When does Identity Risk become material to the business? How do we know when such risks become realized? Where do IT GRC controls appear in a multi-level risk strategy? These are some of the questions that large organizations are starting to ask. We present some answers for debate on this topic.