It’s the Destination (and the Journey): A Proposed Maturity Model for Identity Governance and Analytics

“Caminante, no hay camino. Se hace camino al andar.”

Wanderer, there is no path. The path is made by walking.

The quote from a famous poem by Antonio Machado echoed in my head this past summer as I landed in Madrid, Spain. After stepping off the plane and finding my way to the subway that would take me downtown, I expected to intuitively know what my path forward was: which trains to take, what stations were for which connections, how to arrive at my destination. But I had underestimated the task: with 300+ stations and 13 different lines in the Madrid Metro, the logistics were sizable. I was initially frozen by the sheer volume of information. Not wanting to project the air of a foreigner (which, of course, I was), I glanced one more time at the subway map, chose a course of action, and decisively boarded my first train—in the wrong direction.

I’d thought — based on the vast amount of data available in the form of maps and station information—that I could easily forge a path to my desired destination. But the volume of information was too great, and it would take time for my understanding of the Metro to mature so that I could navigate the subway network wisely.

Businesses undertaking identity governance in today’s environment find themselves in a similar situation. With the rise of larger and larger data repositories, companies have been quick to leap into action, diving headlong into analytics. But this rush to analysis pushes some enterprises to assume too much, too quickly — and intimidates other organizations that do not know where to begin. A strong identity governance program resists both the rush to action and the paralysis of overthinking. Instead, it grows in understanding much the same way as a traveler in a new city does, in stages: from data acquisition to information assimilation to achieving goals efficiently with that information.

Exploring these stages forces a review of the preconceptions around identity governance and analytics and can provide a path forward for any organization that’s traveling along the path to “analytics enlightenment.” The following maturity model for identity governance (hereafter referred to as MMIG, because who doesn’t need more acronyms in their life?) identifies stages common to both a newly-arrived traveler in a foreign city and an organization undertaking identity governance.


Over the subsequent series, we’ll explore each stage of this proposed maturity model in detail, identifying a number of unique characteristics for each phase:

  • Data Context: What data is currently available?
  • Business Context: What business-focused use cases are being addressed?
  • Goals: What results are produced?
  • Questions to Ask: What high-level questions are being investigated?

As we wind our way through the maturity model, we’ll seek to establish a path for identity enlightenment that enterprises can follow to construct a coherent IGA program—one that leads them to enhance security, improve compliance, and promote efficiency rather than just managing infrastructure or creating a large data repository.

And by forging a clear path for identity governance, we can move forward with the confidence invoked by the poet Machado, eliminating both the impetuous rush to action and the inertia that grows from being overwhelmed by options (and the waste of time and resources that accompany them). Whereas my poor choice of a path in Madrid cost me only 45 extra minutes, the stakes for today’s organizations are much higher. Poor choices will bring immeasurably higher costs for a company and reinforce a sense of aimless wandering.