
Building a 12-Month IAM Roadmap

An IAM roadmap transforms good intentions into executable plans. Without one, IAM improvements happen reactively — driven by audit findings, security incidents, or vendor sales cycles rather than by deliberate strategy. A well-constructed 12-month roadmap breaks the journey into manageable phases, builds credibility through early wins, and provides the executive visibility needed to sustain investment and organisational commitment.

This lesson provides a practical, proven framework for building a 12-month IAM roadmap that works for organisations of any size. It draws on real-world implementation patterns from organisations that have successfully transformed their identity posture from ad-hoc to governed.

The Four-Phase Framework

A 12-month IAM roadmap works best when structured in four phases. Each phase builds on the previous one, and each delivers tangible, demonstrable value — which is critical for maintaining executive support and budget approval for subsequent phases.

Diagram: 12-Month IAM Roadmap: Four-Phase Timeline

Horizontal timeline divided into four phases. Phase 1 (Months 1-3): Foundation — assess, document, quick wins. Phase 2 (Months 4-6): Core Controls — SSO, MFA, lifecycle automation. Phase 3 (Months 7-9): Governance — access reviews, RBAC, monitoring. Phase 4 (Months 10-12): Maturity — PAM, analytics, continuous improvement. Each phase shows key deliverables and success criteria.

Phase 1: Foundation (Months 1–3)

Phase 1 is about understanding your current state, establishing governance, and delivering quick wins that build momentum. You cannot plan a journey without knowing your starting point.

Key activities:

  • IAM maturity assessment: Evaluate your current capabilities against a recognised framework (such as the NIST Cybersecurity Framework or a vendor-neutral IAM maturity model). Document where you are across each dimension: identity lifecycle, authentication, access governance, monitoring, and privileged access.
  • Asset and application inventory: Catalogue every application, system, and data repository that requires identity and access management. For each, document the current authentication method, user population, business criticality, and whether it supports SAML/OIDC federation and SCIM provisioning, because that last column determines what can realistically be integrated in Phase 2.
  • Governance establishment: Appoint the executive sponsor, form the IAM working group, create the RACI matrix, and establish the governance cadence (monthly or quarterly meetings).
  • Quick wins: Enable MFA for all administrative accounts immediately. Disable or remove all orphaned accounts identified during inventory. Document the onboarding and offboarding process, even if it’s manual.
  • Baseline KPIs: Measure your starting position across the KPIs defined in the governance lesson — SSO coverage, MFA adoption, time to provision/deprovision, orphaned accounts.

Phase 1 deliverables: Maturity assessment report, application inventory, IAM programme charter, RACI matrix, baseline KPI dashboard, evidence of quick wins (MFA for admins, orphaned accounts removed).
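The baseline KPIs above are only useful if they are computed the same way at every phase gate. The following script is an added example, not part of the lesson: it derives SSO coverage, MFA adoption and an orphaned-account list from a constructed application inventory, IdP account export and HR roster. The field names (sso, mfa_enrolled, last_login, status) and the 90-day dormancy threshold are assumptions, not any vendor's export schema.

```python
"""Baseline IAM KPIs from an application inventory, an account export and an HR roster.

Added example, not part of the lesson. All data below is constructed and the
field names are assumptions about what an IdP or HR export would contain.
"""
from datetime import date

# Constructed application inventory (a Phase 1 deliverable).
APPLICATIONS = [
    {"name": "crm",        "sso": True,  "criticality": "high", "users": 400},
    {"name": "payroll",    "sso": False, "criticality": "high", "users": 40},
    {"name": "wiki",       "sso": True,  "criticality": "low",  "users": 900},
    {"name": "legacy-erp", "sso": False, "criticality": "high", "users": 120},
]

# Constructed IdP account export.
ACCOUNTS = [
    {"user": "alice",      "admin": True,  "mfa_enrolled": True,  "last_login": "2024-05-30"},
    {"user": "bob",        "admin": True,  "mfa_enrolled": False, "last_login": "2024-05-28"},
    {"user": "carol",      "admin": False, "mfa_enrolled": True,  "last_login": "2024-05-29"},
    {"user": "dave",       "admin": False, "mfa_enrolled": False, "last_login": "2024-01-03"},
    {"user": "svc-backup", "admin": True,  "mfa_enrolled": False, "last_login": None},
    {"user": "erin",       "admin": False, "mfa_enrolled": True,  "last_login": "2024-05-01"},
]

# Constructed HR roster. "svc-backup" has no HR record: a shared account with no owner.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob":   {"status": "active"},
    "carol": {"status": "active"},
    "dave":  {"status": "terminated", "termination_date": "2024-02-15"},
    "erin":  {"status": "active"},
}

AS_OF = date(2024, 6, 1)
INACTIVITY_DAYS = 90  # assumed dormancy threshold


def pct(numerator, denominator):
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def sso_coverage(apps):
    """Share of applications behind the IdP, both by count and by seat (users)."""
    total_seats = sum(a["users"] for a in apps)
    return {
        "by_application_pct": pct(sum(a["sso"] for a in apps), len(apps)),
        "by_seat_pct": pct(sum(a["users"] for a in apps if a["sso"]), total_seats),
    }


def mfa_adoption(accounts):
    """MFA enrolment for administrators (the Phase 1 quick win) and for everyone."""
    admins = [a for a in accounts if a["admin"]]
    return {
        "admin_pct": pct(sum(a["mfa_enrolled"] for a in admins), len(admins)),
        "all_users_pct": pct(sum(a["mfa_enrolled"] for a in accounts), len(accounts)),
    }


def orphaned_accounts(accounts, roster, as_of, inactivity_days):
    """Orphaned = no HR owner, owner has left, or dormant beyond the threshold."""
    orphans = []
    for acct in accounts:
        hr = roster.get(acct["user"])
        last = date.fromisoformat(acct["last_login"]) if acct["last_login"] else None
        if hr is None:
            orphans.append((acct["user"], "no HR owner"))
        elif hr["status"] != "active":
            orphans.append((acct["user"], "owner terminated " + hr["termination_date"]))
        elif last is None or (as_of - last).days > inactivity_days:
            orphans.append((acct["user"], "dormant"))
    return orphans


def baseline(apps=APPLICATIONS, accounts=ACCOUNTS, roster=HR_ROSTER, as_of=AS_OF):
    """The Phase 1 KPI snapshot; re-run unchanged at each phase gate."""
    return {
        "sso": sso_coverage(apps),
        "mfa": mfa_adoption(accounts),
        "orphaned": orphaned_accounts(accounts, roster, as_of, INACTIVITY_DAYS),
    }


if __name__ == "__main__":
    for name, value in baseline().items():
        print(name, value)
```

Reporting SSO coverage by seat as well as by application matters: two of four applications federated sounds poor, but if they carry 89% of the seats the risk picture is quite different, and the long tail in Phase 4 is a different kind of work.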

Phase 2: Core Controls (Months 4–6)

Phase 2 focuses on deploying the foundational technical controls that deliver the largest security improvement for the investment.

Key activities:

  • SSO rollout: Integrate your top 10–20 SaaS applications with your IdP for single sign-on. Prioritise by user count and business criticality. Use SAML or OIDC based on application support. Applications that cannot federate should be recorded as exceptions with an owner and a remediation date rather than quietly dropped from the coverage figures.
  • MFA enforcement: Extend MFA from administrative accounts to all users across all SSO-integrated applications. Define your MFA policy: which methods are accepted (authenticator app, hardware key, push notification), what the fallback and recovery procedures are, and under what conditions step-up authentication is required. Prefer phishing-resistant methods (FIDO2/WebAuthn security keys or platform authenticators) for administrators and other high-risk users; SMS codes and simple push approval are the weakest options, and push approval without number matching is exposed to MFA-fatigue attacks.
  • Lifecycle automation: Implement SCIM provisioning for your highest-priority applications. Connect your HR system to your IdP so that new hire and termination events automatically trigger account creation and deactivation. Even partial automation (automated deactivation on termination, manual provisioning for new hires) delivers significant risk reduction. Note that setting a SCIM user to inactive does not by itself end sessions or revoke tokens already issued; the offboarding procedure must also revoke sessions at the IdP and in any application that holds its own refresh tokens.
  • Conditional access policies: Configure policies in your IdP that enforce contextual security: block sign-ins from untrusted locations, require MFA for risky sign-ins, restrict access to sensitive applications from unmanaged devices.
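To make the lifecycle automation step concrete, here is an added example (not part of the lesson and not any vendor's connector) that turns a constructed HR event feed into SCIM 2.0 requests. The request bodies follow the SCIM core User schema (RFC 7643) and PatchOp message (RFC 7644); the HR event format, the SCIM_BASE path, the in-memory DIRECTORY and the IdP session-revocation follow-up are assumptions. Terminations are always automated; hires are automated only when automate_hires is set, otherwise they become a manual task, which is the partial automation described above.

```python
"""Turn HR joiner/leaver events into SCIM 2.0 requests plus follow-up tasks.

Added example, not part of the lesson and not a vendor connector. The HR event
format, SCIM_BASE, DIRECTORY and the IdP follow-up are assumptions; the request
bodies follow RFC 7643 (core User) and RFC 7644 (PatchOp).
"""
import json

SCIM_BASE = "/scim/v2"  # assumed SCIM endpoint on the target application
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed view of the application's SCIM users keyed by externalId (the HR
# employee number), as a filtered GET /Users would return them.
DIRECTORY = {
    "E1001": {"id": "2819c223", "userName": "dave@example.com", "active": True},
    "E1002": {"id": "7f3a9b10", "userName": "carol@example.com", "active": True},
    "E1003": {"id": "c0ffee01", "userName": "old-leaver@example.com", "active": False},
}

# Constructed HR feed for one day.
HR_EVENTS = [
    {"type": "termination", "employee_id": "E1001", "effective": "2024-06-01"},
    {"type": "hire", "employee_id": "E2044", "given": "Priya", "family": "Nair",
     "email": "priya.nair@example.com", "start": "2024-06-10"},
    {"type": "termination", "employee_id": "E1003", "effective": "2024-06-01"},  # already inactive
    {"type": "termination", "employee_id": "E9999", "effective": "2024-06-01"},  # no SCIM user
]


def deactivate_request(scim_user):
    """PatchOp setting active=false. Sessions already issued are NOT ended by this."""
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return {"method": "PATCH", "path": f"{SCIM_BASE}/Users/{scim_user['id']}", "body": body}


def create_request(event):
    """Core User resource for a new hire; externalId links the account back to HR."""
    body = {"schemas": [USER_SCHEMA],
            "externalId": event["employee_id"],
            "userName": event["email"],
            "name": {"givenName": event["given"], "familyName": event["family"]},
            "emails": [{"value": event["email"], "primary": True}],
            "active": True}
    return {"method": "POST", "path": f"{SCIM_BASE}/Users", "body": body}


def plan(events, directory, automate_hires=False):
    """Map every HR event to exactly one bucket so nothing is silently dropped."""
    scim, idp, manual = [], [], []
    for ev in events:
        emp = ev["employee_id"]
        if ev["type"] == "termination":
            user = directory.get(emp)
            if user is None:
                manual.append(f"{emp}: terminated in HR but no SCIM user found; investigate")
            elif not user["active"]:
                manual.append(f"{emp}: already inactive; confirm no other accounts remain")
            else:
                scim.append(deactivate_request(user))
                # Assumption: the IdP exposes a session/token revocation call; SCIM alone does not.
                idp.append(("revoke_sessions", user["userName"]))
        elif ev["type"] == "hire":
            if automate_hires:
                scim.append(create_request(ev))
            else:
                manual.append(f"{emp}: create account for {ev['email']} before {ev['start']}")
        else:
            manual.append(f"{emp}: unhandled HR event type {ev['type']!r}")
    return {"scim": scim, "idp": idp, "manual": manual}


if __name__ == "__main__":
    print(json.dumps(plan(HR_EVENTS, DIRECTORY), indent=2))
```

The two termination edge cases are deliberate: a leaver with no matching SCIM user, and one who is already inactive, both go to the manual queue instead of being treated as success, because an offboarding pipeline that silently reports "done" for accounts it never found is exactly how orphans survive.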

Phase 2 deliverables: SSO integration for top 10–20 applications, universal MFA enforcement, SCIM provisioning for priority applications, documented conditional access policies, updated KPI dashboard showing improvement from baseline.

Diagram: Phase 2 Target Architecture: SSO, MFA, and Lifecycle Automation

Architecture diagram showing HR system feeding hire/termination data to IdP, IdP authenticating users via SSO (SAML/OIDC) to SaaS applications, MFA enforcement at IdP layer, SCIM provisioning from IdP to applications, and conditional access policies evaluating context (device, location, risk) before granting access.
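The conditional access layer in that architecture is easiest to reason about as a small policy engine. The following is an added example, not part of the lesson and not any IdP's policy language: the context fields, the trusted-country and sensitive-application lists, and the rule that the strictest outcome wins are assumptions chosen to mirror the three policies listed above (block untrusted locations, step up on risky sign-ins, keep unmanaged devices away from sensitive applications). An unrecognised risk score fails closed rather than open.

```python
"""Evaluate conditional access policies against a sign-in's context.

Added example, not part of the lesson and not a vendor policy language. The
context fields, TRUSTED_COUNTRIES, SENSITIVE_APPS and strictest-outcome-wins
semantics are assumptions.
"""
from dataclasses import dataclass, field

TRUSTED_COUNTRIES = {"GB", "IE"}             # constructed
SENSITIVE_APPS = {"payroll", "finance-erp"}  # constructed
KNOWN_RISK = ("low", "medium", "high")
RANK = {"allow": 0, "require_mfa": 1, "block": 2}


@dataclass
class SignIn:
    user: str
    app: str
    country: str
    device_managed: bool
    risk: str                # risk level as scored by the IdP
    mfa_done: bool = False   # has this session already satisfied MFA?


@dataclass
class Decision:
    outcome: str = "allow"
    reasons: list = field(default_factory=list)


def untrusted_location(s):
    if s.country not in TRUSTED_COUNTRIES:
        return "block", f"sign-in from untrusted country {s.country}"


def risky_signin(s):
    if s.risk not in KNOWN_RISK:
        return "block", f"unknown risk level {s.risk!r}; failing closed"
    if s.risk == "high":
        return "block", "high-risk sign-in"
    if s.risk == "medium" and not s.mfa_done:
        return "require_mfa", "medium-risk sign-in needs step-up"


def unmanaged_device_sensitive_app(s):
    if s.app in SENSITIVE_APPS and not s.device_managed:
        return "block", f"unmanaged device cannot access sensitive app {s.app}"


def baseline_mfa(s):
    if not s.mfa_done:
        return "require_mfa", "MFA required for every user"


POLICIES = [untrusted_location, risky_signin, unmanaged_device_sensitive_app, baseline_mfa]


def evaluate(signin, policies=POLICIES):
    """Run every policy; the strictest outcome wins and all reasons go to the audit log."""
    decision = Decision()
    for policy in policies:
        result = policy(signin)
        if result is None:
            continue
        outcome, reason = result
        decision.reasons.append(f"{policy.__name__}: {reason}")
        if RANK[outcome] > RANK[decision.outcome]:
            decision.outcome = outcome
    return decision


if __name__ == "__main__":
    samples = [
        SignIn("alice", "wiki", "GB", True, "low", mfa_done=True),
        SignIn("bob", "payroll", "GB", False, "low", mfa_done=True),
        SignIn("carol", "crm", "US", True, "low", mfa_done=True),
        SignIn("dave", "crm", "GB", True, "medium"),
        SignIn("erin", "crm", "GB", True, "unknown", mfa_done=True),
    ]
    for s in samples:
        d = evaluate(s)
        print(s.user, d.outcome, d.reasons)
```

Evaluating every policy rather than stopping at the first match costs nothing and gives the SOC the full list of reasons a sign-in was blocked, which is what they need when a user opens a ticket.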

Phase 3: Governance and Oversight (Months 7–9)

Phase 3 shifts focus from deploying controls to governing them. Controls without oversight degrade over time — permissions accumulate, exceptions become permanent, and new applications are added without integration.

Key activities:

  • Access certification campaigns: Launch your first formal access review cycle. Application owners and line managers review who has access to their systems and confirm or revoke. Start with your most sensitive systems (finance, HR data, customer data) and expand in subsequent cycles.
  • Role-based access control (RBAC) design: Define standard access bundles (roles) for common job functions. Instead of granting individual permissions application by application, assign a role that includes all the access a particular job function needs. This simplifies provisioning, reduces errors, and makes access reviews more meaningful.
  • Monitoring and alerting: Configure your IdP and SIEM to alert on identity-related events: impossible travel (successive sign-ins by one user from locations too far apart for the elapsed time, rather than simply two countries within an hour, which would also flag a legitimate short flight), brute-force attempts, use of MFA bypass codes or policy exclusions, privileged account usage outside business hours, and bulk permission changes.
  • Policy formalisation: Document your IAM policies formally: access control policy, privileged access policy, password and MFA policy, offboarding procedure. These documents are both operational guides and compliance evidence.
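The access certification and RBAC activities reinforce each other: once role bundles exist, a review can show each reviewer which entitlements fall outside the holder's role, so they are confirming exceptions rather than rubber-stamping a list. The following added example (not part of the lesson) builds a first campaign from constructed role bundles, application owners, sensitivity tiers and an entitlement export; in practice those would come from the IdP or IGA tool.

```python
"""Build a first access certification campaign from an RBAC model.

Added example, not part of the lesson. ROLES, APP_OWNERS, SENSITIVITY and USERS
are constructed sample data standing in for an IdP/IGA export.
"""
from collections import defaultdict

SENSITIVITY = {"finance": 3, "hr": 3, "crm": 2, "wiki": 1}
APP_OWNERS = {"finance": "cfo-office", "hr": "hr-director",
              "crm": "sales-ops", "wiki": "it-service-desk"}

# Role bundles: job function -> {app: {entitlements}}
ROLES = {
    "sales-rep":  {"crm": {"read", "write"}, "wiki": {"read"}},
    "accountant": {"finance": {"read", "post-journal"}, "wiki": {"read"}},
    "hr-partner": {"hr": {"read", "write"}, "wiki": {"read"}},
}

# Constructed entitlement export: user -> role, line manager, actual access held.
USERS = {
    "alice": {"role": "sales-rep", "manager": "mgr-sales",
              "access": {"crm": {"read", "write"}, "wiki": {"read"}}},
    "bob":   {"role": "accountant", "manager": "mgr-fin",
              "access": {"finance": {"read", "post-journal", "approve-payment"}, "wiki": {"read"}}},
    "carol": {"role": "sales-rep", "manager": "mgr-sales",
              "access": {"crm": {"read"}, "hr": {"read"}}},
}


def out_of_role(user_rec, roles):
    """Entitlements held beyond the user's role bundle: the revocation candidates."""
    bundle = roles.get(user_rec["role"], {})
    extra = {}
    for app, perms in user_rec["access"].items():
        surplus = perms - bundle.get(app, set())
        if surplus:
            extra[app] = surplus
    return extra


def build_campaign(users, roles, sensitivity, owners, min_sensitivity=2):
    """One review item per (user, app) at or above the sensitivity threshold.

    Most sensitive systems first, then items with the most out-of-role access,
    so the first cycle covers finance/HR/customer data as the lesson advises."""
    items = []
    for name, rec in users.items():
        extras = out_of_role(rec, roles)
        for app, perms in rec["access"].items():
            if sensitivity[app] < min_sensitivity:
                continue
            items.append({
                "user": name, "app": app, "owner": owners[app], "manager": rec["manager"],
                "entitlements": sorted(perms),
                "outside_role": sorted(extras.get(app, set())),
                "sensitivity": sensitivity[app],
            })
    items.sort(key=lambda i: (-i["sensitivity"], -len(i["outside_role"]), i["user"]))
    return items


def by_reviewer(items):
    """Group items into one packet per application owner (the reviewer)."""
    packets = defaultdict(list)
    for item in items:
        packets[item["owner"]].append(item)
    return dict(packets)


if __name__ == "__main__":
    for owner, packet in by_reviewer(build_campaign(USERS, ROLES, SENSITIVITY, APP_OWNERS)).items():
        print(owner)
        for item in packet:
            flag = " OUTSIDE ROLE: " + ", ".join(item["outside_role"]) if item["outside_role"] else ""
            print(f"  {item['user']:6} {item['app']:8} {item['entitlements']}{flag}")
```

Keep the campaign output as evidence: the list of items, the decisions recorded against them, and the revocations actually executed are what an auditor will ask for, and the out-of-role flags are also a direct measure of how well the RBAC model fits reality.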

Phase 3 deliverables: Completed first access certification cycle with evidence of revocations, documented RBAC model for at least five key job functions, active identity monitoring and alerting, formalised IAM policy documentation.
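The monitoring deliverable is easier to specify with the rules written out. The following added example (not part of the lesson, and not any SIEM's rule syntax) runs three of the detections listed above over a constructed IdP sign-in export: impossible travel computed as implied speed between successive successful sign-ins, brute force as a sliding window of failures per user and source address, and privileged use outside business hours. The field layout of the events and the thresholds are assumptions.

```python
"""Rule-based identity detections over a sign-in log.

Added example, not part of the lesson. EVENTS is constructed and its field
layout is an assumption about an IdP audit export; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed IdP sign-in export.
EVENTS = [
    ("2024-06-03T08:02:00", "alice", "success", "203.0.113.5",  "GB", 51.50,  -0.12, False),
    ("2024-06-03T08:40:00", "alice", "success", "198.51.100.9", "US", 40.71, -74.01, False),
    ("2024-06-03T09:00:00", "bob",   "failure", "192.0.2.77",   "GB", 51.50,  -0.12, False),
    ("2024-06-03T09:01:00", "bob",   "failure", "192.0.2.77",   "GB", 51.50,  -0.12, False),
    ("2024-06-03T09:02:00", "bob",   "failure", "192.0.2.77",   "GB", 51.50,  -0.12, False),
    ("2024-06-03T09:03:00", "bob",   "failure", "192.0.2.77",   "GB", 51.50,  -0.12, False),
    ("2024-06-03T09:04:00", "bob",   "failure", "192.0.2.77",   "GB", 51.50,  -0.12, False),
    ("2024-06-03T09:05:00", "bob",   "success", "192.0.2.77",   "GB", 51.50,  -0.12, False),
    ("2024-06-03T10:15:00", "dave",  "success", "203.0.113.8",  "GB", 51.50,  -0.12, False),
    ("2024-06-03T11:00:00", "dave",  "success", "203.0.113.8",  "IE", 53.35,  -6.26, False),
    ("2024-06-03T23:30:00", "admin-carol", "success", "203.0.113.50", "GB", 53.48, -2.24, True),
]
FIELDS = ("ts", "user", "result", "ip", "country", "lat", "lon", "privileged")


def parse(events):
    rows = [dict(zip(FIELDS, e)) for e in events]
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return sorted(rows, key=lambda r: r["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(rows, max_kmh=900.0, min_km=50.0):
    """Successive successful sign-ins by one user implying travel faster than an airliner."""
    by_user = defaultdict(list)
    for r in rows:
        if r["result"] == "success":
            by_user[r["user"]].append(r)
    alerts = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            hours = max((b["ts"] - a["ts"]).total_seconds() / 3600, 1 / 3600)  # no divide-by-zero
            if km >= min_km and km / hours > max_kmh:
                alerts.append({"rule": "impossible_travel", "user": user,
                               "from": a["country"], "to": b["country"], "kmh": round(km / hours)})
    return alerts


def brute_force(rows, threshold=5, window=timedelta(minutes=10)):
    """threshold failures for one (user, source IP) inside the window; flag a later success."""
    failures, alerts, fired = defaultdict(list), [], set()
    for r in rows:
        key = (r["user"], r["ip"])
        if r["result"] == "failure":
            failures[key] = [t for t in failures[key] if t >= r["ts"] - window] + [r["ts"]]
            if len(failures[key]) >= threshold and key not in fired:
                fired.add(key)
                alerts.append({"rule": "brute_force", "user": key[0], "ip": key[1],
                               "failures": len(failures[key]), "followed_by_success": False})
        elif key in fired:
            for alert in alerts:
                if alert["rule"] == "brute_force" and (alert["user"], alert["ip"]) == key:
                    alert["followed_by_success"] = True  # probable successful guess: escalate
    return alerts


def off_hours_privileged(rows, start_hour=8, end_hour=19):
    """Successful privileged sign-ins outside the assumed business window."""
    return [{"rule": "off_hours_privileged", "user": r["user"], "at": r["ts"].isoformat()}
            for r in rows
            if r["privileged"] and r["result"] == "success" and not start_hour <= r["ts"].hour < end_hour]


def run_all(events=EVENTS):
    rows = parse(events)
    return impossible_travel(rows) + brute_force(rows) + off_hours_privileged(rows)


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

The dave events are the reason for the speed-based rule: London to Dublin in 45 minutes is two countries within an hour but only about 620 km/h, a normal flight, so it is not alerted, while alice's London to New York in 38 minutes is. The brute-force alert carrying followed_by_success is the one to escalate first.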

Phase 4: Maturity and Continuous Improvement (Months 10–12)

Phase 4 is about hardening what you’ve built, addressing remaining gaps, and establishing the cadence for ongoing improvement.

Key activities:

  • Privileged Access Management (PAM): If not already addressed, implement controls around administrative and privileged accounts: just-in-time access elevation, session recording for critical systems, separate privileged accounts from daily-use accounts, and regular privileged access reviews.
  • Identity analytics: Move beyond rule-based alerting to analytics-driven detection. Many IdPs now offer identity protection features that use machine learning to detect anomalous behaviour — unusual application access patterns, risky sign-in behaviour, or accounts accessing resources they’ve never accessed before.
  • Expand SSO and SCIM coverage: Continue integrating the long tail of applications. Set a target (e.g., 90% of applications under SSO by month 12) and track progress actively.
  • Programme review and Year 2 planning: Conduct a formal programme review. Compare KPIs against baseline. Document lessons learned. Present results to the executive steering committee. Build the business case for Year 2 investments based on demonstrated progress.

Phase 4 deliverables: PAM controls for privileged accounts, identity analytics enabled, SSO coverage above 90% target, Year 1 programme review with KPI comparison, Year 2 roadmap draft.

Diagram: IAM Maturity Progression: Month 0 vs Month 12

Before-and-after radar chart showing maturity across six dimensions: Identity Lifecycle, Authentication, Access Governance, Privileged Access, Monitoring, and Compliance. Month 0 shows low maturity across all dimensions; Month 12 shows significant improvement, with the largest gains in Authentication (MFA) and Identity Lifecycle (SCIM).

Common Roadmap Pitfalls

  • Trying to boil the ocean. A roadmap that tries to solve every identity problem in twelve months will solve none of them. Phase ruthlessly. Deliver value incrementally. Each phase must stand on its own — if the programme is paused after Phase 2, you’ve still delivered meaningful security improvement.
  • Front-loading technology, back-loading governance. Organisations that deploy SSO and MFA without establishing governance first end up with technology that degrades because nobody is accountable for maintaining it. Governance in Phase 1 is not optional.
  • Ignoring change management. Every phase changes how people work. MFA introduces new steps in the login process. SSO changes how people access applications. Access reviews require managers to invest time. Communicate early, provide training, and build feedback loops.
  • Not celebrating quick wins. The executive sponsor needs to demonstrate progress to maintain budget and organisational support. “We removed 47 orphaned accounts in Phase 1” is a concrete, communicable win. Report it loudly.

Why This Matters

An IAM roadmap is your organisation’s commitment to moving from reactive to proactive identity management. Without a roadmap, improvements are random — driven by the last audit finding or the latest breach headline. With a roadmap, every investment is part of a coherent strategy that compounds over time. Twelve months is enough to transform an organisation’s identity posture from ad-hoc to governed, if the work is phased correctly and the governance structure supports execution.

What to Do Now

  • Conduct (or commission) an IAM maturity assessment to establish your starting point across all dimensions.
  • Build your Phase 1 plan in detail — the first 90 days determine whether the programme gains momentum or stalls.
  • Present a draft roadmap to your executive sponsor for feedback and endorsement before socialising it more broadly.
  • Identify the quick wins you can deliver in the first 30 days to demonstrate value and build credibility.
  • Establish your KPI baseline immediately so you can demonstrate improvement at every phase gate.

Evidence to Collect

  • A completed IAM maturity assessment with scores across each dimension.
  • The 12-month roadmap document, endorsed by the executive sponsor.
  • Phase gate review documentation showing deliverables completed, KPI movement, and decisions made.
  • Change management artefacts: communications sent, training delivered, feedback collected.
  • Year 1 programme review presentation with before/after KPI comparison.

Common Mistakes

  • Building the roadmap in isolation. If IT builds the roadmap without input from HR, Legal, and business units, it won’t reflect operational reality and stakeholders won’t support execution. Co-create the roadmap with your IAM working group.
  • Setting unrealistic timelines. SSO integration for 50 applications in three months is not realistic unless you have a dedicated team. Be honest about capacity and sequence work accordingly.
  • Skipping the maturity assessment. You cannot plan a meaningful roadmap without understanding your starting point. The assessment is not overhead — it is the foundation of credible planning.
  • Forgetting to budget for Year 2. Many organisations exhaust their IAM budget in Year 1 and then have no funding to maintain what they built. Include operational sustainment costs in your initial business case.

Knowledge Check

Question 1 of 4

What is the primary purpose of Phase 1 (Foundation) in the 12-month roadmap?

  • Deploy SSO for all applications
  • Assess current state, establish governance, deliver quick wins, and set KPI baselines
  • Implement privileged access management
  • Conduct the first access certification campaign
Reveal Answer

B. Phase 1 is about understanding your starting point (maturity assessment), establishing the governance framework (sponsor, RACI, working group), delivering quick wins (MFA for admins, orphaned account removal), and measuring your baseline KPIs so you can track improvement.

Question 2 of 4

Why is it important that each phase of the roadmap delivers standalone value?

  • So that the programme looks good in presentations
  • Because if the programme is paused or funding is cut after any phase, the organisation still has meaningful security improvement to show for it
  • Because regulators require phased delivery
  • Because vendors offer discounts for phased procurement
Reveal Answer

B. Roadmaps that depend entirely on reaching the final phase to deliver value are fragile. If budget is cut, priorities shift, or the programme is paused, each completed phase should leave the organisation measurably more secure than before. This also builds executive confidence to fund subsequent phases.

Question 3 of 4

What is the biggest mistake organisations make when building an IAM roadmap?

  • Including too few applications in the SSO rollout
  • Trying to solve every identity problem at once instead of phasing ruthlessly and delivering value incrementally
  • Using SAML instead of OIDC
  • Starting with MFA instead of SSO
Reveal Answer

B. Trying to boil the ocean — solving provisioning, governance, PAM, customer identity, and everything else in a single phase — guarantees delay and budget overrun. Ruthless phasing, with each phase delivering standalone value, is the key to successful IAM programme delivery.

Question 4 of 4

What should be included in the Phase 4 programme review?

  • Only a list of technologies deployed
  • KPI comparison against baseline, lessons learned, demonstrated progress, and the business case for Year 2 investments
  • A request for the same budget as Year 1 with no additional justification
  • A vendor comparison for replacing the current IdP
Reveal Answer

B. The programme review should compare current KPIs against the baseline established in Phase 1, document lessons learned, present concrete evidence of security improvement, and build the business case for Year 2 investments based on demonstrated progress — not just promises.



Summary Notes — Building a 12-Month IAM Roadmap

Key Takeaways

  • Structure your roadmap in four phases: Foundation (assess, govern, quick wins), Core Controls (SSO, MFA, lifecycle), Governance (reviews, RBAC, monitoring), and Maturity (PAM, analytics, continuous improvement).
  • Each phase must deliver standalone value — if the programme pauses, you’ve still improved security measurably.
  • Phase 1 quick wins (MFA for admins, orphaned account removal) build momentum and executive confidence.
  • Governance comes first, not after technology deployment. Without governance, technology degrades.
  • Always baseline your KPIs before setting targets, and budget for Year 2 sustainment from the start.

Action Items

  1. Conduct an IAM maturity assessment to establish your starting point.
  2. Build your Phase 1 plan in detail — the first 90 days are critical for momentum.
  3. Identify and execute quick wins within the first 30 days.
  4. Present the draft roadmap to your executive sponsor for endorsement.
  5. Establish KPI baselines immediately so progress is measurable from day one.

12-Month Roadmap at a Glance

  1. Months 1–3 (Foundation): Maturity assessment, application inventory, governance setup, MFA for admins, orphaned account cleanup, KPI baselines.
  2. Months 4–6 (Core Controls): SSO for top 10–20 apps, universal MFA, SCIM provisioning, conditional access policies.
  3. Months 7–9 (Governance): First access review cycle, RBAC design, identity monitoring and alerting, formal policy documentation.
  4. Months 10–12 (Maturity): PAM implementation, identity analytics, SSO coverage expansion to 90%+, Year 1 review, Year 2 planning.

Compliance Relevance

A phased IAM roadmap supports compliance with ISO/IEC 27001:2013 Annex A controls A.5.1 (Policies for Information Security) and A.18.2 (Information Security Reviews) (controls 5.1, 5.35 and 5.36 in the 2022 revision), NIST CSF 1.1 ID.GV-4 (Governance and risk management processes address cybersecurity risks; the Govern function in CSF 2.0), and the access control requirements of Cyber Essentials. Auditors treat a documented, executed roadmap with evidence of progress as strong evidence of security programme maturity, but the roadmap itself is not a control: the evidence must show what it delivered, such as MFA coverage figures, completed access review cycles with recorded revocations, and deprovisioning timings.