See The Gartner IAM Program Maturity Model

 | Level 1 Initial | Level 2 Developing | Level 3 Defined | Level 4 Managed | Level 5 Optimized |
---|---|---|---|---|---|
Governance | Ad hoc, informal | Subsumed with InfoSec (and InfoSec governance structures) | IAM governance structure defined and accepted | IAM governance structure fulfilled and refined | IAM governance optimization |
Organization | Informal, basic roles, responsibilities decentralized | Technical projects sponsored by BUs and CISO; informal inventory of IAM skills | IAM PMP established; IAM roles and training defined | IAM PMO active; RACI matrix defined; proactive skills development | Optimal integration with business; skills optimized |
Vision and Strategy | Conceptual awareness at best | Certain business drivers identified; tactical priorities set | Business-aligned vision defined; strategic priorities set | IAM vision and strategy continually reviewed to track business strategy | Periodic optimization of vision and strategy |
Processes | Ad hoc, informal | Semiformal BU-specific and target-specific processes | Formal processes defined, consistent across BUs and target systems | Formal processes integrated and refined, aligned with business processes | Process optimization |
Architecture and Infrastructure Design | Possible use of target-specific productivity tools | Disjoint technical projects; technology redundancy likely | Discrete IAM architecture defined; rationalization and consolidation in hand | IAM architecture refined and aligned with EA | IAM architecture embedded with EA; optimization |
Business Value | None measurable | Tactical efficiency and (maybe) effectiveness improvements; low direct value | Sustained, quantifiable improvements tied to GRC imperative; moderate direct value | Sustained, quantifiable contribution to all key business imperatives; high direct value | Business value optimization; transformational direct value |