Gartner Blog Network

IAM: To Control, Observe, and Inform

by Earl Perkins  |  March 24, 2011

When organizations are deep into an identity and access management initiative, it is difficult to stay focused on the fundamentals of why you started such an effort in the first place. IAM can be a lot of things to a lot of people. Some of those things can be relatively simple, and the solutions to them simple as well. Unfortunately, most IAM needs are not simple. But how does an organization maintain focus day after day, month after month, as an IAM program progresses? How does a leader keep an IAM initiative oriented to its strategic goals?

When I think about the reasons for IAM’s existence, there are 3 words that keep coming to my mind: control, observe, and inform. Let me tell you what I think they mean in the context of IAM.

Control: from the time I first started looking at IAM as an analyst, a large part of the technology, process, and skill sets involved the control of access to networks, platforms, applications, data, and services. This concept of control is integral to IAM, and is the original reason why IAM first started looking like a discipline rather than just a loose collection of technologies to address tactical needs. Whether it is controlling access, controlling the creation and life cycle of identities, or controlling privacy (primarily through controlling access), deploying and managing access control is fundamental to your IAM project.

Observe: to control access or anything else in IAM, you have to know what is going on. You have to collect information about the control event itself, logging information about it for later analysis and use. You have to observe the changes in identity data that occur as day-to-day administration touches the data, monitoring process and workflow to ensure timely completion of IAM activities. In IAM, logging and monitoring are key functions in enabling observation.

Inform: it isn’t enough only to collect information through and for observation; you have to use that information. In IAM, compliance with policy and regulation requires that reporting be provided from the control and observation of identities and access. It is necessary to inform key stakeholders and participants in IAM about exactly what is happening, whether the purpose is to improve the IAM process itself, or to inform the business with key identity-indexed knowledge to make good decisions.

Control, observe, and inform. Keep these themes in mind when you’re striving to create an optimum IAM experience in your organization. That way you will be able to see the entire forest, rather than just the trees.



Earl Perkins is a research vice president in the Security and Privacy team at Gartner. His focus areas include identity and access management (IAM), including user provisioning, role life cycle management…
