Back to Identity and Access Management component
Capability IM.1

IAM Policy

"Identity and access policies define roles, entitlements, joiner/mover/leaver triggers, MFA enforcement, and privilege escalation rules."

This capability evaluates whether the organization has the ownership, process, evidence, and oversight needed to manage this area of identity and access risk.

Scope & Context

What This Capability Means

IAM Policy assesses whether the organization has a defined, repeatable, and evidence-supported approach to identity and access policies define roles, entitlements, joiner/mover/leaver triggers, mfa enforcement, and privilege escalation rules. This includes the policies, roles, workflows, systems, data sources, and oversight practices needed to make the capability operational.

Key Capability Factors

An enterprise IAM policy is version-controlled, board-approved, and mapped to NIST/ISO controls.

Policy covers role taxonomy, entitlement catalogue, JML workflows, MFA mandates, and escalation limits.

Supporting procedures and playbooks exist for each section and are linked in the policy portal.

Annual (or trigger-based) reviews update policy; attestation >= 95 % for in-scope staff.

Strategic Importance

Why This Capability Matters

This capability matters because identity and access weaknesses often determine who can reach sensitive systems, crown-jewel data, administrative tools, or critical workflows. Weaknesses can create blind spots in Governance & Oversight, Access & Authorization, Process & Procedural Gaps, inconsistent decisions, unmanaged privileges, entitlement creep, delayed revocation, and weak executive evidence. A mature capability helps the organization move from fragmented access activity to repeatable, risk-informed, and defensible access governance.

AI & Automation Context

AI-related context should be included where IAM policy, ownership, access logging, privileged account management, BYOD controls, or portable storage restrictions rely on analytics, automated recommendations, or AI-assisted evidence review. Human decision-makers should retain accountability for access decisions.

Capability Assessment

Weakness vs. Maturity Indicators

Signs of Weak Capability
  • Access policies, owners, approval workflows, exception processes, and review cycles are unclear, outdated, or inconsistently applied.
  • Joiner, mover, leaver, contractor, BYOD, privileged, and break-glass access processes are not consistently connected to HR, procurement, IT, security, and business triggers.
  • Users retain access after role changes, termination, contract completion, inactivity, or loss of business need.
  • Privileged or sensitive-system access is granted without time limits, justification, monitoring, risk review, or post-use validation.
  • Access logs, failed logins, policy bypasses, sensitive-system events, and entitlement changes are not consistently reviewed or connected to insider-risk decisions.
  • AI-enabled access recommendations, role mining, anomaly alerts, or risk scores are used without validation, human oversight, explainability, or documented accountability.
  • Leaders cannot explain which identity or access weaknesses create the greatest insider-risk exposure or what should be prioritized next.
Signs of Mature Capability
  • The capability has named ownership, documented policy, clear workflows, defined evidence expectations, and repeatable governance review.
  • Access is granted, changed, reviewed, and revoked based on role, business need, asset sensitivity, user context, and risk exposure.
  • Privileged, contractor, remote, BYOD, portable storage, break-glass, and high-risk user access are tightly governed, logged, and reviewed.
  • Access events and violations are logged, correlated, and connected to monitoring, investigation, risk assessment, and remediation workflows.
  • Periodic reviews use business need, asset criticality, usage activity, entitlement age, exception history, and risk context rather than checkbox attestation alone.
  • AI-assisted identity analytics or access recommendations are validated, explainable, auditable, and subject to human oversight.
  • Leadership receives concise evidence showing current access exposure, priority gaps, planned actions, progress, and residual risk.
Governance Guidance

Questions Leaders Should Ask

Question 1

Who owns IM.1 (IAM Policy), and do they have authority to define policy, workflows, evidence, exceptions, and remediation?

Question 2

Which users, roles, contractors, devices, applications, privileged accounts, sensitive systems, and crown-jewel assets are in scope?

