<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Newsletter Archives - IDPro</title>
	<atom:link href="https://idpro.org/category/newsletter/feed/" rel="self" type="application/rss+xml" />
	<link>https://idpro.org/category/newsletter/</link>
	<description>The Professional Organization for Digital Identity Management</description>
	<lastBuildDate>Mon, 29 Jun 2026 23:11:12 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://idpro.org/wp-content/uploads/2023/07/cropped-idpro_stickerA-circle-100-32x32.jpg</url>
	<title>Newsletter Archives - IDPro</title>
	<link>https://idpro.org/category/newsletter/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>A Landscape of Incompatible Approaches</title>
		<link>https://idpro.org/incompatible-approaches-to-iam-maturity/</link>
		
		<dc:creator><![CDATA[Elizabeth Garber]]></dc:creator>
		<pubDate>Mon, 29 Jun 2026 23:11:11 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Newsletter]]></category>
		<category><![CDATA[iam]]></category>
		<category><![CDATA[iam maturity]]></category>
		<category><![CDATA[identity and access management]]></category>
		<category><![CDATA[measurement]]></category>
		<guid isPermaLink="false">https://idpro.org/?p=3059</guid>

					<description><![CDATA[<p>Several maturity frameworks exist in the IAM space. The problem is not that they are unavailable. It is that they are incompatible with each other.</p>
<p>The post <a href="https://idpro.org/incompatible-approaches-to-iam-maturity/">A Landscape of Incompatible Approaches</a> appeared first on <a href="https://idpro.org">IDPro</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph"><strong>NEWSLETTER SERIES: WE STILL DON&#8217;T HAVE A STANDARD WAY TO MEASURE IAM MATURITY</strong></p>



<p class="wp-block-paragraph">Part 2 of 3</p>



<p class="wp-block-paragraph">By Vidyaa Ganesh</p>



<p class="wp-block-paragraph"><em><em>This is Part 2 of a three-part series on IAM maturity measurement. Part 1 reviewed the published research showing that 60-70% of organizations remain at early-to-mid stages of IAM maturity. This installment examines the frameworks currently available and the structural reasons no standard has emerged.</em></em></p>



<p class="wp-block-paragraph">If 60% to 70% of organizations are stuck at early-to-mid stages of IAM maturity, as five independent research sources consistently show, a natural question follows: why can&#8217;t they measure and track their way out? The answer is not that frameworks are absent. Several exist. The answer is that they are incompatible with each other and, in most cases, not designed for cross-organizational comparison.</p>



<h2 class="wp-block-heading"><strong>CMMI and General-Purpose Maturity Models</strong></h2>



<p class="wp-block-paragraph">The Capability Maturity Model Integration, now maintained by ISACA, provides a well-established framework for assessing process maturity across domains. Its five-level structure (Initial, Managed, Defined, Quantitatively Managed, Optimizing) has been widely adopted outside its original software engineering context. CMMI&#8217;s staged representation introduces an important concept: lower-level capabilities must be satisfied before higher levels can be claimed. An organization cannot skip foundational process areas and still achieve a high maturity rating.</p>



<p class="wp-block-paragraph">CMMI&#8217;s limitation for IAM is that it is domain-agnostic. It provides structure and principles, but it does not define what IAM-specific capabilities should be measured, how they should be weighted, or what constitutes a reasonable benchmark for a given industry.</p>



<h2 class="wp-block-heading"><strong>Gartner IAM Program Maturity Model</strong></h2>



<p class="wp-block-paragraph">Gartner&#8217;s IAM Program Maturity Model, published in September 2025, defines six dimensions of IAM maturity across five levels. It is perhaps the most authoritative vendor-neutral reference available, and its dimension structure (covering governance, identity lifecycle, access management, privileged access, and related areas) reflects a comprehensive view of what IAM programs should include.</p>



<p class="wp-block-paragraph">However, the model is paywalled, which limits its utility as a shared community standard. It also does not publish empirical benchmark data showing where organizations in specific industries typically fall on its scale. Without that benchmark layer, an organization can assess itself against the model&#8217;s definitions but has no way to know how it compares to its peers.</p>



<h2 class="wp-block-heading"><strong>SailPoint Horizons Framework</strong></h2>



<p class="wp-block-paragraph">SailPoint&#8217;s Horizons framework is notable because it publishes actual empirical data. The five-horizon model is based on annual surveys, uses a clustering algorithm to assign organizations to maturity levels, and breaks results out by industry, geography, and organizational size. It also explicitly incorporates the concept of capability prerequisites: to be placed in a given horizon, an organization&#8217;s capabilities must cover most environments and identity types.</p>



<p class="wp-block-paragraph">The limitation is that SailPoint is a vendor with commercial interests in the identity governance space. While the research methodology appears sound, a vendor-published framework will always face questions about objectivity, particularly when the recommended path to higher maturity runs through capabilities that the vendor sells.</p>



<h2 class="wp-block-heading"><strong>CISA Zero Trust Maturity Model</strong></h2>



<p class="wp-block-paragraph">The Cybersecurity and Infrastructure Security Agency published a Zero Trust Maturity Model that includes an identity pillar with explicit maturity levels. It is publicly available and government-backed, which gives it credibility. The model explicitly states dependencies between pillars: identity capabilities must be established before device trust or network trust can be meaningful.</p>



<p class="wp-block-paragraph">The model is scoped to zero trust architecture, not IAM broadly. It does not cover domains like identity governance and administration, customer identity, or the operational and organizational dimensions of an IAM program. It is useful as a reference but incomplete as a general-purpose IAM maturity standard.</p>



<h2 class="wp-block-heading"><strong>Vendor-Specific Models</strong></h2>



<p class="wp-block-paragraph">Several vendors have published maturity models specific to their market segment. Okta published a four-stage CIAM maturity curve (Basic, Automated, Intelligent, Continuous). Auth0, now part of Okta, published an Identity Maturity Framework with six assessment dimensions. WSO2 published a five-level CIAM maturity model.</p>



<p class="wp-block-paragraph">These models are useful for understanding capability progression within a specific domain, but they share a common limitation: none publishes empirical data about where organizations actually fall on their respective scales. They define the levels but do not populate them with benchmark data.</p>



