Comment by Eumenes

2 years ago

The problem with IAM from my experience is it's never truly owned by a single entity. If you have an IT team, it's sometimes them. Sometimes it's devops, sometimes security. However, as a startup grows, the owners change. Policy is rarely developed from the ground up and more patchwork to accommodate teams or timelines.

Yes. Good points. Agreed with patchwork as sometimes IAM can take a backseat to different priorities such as application development or feature development.

There's a couple different models for IAM ownership. At some places, the application teams own IAM along with the application. Sometimes, it's owned by central teams (such as security).

And agreed, with companies growing and changing, ownership changes as well.

Those factors can all complicate IAM development and policy maintenance as it becomes more difficult to find the right fit for IAM to application. For that, it would require someone who knows exactly what the application needs access to and the IAM actions taken as well as how to configure IAM.