January 19, 2026

Why Identity Is the Control Point Every Organisation Is About to Be Judged On

IAM isn't a security project anymore. It's the operating system for how work actually happens.

We've spent years in identity and access management leading multi-year programs across government, universities, and enterprise, managing identity lifecycles for environments with 450,000+ users. The conversation has fundamentally shifted.

For a long time, IAM was treated as a security platform. Something you implemented to tick a compliance box or stop the wrong people getting into the wrong systems. It lived in IT security's world, and most of the organisation didn't think about it unless something broke.

That framing is outdated.

IAM isn't about logging in. It's about who can act, what they can touch, and how control is maintained across every system, partner, cloud service, and AI-driven process in your environment.

If you can't clearly answer:

  • Who has access to what
  • Why they have it
  • How that access is governed
  • And how it is removed

then you don't have digital control. You have accumulated risk.

IAM is the control point for the entire organisation.

Identity is the new perimeter

The traditional security perimeter is gone. People work remotely. Systems live in the cloud. Third-party platforms are embedded into core operations.

What remains constant is identity.

Every transaction, every permission, every audit trail flows through who or what is allowed to act. IAM defines accountability, security, and scale.

I see organisations treat identity as an afterthought, and the patterns are always the same: inconsistent access controls, manual joiner/mover/leaver processes, privilege creep, unmonitored admin access, and expensive audits full of gaps.

The issue is rarely the technology. Most organisations have access to decent IAM platforms. The problem is the operating model: how identity is managed day-to-day, who owns it, and how governance works in practice.

Why so many IAM programs fail

I've watched IAM programs stall or get shut down more times than I can count. The failure modes are predictable.

  • Over-engineering from day one. Teams design for every edge case instead of adopting proven standards, and rebuild access models from legacy systems rather than starting with what already works.
  • Procurement drags on for months to years. Lengthy requirements and scoring frameworks that lock teams into unnecessary customisation instead of best-practice approaches.
  • Fragmented ownership. Security owns the platform. HR owns provisioning. Infrastructure owns the directory. No one owns the end-to-end outcome.
  • Technology without governance. Platforms are implemented without defining how access is approved, audited, reviewed, and removed in practice.
  • No fast, tangible outcomes. I've spoken to project leaders at universities and large organisations who watched IAM programs get cancelled when steering committees saw budgets draining with little to show for it. Without executive sponsorship and a strategy that delivers incremental value, these programs collapse under their own complexity.

IAM sits alongside ERP and HCM as one of the hardest transformations to deliver. That is exactly why phased, outcome-driven approaches matter.

The result is familiar: long timelines, slow adoption, and systems that never become the single source of truth. Or worse, programs that are shut down before they deliver any value at all.

What's already happening (and most orgs are blind to it)

The next phase of IAM isn't more users or applications. It's more non-human actors.

AI agents, automation platforms, service accounts, certificates, and integrations are already operational participants. They act independently, request access, and move data at machine speed. Recent reports (CyberArk 2025) show machine identities already outnumber humans 82:1 on average, and AI adoption is turbocharging that growth.

This introduces a new class of risk: identity sprawl without ownership, unclear accountability for automated actions, and privileges that outlive their purpose.

IAM must evolve from "user access management" into identity governance across humans, systems, and agents.

Organisations that don't adapt won't fail because of a breach. They will fail because they can't confidently demonstrate how work happens inside their digital environment. When regulators, auditors, or executives ask the hard questions, the gaps will be obvious.

What good IAM looks like

The high-performing IAM programs I've worked with share three characteristics:

  1. Standards over custom logic. They adopt proven identity patterns (RBAC, SAML, OIDC) and adapt them to fit. They don't reinvent the wheel.
  2. Automated lifecycle management. Joiner, mover, leaver workflows are system-driven, not ticket-driven. Access is provisioned or removed automatically. It improves over time because the process is repeatable and measurable.
  3. Privileged access is tightly governed. Admin accounts, service accounts, and vendor access are controlled upfront, reviewed regularly, and traceable. The strongest programs align privileged access controls to established frameworks like Essential 8, NIST, or CIS benchmarks.

This is not about finding the "best" IAM tool. It's about designing the right operating model around identity.

Identity is now an executive issue

IAM directly affects things executives care about:

  • Risk and audit readiness. Can you demonstrate control? Can you prove access is reviewed and removed when it should be?
  • Operational efficiency. How much time is spent on manual provisioning? How long do onboarding and offboarding take?
  • Scalability. Can you integrate new systems or partners without rebuilding your access model every time?

I see this most clearly during structural change: acquisitions, new business units, government restructures. Strong IAM enables rapid integration instead of months of manual access provisioning.

Organisations that don't get this right discover that complexity always compounds. By the time the impact is visible, they are deep in technical debt and fixing it feels overwhelming.

Identity is the control point.

How well you govern it determines how ready you are for what comes next.

Is your IAM helping you scale or quietly becoming your biggest risk?

We've built a short Identity & Access Management Health Check that shows where your organisation sits across governance, security, automation, and readiness for what's already happening.

It takes less than 3 minutes and gives you:

  • Your current maturity level
  • Your key exposure areas
  • The highest-impact improvements you can make