<h2 class="wp-block-heading"><strong>The Comparability Problem</strong></h2>



<p class="wp-block-paragraph">The fundamental issue is not that frameworks are absent. It is that they are mutually incompatible. An organization assessed using SailPoint&#8217;s five-horizon model cannot compare its results to one assessed using Bravura&#8217;s four-level model or Gartner&#8217;s six-dimension framework. The scales differ, the dimensions differ, the weighting logic (where it exists) differs, and the definitions of what constitutes each level differ.</p>



<p class="wp-block-paragraph">For IAM practitioners, this means that changing consultants often means starting the measurement process from scratch. For CISOs reporting to boards, it means that year-over-year comparisons are only valid if the same assessment approach is used each time. For the industry as a whole, it means there is no aggregate data pool that could raise the bar for everyone.</p>



<p class="wp-block-paragraph"><strong>Table 2. </strong><em>Comparison of existing IAM maturity frameworks</em></p>



<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th><strong>Framework</strong></th><th><strong>Scale</strong></th><th><strong>Empirical Data?</strong></th><th><strong>Vendor-Neutral?</strong></th><th><strong>Cross-Org Comparable?</strong></th></tr></thead><tbody><tr><td>CMMI</td><td>5 levels</td><td>N/A (domain-agnostic)</td><td>Yes</td><td>Within CMMI adopters</td></tr><tr><td>Gartner IAM Maturity</td><td>6 dim, 5 levels</td><td>No (paywalled)</td><td>Yes</td><td>No public benchmarks</td></tr><tr><td>SailPoint Horizons</td><td>5 horizons</td><td>Yes (375 respondents)</td><td>No (vendor)</td><td>Within SailPoint data</td></tr><tr><td>CISA ZT Maturity</td><td>4 levels, 5 pillars</td><td>No</td><td>Yes</td><td>No benchmarks</td></tr><tr><td>Okta CIAM Curve</td><td>4 stages</td><td>No</td><td>No</td><td>No</td></tr><tr><td>Auth0 IMF</td><td>6 dimensions</td><td>No</td><td>No</td><td>No</td></tr></tbody></table></figure>



<h2 class="wp-block-heading"><strong>Why No Standard Has Emerged</strong></h2>



<p class="wp-block-paragraph">Given the clear need for standardized measurement, it is reasonable to ask why one does not already exist. Several structural factors have worked against the emergence of a shared standard.</p>



<p class="wp-block-paragraph"><strong>Vendor incentives cut against standardization. </strong>Identity vendors benefit from publishing their own maturity models because it frames the conversation in terms of their product capabilities. A vendor&#8217;s maturity model will, almost by definition, position the vendor&#8217;s strongest features as markers of advanced maturity. This creates a structural incentive against converging on a shared, vendor-neutral standard.</p>



<p class="wp-block-paragraph"><strong>IAM spans too many domains. </strong>IAM encompasses identity governance and administration, privileged access management, workforce authentication, customer identity, cloud identity, identity threat detection, and governance and strategy. Each has its own maturity curve, vendor landscape, and regulatory drivers. Building a single model that meaningfully covers all of them requires significant domain expertise and difficult weighting decisions.</p>



<p class="wp-block-paragraph"><strong>No governing body has taken ownership. </strong>Unlike financial accounting (which has GAAP and IFRS) or software process maturity (which has CMMI), identity management does not have a single governing body that has taken responsibility for defining and maintaining a measurement standard. Organizations like IDPro, IDSA, NIST, and ISACA each contribute pieces of the puzzle, but none has published a comprehensive, empirically-grounded IAM maturity standard.</p>



<p class="wp-block-paragraph"><strong>Measurement requires difficult methodological choices. </strong>How should domains be weighted against each other? Should privileged access management carry more weight than governance? How do you handle the scenario where an organization scores highly in advanced areas but has gaps in foundational controls? These are not trivial questions, and without empirical data to validate different approaches, any methodology choice can be challenged.</p>



<p class="wp-block-paragraph"><strong>The CIAM measurement gap. </strong>While workforce IAM has at least some benchmark data available, the CIAM space has essentially none. Gartner&#8217;s 2025 research found that over 50% of organizations still use homegrown or no CIAM solution at all. Multiple vendors have published CIAM maturity models, but none has published empirical data about where organizations actually fall on those models.</p>



<p class="wp-block-paragraph"><strong>Endnotes</strong></p>



<p class="wp-block-paragraph">9. ISACA, CMMI Version 3.0 (CMMI Institute/ISACA, 2023).</p>



<p class="wp-block-paragraph">10. Gartner, Inc., Identity and Access Management Program Maturity Model (September 2025), Document ID: 1203314.</p>



<p class="wp-block-paragraph">11. SailPoint, Horizons 2025-2026, Appendix, p. 44.</p>



<p class="wp-block-paragraph">12. Cybersecurity and Infrastructure Security Agency, Zero Trust Maturity Model (CISA, 2023).</p>



<p class="wp-block-paragraph">13. Okta, Inc., From Zero to Hero: The Path to CIAM Maturity (Okta eBook).</p>



<p class="wp-block-paragraph">14. Auth0/Okta, Auth0 Identity Maturity Framework (IMF) (Auth0, 2021).</p>



<p class="wp-block-paragraph">15. WSO2, A Maturity Model for Customer IAM (WSO2 Blog).</p>



<p class="wp-block-paragraph">16. Gartner, Inc., Innovation Insight for Customer and Partner IAM (April 2025).<br><br></p>



<p class="wp-block-paragraph"><strong>NEXT IN THIS SERIES</strong></p>



<p class="wp-block-paragraph"><strong>Part 3: What Good Measurement Looks Like</strong></p>



<p class="wp-block-paragraph"><em>If the IAM community is going to move toward standardized measurement, what would a credible framework need to include? Seven design principles, the open questions that remain, and a call to action.</em></p>



<h2 class="wp-block-heading"><br><br>About the Author</h2>



<div class="wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex">
<div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow" style="flex-basis:100%">
<figure class="wp-block-image size-full is-resized"><img fetchpriority="high" decoding="async" width="400" height="400" src="https://idpro.org/wp-content/uploads/2026/05/image-3.png" alt="" class="wp-image-3037" style="width:361px;height:auto" srcset="https://idpro.org/wp-content/uploads/2026/05/image-3.png 400w, https://idpro.org/wp-content/uploads/2026/05/image-3-300x300.png 300w, https://idpro.org/wp-content/uploads/2026/05/image-3-150x150.png 150w, https://idpro.org/wp-content/uploads/2026/05/image-3-320x320.png 320w" sizes="(max-width: 400px) 100vw, 400px" /></figure>
</div>
</div>



