In our new Roadmap Report Identity Management and GRC 2009, available from Oct 13th 2008, we describe the structured evolution of Identity Management and GRC infrastructures across multiple maturity levels, from basic, administration-focused deployments towards business- and service-oriented implementations.

Within this guideline, I personally think that one of the blocks is particularly interesting. It is about "Identities" (covering the concepts behind and their storage) and moving forward to a business-controlled IAM. What we have in mind there is in fact the integration of Identity Management with the applications which deal with some of the core business objects - like employees, customers, or suppliers.

These objects play a central role within the business applications. And they are identities. Thus, it is obvious that identity management concepts and technologies can provide value in providing a consistent, integrated view on these business objects. From the perspective of business systems, we probably won't use the term identity management. But we will use it.

In the light of such an approach, it becomes clear as well why vendors like SAP, Oracle, and Microsoft are heavily investing in identity management. In approaches where we business objects are managed and used in service-oriented applications, the consistency of these objects is a core requirement. The vendors which provide application infrastructures and business applications thus require identity management technologies. You can, for example, expect NetWeaver Identity Management thus to play a vital role in SAP's Enterprise SOA approach, with a much tighter integration than you might expect today.

That integration is consistent with the overall tendency of IAM moving from an administrative technology to the business-level, with the application integration and business support mentioned as well as with GRC (and, in consequence, business roles and rules) as control infrastructure above today's more or less technical provisioning solutions.