This morning, I had two conversations on the question about who should be in charge of IAM in an organization. Afterwards, I run through my records and did some analysis. The main question: Which role do the IAM and GRC responsibles have in their organizations? I for sure only did a sample and asked myself the question how I'd rate what they were doing.

First of all: There are many good IAM implementations driven by IT administration or IT infrastructure. But, interestingly, the most advanced implementations, with a scope beyond administrative IAM, are usually driven by others - Compliance officers and GRC departments, CIO offices, CISOs, and others. Anyhow, an administrative project might have as well a strong strategic background if done correctly.

What is much more important is that there are approaches which are likely to lead to solutions with a too limited scope, especially in these days of increasing GRC requirements. Amongst these are

  • Projects with a strong IT service focus: IAM and GRC go well beyond IT operations and the automation of service desk requests. Business control, the implementation of business roles and rules, and new business models which integrate external users and make use for example out of the technologies of user-centric Identity Management might not be considered in a sufficient way. Not to talk about application security concepts.
  • Projects with a strong security focus: Yes, IAM and GRC can improve security. But they are not only about security, but as well about business control and, in general, Business/IT alignment.
My expectation is that GRC platforms will become the business control layer for IAM, like mentioned in our new reports "IAM and GRC roadmap 2009" and "Trend report IAM & GRC 2009", both available at

In that context, the responsibility for at least the IAM strategy has to be at a level with a holistic view, e.g. the GRC responsibles like a Chief Risk/Compliance Officer or the CIO. The execution of different parts, in alignment with that overall strategy, will than be for example at the IT operations department. But, if the question is "who should be in charge of IAM?", the answer clearly is that it has to be someone who has a broader view on IT. IAM is tightly connected to BSM. It is tightly coupled to GRC. And there are no secure applications and business processes if the relation between application architectures and IAM isn't fully understood.