<p class="wp-block-paragraph">Vidyaa Ganesh is a Senior IAM Engineer and a solutions architect with over six years of experience delivering identity governance programs for financial services, energy, telecommunications, and public sector clients. She holds a Master of Engineering from Concordia University, is a member of IDPro, and is the creator of AXIS (axis.identara.ca), an open IAM maturity assessment framework.</p>



<p class="wp-block-paragraph"></p>



<figure class="wp-block-gallery has-nested-images columns-2 is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex">
<figure class="wp-block-image size-large"><img decoding="async" width="346" height="350" data-id="2898" src="https://idpro.org/wp-content/uploads/2025/11/image-2.png" alt="" class="wp-image-2898" srcset="https://idpro.org/wp-content/uploads/2025/11/image-2.png 346w, https://idpro.org/wp-content/uploads/2025/11/image-2-297x300.png 297w" sizes="(max-width: 346px) 100vw, 346px" /></figure>



<figure class="wp-block-image size-full"><img decoding="async" width="600" height="600" data-id="2390" src="https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author.png" alt="" class="wp-image-2390" srcset="https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author.png 600w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author-300x300.png 300w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author-150x150.png 150w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author-320x320.png 320w" sizes="(max-width: 600px) 100vw, 600px" /></figure>
</figure>



<p class="wp-block-paragraph"></p>
<p>The post <a href="https://idpro.org/incompatible-approaches-to-iam-maturity/">A Landscape of Incompatible Approaches</a> appeared first on <a href="https://idpro.org">IDPro</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Measurement Problem</title>
		<link>https://idpro.org/the-measurement-problem/</link>
		
		<dc:creator><![CDATA[Elizabeth Garber]]></dc:creator>
		<pubDate>Sun, 31 May 2026 02:56:07 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Newsletter]]></category>
		<category><![CDATA[iam]]></category>
		<category><![CDATA[iam maturity]]></category>
		<category><![CDATA[identity and access management]]></category>
		<category><![CDATA[measurement]]></category>
		<guid isPermaLink="false">https://idpro.org/?p=3033</guid>

					<description><![CDATA[<p>Five independent sources, 2,000+ respondents, one conclusion: most organizations cannot measure their IAM maturity. And that is a problem.</p>
<p>The post <a href="https://idpro.org/the-measurement-problem/">The Measurement Problem</a> appeared first on <a href="https://idpro.org">IDPro</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph"><strong>NEWSLETTER SERIES: WE STILL DON&#8217;T HAVE A STANDARD WAY TO MEASURE IAM MATURITY</strong></p>



<p class="wp-block-paragraph">Part 1 of 3</p>



<p class="wp-block-paragraph">By Vidyaa Ganesh</p>



<p class="wp-block-paragraph"><em>Five independent sources, 2,000+ respondents, one conclusion: most organizations cannot measure their IAM maturity. And that is a problem.</em></p>



<p class="wp-block-paragraph">Identity and access management has become one of the most consequential areas of enterprise security. The IDSA&#8217;s 2024 survey of 521 security professionals found that 90% of organizations experienced at least one identity-related security incident in the prior 12 months, with 84% reporting direct business impact. IBM&#8217;s 2025 Cost of a Data Breach report, based on 600 organizations and over 3,400 interviews, puts the global average breach cost at $4.88 million, with compromised credentials remaining the most common initial attack vector.</p>



<p class="wp-block-paragraph">These numbers create obvious pressure for organizations to invest in IAM. And they are investing. But a harder question follows: how do you know whether your IAM program is actually working? How do you measure where you stand relative to your industry, track improvement over time, or communicate your posture to a board of directors in terms that hold up to scrutiny?</p>



<p class="wp-block-paragraph">The honest answer, as of early 2026, is that most organizations cannot do any of these things reliably. There is no widely accepted, vendor-neutral framework for measuring IAM maturity. What exists instead is a patchwork of vendor-specific models, consultant-developed scorecards, and ad hoc approaches that vary from one engagement to the next. The measurements produced by these approaches cannot be compared across organizations, across time, or even across different consultants assessing the same organization.</p>



<p class="wp-block-paragraph">This is the first installment in a three-part series examining this problem. In this piece, we look at what the published research actually says about where organizations stand. In Part 2, we survey the frameworks currently in use and analyze why no standard has emerged. In Part 3, we propose design principles that a credible, community-adopted standard would need to follow.</p>



<h2 class="wp-block-heading"><strong>What Published Research Tells Us</strong></h2>



<p class="wp-block-paragraph">Before discussing what a standard should look like, it is worth understanding what the data actually says about where organizations stand. Several independent research efforts have attempted to measure IAM maturity across large populations, and their findings tell a remarkably consistent story.</p>



<h2 class="wp-block-heading"><strong>SailPoint Horizons of Identity Security (2025-2026)</strong></h2>



<p class="wp-block-paragraph">SailPoint&#8217;s annual Horizons research surveyed 375 IAM decision-makers across North America, Europe, Asia, and Latin America. The study evaluates organizations across four enablement areas (strategy, technology and tools, operating model, and talent) covering 60 IAM capabilities, then assigns each organization to one of five maturity horizons using a clustering algorithm.</p>



<p class="wp-block-paragraph">The headline finding is striking: over 40% of organizations remain at Horizon 1, the lowest maturity level. These are organizations where identity is not a strategic focus, capabilities are highly immature, and there is no centralized operating model for managing identities across the organization. When you include Horizon 2, the number climbs to roughly 63% of organizations stuck at the bottom two tiers.</p>



<p class="wp-block-paragraph">Industry breakdowns reveal meaningful variation. In financial services, 34% are at Horizon 1, with 13% reaching Horizon 4 or above. In technology, the distribution is bimodal: 46% at Horizon 1, but 15% at Horizon 4 or higher, reflecting a split between early-stage companies with minimal IAM investment and mature enterprises with sophisticated programs.</p>



<h2 class="wp-block-heading"><strong>Ponemon Institute and GuidePoint Security (2025)</strong></h2>



<p class="wp-block-paragraph">The Ponemon Institute, in partnership with GuidePoint Security, surveyed 626 IT professionals on the state of IAM maturity in 2025. On a 10-point effectiveness scale, only 50% of respondents rated their IAM tools as effective (scoring 7 or higher). Just 23% qualified as high performers, rating their effectiveness at 9 or 10.</p>



