Secured by Design - IAM & Cybersecurity Podcast
Great security solutions are designed from the ground up.
Secured by Design is a podcast where Santosh shares practical insights, frameworks, and perspectives on identity security and other aspects of cybersecurity.
Each episode breaks down complex concepts into actionable ideas for professionals protecting digital identities, designing secure systems, and leading security initiatives.
Because true security is built and not bolted on...
Why Identity Is The Hidden Keystone in Effective GRC Programs
Summary
This episode explores the critical relationship between identity and access management (IDAM) and holistic Governance, Risk, and Compliance (GRC) programs. Hosted by Santosh, it delves into how integrated identity management enhances security, compliance, and organizational resilience in the digital age.
Key Topics
The connection between identity and GRC
The evolution of IDAM and its role in security
Regulatory frameworks and compliance mapping
Risk management lifecycle and identity risk scoring
Future trends: Zero Trust, AI, decentralized identity
Chapters
00:00 The Importance of GRC and IDAM Integration
02:32 The Holistic Approach to GRC
07:50 The GRC Challenge Landscape
11:21 Defining Identity and Access Management (IDAM)
15:46 How IDAM Enables Governance
18:48 IDAM's Role in Risk Management
22:54 IDAM and Compliance
23:17 Compliance and IDAM: Meeting Regulatory Requirements
27:22 Maturity Levels of IDAM Programs
29:54 Common Pitfalls and How to avoid them
32:42 Key Performance Indicators for GRC and IDAM
35:19 The Future
37:56 Conclusion: The Central Role of Identity in GRC
Keywords
IDAM, GRC, cybersecurity, identity management, compliance, risk management, zero trust, digital transformation, security architecture
Let’s Stay Connected
📧 Email: santosh@getitrightsoln.co.uk
🔗 LinkedIn: linkedin.com/in/kssantosh
Most organizations have a GRC program. Most of them also have an identity and access management program. And almost none of them have connected the two in any meaningful way. That's not a technology problem, it's a thinking problem. Because here's the uncomfortable truth. You can have the most sophisticated risk framework on paper, the most comprehensive compliance program your auditors have ever seen, and a governance structure that looks immaculate in a board presentation and still be profoundly exposed. Because if you don't control who has access to what, none of the rest of it holds. Identity is not a supporting act in your GRC story. It is the plot. Welcome to Secured by Design, the podcast where we explore how identity and vital cybersecurity shape the foundation of our digital world. I'm Santosh, and in each episode I'll share insights and practical perspectives on how we can build security into every layer of technology and business. From identity governance and zero trust to the latest in cloud and compliance. Let's dive into what it takes to design security that lasts. Today we are tackling one of the most important and most misunderstood relationships in enterprise security. The role that Identity and Access Management plays within a truly holistic GRC program. We'll start with what GRC actually means when it's done right. Not as three separate disciplines bolted together, but as a unified management system. Then we'll get into IDAM, what it is, what it's become and why it deserves a seat at the GRC table, not just the IT table. And then we'll connect the dots, governance, risk, compliance, showing exactly how identity threads through all of it. We have a comprehensive discussion ahead, so feel free to settle in with a coffee. Let's start at the beginning. GRC stands for governance, risk and compliance. Three words that individually most people in business understand. But together they represent something much bigger. 
They represent the entire management system an organization uses to pursue its objectives reliably, handle uncertainty and act with integrity. Let me break each one down quickly. Governance is about who decides what and how. It's the structures, policies, roles and accountabilities that ensure an organization is directed and controlled effectively. Think board oversight, executive accountability, policy frameworks, codes of conduct. Governance answers this question: are we doing the right thing? Risk is about uncertainty and its impact on objectives. Risk management is the process of identifying, assessing and responding to risks, whether they are strategic, operational, financial, legal or reputational. Risk asks, are we doing things right and what could go wrong? Compliance is about meeting obligations. Those obligations could be regulatory, think GDPR, SOX, HIPAA, NIST, or they could be contractual or internal policy based. Compliance asks, are we following the rules? Let me explain this using an analogy of, say, a pre-flight meeting from the airline industry, a highly regulated one. It's 5:45 a.m. on the flight deck, two hours before departure. The captain and the first officer sit down together. They review the flight plan, the weather, the NOTAMs, any known hazards on the route. They check the aircraft technical log, they review the fuel calculation, they discuss contingencies, they confirm roles and responsibilities for every phase of the flight, including abnormal procedures. That briefing is governance. It establishes the command structure, decision authority, and shared situational awareness before the operation begins. The risk assessment running underneath, like weather avoidance routing, alternate airport selection, minimum fuel calculations, crew fatigue management, etc. That's risk. It's systematic, documented, and signed off. 
The fact that every item on the pre-flight checklist is completed, recorded and retained, that the aircraft's airworthiness certificate is current, the crew's medicals are valid, the airline's operating license is in good standing, that's compliance. Evidence generated as a byproduct of doing things correctly, not assembled under pressure after the fact. Now here's the thing. In most organizations, these three disciplines are developed separately. You've got a legal and compliance team over here, a risk management function over there, and an IT security team somewhere else entirely. They might all be doing good work individually, but without integration, you end up with duplicated efforts, blind spots, inconsistent controls, and critically no single source of truth about the organization's risk and control posture. Here's where holistic GRC comes in. Holistic GRC means treating governance, risk and compliance not as three separate disciplines, but as a unified, integrated management system. It means your risk register informs your controls, your controls are mapped to your compliance obligations, your governance structures provide oversight across all of it, and your data flows freely between these domains so that leaders can make informed, real-time decisions. Think of it like a car. Governance is the steering wheel, it sets direction. Risk management is the dashboard, it tells you what's happening under the hood. Compliance is the seatbelt, it keeps you within the rules of the road. Now, you wouldn't design a car where those three systems don't talk to each other. But that's exactly how most organizations run their GRC program. Holistic GRC changes that. It says everything is connected. And when you adopt that lens, you start to realize that the connective tissue, the thing that runs through every governance decision, every risk assessment, every compliance control, is identity. Who has access to what? Who did what and when? Who should have access and who shouldn't? 
These are identity questions, and that's exactly why IDAM is not just an IT function, it's also a GRC function. Before we get into IDAM specifically, I want to spend a few minutes painting the picture of the GRC challenge landscape because I think context matters enormously here. The world that GRC programs operate in has changed dramatically over the last decade. Let me give you five forces that have fundamentally shifted the game. Number one is regulatory explosion. The number of regulations that touch data, privacy and security and business conduct has grown exponentially. GDPR in Europe, CCPA in California, DORA for financial services in the EU, SOC 2 for cloud service providers, HIPAA for healthcare, PCI DSS for payments, ISO 27001 as a global benchmark, the list goes on and grows every year. Organizations operating across industries or geographies are often juggling 10, 15, even 20 different compliance frameworks simultaneously. The compliance burden is enormous. Number two is digital transformation and cloud. Most organizations have moved a significant portion of their infrastructure to the cloud or they are in the middle of doing so. That means data is distributed, applications are SaaS-based, and the perimeter that used to define inside and outside the organization is essentially gone. The attack surface is dramatically larger. The number of identities, human and machine, has exploded. Number three is the insider threat reality. Study after study shows that a huge proportion of data breaches involve insiders, either malicious insiders, which is generally lower, but the bulk of it involves compromised credentials. Verizon's Data Breach Investigations Report has consistently shown that stolen or misused credentials are involved in the majority of breaches. This is not an external threat story, it's an identity story. Managing that extended ecosystem of identities is a GRC challenge of enormous complexity. Demonstrating compliance is not just about having controls in place. 
It's about being able to prove those controls work. Auditors want evidence, regulators want logs, and the expectation of real-time continuous compliance monitoring is growing. That requires systems that can generate, store and report on control activity automatically. When you look at all five of these forces together, a pattern emerges. The common thread is identity. Who accessed what cloud environment? Whose credentials were compromised? Which third-party vendor had excessive permissions? Who approved that access? Can you prove it was reviewed in the last 90 days? Every single one of those questions is an identity question. Which brings us to IDAM. Let's define our own term. IDAM, identity and access management, is the framework of policies, processes and technologies that ensures the right individuals and the right systems have the right access to the right resources at the right time for the right reasons and no more. That definition is worth unpacking because every clause matters. Right individuals: this is about authentication. Verifying that the person or system claiming an identity actually is who they say they are. Multifactor authentication, biometrics, certificate-based authentication, all of this falls here. The right access: this is about authorization. What are you allowed to do once we know who you are? This covers role-based access control, attribute-based access control, privileged access management, and the principle of least privilege. The right resources: this speaks to the breadth of IDAM. It's not just your corporate Active Directory anymore. It's your cloud platforms, your SaaS applications, your databases, your APIs, your physical access systems. At the right time: access is not permanent. Provisioning and deprovisioning matter. Temporary access, time-bound permissions, just-in-time access, these are all tools for ensuring access is granted only when needed and revoked when it is not. Next, for the right reasons. 
This is where governance comes in. Access should be tied to a business justification, approved by the right authority and reviewed periodically. And finally, no more. This is the principle of least privilege, one of the most fundamental concepts in information security. You give people exactly what they need and nothing else. Excess privilege is excess risk. Adding to that airline analogy we made earlier, the fact that only those two crew members with their specific credentials and certifications are sitting in the cockpit. Not the engineer, not the gate agent, not the curious passenger who knocked on the flight deck door. That's IDAM. Access control as a fundamental safety mechanism, not an IT afterthought. Remove any one of those four elements and the flight becomes dangerous. Remove all four and you don't have an airline. You have chaos with wings. The same applies to organizations too. Now, IDAM as a discipline has evolved enormously. What started as simple username and password management has grown into a sophisticated domain that includes identity governance and administration, or IGA in short, managing the lifecycle of identities and their entitlements. These identities include human as well as non-human identities like service accounts, APIs, bots, IoT devices. We have already covered identity governance and non-human identities in detail in episodes number 2 and 4 respectively. If you are new to this podcast or have not heard those episodes, I suggest you listen to them when you get the time. The next one is privileged access management, which deals with securing and monitoring high-risk, high-privilege accounts. This is a huge topic by itself, and I plan to have a dedicated episode in the future for this. Single sign-on and federation: this deals with simplifying access while maintaining security across systems. And then comes zero trust architecture, the principle that no identity is inherently trusted, and access must be continuously verified. 
This is a rich and complex domain, and every element of it has direct implications for GRC. Now let's get into the meat of it. How does IDAM actually enable governance? Governance is about accountability, oversight, and the structures that ensure an organization does what it says it's going to do. And IDAM provides three things that governance requires above almost everything: visibility, accountability, and control. Visibility: you cannot govern what you can't see. One of the foundational challenges in large organizations is simply knowing what access exists. Who has access to the financial systems? Does marketing have access to customer PII? Are there orphaned accounts from employees who left six months ago? That visibility is a precondition for any meaningful governance conversation. Then comes accountability. Governance requires clear lines of accountability. Who owns this system? Who is responsible for reviewing access to this application? IDAM programs formalize this through the concept of access owners and entitlement owners, business leaders and system owners who are accountable for the access granted under their remit. Access certification and attestation campaigns, where managers and data owners regularly review and certify that access is still appropriate, are a core governance mechanism. They create a documented, auditable chain of accountability. Then we have control. Governance is ultimately about ensuring decisions get made and executed consistently. IDAM automates and enforces governance decisions. When a governance policy says no user should have both the ability to create a vendor and approve a payment, that's a segregation of duties control. IDAM systems can enforce that automatically, flag violations in real time, and generate remediation workflows. The governance decision gets built into these systems, not left to human memory or goodwill. There's also the dimension of policy lifecycle management. 
Governance requires that policies exist, are communicated, are understood and are enforced. IDAM is the enforcement layer for access-related policies. When your policy says privileged accounts must use MFA, your PAM solution enforces it. When your policy says contractors get time-limited access, your IGA platform enforces it. Policy becomes operational through IDAM. Now let's talk about risk. Risk management is fundamentally about identifying what could go wrong and taking steps to reduce the likelihood or impact of those things happening. Access risk is one of the most significant and pervasive risk categories in any organization. And IDAM is the primary mechanism for identifying, assessing and mitigating access risk. Let me walk through the risk management lifecycle and show you how IDAM maps to each stage. Number one, risk identification. How do you know if access risk exists in your organization? Through access reviews, entitlement analytics, and role mining. IDAM tools can analyze the access landscape and surface risks: accounts with excessive privileges, users with access to sensitive data who don't need it, dormant accounts, conflicts of interest, toxic combinations of permissions. These are access risks, and without IDAM tooling, most organizations simply don't know they exist. Number two is risk assessment. Once you have identified the risks, you need to understand their potential impact. A segregation of duties violation in a low-risk system is different from one in your financial reporting system. IDAM platforms allow you to classify risks by severity, tie them into business context, and prioritize remediation accordingly. Privileged access management tools, for instance, help you understand exactly which accounts, if compromised, could cause catastrophic damage. That's risk assessment in action. Then comes risk treatment. This is where IDAM really shines. 
The primary risk treatment strategy in access management is reduction: reducing the risk by removing or limiting access, remediating SoD violations, implementing just-in-time access for privileged accounts, enforcing MFA on sensitive systems, deprovisioning stale accounts. Every one of these is a risk reduction action executed through IDAM capabilities. Then we move to risk monitoring. Risk is not static. New applications get deployed, business processes change. IDAM provides continuous monitoring of these access environments, automated alerts when high-risk access is granted, real-time dashboards of the risk posture, and integration with SIEM platforms to detect anomalous access behavior. Risk monitoring becomes continuous rather than point in time. There's also the increasingly important concept of identity risk scoring, where organizations use analytics and AI to assign a risk score to each identity based on behavioral patterns, access profile, and contextual signals. This allows risk management to be truly dynamic and intelligence driven. One more thing I want to mention here: third-party risks. Managing the identities of vendors, contractors, and partners is one of the most challenging risk management problems organizations face. A strong IDAM program includes governance over the entire identity population, not just employees. That means onboarding workflows, access scoping, time-limited credentials and deprovisioning when the relationship ends. Third-party access without IDAM governance is a risk exposure that organizations cannot afford. Now we come to compliance. This is where IDAM often gets the most immediate attention because regulations explicitly require access controls. Let me give you a tour of some major frameworks and how IDAM maps to them. First, let's see GDPR, the EU's General Data Protection Regulation. GDPR requires that personal data is protected, access to it is controlled and limited, and organizations can demonstrate compliance. 
Article 25, Data Protection by Design and by Default, essentially mandates that access minimization is built into systems from the start. That's least privilege. That's IDAM. GDPR also requires audit trails of who accessed personal data and when. That's logging and monitoring, core IDAM capabilities. Next, let's see SOX, or the Sarbanes-Oxley Act, which is relevant for publicly listed US companies. SOX requires robust internal controls over financial reporting. Section 404 specifically requires that companies assess and attest to those controls annually. Segregation of duties is a foundational SOX control, and IDAM is the primary mechanism for implementing and evidencing it. Access reviews and certification campaigns are directly driven by SOX requirements. Next is NYDFS, the New York Department of Financial Services Cybersecurity Regulation. Part 500 applies to every financial services company licensed to operate in New York State, and was significantly strengthened in 2023. It mandates privileged access management, MFA for all internal system access, and six years of audit trails covering access to sensitive systems. The CISO must certify compliance annually, material incidents must be reported within 72 hours, and the board must be formally briefed on cybersecurity risks. IDAM programs, access reviews and continuous identity monitoring are not optional under NYDFS. They are explicitly required and actively enforced. HIPAA, for healthcare organizations handling protected health information. HIPAA's Security Rule requires access controls, audit logs, and automatic logoff. These are all IDAM capabilities. Demonstrating HIPAA compliance without a strong IDAM program is extraordinarily difficult. Next is ISO 27001, the international standard for information security management systems. Control domain A.9 covers access control comprehensively: user access management, user responsibilities, system and application access control, to name a few. 
IDAM is the operational expression of almost every A.9 control. Then comes the NIST Cybersecurity Framework. The Identify and Protect functions both heavily reference access management. The framework's emphasis on privileged access, identity management, and authentication directly maps to IDAM capabilities. We will cover this in detail in a separate podcast episode of its own. The key insight here is this. Compliance controls don't manage themselves. Regulations say what must be done. IDAM is a primary mechanism for how you do it and, critically, how you prove you've done it. Audit evidence is everything in compliance. Access logs, certification records, provisioning and deprovisioning history, privileged session recording, all of this is generated by a mature IDAM program. When the auditor comes knocking, a well-implemented IDAM platform can produce evidence at scale automatically. Organizations without that capability spend an enormous amount of time and money manually gathering evidence and often still can't fully demonstrate compliance. Let me take a moment to talk about maturity because this is a journey, not a switch you flip. Most organizations sit somewhere on an IDAM maturity curve, and where they sit directly affects the quality of their GRC program. Level 1, or what we call ad hoc. At this level, access is managed manually. There is no central directory, no defined provisioning process, and access reviews, if they happen at all, are spreadsheet-based, infrequent and painful. Compliance evidence is nearly impossible to produce. Risk is largely invisible. Level 2 is what we call defined. The organization has a centralized directory now, basic provisioning workflows and some access governance processes exist, policies exist, but the processes are still largely manual, and the connection between IDAM and the broader GRC program is very weak. 
At level 3, what is called managed, the IDAM tooling is in place: an IGA platform, possibly a PAM solution, MFA broadly deployed, access certification campaigns run on a regular schedule. There is an integration with HR systems for joiner and mover processes. Compliance reporting is automated for key frameworks. This is where many mature organizations sit today. Level 4 is what we call optimized. This is where IDAM becomes truly strategic. Risk-based access controls, real-time identity risk scoring, zero trust architecture, machine identity management, AI-driven anomaly detection. IDAM is fully integrated with the GRC program, which means risk assessments reference access data, compliance evidence is continuous and governance decisions are data driven. The IDAM program actively reduces business risk rather than just fulfilling a compliance checkbox. The goal of every organization should be progression along this maturity curve, and for this progression to be successful with less friction, it should be driven by IDAM teams in tandem with GRC. That's where the business requirements, risk appetite, and compliance obligations live. I would be doing you a disservice if I didn't talk about where organizations go wrong. Pitfall number one is treating IDAM as an IT problem. This is probably the most pervasive issue. When IDAM is treated as an IT problem, it gets optimized for operational convenience rather than business risks and compliance. Access is granted because someone asked for it, not because there's a governance process. Reviews happen because the auditors asked, not because there's a business-owned accountability model. IDAM needs to be driven as a business enabler. Pitfall number two is focusing on provisioning and forgetting deprovisioning. A highly optimized joiner process is seen as a productivity improvement. Getting access set up when somebody joins is the easy part. Removing it when they leave, when they change roles, or when a project ends. 
That's where most organizations fall down. Orphaned accounts and entitlement creep, where users accumulate access over time without ever having anything removed, are among the biggest access risks in any enterprise. Pitfall number three is treating access reviews as a compliance exercise rather than a risk exercise. If your access reviews are just about getting certifications signed off before the audit, you're missing the point. Review campaigns should be intelligence driven, surfacing the highest risk access for the most scrutiny, not just rubber stamping thousands of entitlements. Pitfall number four is ignoring non-human identities. Service accounts, API keys, certificates, bots, these are often completely invisible to the governance program. And yet they have enormous privileges and if compromised can cause catastrophic damage. A holistic GRC program must include machine identity management. Pitfall number five is building in silos. IDAM, GRC tools, SIEM, HR systems, ITSM platforms, they all need to talk to each other. An IDAM system that doesn't integrate with your risk management platform means risk data doesn't flow. One that doesn't connect to your HR system means leavers don't get deprovisioned automatically. Integration is not a nice to have, it's the foundation of a holistic program. To track the effectiveness of how GRC and IDAM are working together in your organization, we track a few health signals that tell the real story of your security. We call them KPIs. The list is exhaustive, but a few to give you a taste are the ghost account rate, also known as the dormant or orphan account rate. These are accounts for people who already left the company but still have keys to the castle. If this number is high, it means your GRC policies aren't talking to your IDAM systems and you have left the back door open. Speed to productivity, or mean time to provision access. Think about day one for a new hire. Does it take them two hours or two weeks to get the access they need? 
Tracking time to productivity tells us if our integrated GRC IDAM process is a business enabler or just a bureaucratic speed bump. Toxic combo, or segregation of duties violation rate. We track toxic combinations. This is where one person has the power to, say, both create a vendor and pay that vendor. A holistic program catches these overlaps automatically before an auditor or a fraudster does. Audit fatigue index, or access certification completion rate. Are your managers actually reviewing access or are they just rubber stamping spreadsheets at midnight because they are overwhelmed? If our completion rates are low, it's a sign that our GRC IDAM integration is too manual and needs more automation to save everyone's sanity. Privileged account usage monitoring. We monitor the super users. These are the admins with the most power. If we aren't tracking 100% of the sessions, we are essentially flying blind. This KPI tells us if our governance is actually watching the people who hold the most risk. And then another one which we can track is the adaptive authentication block rate. We track how many times our systems automatically blocked a login because something felt off. Like a login from a new device in a different country. This is the invisible shield at work. It shows our GRC rules are being enforced in real time by our IDAM tech without a human ever having to click a button. Let's look forward. Where is all this heading? The most significant architectural shift in the IDAM and GRC space right now is zero trust. Zero trust is a security model built on the principle that no identity inside or outside the network should be inherently trusted. Every access request must be verified, every session must be monitored, and access must be continuously re-evaluated based on context. Zero trust is in many ways the architectural expression of everything we have been talking about. It operationalizes least privilege, it treats every identity as a potential risk. 
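The segregation of duties control described earlier (create a vendor and approve a payment in the same pair of hands) and the KPIs just listed can be computed directly from an entitlement snapshot plus an HR feed. The following is an added example, not the podcast's own material; the role names, entitlement names, SoD rules and identity records are all constructed for illustration, and the SoD check runs on the union of role-derived and directly granted entitlements, since a direct grant is the usual way a clean role turns toxic.

```python
from dataclasses import dataclass, field
from datetime import date
from statistics import mean
from typing import Optional

# Role -> entitlements. Constructed sample data, not taken from any real system.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve", "vendor.read"},
    "hr_admin": {"employee.read", "payroll.edit"},
    "helpdesk": {"account.reset"},
}

# Segregation-of-duties rules: one identity must never hold both entitlements.
SOD_RULES = [
    ("vendor.create", "payment.approve"),   # create a vendor AND pay it
    ("invoice.enter", "payment.approve"),   # enter an invoice AND approve payment
]


@dataclass
class Identity:
    user_id: str
    hr_status: str                        # "active" or "left" (from the HR feed)
    roles: set = field(default_factory=set)
    direct_entitlements: set = field(default_factory=set)  # granted outside any role
    account_enabled: bool = True
    hired_on: Optional[date] = None
    first_access_on: Optional[date] = None  # when the first entitlement was provisioned
    cert_reviewed: bool = False           # signed off in the current certification campaign


# Constructed identity population.
IDENTITIES = [
    Identity("alice", "active", {"ap_clerk", "ap_manager"},
             hired_on=date(2024, 1, 8), first_access_on=date(2024, 1, 8), cert_reviewed=True),
    Identity("bob", "active", {"hr_admin"},
             hired_on=date(2024, 2, 5), first_access_on=date(2024, 2, 19), cert_reviewed=True),
    # Leaver whose account was never disabled: a ghost account.
    Identity("carol", "left", {"helpdesk"},
             hired_on=date(2023, 6, 1), first_access_on=date(2023, 6, 2)),
    # Leaver correctly deprovisioned.
    Identity("dave", "left", {"hr_admin"}, account_enabled=False,
             hired_on=date(2023, 1, 9), first_access_on=date(2023, 1, 10)),
    # Role is clean, but a direct grant creates a toxic combination.
    Identity("erin", "active", {"ap_manager"}, direct_entitlements={"vendor.create"},
             hired_on=date(2024, 3, 4), first_access_on=date(2024, 3, 6)),
]


def effective_entitlements(identity: Identity) -> set:
    """Entitlements via roles plus direct grants; SoD must be checked on this union."""
    via_roles = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in identity.roles))
    return via_roles | identity.direct_entitlements


def sod_violations(identities, rules=SOD_RULES):
    """Return (user_id, (a, b)) for every toxic combination an enabled identity holds."""
    found = []
    for ident in identities:
        if not ident.account_enabled:
            continue  # a disabled account cannot exercise the combination
        ents = effective_entitlements(ident)
        for a, b in rules:
            if a in ents and b in ents:
                found.append((ident.user_id, (a, b)))
    return found


def ghost_account_rate(identities) -> float:
    """Share of enabled accounts whose owner has left according to HR."""
    enabled = [i for i in identities if i.account_enabled]
    ghosts = [i for i in enabled if i.hr_status == "left"]
    return len(ghosts) / len(enabled) if enabled else 0.0


def sod_violation_rate(identities, rules=SOD_RULES) -> float:
    """Share of identities holding at least one toxic combination."""
    offenders = {user for user, _ in sod_violations(identities, rules)}
    return len(offenders) / len(identities) if identities else 0.0


def mean_time_to_provision_days(identities) -> float:
    """Mean days from hire date to first provisioned access (speed to productivity)."""
    deltas = [(i.first_access_on - i.hired_on).days
              for i in identities if i.hired_on and i.first_access_on]
    return mean(deltas) if deltas else 0.0


def certification_completion_rate(identities) -> float:
    """Share of enabled accounts actually reviewed in the current campaign."""
    enabled = [i for i in identities if i.account_enabled]
    done = [i for i in enabled if i.cert_reviewed]
    return len(done) / len(enabled) if enabled else 0.0


def health_report(identities) -> dict:
    """The GRC/IDAM health signals in one place."""
    return {
        "ghost_account_rate": ghost_account_rate(identities),
        "sod_violation_rate": sod_violation_rate(identities),
        "mean_time_to_provision_days": mean_time_to_provision_days(identities),
        "certification_completion_rate": certification_completion_rate(identities),
        "sod_violations": sod_violations(identities),
    }


if __name__ == "__main__":
    for key, value in health_report(IDENTITIES).items():
        print(f"{key}: {value}")
```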
It requires continuous verification rather than periodic reviews, and it demands the kind of real-time visibility and control that only a mature IDAM program can provide. If GRC is the management system that keeps an organization honest and resilient, zero trust is the technical architecture that enforces it at the identity level. Then comes AI and machine learning. AI and machine learning are transforming IDAM in several important ways. Identity analytics platforms are using AI to detect anomalous access behavior, flagging when a user suddenly starts accessing systems they've never accessed before or accessing data at unusual times. AI is being used to recommend access entitlements based on peer analysis. If everyone in your role has access to X and Y and Z, but you also have access to W, that's a signal worth investigating. And AI is helping automate the prioritization of access certification reviews, ensuring reviewers focus their attention on the highest risk entitlements. Then another one which is emerging is decentralized identity, the idea that individuals and organizations can own and control their digital identities without relying on a centralized authority. This has significant implications for how we think about identity verification and access in the future. And finally, convergence of physical and digital identity. As organizations integrate physical access control with their digital IDAM programs, the concept of holistic identity becomes even richer and the GRC implications even more profound. The direction of travel is clear. Identity is becoming the central control plane for everything: security, risk, compliance, and governance. Organizations that invest in IDAM as a strategic GRC capability today will be dramatically better positioned to handle the complexity of tomorrow. Let me bring this home. GRC is not a compliance checkbox. It's not a set of spreadsheets and audit reports. 
Done right, it is the management system that allows an organization to pursue its objectives confidently, manage uncertainty intelligently, and demonstrate integrity to every stakeholder: regulators, customers, employees, and shareholders. And at the heart of that system, threading through governance, risk and compliance like a golden thread, is identity. Who has access? Who approved it? Who reviewed it? Who did what? When? Can you prove it? These questions are not IT questions. They are not security questions in isolation. They are governance questions. They are risk questions, they are compliance questions. IDAM and GRC are two intertwined disciplines in cybersecurity. A GRC program is not holistic if it does not intermingle with the organization's IDAM programs. The organizations that understand this and build governance structures around identity, use identity data to drive risk reduction, and lean on IDAM automation to generate compliance evidence, those organizations are building something genuinely resilient. The ones that don't are leaving an enormous gap in their control framework. And increasingly, that gap is exactly where breaches happen and where regulators focus. So whether you are a CISO, a CRO, a compliance officer, a board member, or someone just trying to figure out how all of this fits together, I hope today's episode gave you a clearer picture of that connection. IDAM is the heartbeat of holistic GRC. Make sure yours is beating. Thanks for listening to Secured by Design. If today's episode gave you something to think about, subscribe and follow on your favorite streaming platform for more discussions on identity and cybersecurity. Please do consider taking the time to rate this show. I would really appreciate that. That is one of the best ways for you to support this podcast and help it grow by providing feedback. Please feel free to share it with your team. You can also connect with me on LinkedIn for updates and new episode releases. 
Until next time, stay secure, stay resilient, and stay secured by design.