The Measurement Problem

Identity and access management has moved from a niche IT function to a board‑level priority, driven by the staggering cost of data breaches—IBM’s 2025 report pegs the average at $4.88 million—and the prevalence of credential‑based attacks. The IDSA 2024 survey found that 90% of large enterprises suffered an identity‑related incident in the last twelve months, with 84% feeling direct business impact. As organizations pour capital into IAM tools, the missing piece is a consistent way to measure whether those investments translate into stronger security posture.

A raft of independent studies paints a sobering picture of where firms stand. SailPoint’s Horizons research places 63% of surveyed companies in the two lowest maturity horizons, while Ponemon/GuidePoint reports only 23% of respondents rating their IAM effectiveness as high (9‑10 on a 10‑point scale). Even among high performers, 39% still experience incidents, underscoring that tool effectiveness alone isn’t enough. The data also reveal industry nuances—financial services show a slightly better maturity distribution, yet the majority across sectors remain stuck in early stages, often relying on spreadsheets for access reviews.

The absence of a vendor‑neutral, community‑adopted maturity framework hampers executives’ ability to benchmark, set realistic roadmaps, and justify spend to stakeholders. A standardized metric would enable cross‑industry comparison, drive best‑practice adoption, and provide a clear language for board reporting. Part 2 of this series will dissect the fragmented frameworks currently in use, while Part 3 will outline design principles for a credible, shared standard—an essential step toward turning IAM from a compliance checkbox into a measurable business advantage.