You can’t automate what you don’t understand.
That’s the core message from a recent podcast with Concord’s Cybersecurity Practice Director, Rob Peterson, and Security Architect Sam Azzone. Together, they unpacked why so many Identity and Access Management (IAM) initiatives fall short, even when organizations have solid tools and talented teams behind them.
IAM isn’t new, but that doesn’t make it easy. Getting it right takes upfront work, a clear strategy, and a willingness to slow down before speeding up.
IAM architecture has evolved dramatically. “In the beginning, all systems were essentially centralized,” Rob explains. “One big machine, everybody had an account on that machine, and you were good.” Access control was simpler and easier to enforce.
Sam adds, “All of your access requirements, passwords, identities, and role assignments—if you had roles back then—existed right there on the mainframe.”
That shifted with the rise of distributed systems. “We went from centralized to distributed,” Sam continues. “At scale, we can’t keep track of who has what access—especially with shadow IT owned by independent departments.”
Eventually, organizations began to centralize again, this time through federation: open protocols such as Security Assertion Markup Language (SAML) and OpenID Connect (OIDC), and products that implement them such as Active Directory Federation Services (ADFS). Together these provided a unified identity and access layer that could span both legacy and modern systems.
Despite a booming market for identity tools, many IAM projects fail. Not because of the technology, but because of the lack of strategy behind it.
“One of the reasons why IAM is seemingly hard again goes back to this lack of planning, lack of strategy,” says Sam. Too often, teams rush into implementation without fully understanding the current state of access in their organization.
“IAM processes work in your organization before automation—because you have help desk folks who run down the hall, ask a question, call a manager on the phone,” he says. “That process is plenty adequate when there are humans involved. That process is not adequate at all for automation.”
Rob echoes this point: “Too often people get right into the implementation phase. They don’t take the time upfront to assess and document all of the as-is workflows.”
These undocumented, informal processes don’t translate to Identity Governance and Administration (IGA) tools or automation platforms. “That may work manually,” Sam explains, “but hand that same workflow to an IGA tool, and it breaks.”
The fix? A strategy-first approach. “Not having a documented, guiding-principles-level IAM strategy before biting off an IAM roadmap—that is a recipe for disaster every time,” Sam warns.
Planning starts with inventory, and most organizations underestimate this step.
“What I most commonly see fail IAM projects is that people think, because they have existing IAM processes, they just want to automate them,” says Sam. “In reality, they don’t have a process that is mature enough.”
He’s seen it repeatedly: inventories that are incomplete in both scope and effort. “Almost every single inventory I’ve seen from an admin—whether from network engineers, system admins, or global admins—is highly incomplete,” he says.
Skipping inventory leads to tools being implemented on top of broken or undocumented systems. Rob reinforces the risk: “What are all the systems and platforms we need to control, and what do those processes look like today? Because we’re going to slap a technology on it.”
Sam adds, “Going back to that requirement stage and replanning stage is something there’s quite a bit of reluctance to do. But it will fail the implementation of an IGA tool.”
Even mature organizations face IAM challenges, often stemming from old decisions that quietly became liabilities.
“If you have group nesting going on in your organization, I have no idea why you would go on to bite off a Privileged Access Management (PAM) project,” Sam warns. “Your privileged access is already fully escalatable without governance or controls over it.”
He describes scenarios where overly complex group hierarchies and invisible escalation paths let domain-admin privileges surface in places no one expects. “You see this where people bring in PAM... but if you have a domain admin that’s in a group, that’s in a group, that’s in a group... and one of those groups is nested inside another group, all of a sudden you have domain admin in a place you don’t expect.”
Rob has seen this play out too: “I dealt with that back with Active Directory years ago, and the complexities that introduced with nested permissions.”
This kind of technical debt creates long-term maintenance traps. “When you start programming around these edge cases, now you’re thinking about sustainability and future releases,” Sam explains. “That stuff becomes expensive—and it becomes a long-term maintenance trap that most of us forget about.”
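The nesting problem Sam and Rob describe is easy to make visible before a PAM or IGA project starts. The script below is an added example, not code from the podcast or from Concord: it walks a constructed directory snapshot (group and user names are invented for illustration) and reports every user who ends up in a privileged group, together with the chain of nested groups that grants it. In practice you would export each group's `member` attribute from Active Directory into the same dictionary shape.

```python
"""Resolve nested group membership and report every path by which a
principal ends up in a high-privilege group.

Added example, not the podcast's or Concord's code. The snapshot below is
constructed for illustration; feed it real data by exporting each group's
`member` attribute (LDAP or Get-ADGroup -Properties member) into the same
{group: [direct members]} shape.
"""
from collections import deque

# Constructed snapshot: group -> direct members (users or other groups).
# "App-Admins" and "Ops-Staff" are nested in each other: AD allows such
# cycles, and a naive recursive walk would never terminate on one.
DIRECT_MEMBERS = {
    "Domain Admins": ["alice", "Tier0-Ops"],
    "Tier0-Ops": ["Infra-Leads"],
    "Infra-Leads": ["bob", "App-Admins"],
    "App-Admins": ["Ops-Staff", "carol"],
    "Ops-Staff": ["App-Admins", "dave", "Helpdesk"],
    "Helpdesk": ["erin"],
    "Marketing": ["frank"],
}


def is_group(name, groups):
    """Anything that appears as a key in the snapshot is a group."""
    return name in groups


def effective_members(root, groups):
    """Return {user: path} for every user reachable from `root`, where
    path is the chain of groups traversed (root first). Breadth-first, so
    the reported path is the shortest one; the visited set makes the walk
    terminate even when groups are nested in a cycle."""
    found = {}
    visited = {root}
    queue = deque([(root, [root])])
    while queue:
        group, path = queue.popleft()
        for member in groups.get(group, []):
            if is_group(member, groups):
                if member not in visited:
                    visited.add(member)
                    queue.append((member, path + [member]))
            elif member not in found:
                found[member] = path
    return found


def unexpected_admins(root, groups, expected):
    """Users who hold `root` membership but are not on the expected list,
    with the nesting path that grants it. A path of length 1 means direct
    membership; anything longer arrived through nesting."""
    return {
        user: path
        for user, path in effective_members(root, groups).items()
        if user not in expected
    }


def nesting_depth(root, groups):
    """Longest group chain under `root`: a quick 'how bad is it' metric."""
    return max((len(p) for p in effective_members(root, groups).values()), default=0)


if __name__ == "__main__":
    # Who the organization believes its domain admins are (constructed).
    expected = {"alice"}
    for user, path in unexpected_admins("Domain Admins", DIRECT_MEMBERS, expected).items():
        print(f"{user}: Domain Admins via {' -> '.join(path)}")
    print("max nesting depth:", nesting_depth("Domain Admins", DIRECT_MEMBERS))
```

Run over each privileged group (Domain Admins, Enterprise Admins, Schema Admins, any group granting local admin on tier-0 hosts) before scoping a PAM project, and treat every path longer than one hop as a finding to unwind. Flattened membership alone is not enough for that: AD's transitive matching rule (`LDAP_MATCHING_RULE_IN_CHAIN`, OID 1.2.840.113556.1.4.1941) and `Get-ADGroupMember -Recursive` tell you who is effectively a member, but not which chain of groups put them there, and the chain is what has to be cleaned up.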
IAM projects also suffer when teams focus too much on features and not enough on scale or integration.
“As an enterprise matures, scale becomes one of those non-functional requirements that needs to be discussed,” says Sam. “If your system can’t handle your environment or integrate with your broader architecture, no amount of features will save it.”
The biggest takeaway? Start with planning, not tools.
“Go take a real inventory of what you have and make sure that you have some process for all of the things you want to do,” Sam advises. “Then make sure the requirements that you're collecting in that planning phase are usable in product selection and architecture.”
And don’t wait to bring in experts.
“Consult an expert sooner,” Sam says, “because that saves you a lot of time and effort down the road… You prevent making all these mistakes that become six- or seven-figure projects, which could have been avoided with a five-figure investment at the start.”
As Rob puts it: “Proper architecture and proper planning up front saves a lot of pain.”
IAM isn’t easy, but it doesn’t have to be so complicated. The key is understanding your environment, clarifying your needs, and aligning systems accordingly.
As Sam puts it: “IAM is hard—but it’s a lot easier if you start with strategy.”
By focusing on fundamentals—centralizing identities, defining processes, and preparing before automating—you lay the foundation for lasting IAM success.
Want to learn more? Check out the full podcast or connect with our team to start building a stronger, smarter IAM approach today.