<p class="wp-block-paragraph">The study also found that 50% of organizations experienced an identity-related incident in the prior 12 months. Even among high performers, 39% still experienced incidents, compared to 58% for others. Manual processes remain dominant: 34% of organizations still use spreadsheets for access reviews, and only 17% use an identity governance platform for this purpose.</p>



<h2 class="wp-block-heading"><strong>IDSA Trends in Identity Security (2024)</strong></h2>



<p class="wp-block-paragraph">The Identity Defined Security Alliance surveyed 521 qualified security professionals at organizations with 1,000 or more employees. The findings reinforce the pattern: 90% experienced an identity-related incident, 84% reported direct business impact, and 91% invoked their incident response plans for identity-related events.</p>



<p class="wp-block-paragraph">When asked to self-assess their maturity, only 8% of respondents placed their organization at the highest level. The majority clustered in the middle tiers, suggesting widespread acknowledgment that current capabilities are insufficient.</p>



<h2 class="wp-block-heading"><strong>Other Sources</strong></h2>



<p class="wp-block-paragraph">Bravura Security, in partnership with Gartner Peer Insights, conducted a smaller study of 100 IT leaders across North America and EMEA using a four-level maturity scale. Their finding: the average organization falls between levels 2 and 3 on a four-point scale, consistent with the other sources.</p>



<p class="wp-block-paragraph">Simeio&#8217;s State of Identity research, covering 80 measures across industries, found a cross-industry average maturity of 2.4 on a five-point scale. Financial services scored highest at approximately 2.6, with healthcare and public sector trailing.</p>



<h2 class="wp-block-heading"><strong>What the Data Tells Us</strong></h2>



<p class="wp-block-paragraph">Five independent research efforts, using different scales, different sample sizes, and different methodologies, converge on the same conclusion: the majority of organizations, somewhere between 60% and 70%, remain at early-to-mid stages of IAM maturity. The consistency across sources is significant. This is not one vendor telling a convenient story. It is a pattern that holds up regardless of who is asking the question or how they frame it.</p>



<p class="wp-block-paragraph"><strong>Table 1. </strong><em>Cross-source validation of IAM maturity findings</em></p>



<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th><strong>Source</strong></th><th><strong>Sample Size</strong></th><th><strong>Scale</strong></th><th><strong>Key Finding</strong></th></tr></thead><tbody><tr><td>SailPoint Horizons 2025-2026</td><td>375</td><td>5-horizon</td><td>63% at Horizons 1-2</td></tr><tr><td>Ponemon/GuidePoint 2025</td><td>626</td><td>10-point</td><td>50% rate tools effective; 23% high performers</td></tr><tr><td>IDSA 2024</td><td>521</td><td>5-level self-assessment</td><td>90% had incidents; 8% at highest maturity</td></tr><tr><td>Bravura/Gartner 2024</td><td>100</td><td>4-level</td><td>Average between levels 2-3</td></tr><tr><td>Simeio (Kaleru 2025)</td><td>80 measures</td><td>5-point</td><td>Cross-industry average: 2.4</td></tr></tbody></table></figure>



<p class="wp-block-paragraph"><strong>NEXT IN THIS SERIES</strong></p>



<p class="wp-block-paragraph"><strong>Part 2: A Landscape of Incompatible Approaches</strong></p>



<p class="wp-block-paragraph"><em>Several maturity frameworks exist in the IAM space. Each offers something useful. None has achieved the status of a shared standard. We examine why.</em></p>



<p class="wp-block-paragraph"><strong>Endnotes</strong></p>



<p class="wp-block-paragraph">1. Identity Defined Security Alliance, 2024 Trends in Securing Digital Identities (IDSA, 2024), 521 respondents.</p>



<p class="wp-block-paragraph">2. IBM Security, Cost of a Data Breach Report 2025 (Ponemon Institute Research, 2025), 600 organizations, 3,470 interviews.</p>



<p class="wp-block-paragraph">3. SailPoint Technologies, The Horizons of Identity Security 2025-2026 (SailPoint, July 2025), 375 IAM decision-makers.</p>



<p class="wp-block-paragraph">4. SailPoint, Horizons 2025-2026, Exhibit 7, p. 15.</p>



<p class="wp-block-paragraph">5. Ponemon Institute and GuidePoint Security, The State of Identity and Access Management (IAM) Maturity (May 2025), 626 IT professionals.</p>



<p class="wp-block-paragraph">6. Identity Defined Security Alliance, 2024 Trends in Securing Digital Identities (IDSA, 2024).</p>



<p class="wp-block-paragraph">7. Bravura Security and Gartner Peer Insights, IAM &amp; PAM Maturity Survey (Bravura Security, 2024), 100 IT leaders.</p>



<p class="wp-block-paragraph">8. Simeio, State of Identity 2024 (Simeio Solutions, 2024).<br><br><em>Disclaimer: The views expressed in the content are solely those of the author and do not necessarily reflect the views of the IDPro organization.</em></p>



<h2 class="wp-block-heading"><br><br>About the Author</h2>



<div class="wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex">
<div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow" style="flex-basis:100%">
<figure class="wp-block-image size-full is-resized"><img loading="lazy" decoding="async" width="400" height="400" src="https://idpro.org/wp-content/uploads/2026/05/image-3.png" alt="" class="wp-image-3037" style="width:361px;height:auto" srcset="https://idpro.org/wp-content/uploads/2026/05/image-3.png 400w, https://idpro.org/wp-content/uploads/2026/05/image-3-300x300.png 300w, https://idpro.org/wp-content/uploads/2026/05/image-3-150x150.png 150w, https://idpro.org/wp-content/uploads/2026/05/image-3-320x320.png 320w" sizes="auto, (max-width: 400px) 100vw, 400px" /></figure>
</div>
</div>



<p class="wp-block-paragraph">Vidyaa Ganesh is a Senior IAM Engineer and a solutions architect with over six years of experience delivering identity governance programs for financial services, energy, telecommunications, and public sector clients. She holds a Master of Engineering from Concordia University, is a member of IDPro, and is the creator of AXIS (axis.identara.ca), an open IAM maturity assessment framework.</p>