Question 3

How are Legal, HR, Compliance, Privacy, Security, IT, procurement, asset owners, and business leaders involved in access decisions?

Question 4

What evidence shows access is approved, reviewed, monitored, revoked, and aligned to business need and risk?

Question 5

How are AI-enabled access recommendations, anomaly alerts, role-mining outputs, or risk scores validated and governed?

Question 6

How do IAM findings drive roadmap actions, risk register updates, control improvements, investigations, and executive reporting?

Defensible Program Artifacts

Evidence Examples

Evidence Type

IAM policy, access control standards, role taxonomy, entitlement catalog, MFA standards, exception procedures, and approval matrices

Evidence Type

IAM owner records, RACI, governance meeting minutes, stakeholder review records, KPI dashboards, and program charters

Evidence Type

Joiner/mover/leaver workflows, HR trigger records, contractor onboarding/offboarding records, access request tickets, and approval records

Evidence Type

Access review campaigns, asset-owner attestations, remediation records, dormant account reports, entitlement age reports, and exception registers

Evidence Type

Privileged access requests, PAM logs, break-glass access logs, session records, post-use justifications, and credential vault records

Evidence Type

Remote access logs, VPN or zero-trust gateway records, device posture checks, MFA logs, conditional access decisions, and blocked-session records

Evidence Type

Sensitive-system access logs, SIEM events, alert records, violation reports, policy bypass records, and case referral records

Evidence Type

Identity proofing records, account creation records, deprovisioning evidence, role change approvals, and user reconciliation reports

Evidence Type

BYOD access policies, MDM/MAM records, app access controls, portable storage approvals, removable media logs, and revocation records

Evidence Type

Risk register entries, roadmap actions, remediation milestones, control exceptions, residual-risk summaries, and executive reporting packages

Regulatory Context

Mapped Standards and Framework References

Standard / Framework ReferenceHow It Relates to This Capability
NIST 800-53, r5 (3.1, AC-1)Relevant to IAM Policy because it supports access governance, identity lifecycle control, authorization, logging, review, evidence, or oversight expectations.
ISO 27002, 12.1.1Relevant to IAM Policy because it supports access governance, identity lifecycle control, authorization, logging, review, evidence, or oversight expectations.
AI governance and responsible AI guidanceRelevant where identity analytics, access recommendations, risk scoring, role mining, anomaly detection, or automated provisioning support this capability.

Use This Mapping to Ask:

Q1.

Which control expectations are most relevant to this capability based on the organization, workforce, assets, and data types?

Q2.

What evidence would show that the control is operating, reviewed, and improving over time?

Q3.

Where do access decisions create insider-risk exposure that should be reflected in the risk register?

Q4.

How should AI-assisted IAM outputs be validated, documented, and governed?

Q5.

Which gaps should become roadmap actions with owners, dates, and measurable progress?

Standards mappings are provided for reference only. Organizations should validate applicability based on their regulatory environment, workforce locations, data types, internal policies, and legal obligations.
RiskTKO® Bridge

How RiskTKO® Operationalizes This Capability

Assessment evidence

Policies, access logs, entitlement records, IAM workflows, approval records, review outputs, exception records, and other artifacts used to evaluate current capability.

Risk evidence

Risk register items or exposure narratives connected to excessive access, privileged access, contractor access, stale entitlements, sensitive-system access, or access violations.

Roadmap evidence

Recommended actions, owners, milestones, workflow changes, policy updates, access review improvements, monitoring enhancements, and completion status.

Executive evidence

Summaries showing current state, progress, remaining IAM gaps, access exposure themes, and risk reduction over time.

Assess, Prioritize, and Report with RiskTKO®

Protecting proprietary logic (scoring, weightings, and roadmap generation formulas) remains inside the software layer. RiskTKO® provides your team with the complete operational dashboard to evaluate this capability, document evidence, track actions, and deliver clean, executive-ready maturity metrics.