Even while ITIL v3 integrates a little bit of access management, the siloes of ITIL, IAM, and GRC are well isolated in most organizations. On the other hand, and approach which understands Identity as a Services is mandatory. These services should be defined using the methodologies of ITIL and, if applicable, follow the defined ITIL best practices. Beyond that, the definition of any Application Security Infrastructure requires the definition of services. ITIL and its methodologies can support there as well, in defining services for the interface between the IAM and the SOA silo.
Most of today’s GRC platforms focus on IAM aspects, mainly access control. Attestation capabilities are focused on the access controls, authorization management is as well, as are the SoD rules. But there is more in GRC. “Classical” security aspects including the management of security events, business continuity, license compliance, and so on – all these areas have to be covered from a Governance, Risk Management, and Compliance perspective. There is no doubt about the central role IAM related issues have. Anyhow, it is time to discuss the question whether future GRC platforms shouldn’t go beyond IAM and include ITSM/BSM (IT/Business Service Management) and thus all the things covered by ITIL, SIEM (Security Incident and Event Management), and more.