. The idea is to layer this on top of existing deployments of user provisioning systems, which have proven to have limited utility, perhaps because of a focus on identities rather than security entitlements, or maybe simply because they have terrible user interfaces which are difficult to configure and use.

So now we have even more confusion because the governance here is of security entitlements, not of runtime access enforcement. Perhaps this new product category would be more accurately called "Entitlement Governance."

If we actually stop to listen to what organizations want, it is efficient and secure administration AND governance. They want to manage security entitlements first and foremost, and identities only insofar as this is a prerequisite to granting entitlements to users.

Which brings me to the starting point: "Identity and Access Management" is misleading, as is "Access Governance." Moreover, the security controls implicit in "governance" must be enforced at every phase of every administration process. The notion of two product categories layered on top of each other, one for governance and another for administration, is neither architecturally sound nor commercially attractive.


I propose a simpler and more accurate label for our market: "Entitlement Administration and Governance," or EAG for short.

And what does EAG mean?
  • Focus on granting and revoking entitlements.
  • Automate the management of identities, since users must be assigned digital identities before they can be granted entitlements.
  • Include a rich set of connectors to pull information about login IDs and security entitlements from existing systems and directories, and to write updates back to those systems and applications as a consequence of approved change requests.
It includes a rich set of features such as:
  • Automation to set up and tear down identities and entitlements based on an HR data feed.
  • A request portal so that users can request changes on their own behalf and for others, including recipients who do not appear in an HR data feed.
  • An authorization workflow, to get business users to approve or reject proposed changes.
  • Access certification, to invite stakeholders to periodically review and correct security entitlements.
  • Policy engines, to prevent violations of segregation of duties and other rules.
  • Reports and dashboards, so business users can monitor both enterprise-wide security configuration and the change management process.
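To make the feature list concrete, here is an added example (not code from the article or from Hitachi ID) of how three of those pieces fit together in one loop: HR-feed driven joiner/leaver automation, a segregation-of-duties policy engine that is applied before a request ever reaches an approver, and an approval workflow that refuses self-approval. The HR feed, baseline entitlements, SoD rules and entitlement names are all constructed for the example, and the connector write-back step is left as a comment.

```python
from dataclasses import dataclass, field

# Constructed sample HR feed: employee id -> record (hypothetical fields)
HR_FEED = {
    "e100": {"dept": "finance", "status": "active"},
    "e200": {"dept": "it", "status": "terminated"},
}

# Constructed baseline entitlements granted automatically per department
BASELINE = {
    "finance": {"erp:ap_invoice_entry"},
    "it": {"ad:helpdesk"},
}

# Constructed segregation-of-duties rules: no single identity may hold both
SOD_RULES = [
    ("erp:ap_invoice_entry", "erp:ap_payment_approve"),
    ("ad:domain_admin", "siem:log_delete"),
]


@dataclass
class Identity:
    login: str
    active: bool = True
    entitlements: set = field(default_factory=set)


@dataclass
class Request:
    requester: str
    recipient: str
    entitlement: str
    state: str = "pending"   # pending | granted | rejected
    reason: str = ""


def reconcile_hr_feed(identities, feed):
    """Joiner/leaver automation driven by the HR feed. Creates identities with
    baseline entitlements for active employees not yet known, and disables and
    strips entitlements from terminated ones. Returns audit actions taken."""
    actions = []
    for emp_id, rec in feed.items():
        ident = identities.get(emp_id)
        if rec["status"] == "active" and ident is None:
            identities[emp_id] = Identity(emp_id, entitlements=set(BASELINE.get(rec["dept"], ())))
            actions.append(("joiner", emp_id))
        elif rec["status"] == "terminated" and ident is not None and ident.active:
            ident.active = False
            ident.entitlements.clear()
            actions.append(("leaver", emp_id))
    return actions


def sod_violations(entitlements):
    """Return every SoD rule that the given entitlement set would violate."""
    return [r for r in SOD_RULES if r[0] in entitlements and r[1] in entitlements]


def submit_request(identities, requester, recipient, entitlement):
    """Policy engine: reject immediately if the recipient has no active identity
    or the change would create an SoD violation; otherwise route to approval."""
    ident = identities.get(recipient)
    req = Request(requester, recipient, entitlement)
    if ident is None or not ident.active:
        req.state, req.reason = "rejected", "no active identity"
    elif sod_violations(ident.entitlements | {entitlement}):
        req.state, req.reason = "rejected", "segregation of duties"
    return req


def approve(identities, req, approver):
    """Authorization workflow: a business approver (never the recipient
    themselves) signs off. A connector would then write the change back."""
    if req.state != "pending":
        return req.state
    if approver == req.recipient:
        req.state, req.reason = "rejected", "self-approval not allowed"
        return req.state
    identities[req.recipient].entitlements.add(req.entitlement)
    req.state = "granted"
    return req.state


def demo():
    # e200 already exists with its baseline; e100 is a new joiner in the feed
    identities = {"e200": Identity("e200", entitlements={"ad:helpdesk"})}
    actions = reconcile_hr_feed(identities, HR_FEED)
    ok = submit_request(identities, "e100", "e100", "erp:gl_view")
    approve(identities, ok, "mgr1")
    sod = submit_request(identities, "e100", "e100", "erp:ap_payment_approve")
    gone = submit_request(identities, "mgr1", "e200", "ad:helpdesk")
    return actions, ok.state, sod.reason, gone.reason, sorted(identities["e100"].entitlements)


if __name__ == "__main__":
    print(demo())
```

The point of the ordering is that governance is not a separate layer: the SoD rule and the leaver status are checked inside the administration step itself, so a request that would violate policy never becomes a pending item for an approver to wave through.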


I think this is what the market really wants: an integrated solution to manage both identities and entitlements throughout the user lifecycle, with integrated governance (i.e., policy and workflow controls throughout). So, let's stop talking about IAM and focus instead on EAG.
