IAM in 2025: Turning Hurdles into High-Value Wins

In the first post of this series, we explored how to maximize the potential of Identity and Access Management (IAM) by streamlining operations, improving security, and enhancing business agility. But even the most robust IAM strategy can fall short without organizational buy-in and cross-functional support. IAM doesn’t exist in a vacuum; its success depends on awareness, collaboration, and shared accountability across the enterprise.

In this post, we’ll focus on two critical aspects of IAM success: raising awareness within your organization and broadening peer support to strengthen your IAM efforts.

Raising Awareness Within Your Organization

A well-executed IAM strategy is only as effective as the people who implement and interact with it. That’s why raising awareness about IAM’s role and value is essential. Without it, employees might inadvertently bypass security protocols or misunderstand the importance of adhering to IAM policies.

Gartner’s 2025 Planning Guide for Identity and Access Management underscores the importance of an “identity-first business strategy” to maintain operational efficiency and competitive advantage. We couldn’t agree more. By placing identity at the center of your security framework, you’re not only safeguarding assets but also enabling organizational resilience.

Let’s dive into a few practical strategies to drive identity-first security awareness and build broad organizational support for these critical initiatives.

Strategies for Identity-First Security Awareness

1. Highlight the Limitations of Traditional Network Controls: The concept of a “secure corporate network” is outdated in today’s hybrid work environment. With employees accessing critical systems from anywhere and on any device, identity has become the new security perimeter.

Why This Matters:
Traditional perimeter-based models rely on securing a fixed network boundary, which no longer exists. Identity-first security shifts the focus to verifying every access request in real-time, regardless of location or device. This approach ensures that security isn’t tied to geography but to verified trust.

How to Articulate This:
Explain that traditional network controls leave gaps in securing remote or hybrid workforces. By contrast, identity-first security provides robust protection through real-time verification and contextual access management.

NIST’s Zero Trust Architecture Guidelines offer a detailed framework for identity-centric security approaches.

2. Provide Examples of Common Identity Failures: Real-world examples resonate with stakeholders and drive home the risks of inadequate identity management.

Case in Point:
In 2024, a disgruntled former Disney employee used retained credentials to sabotage the company’s digital menu displays. This breach highlights a common failure: delayed deactivation of credentials. While SSO systems simplify access management, ensuring complete deprovisioning across all systems remains a significant challenge.

Key Message:
Use examples like Disney’s breach to stress the importance of efficient identity lifecycle management. Timely deactivation of credentials is critical for preventing insider threats and securing organizational assets.

The Identity Defined Security Alliance (IDSA) provides case studies that illustrate the risks of identity mismanagement and the benefits of proactive identity governance.

3. Provide Realistic Examples of Beneficial Identity Initiatives: Highlighting achievable, high-impact IAM initiatives can help bridge the gap between abstract security goals and actionable improvements.

Where to Start:

• Employee Lifecycle Management: Streamline onboarding and offboarding to ensure access permissions align with job roles.
• MFA Coverage: Expand multi-factor authentication to cover all critical systems, minimizing the risk of credential-based breaches.
• Unused Accounts Audit: Regularly review and deactivate accounts that no longer serve a purpose, reducing attack surfaces.

These straightforward initiatives address common IAM gaps, even in mature environments, and demonstrate quick wins that build momentum for more complex projects.

Broadening Peer Support in Your Organization

Once you’ve raised awareness, gaining broad organizational support for identity-first security initiatives is a necessary step to setting yourself up for success. Gartner recommends several key approaches to build organizational support, including using Outcome Driven Metrics (ODMs), creating business context around IAM investments, and having IAM teams take the initiative to identify and close the gaps between other organizational stakeholders.

While these recommendations are sound, they don't cover all the specific strategies you might need to get started. We’ve identified a number of specific strategies and tactics that can help ease your path.

Strategies for Broader Support

1. Build Awareness with Clear Metrics: Data is a powerful tool for building a case. Highlight the rising frequency and cost of identity-based breaches and demonstrate how proactive IAM investments can reduce risks and save money.

Key Metrics to Present:

• The average cost of an identity-related breach versus the cost of implementing IAM improvements.
• Time saved in onboarding and offboarding processes through automated IAM workflows.

Focus:
Rather than relying on fear tactics, emphasize how identity-first security supports operational efficiency, reduces downtime, and enhances the overall user experience.

Verizon’s Data Breach Investigations Report provides valuable statistics on identity-related breaches and their financial impact.

2. Tie IAM to Business Goals: For many stakeholders, IAM can seem like an isolated IT function. Reframe it as a business enabler that supports organizational agility, customer trust, and continuity.

Key Talking Points:

• IAM ensures uninterrupted operations by protecting critical systems.
• Strong identity practices foster customer trust by safeguarding their data.
• IAM contributes to cost reduction by streamlining access management and improving compliance.

Takeaway:
Position IAM as an investment in business effectiveness, not just an IT expense.

McKinsey’s report on Cybersecurity in Iberia: Aligning business and the board illustrates how aligning IAM with business goals strengthens overall strategy. The content applies to more than just the region!

3. Start with Quick Wins: Quick wins are essential for building momentum and demonstrating the value of IAM initiatives. Start with manageable projects that deliver visible results, such as:

• Implementing broader MFA adoption.
• Cleaning up outdated user roles and permissions.
• Automating routine access requests to improve efficiency.

Example:
One organization reduced help desk calls by 30% within the first quarter of rolling out an automated IAM system, showcasing the tangible benefits of streamlined identity management.

Gartner’s quick wins guide provides practical ideas for fast, high-impact improvements.

4. Find External Benefits: Identity-first initiatives can benefit more than just IT. IAM data often reveals insights that other business units can use to optimize resources.

Example:
By analyzing IAM data, an organization identified unused software licenses and reduced spending by 20%. This not only saved money but also demonstrated the cross-departmental value of IAM initiatives.

Takeaway:
Show how IAM improvements align with the goals of other departments, fostering collaboration and shared success.

Conclusion

Raising awareness and building support for identity-first security are vital steps in modern IAM strategy. By focusing on clear communication, impactful metrics, and quick wins, you can secure the organizational backing needed to drive success.

In our next post, we’ll explore how to define and measure IAM outcomes, ensuring your strategy delivers real business value.