<p class="wp-block-paragraph"></p>



<figure class="wp-block-gallery has-nested-images columns-2 is-cropped wp-block-gallery-2 is-layout-flex wp-block-gallery-is-layout-flex">
<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="346" height="350" data-id="2898" src="https://idpro.org/wp-content/uploads/2025/11/image-2.png" alt="" class="wp-image-2898" srcset="https://idpro.org/wp-content/uploads/2025/11/image-2.png 346w, https://idpro.org/wp-content/uploads/2025/11/image-2-297x300.png 297w" sizes="auto, (max-width: 346px) 100vw, 346px" /></figure>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="600" height="600" data-id="2390" src="https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author.png" alt="" class="wp-image-2390" srcset="https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author.png 600w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author-300x300.png 300w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author-150x150.png 150w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author-320x320.png 320w" sizes="auto, (max-width: 600px) 100vw, 600px" /></figure>
</figure>



<p class="wp-block-paragraph"></p>
<p>The post <a href="https://idpro.org/the-measurement-problem/">The Measurement Problem</a> appeared first on <a href="https://idpro.org">IDPro</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Most Regulatory Frameworks are Built on Top of Graves</title>
		<link>https://idpro.org/most-regulatory-frameworks-are-built-on-top-of-graves/</link>
		
		<dc:creator><![CDATA[Elizabeth Garber]]></dc:creator>
		<pubDate>Sun, 31 May 2026 00:07:48 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Newsletter]]></category>
		<category><![CDATA[iam]]></category>
		<category><![CDATA[identity and access management]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulatory framework]]></category>
		<guid isPermaLink="false">https://idpro.org/?p=3034</guid>

					<description><![CDATA[<p>Every major regulatory framework you work against was written in response to something that already went wrong. Not hypothetically wrong. Catastrophically, publicly, irreversibly wrong. We don’t build policy proactively in this industry; we build it reactively, after the damage has been done and the headlines have forced someone’s hand.</p>
<p>The post <a href="https://idpro.org/most-regulatory-frameworks-are-built-on-top-of-graves/">Most Regulatory Frameworks are Built on Top of Graves</a> appeared first on <a href="https://idpro.org">IDPro</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph"><strong>Author:</strong> Nishad Sankaranarayanan </p>



<p class="wp-block-paragraph"><strong>Role:</strong> Cybersecurity Executive | “Identity-First” Security Leader </p>



<p class="wp-block-paragraph"><em>What IAM practitioners need to understand about the human cost hiding inside your compliance checklist…</em></p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h2 class="wp-block-heading">The Pattern Nobody Talks About Out Loud</h2>



<p class="wp-block-paragraph">Every major regulatory framework you work against was written in response to something that already went wrong. Not hypothetically wrong. Catastrophically, publicly, irreversibly wrong. We don’t build policy proactively in this industry; we build it reactively, after the damage has been done and the headlines have forced someone’s hand.</p>



<p class="wp-block-paragraph">Think about what’s sitting underneath the frameworks you navigate daily.</p>



<ul class="wp-block-list">
<li><strong>HIPAA</strong> didn’t emerge from healthcare executives deciding patient data deserved protection. It emerged from a landscape of rampant insurance fraud, discriminatory data practices, and medical record abuses that left real people with real consequences &#8211; lost jobs, denied coverage, destroyed privacy. The law was the cleanup crew, not the prevention.</li>



<li><strong>SOX</strong> didn’t come from auditors deciding financial controls needed tightening. It came after Enron and WorldCom vaporized billions in investor value and shredded retirement accounts for thousands of ordinary people who trusted the numbers they were shown. The Act is a forensic document masquerading as a compliance framework.</li>



<li><strong>GDPR</strong> wasn’t a vision for a privacy-respecting digital future. It was a regulatory response to years of data harvesting, unconsented profiling, and cross-border data abuses that regulators finally couldn’t ignore after Facebook’s Cambridge Analytica exposure became impossible to contain politically.</li>



<li><strong>The Amber Alert system</strong> is named after Amber Hagerman, a nine-year-old murdered in Arlington, Texas in 1996. The system that now protects children didn’t exist until a child was killed and her community demanded something change.</li>



<li><strong>PCI-DSS</strong> exists because card fraud became so pervasive and so costly to the financial ecosystem that the major card networks had no choice but to mandate baseline controls across every merchant touching card data. The standard didn’t anticipate the breach, it was written after thousands of them.</li>
</ul>



<p class="wp-block-paragraph">This is the pattern. Harm occurs. Harm scales. Harm becomes undeniable. Regulation follows. And then we all inherit the compliance framework and treat it like it arrived from nowhere, like it was always just the way things were.</p>



<p class="wp-block-paragraph">It didn’t arrive from nowhere. It arrived from graves.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h2 class="wp-block-heading">IAM Is No Different &#8211; Here Are the Breaches That Wrote Your Policies</h2>



<p class="wp-block-paragraph">The identity space follows the same pattern exactly. The controls we build and enforce today weren’t invented in a vacuum by forward-thinking architects. They were demanded by specific, named failures that exposed how badly we were underinvesting in identity fundamentals.</p>



<ul class="wp-block-list">
<li><strong>Target (2013):</strong> The breach wasn’t a sophisticated nation-state attack. An HVAC vendor with network access and no meaningful segmentation became the entry point for 40 million stolen card records. The core failure was third-party identity governance, an external account with far more privilege than its function required, and no monitoring to detect its abuse. Every time I review a vendor access policy, this breach is in the room.</li>



<li><strong>SolarWinds (2020):</strong> Supply chain compromise at massive scale, enabled in part by service accounts operating with excessive privilege across thousands of customer environments. The attackers didn’t force their way in, they walked through doors that were left open by over-permissioned build pipeline identities and inadequate separation between production and development access.</li>



<li><strong>Colonial Pipeline (2021):</strong> A single compromised VPN account with no MFA enforced. One identity. No second factor. Fuel supply disruption across the eastern United States. Every MFA mandate that landed in your organization after 2021 has this incident’s fingerprints on it.</li>



<li><strong>Uber (2022):</strong> A contractor’s credentials obtained through MFA fatigue, repeated push notifications until the user accepted to stop the noise. The attacker then moved laterally through internal systems because access controls weren’t scoped tightly enough to limit blast radius. The failure wasn’t technical sophistication. It was operational immaturity in how MFA was implemented and how privilege was bounded.</li>



<li><strong>Microsoft (2023):</strong> A stolen MSA signing key used to forge authentication tokens across cloud tenants. The identity trust model itself became the attack surface. When cryptographic key management fails, every downstream access decision built on top of it is compromised.</li>



