A Landscape of Incompatible Approaches

NEWSLETTER SERIES: WE STILL DON’T HAVE A STANDARD WAY TO MEASURE IAM MATURITY

Part 2 of 3

By Vidyaa Ganesh

This is Part 2 of a three-part series on IAM maturity measurement. Part 1 reviewed the published research showing that 60-70% of organizations remain at early-to-mid stages of IAM maturity. This installment examines the frameworks currently available and the structural reasons no standard has emerged.

If 60% to 70% of organizations are stuck at early-to-mid stages of IAM maturity, as five independent research sources consistently show, a natural question follows: why can’t they measure and track their way out? The answer is not that frameworks are absent. Several exist. The answer is that they are incompatible with each other and, in most cases, not designed for cross-organizational comparison.

CMMI and General-Purpose Maturity Models

The Capability Maturity Model Integration, now maintained by ISACA, provides a well-established framework for assessing process maturity across domains. Its five-level structure (Initial, Managed, Defined, Quantitatively Managed, Optimizing) has been widely adopted outside its original software engineering context. CMMI’s staged representation introduces an important concept: lower-level capabilities must be satisfied before higher levels can be claimed. An organization cannot skip foundational process areas and still achieve a high maturity rating.

CMMI’s limitation for IAM is that it is domain-agnostic. It provides structure and principles, but it does not define what IAM-specific capabilities should be measured, how they should be weighted, or what constitutes a reasonable benchmark for a given industry.

Gartner IAM Program Maturity Model

Gartner’s IAM Program Maturity Model, published in September 2025, defines six dimensions of IAM maturity across five levels. It is perhaps the most authoritative vendor-neutral reference available, and its dimension structure (covering governance, identity lifecycle, access management, privileged access, and related areas) reflects a comprehensive view of what IAM programs should include.

However, the model is paywalled, which limits its utility as a shared community standard. It also does not publish empirical benchmark data showing where organizations in specific industries typically fall on its scale. Without that benchmark layer, an organization can assess itself against the model’s definitions but has no way to know how it compares to its peers.

SailPoint Horizons Framework

SailPoint’s Horizons framework is notable because it publishes actual empirical data. The five-horizon model is based on annual surveys, uses a clustering algorithm to assign organizations to maturity levels, and breaks results out by industry, geography, and organizational size. It also explicitly incorporates the concept of capability prerequisites: to be placed in a given horizon, an organization’s capabilities must cover most environments and identity types.

The limitation is that SailPoint is a vendor with commercial interests in the identity governance space. While the research methodology appears sound, a vendor-published framework will always face questions about objectivity, particularly when the recommended path to higher maturity runs through capabilities that the vendor sells.

CISA Zero Trust Maturity Model

The Cybersecurity and Infrastructure Security Agency published a Zero Trust Maturity Model that includes an identity pillar with explicit maturity levels. It is publicly available and government-backed, which gives it credibility. The model explicitly states dependencies between pillars: identity capabilities must be established before device trust or network trust can be meaningful.

The model is scoped to zero trust architecture, not IAM broadly. It does not cover domains like identity governance and administration, customer identity, or the operational and organizational dimensions of an IAM program. It is useful as a reference but incomplete as a general-purpose IAM maturity standard.

Vendor-Specific Models

Several vendors have published maturity models specific to their market segment. Okta published a four-stage CIAM maturity curve (Basic, Automated, Intelligent, Continuous). Auth0, now part of Okta, published an Identity Maturity Framework with six assessment dimensions. WSO2 published a five-level CIAM maturity model.

These models are useful for understanding capability progression within a specific domain, but they share a common limitation: none publishes empirical data about where organizations actually fall on their respective scales. They define the levels but do not populate them with benchmark data.

The Comparability Problem

The fundamental issue is not that frameworks are absent. It is that they are mutually incompatible. An organization assessed using SailPoint’s five-horizon model cannot compare its results to one assessed using Bravura’s four-level model or Gartner’s six-dimension framework. The scales differ, the dimensions differ, the weighting logic (where it exists) differs, and the definitions of what constitutes each level differ.

For IAM practitioners, this means that changing consultants often means starting the measurement process from scratch. For CISOs reporting to boards, it means that year-over-year comparisons are only valid if the same assessment approach is used each time. For the industry as a whole, it means there is no aggregate data pool that could raise the bar for everyone.

Table 2. Comparison of existing IAM maturity frameworks

Framework              Scale                Empirical Data?          Vendor-Neutral?   Cross-Org Comparable?
---------------------  -------------------  -----------------------  ----------------  ----------------------
CMMI                   5 levels             N/A (domain-agnostic)    Yes               Within CMMI adopters
Gartner IAM Maturity   6 dim, 5 levels      No (paywalled)           Yes               No public benchmarks
SailPoint Horizons     5 horizons           Yes (375 respondents)    No (vendor)       Within SailPoint data
CISA ZT Maturity       4 levels, 5 pillars  No                       Yes               No benchmarks
Okta CIAM Curve        4 stages             No                       No                No
Auth0 IMF              6 dimensions         No                       No                No

Why No Standard Has Emerged

Given the clear need for standardized measurement, it is reasonable to ask why one does not already exist. Several structural factors have worked against the emergence of a shared standard.

Vendor incentives cut against standardization. Identity vendors benefit from publishing their own maturity models because it frames the conversation in terms of their product capabilities. A vendor’s maturity model will, almost by definition, position the vendor’s strongest features as markers of advanced maturity. This creates a structural incentive against converging on a shared, vendor-neutral standard.

IAM spans too many domains. IAM encompasses identity governance and administration, privileged access management, workforce authentication, customer identity, cloud identity, identity threat detection, and governance and strategy. Each has its own maturity curve, vendor landscape, and regulatory drivers. Building a single model that meaningfully covers all of them requires significant domain expertise and difficult weighting decisions.

No governing body has taken ownership. Unlike financial accounting (which has GAAP and IFRS) or software process maturity (which has CMMI), identity management does not have a single governing body that has taken responsibility for defining and maintaining a measurement standard. Organizations like IDPro, IDSA, NIST, and ISACA each contribute pieces of the puzzle, but none has published a comprehensive, empirically grounded IAM maturity standard.

Measurement requires difficult methodological choices. How should domains be weighted against each other? Should privileged access management carry more weight than governance? How do you handle the scenario where an organization scores highly in advanced areas but has gaps in foundational controls? These are not trivial questions, and without empirical data to validate different approaches, any methodology choice can be challenged.
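To make the weighting question concrete, here is an added illustration (not code from this newsletter or from any of the frameworks it reviews) that scores one constructed assessment two ways: as a weighted average across domains, and as a staged level in the CMMI sense described earlier, where a level can only be claimed once every prerequisite domain has reached it. The domain names, weights, prerequisite rules and sample scores are all assumptions chosen to show the scenario above: an organization strong in advanced areas but weak in a foundational control.

```python
"""Weighted-average vs. staged (prerequisite-gated) IAM maturity scoring.

Added example, not part of the article or any published framework. Every
domain name, weight, prerequisite rule and sample assessment below is a
constructed assumption used to show how the two methods can disagree.
"""

# Constructed domain weights; no published model uses these exact values.
DOMAIN_WEIGHTS = {
    "governance": 0.25,
    "lifecycle": 0.25,
    "access_management": 0.20,
    "privileged_access": 0.20,
    "threat_detection": 0.10,
}

LEVELS = (1, 2, 3, 4, 5)  # a five-level scale, CMMI-style

# Constructed prerequisite rules: to claim level L, every listed domain must
# already be at level L or higher. Foundational domains gate the early levels;
# threat detection only becomes a prerequisite from level 4.
PREREQUISITES = {
    1: [],
    2: ["governance", "lifecycle", "access_management"],
    3: ["governance", "lifecycle", "access_management", "privileged_access"],
    4: list(DOMAIN_WEIGHTS),
    5: list(DOMAIN_WEIGHTS),
}


def weighted_average(scores: dict) -> float:
    """Weighted mean of per-domain levels. A high score in one domain can
    compensate for a gap in another, so foundational weaknesses are masked."""
    total_weight = sum(DOMAIN_WEIGHTS[d] for d in scores)
    weighted = sum(DOMAIN_WEIGHTS[d] * scores[d] for d in scores)
    return round(weighted / total_weight, 2)


def staged_level(scores: dict) -> int:
    """Highest level whose prerequisite domains are all satisfied, walking up
    from level 1 and stopping at the first unmet level. No domain can be
    skipped to claim a higher rating."""
    claimed = LEVELS[0]
    for level in LEVELS[1:]:
        if all(scores.get(d, 0) >= level for d in PREREQUISITES[level]):
            claimed = level
        else:
            break
    return claimed


def blocking_gaps(scores: dict) -> dict:
    """Domains that prevent the next staged level, as {domain: (current, needed)}.
    Empty when the top level is already reached."""
    current = staged_level(scores)
    if current == LEVELS[-1]:
        return {}
    nxt = current + 1
    return {
        d: (scores.get(d, 0), nxt)
        for d in PREREQUISITES[nxt]
        if scores.get(d, 0) < nxt
    }


# Constructed sample assessments (hypothetical organizations).
# LOPSIDED: mature PAM and detection, but identity lifecycle still ad hoc.
LOPSIDED = {
    "governance": 3,
    "lifecycle": 1,
    "access_management": 4,
    "privileged_access": 4,
    "threat_detection": 4,
}
# BALANCED: no domain is advanced, but none is neglected either.
BALANCED = {
    "governance": 3,
    "lifecycle": 3,
    "access_management": 3,
    "privileged_access": 3,
    "threat_detection": 2,
}

if __name__ == "__main__":
    for name, scores in (("lopsided", LOPSIDED), ("balanced", BALANCED)):
        print(
            f"{name}: weighted average {weighted_average(scores)}, "
            f"staged level {staged_level(scores)}, "
            f"blocking gaps {blocking_gaps(scores)}"
        )
```

Run as a script, the lopsided organization gets the higher weighted average (3.0 versus 2.9) but the lower staged level (1 versus 3), because its lifecycle gap blocks level 2 regardless of how strong the advanced domains are. Neither number is "right"; the point is that the choice of method, and of the prerequisite rules and weights behind it, decides the answer, which is exactly why two frameworks that make these choices differently cannot be compared.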

The CIAM measurement gap. While workforce IAM has at least some benchmark data available, the CIAM space has essentially none. Gartner’s 2025 research found that over 50% of organizations still use homegrown or no CIAM solution at all. Multiple vendors have published CIAM maturity models, but none has published empirical data about where organizations actually fall on those models.

Endnotes

9. ISACA, CMMI Version 3.0 (CMMI Institute/ISACA, 2023).

10. Gartner, Inc., Identity and Access Management Program Maturity Model (September 2025), Document ID: 1203314.

11. SailPoint, Horizons 2025-2026, Appendix, p. 44.

12. Cybersecurity and Infrastructure Security Agency, Zero Trust Maturity Model (CISA, 2023).

13. Okta, Inc., From Zero to Hero: The Path to CIAM Maturity (Okta eBook).

14. Auth0/Okta, Auth0 Identity Maturity Framework (IMF) (Auth0, 2021).

15. WSO2, A Maturity Model for Customer IAM (WSO2 Blog).

16. Gartner, Inc., Innovation Insight for Customer and Partner IAM (April 2025).

NEXT IN THIS SERIES

Part 3: What Good Measurement Looks Like

If the IAM community is going to move toward standardized measurement, what would a credible framework need to include? Seven design principles, the open questions that remain, and a call to action.



About the Author

Vidyaa Ganesh is a Senior IAM Engineer and a solutions architect with over six years of experience delivering identity governance programs for financial services, energy, telecommunications, and public sector clients. She holds a Master of Engineering from Concordia University, is a member of IDPro, and is the creator of AXIS (axis.identara.ca), an open IAM maturity assessment framework.
