Active Research Program

Identity & Access Management Research

Zero-trust architecture, privileged access governance, and AI-assisted anomaly detection for enterprise identity programs — with a Canadian regulatory focus.


Identity and access management sits at the intersection of technical security architecture and organisational governance. Getting it wrong — whether by implementing controls that employees route around, or by accumulating access entitlements that no one reviews — creates the conditions for the majority of modern data breaches. Getting it right requires not just the right tools, but the right organisational model, measurement approach, and regulatory alignment.

This program focuses on the practical realities of IAM at Canadian enterprises — financial institutions, healthcare organisations, and government agencies — where the consequences of failure are most severe and the regulatory context is most demanding.

Why IAM Remains a Hard Problem

  • 74% of breaches involve a privileged account (CrowdStrike 2024).
  • 11 months: average dwell time before a privileged credential compromise is detected.
  • 38% of access reviews are rubber-stamped without genuine scrutiny.
  • $4.9M: average Canadian breach cost, heavily influenced by identity failures.

The persistence of these numbers — despite two decades of IAM vendor investment — reflects a fundamental challenge: IAM failures are rarely technology failures. They are governance failures, process failures, and culture failures that manifest through technology. A PAM tool that nobody uses is not a PAM programme. Access certifications that managers approve in bulk without reading are not access reviews.

The Zero-Trust Imperative

Zero-trust architecture — the principle that no user, device, or network segment should be implicitly trusted, and that every access request should be explicitly verified — has moved from a conceptual framework to a regulatory expectation in many Canadian sectors. OSFI's B-13 Technology and Cyber Risk Management guideline, updated in 2023, effectively mandates zero-trust principles for federally regulated financial institutions. The Treasury Board's Government of Canada Zero Trust Security Architecture Strategy extends similar expectations to federal departments.

Our research examines the gap between this regulatory expectation and operational reality. Based on structured interviews with IAM practitioners at 23 Canadian organisations conducted in Q4 2024, we find that:

  • Only 31% have a documented zero-trust implementation roadmap aligned to their risk register.
  • The dominant barrier to zero-trust adoption is not technical — it is the absence of executive sponsorship that treats IAM as a business risk rather than an IT project.
  • Organisations that have made the most progress on zero-trust typically did so in response to a specific breach or near-miss — not proactively.
  • Legacy application estates — particularly on-premises ERP systems and mainframe environments — are the most frequently cited technical barrier.

Regulatory Framework Mapping

Canadian organisations face overlapping regulatory requirements that touch on identity and access. We have developed a mapping of these requirements to specific IAM controls:

OSFI B-13

Requires identity lifecycle management, privileged access controls, and access recertification for federally regulated financial institutions.

Quebec Law 25

Mandates access controls for personal information, data minimisation, and documented access governance processes for organisations serving Quebec residents.

PHIPA / PIPEDA

Healthcare and general private sector privacy requirements with direct implications for who can access personal and health information, and how that access is audited.

NIST CSF 2.0

The updated Framework explicitly elevates Govern and Identify functions, placing access management at the centre of cybersecurity programme design.

AI-Assisted Identity Security

Machine learning is being embedded into IAM platforms at an accelerating rate. User and Entity Behaviour Analytics (UEBA) — systems that build baseline behavioural profiles for each user and flag deviations — are now standard features in platforms like Microsoft Entra ID Protection, Okta ThreatInsight, and SailPoint's Access Risk Management module.

Our evaluation of these systems in enterprise deployments finds a more nuanced picture than vendor marketing suggests:

  • True positive rates are highly context-dependent. UEBA performs well for detecting brute-force attacks and impossible-travel anomalies, but struggles with insider threats that follow plausible usage patterns.
  • Alert fatigue is a serious operational risk. Poorly tuned UEBA deployments generate volumes of low-confidence alerts that analysts cannot meaningfully triage, effectively rendering the system counterproductive.
  • The "cold start" problem is underappreciated. ML-based anomaly detection requires weeks to months of data to build reliable baselines — a vulnerability window that organisations rarely plan for during deployment.
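As an added illustration (not code from this research program or from any of the named vendors), the sketch below contrasts the two classes of signal the findings describe: impossible-travel detection, which works from a user's second login, and a learned-location baseline, which stays silent during its cold-start window and never fires on an insider whose logins look routine. The thresholds, the `analyse` function and the sample sign-in events are constructed assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Tuning values are assumptions for this example, not taken from any product.
MIN_BASELINE_EVENTS = 5        # cold-start guard: logins needed before a profile is trusted
MAX_PLAUSIBLE_SPEED_KMH = 900  # faster than an airliner between two logins = impossible travel

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def analyse(events):
    """events: (user, iso_timestamp, city, lat, lon) tuples, oldest first. Returns (alerts,
    suppressed): alerts are (user, ts, reasons); suppressed are deviations hidden by cold start."""
    profiles = {}  # user -> {"last": (time, lat, lon) or None, "cities": set, "n": int}
    alerts, suppressed = [], []
    for user, ts, city, lat, lon in events:
        t = datetime.fromisoformat(ts)
        p = profiles.setdefault(user, {"last": None, "cities": set(), "n": 0})
        reasons = []
        # Signal 1: impossible travel needs only the previous login, so no baseline is required.
        if p["last"]:
            lt, llat, llon = p["last"]
            hours = (t - lt).total_seconds() / 3600
            dist = haversine_km(llat, llon, lat, lon)
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                reasons.append(f"impossible travel ({speed:.0f} km/h)")
        # Signal 2: deviation from the learned location baseline stays silent during cold start.
        if city not in p["cities"]:
            if p["n"] >= MIN_BASELINE_EVENTS:
                reasons.append(f"new city {city}")
            elif p["n"] > 0:
                suppressed.append((user, ts, city))  # the window the findings say is rarely planned for
        p["last"], p["n"] = (t, lat, lon), p["n"] + 1
        p["cities"].add(city)
        if reasons:
            alerts.append((user, ts, reasons))
    return alerts, suppressed

# Constructed sample sign-in events (not real data).
SAMPLE_EVENTS = (
    [("alice", f"2024-11-0{d}T09:00:00", "Toronto", 43.65, -79.38) for d in range(1, 6)]
    + [("alice", "2024-11-05T09:45:00", "Vancouver", 49.28, -123.12)]  # 45 min after a Toronto login
    + [("bob", "2024-11-04T10:00:00", "Montreal", 45.50, -73.57),
       ("bob", "2024-11-06T10:00:00", "Calgary", 51.05, -114.07)]      # new city, but no baseline yet
    + [("carol", f"2024-11-0{d}T08:30:00", "Ottawa", 45.42, -75.69) for d in range(1, 7)]  # plausible: silent
)
```

Running `analyse(SAMPLE_EVENTS)` yields one alert (alice, with both reasons), one suppressed deviation (bob's Calgary login, hidden by cold start), and nothing for carol.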

"An AI that generates a hundred alerts a day, ninety-seven of which are false positives, isn't helping you find the three real threats — it's training your analysts to ignore everything."

— IAM Practitioner Interview, Q4 2024 (anonymised)

The Modern IGA Platform Landscape

Identity Governance and Administration (IGA) — the sub-discipline of IAM focused on managing the full lifecycle of identities and their entitlements — is undergoing significant technology disruption. Legacy platforms built in the 2000s and 2010s (IBM Security Identity Governance, Oracle Identity Governance) are being challenged by cloud-native alternatives that offer faster deployment, lower administrative overhead, and better integrations with modern SaaS environments.

We are conducting comparative analysis of the leading modern IGA platforms across four dimensions: deployment complexity, connector ecosystem depth, access certification quality, and total cost of ownership over a five-year horizon. Early results will be published in Working Paper WP-2025-04.

Access Working Papers

Read our published research on IAM governance, zero-trust implementation, and AI-assisted identity security via the Research Portal.