<li><strong>MGM Resorts (2023):</strong> Attackers identified a senior employee via LinkedIn, called the IT help desk impersonating them, and convinced the agent to reset credentials and MFA with no callback protocol, no strong out-of-band verification. Caesars Entertainment was hit the same month by the same pattern. The failure wasn’t in the authentication stack. It was in the help desk itself. The layer where humans prove humans and deepfake voice and video now make that layer trivial to defeat at scale.</li>
</ul>



<p class="wp-block-paragraph">Each of these is an IAM failure. Excessive privilege. Missing MFA. Orphaned accounts. Poor federation hygiene. Inadequate key lifecycle management. Help desk identity verification. The controls that now appear in your compliance frameworks have these incident names written invisibly inside them.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h2 class="wp-block-heading">What Compliance Actually Tells You (And What It Doesn’t)</h2>



<p class="wp-block-paragraph">Here’s the uncomfortable truth about compliance frameworks: they are lag indicators by design. They codify the minimum bar required to prevent the breach that already happened. They say nothing reliable about the breach that’s being planned right now.</p>



<p class="wp-block-paragraph">The gap between a compliance checkbox and mature IAM posture is where the next incident is living. I see this gap constantly, and it’s worth naming directly.</p>



<ul class="wp-block-list">
<li><strong>MFA enabled</strong> versus <strong>phishing-resistant MFA enforced</strong> at the authentication policy layer hardware-bound, not just a push notification toggle sitting in a dashboard that nobody monitors for fatigue patterns.</li>



<li><strong>Privileged access documented</strong> versus <strong>PAM operationally enforced</strong> with just-in-time provisioning, session recording with active review, and standing access treated as a policy exception rather than the default.</li>



<li><strong>Access reviews completed</strong> versus <strong>access reviews that actually reduce privilege</strong>, where the outcome of the review cycle is measurably fewer entitlements per identity, not just a signed-off spreadsheet that nobody acted on.</li>



<li><strong>Service accounts inventoried</strong> versus <strong>non-human identities continuously monitored</strong> with behavioral baselines, anomaly alerting, and rotation schedules enforced by automation rather than calendar reminders.</li>



<li><strong>Zero Trust policy adopted</strong> versus <strong>a network architecture where identity is actually the control plane</strong>, not a slide in a board presentation, and where access decisions factor not just who the user is, but where they are, what device they’re on, and whether their current behavior looks like their baseline.</li>
</ul>



<p class="wp-block-paragraph">Identity used to answer “are you allowed?” It now has to answer “does this access attempt even look like you?” Impossible travel, high-risk geographies, session risk, device posture — these belong inside the authentication decision, not inside a dashboard someone reviews on Mondays.</p>



<ul class="wp-block-list">
<li><strong>IAM capabilities deployed</strong> versus <strong>IAM KPIs tracked and trended over time</strong> because what doesn’t get measured doesn’t improve, and the maturity of an identity program shows up in the shape of its metric curves, not in the inventory of tools on the license schedule. If you can’t tell me whether entitlements-per-identity is declining, whether standing privilege has shrunk quarter over quarter, or how long a new joiner waits for correct access &#8211; you don’t have a program posture, you have a tool stack.</li>
</ul>



<p class="wp-block-paragraph">Compliance tells you what the floor looks like. It does not tell you where the ceiling is. And in my experience, most organizations have stopped somewhere between the two and called it done.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h2 class="wp-block-heading">The Dangerous Comfort Zone: When Your Team Mistakes Compliance for Security</h2>



<p class="wp-block-paragraph">The organizational behavior this creates is one of the most persistent problems I work against. When audit cycles become the primary driver of the IAM roadmap, the team’s incentive structure warps in a specific and dangerous direction.</p>



<p class="wp-block-paragraph">You stop optimizing for threat reduction. You start optimizing for evidence collection.</p>



<p class="wp-block-paragraph">I’ve seen this show up in recognizable patterns across organizations of every size.</p>



<ul class="wp-block-list">
<li><strong>Quarterly access reviews conducted as rubber stamps</strong>, certifiers clicking approve on hundreds of entitlements in minutes because the process was designed to generate a record, not to generate a decision. The question being answered isn’t “does this person need this access?” It’s “how quickly can we close the certification campaign?”</li>



<li><strong>Role proliferation allowed to compound year over year</strong> because the current roles passed the last audit, so nobody wants to touch them. The organization is carrying thousands of roles, most of which are poorly defined, overlapping, and impossible to audit meaningfully but the audit passed, so the conversation doesn’t happen.</li>



<li><strong>PAM tools deployed, licensed, and documented and operationally ignored.</strong> The vault exists. The accounts are technically onboarded. But privileged sessions aren’t being reviewed, standing access is still the default, and the tool that was supposed to transform privileged access management is functioning as an expensive credential repository.</li>



<li><strong>IGA platforms configured to enforce policy at provisioning and then left unmonitored for drift.</strong> Accounts created with the right access on day one, accumulating entitlements through ad-hoc requests for three years, and nobody has looked at the aggregate picture because the provisioning workflow is compliant.</li>
</ul>



<p class="wp-block-paragraph">If any of this feels familiar, I’m not judging the team rather I’m naming the system. When compliance is the primary success metric, this is the rational response to the incentive structure. The problem is that rational compliance behavior and effective security behavior are not the same thing, and the gap between them is where attackers operate.</p>



<p class="wp-block-paragraph">IAM practioners shoould put it plainly to leadership: <strong>Audit Ready is not the same as Breach Proof.</strong> A team optimizing for closing the certification campaign rather than reducing the risk the entitlement actually carries will produce a clean audit and a vulnerable organization at the same time. The moment those two phrases get conflated above the CISO’s head, the program inherits a mandate that looks like security but isn’t.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h2 class="wp-block-heading">How to Get Ahead of the Grave &#8211; A Practitioner’s Operating Model</h2>



<p class="wp-block-paragraph">Diagnosis without direction isn’t useful. So here is the operating model I apply when I want to move an identity program from reactive compliance posture to proactive threat-informed design. This isn’t theoretical, it’s what actually works in practice.</p>



<p class="wp-block-paragraph">The list is structured deliberately: the first six harden your posture against breach patterns already on public record; the seventh forces your program to keep pace with threats no auditor has yet catalogued.</p>



