What Is an IAM Assessment and How Does It Work?

by Marty Aquino
What Is an IAM Assessment and How Does It Work?

15,000 per organization. That’s the average number of digital or electronic identities per medium-sized business that have to be managed. If your organization is an S&P 500 company, one of the 500 largest publicly traded companies in the U.S., then that number jumps to approximately 1,542,810 — per company. According to CyberArk, the average employee has over 30 digital identities.

The simple math:

  • Medium-Sized Businesses: Medium-sized businesses typically have 500 employees or more. 500 employees x 30 digital identities = 15,000 digital identities per organization — on average.
  • Large-Sized Businesses: 51,427 is the average S&P 500 company employee headcount. 51,427 employees x 30 digital identities = 1,542,810 digital identities per organization — on average.

Amazingly, this does not include machine identities which overwhelmingly outnumber human identities by a factor of 45. That’s an incredible amount of digital identities that your organization has to contend with. Identity management is verifying your users based on preexisting data in your identity management database. Access management is confirming user access rights to your various systems, applications data, devices, etc.

Digital identities are key components of our rapidly expanding cyber reality. Historically, as societies evolved with digital technologies, people became increasingly identified by numbers or digits. Social Security, driver’s licenses and passport numbers are old-school numeric/alphanumeric methods of identifying individuals. Fast forward to the digital world today. Your employee’s digital identity is multipronged and often unique for each experience. For example, if one of your systems requires a password and multifactor authentication (MFA) prompt from your team member, your organization knows that it is allowing access to the right individual or machine — and no one else.

With the exponential unfurling of the internet, the need for securing each interaction within it and just outside of it (intranet or local-only networks) has never been greater. In short, confirming your digital identity is seemingly the only way to gain access to mundane day-to-day operations as well as mission-critical sensitive data. Identity and access management (IAM) is your organization’s protocol, solutions set or framework that shepherds all of your human and machine electronic identities. No small feat in today’s expanding cyberverse. Accordingly, IAM assessments have never been more important to robust digital infrastructure security.

Why Are IAM Assessments Important?

Cybercriminals, like ransomware gangs, are on the loose, and they’re only getting more active. They are actively seeking your organization’s credentials to gain access to your crucial and sensitive data. According to CyberArk:

  • The No. 1 risk area cited by respondents was “credential access” with 40%.
  • More than 70% of respondent organizations experienced ransomware attacks in 2021.
  • The average employee has over 30 digital identities* per organization.
  • 68% of nonpersons or machines have access to sensitive data and assets.

Security professionals agree that many organizations are now in “cybersecurity debt”: The investments in proven security solutions are not keeping pace “with organizations’ investments focused on driving business operations and growth.” In a research report from SailPoint Technologies, surveying 300 global cybersecurity executives:

  • 43% of all identities within the average organization are machine identities.
  • 31% of all identities within the organization are customer identities.
  • With the remaining balance of only 16% of all identities within the organization belonging to employees.

The need for your organization to control user access to critical data is significant. Further, because of the growing external (e.g. regulatory compliance, laws, etc.) and internal (e.g. board of directors, shareholders, etc.) pressures, your organization can no longer afford to depend on manual and/or error-prone processes. Commensurately, choosing which IAM solution is best for your organization can be daunting, but there is an effective method of helping your team make those crucial decisions.

What Is an IAM Assessment?

Before you take action, deploy precious resources and burn irrecoverable time … develop a plan. A comprehensive IAM assessment will help you do just that. It analyzes your current state of identity and access management, where your strengths and weaknesses lie, and equally importantly, it helps you create an IAM game plan for making your organization’s IAM strong.

A strong IAM assessment will clearly define and prove who, what, where, when and how variables about your identity and access management:


Up until recently, “users” used to mean only people. Now, that’s clearly not the case. “Who” can mean a human being or an Internet of Things (IoT) device or application or mobile phone, etc. A strong IAM assessment will track and document all network users, human or not, and which systems they can access — as well as their privileged access levels.


This segment of the assessment examines and documents your assets and user behavioral patterns. It will consider compliance requirements, existing cybersecurity architecture and, of course, current IAM procedures. Any deficiencies and vulnerabilities are only noted and documented at this stage.


Since the COVID-19 pandemic, remote access has grown exponentially. According to McKinsey & Company research:

  • 58% of Americans reported having the opportunity to work from home at least one day a week.
  • 35% of respondents reported having the option to work from home five days a week.

Increasingly, remote work is a catalyst for robust IAM and periodic IAM assessments. Moreover, with the growing traffic from disparate places from potentially around the world, the need for determining “friend or foe” locations is more critical than ever. This stage will track, document and analyze where identities are located and ensure proper IAM protocols.


Although many organizations tend to have a standardized work period on any given day, certain users may operate outside of those times. Further, establishing a behavioral pattern for each user can help identify harmless anomalies from harmful ones. For example, if an authorized user normally logs in between 7 a.m. and 8 a.m. Eastern, then access patterns can be derived from location data and login time. Therefore, any deviation from this normal behavior pattern could be flagged and registered as a potentially harmful anomaly.


Your entire IAM assessment builds up to this stage. This is “how” your team takes what they’ve learned and transforms it into an actionable and achievable road map to IAM success. This stage will involve recommending upgrades and overhauls and aligning them with compliance requirements as well as business goals.

An IAM Assessment Is a Competitive Advantage

An IAM assessment is not just one more project to take on. Custom-crafted IAM assessments generate competitive advantages by implementing IAM tools and benefits from identified best practices. IAM assessments help your organization establish greater control of your user access — mitigating the overall risk of external and internal security breaches. Ultimately, well-executed IAM assessments lead to more effective organization-wide collaboration, more efficient productivity and reduced operating expenses. Work with a trusted strategic partner to schedule your custom IAM assessment.

Still have IAM assessment questions?

We have answers: contact The Migus Group today.

Marty Aquino has been a passionate writer on venture capital, technology, forecasting, risk mitigation, wealth and entrepreneurial topics since 2009. He is the founder of Carbonwolf Energy, a venture capital firm specializing in world-changing and status-quo-defying technologies and people.