<ol class="wp-block-list">
<li><strong>Threat-model your identity fabric before you scope your controls.</strong> Start with adversary behavior, not framework requirements. Map the specific identity attack paths relevant to your environment — credential theft, privilege escalation, lateral movement via federated trust, non-human identity abuse. Then ask which of your current controls actually interrupt those paths and which ones only satisfy an auditor.</li>
</ol>



<ul class="wp-block-list">
<li>A frame worth internalizing here, from John Lambert: defenders think in lists, attackers think in graphs, and as long as that’s true, attackers win. Your access review spreadsheet is a list. The web of trust between your identities, groups, federations, service accounts, and privileged resources is a graph, and that graph is the terrain your adversary is actually traversing.</li>
</ul>



<ol start="2" class="wp-block-list">
<li><strong>Define your identity tiers and map blast radius per tier explicitly.</strong> Not all identities carry equal risk. A tier-one privileged identity with access to production infrastructure and administrative federation capabilities has an entirely different blast radius than a standard user account. Your controls, monitoring intensity, and response playbooks should reflect that difference. If they don’t, you’re applying uniform protection to non-uniform risk.</li>



<li><strong>Run tabletop exercises scoped specifically to identity failure modes.</strong> Most tabletops I’ve participated in simulate perimeter or endpoint compromises. Run the scenario where your IdP is compromised. Run the scenario where a service account with excessive privilege is abused by an insider. Run the scenario where MFA is defeated at scale through fatigue or SIM swapping. The gaps that surface in those conversations are the gaps that matter.</li>



<li><strong>Red team your identity layer &#8211; don’t wait for a real incident to find the gaps.</strong> Tabletops surface the failures you can imagine; adversarial testing surfaces the ones you can’t. Commission identity-focused red team engagements on a recurring cadence — credential theft, session hijack, federation abuse, privilege escalation, help desk social engineering and feed what they find back into architecture rather than filing it as a report. Gaps that never appear in access reviews or audits almost always appear under someone actually trying to break in.</li>



<li><strong>Instrument your IGA for behavioral anomaly, not just policy violation.</strong> Policy enforcement catches known-bad. Behavioral analytics surface unknown-bad. If your identity governance platform is only alerting when a provisioning rule is violated, you’re blind to the user whose access pattern changed three months ago in ways that no individual action violated policy but the aggregate behavior is deeply suspicious.</li>



<li><strong>Build your access review process around privilege reduction as the measurable outcome.</strong> Track entitlements per identity over time. Make the success metric a declining curve, not a closed certification campaign. If your access reviews aren’t resulting in access removal, they aren’t reviews, they’re rituals.</li>



<li><strong>Treat non-human identity with the same rigor as privileged human identity.</strong> Service accounts, API keys, OAuth tokens, pipeline credentials &#8211; these are the identities attackers are targeting at scale right now because they’re often under-governed and over-privileged. If you don’t have a comprehensive non-human identity inventory with ownership, purpose, and lifecycle enforcement, this is the highest-priority gap in most environments I’ve seen.</li>



<li><strong>Plan for the attacks your compliance framework hasn’t named yet.</strong> The controls in your baseline were written against breaches that have already happened. Deepfake-assisted help desk impersonation, AI-generated vishing, synthetic identity fraud, ML-enhanced MFA fatigue — these are landing in production right now and appear in no auditor’s checklist. Build a forward-looking layer into your program that tracks emerging identity threats quarterly, runs tabletop exercises against them, and lands the control before the framework tells you to.</li>



<li><strong>Rehearse the recovery, not just the detection.</strong> Assume the breach has already landed. Do the right people know their roles, and are they reachable at 3 a.m. on a holiday? How fast can you rotate privileged credentials at scale, sever federated trust, and re-establish a known-good authentication plane? Most programs have never actually measured how long identity recovery would take under real conditions. Find out before an attacker makes you find out.</li>



<li><strong>Plan for the attacks your compliance framework hasn’t named yet.</strong> The controls in your baseline were written against breaches that have already happened. Deepfake-assisted help desk impersonation, AI-generated vishing, synthetic identity fraud, ML-enhanced MFA fatigue &#8211; these are landing in production right now and appear in no auditor’s checklist. Build a forward-looking layer into your program that tracks emerging identity threats quarterly, runs tabletop exercises against them, and lands the control before the framework tells you to.</li>
</ol>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h2 class="wp-block-heading">The Obligation We Carry as IAM Practitioners</h2>



<p class="wp-block-paragraph">I want to end with something direct, because I think it matters.</p>



<p class="wp-block-paragraph">The people building identity infrastructure today are either providing the incident report that writes the next regulation, meeting the one that already exists, or for the few doing this exceptionally well, quietly setting the bar that tomorrow’s framework will codify as the new minimum, not because something went wrong but because it got done right first.</p>



<p class="wp-block-paragraph">There is no neutral position. The access controls you enforce or fail to enforce, the privilege you scope or over-grant, the MFA you deploy meaningfully or deploy performatively, all of it is making a real-world determination about whether the next catastrophic breach happens on your watch and in your environment.</p>



<p class="wp-block-paragraph">That’s not meant to be dramatic. It’s meant to be accurate.</p>



<p class="wp-block-paragraph">Reframing what good IAM work actually means is worth doing explicitly.</p>



<ul class="wp-block-list">
<li><strong>Good IAM work is not completing a certification campaign on time.</strong> It is ensuring that the humans approving entitlements are actually examining them and removing the ones that shouldn’t exist.</li>



<li><strong>Good IAM work is not deploying a PAM tool.</strong> It is operationalizing privileged access controls to the point where standing access is genuinely exceptional and every privileged session is visible and accountable.</li>



<li><strong>Good IAM work is not enforcing MFA across the enterprise.</strong> It is enforcing phishing-resistant MFA in the places where a compromised credential would have catastrophic blast radius, and knowing specifically which those places are.</li>



<li><strong>Good IAM work is not a team drowning in manual toil.</strong> It is using the automation and AI capabilities now available to us to surface dangerous privileges, inform access review decisions, and detect the identity patterns no human reviewer will ever catch at scale, freeing human judgment for the decisions that actually require it.</li>



<li><strong>Good IAM work is not passing an audit.</strong> It is building an identity posture that would survive an attacker who has never read your audit report and does not care about your certification timeline.</li>
</ul>



<p class="wp-block-paragraph">The frameworks we operate inside exist because somewhere, at some point, someone’s identity infrastructure failed publicly enough to force a regulatory response. The question I carry into every architecture decision, every policy review, and every control deployment is a simple one: am I building something that prevents that, or am I building something that looks like I prevented it?</p>



<p class="wp-block-paragraph">The difference between those two things is where real harm lives and where the next regulation is quietly being drafted.</p>



<p class="wp-block-paragraph"><strong>Build identity infrastructure that makes the next compliance framework unnecessary.</strong></p>



<p class="wp-block-paragraph"><em>Disclaimer: The views expressed in the content are solely those of the author and do not necessarily reflect the views of the IDPro organization.</em></p>



<h2 class="wp-block-heading">References</h2>



<p class="wp-block-paragraph">&#8211; [1] U.S. Department of Health and Human Services, “Health Insurance Portability and Accountability Act of 1996 (HIPAA),” Public Law 104-191. https://www.hhs.gov/hipaa/index.html</p>



<p class="wp-block-paragraph">&#8211; [2] U.S. Securities and Exchange Commission, “Sarbanes-Oxley Act of 2002,” Public Law 107-204. https://www.sec.gov/about/laws/soa2002.pdf</p>



<p class="wp-block-paragraph">&#8211; [3] European Union, “Regulation (EU) 2016/679 (General Data Protection Regulation),” Official Journal of the European Union. https://eur-lex.europa.eu/eli/reg/2016/679/oj</p>



<p class="wp-block-paragraph">&#8211; [4] PCI Security Standards Council, “Payment Card Industry Data Security Standard (PCI DSS).” https://www.pcisecuritystandards.org/standards/pci-dss/</p>



<p class="wp-block-paragraph">&#8211; [5] U.S. Department of Justice, AMBER Alert Program, “About AMBER Alert.” https://amberalert.ojp.gov/about</p>



<p class="wp-block-paragraph">&#8211; [6] Krebs, Brian, “Target Hackers Broke in Via HVAC Company,” KrebsOnSecurity, February 5, 2014. https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/</p>



<p class="wp-block-paragraph">&#8211; [7] Cybersecurity and Infrastructure Security Agency (CISA), “Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations (SolarWinds),” Alert AA20-352A, December 2020. https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a</p>



<p class="wp-block-paragraph">&#8211; [8] Cybersecurity and Infrastructure Security Agency (CISA) and FBI, “DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks (Colonial Pipeline),” Alert AA21-131A, May 2021. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-131a</p>



<p class="wp-block-paragraph">&#8211; [9] Uber Technologies, “Security update,” Uber Newsroom, September 19, 2022. https://www.uber.com/newsroom/security-update/</p>



<p class="wp-block-paragraph">&#8211; [10] Microsoft Security Response Center, “Analysis of Storm-0558 techniques for unauthorized email access,” Microsoft Threat Intelligence, July 14, 2023. https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/</p>



<p class="wp-block-paragraph">&#8211; [11] U.S. Securities and Exchange Commission, MGM Resorts International Form 8-K, September 12, 2023. https://www.sec.gov/Archives/edgar/data/789570/000119312523237814/d551104d8k.htm</p>



<p class="wp-block-paragraph">&#8211; [12] Lambert, John, “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.,” GitHub, 2015. https://github.com/JohnLaTwC/Shared</p>



<h2 class="wp-block-heading"><br><br>About the Author</h2>



<div class="wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex">
<div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow" style="flex-basis:100%">
<figure class="wp-block-image size-full is-resized"><img loading="lazy" decoding="async" width="321" height="321" src="https://idpro.org/wp-content/uploads/2026/05/image-4.png" alt="" class="wp-image-3036" style="width:361px;height:auto" srcset="https://idpro.org/wp-content/uploads/2026/05/image-4.png 321w, https://idpro.org/wp-content/uploads/2026/05/image-4-300x300.png 300w, https://idpro.org/wp-content/uploads/2026/05/image-4-150x150.png 150w" sizes="auto, (max-width: 321px) 100vw, 321px" /></figure>
</div>
</div>



<p class="wp-block-paragraph">Nishad Sankaranarayanan is a cybersecurity executive with 20+ years of experience building and leading enterprise security programs in complex, regulated environments. He serves as Global Director of Cybersecurity at Genuine Parts Company — a Fortune 200, $20B+ global enterprise — where he leads a program spanning workforce and customer identity, cloud security, AI governance, and cyber defense across 17 countries. Previously, he was part of the post-breach security transformation at Equifax, contributing to FedRAMP authorization and NIST 800-53 compliance across a large-scale financial data environment. Nishad holds a CISO Executive Certificate from Carnegie Mellon University, serves on advisory boards for several cybersecurity startups, and founded the Atlanta IAM User Group. He is a recognized speaker at Gartner IAM Summit and Identiverse, a 2025 Constellation Research SuperNova Award recipient for Cybersecurity Leadership, and a three-time Ping Identity Excellence Award winner.</p>



<p class="wp-block-paragraph"></p>



<figure class="wp-block-gallery has-nested-images columns-2 is-cropped wp-block-gallery-3 is-layout-flex wp-block-gallery-is-layout-flex">
<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="346" height="350" data-id="2898" src="https://idpro.org/wp-content/uploads/2025/11/image-2.png" alt="" class="wp-image-2898" srcset="https://idpro.org/wp-content/uploads/2025/11/image-2.png 346w, https://idpro.org/wp-content/uploads/2025/11/image-2-297x300.png 297w" sizes="auto, (max-width: 346px) 100vw, 346px" /></figure>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="600" height="600" data-id="2390" src="https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author.png" alt="" class="wp-image-2390" srcset="https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author.png 600w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author-300x300.png 300w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author-150x150.png 150w, https://idpro.org/wp-content/uploads/2023/10/IDPro_BoK_Badges_R5__Newsletter_Author-320x320.png 320w" sizes="auto, (max-width: 600px) 100vw, 600px" /></figure>
</figure>



<p class="wp-block-paragraph"></p>
<p>The post <a href="https://idpro.org/most-regulatory-frameworks-are-built-on-top-of-graves/">Most Regulatory Frameworks are Built on Top of Graves</a> appeared first on <a href="https://idpro.org">IDPro</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>

<!--
Performance optimized by W3 Total Cache. Learn more: https://www.boldgrid.com/w3-total-cache/?utm_source=w3tc&utm_medium=footer_comment&utm_campaign=free_plugin

Page Caching using Disk: Enhanced 
Lazy Loading (feed)
Minified using Disk

Served from: idpro.org @ 2026-07-11 20:49:50 by W3 Total Cache
-->