3. Number of uncorrelated accounts. These are accounts that have no owner, and occur most frequently when a change happens, such as a promotion or a termination, and that person's accounts were not transitioned properly. Too many uncorrelated accounts can lead to unnecessary risks: they are open, live accounts that can be easily hijacked for unauthorized use.
4. Number of new accounts provisioned. This number should closely follow the number of new joiners to the organization. An effective IAM program should always account for any new user who needs to be granted access to systems and applications. If there's a discrepancy or a significant lag between the number of provisioned accounts and the total number of new joiners for a given period, that indicates inefficient processes or poor identity data.
5. Average time it takes to provision or de-provision a user. This shows how long a new user waits to get access to the resources they need to do their work. It has implicit productivity and ROI ramifications. Nine times out of 10, if someone doesn't get access to applications in a timely fashion, there are process issues behind the delay. This metric can flag a business process that needs to be reviewed and possibly adjusted.
6. Average time it takes to authorize a change. This metric can provide insight into the efficiency of an organization's approval processes. For example, if there are four people involved in approving a sales rep's access to Salesforce.com, but it takes two weeks for that approval to be granted, that's two weeks the sales rep is limited in his capacity to sell. Knowing how long it takes for approvals to be granted can help identify bottlenecks or out-of-date processes.
7. Number of system or privileged accounts without an owner. These are also known as orphaned accounts. They crop up when people who held credentials granting them access to important resources, making them privileged users, no longer need access to those resources but never had their privileges removed. The problem here is obvious: who wants privileged accounts that don't belong to anyone floating around?
8. Number of exceptions per access re-certification cycle. A high number of exceptions is expected for new applications or user sets being brought under governance, but over time this should trend toward zero. A consistently high number of exceptions is a strong indicator of poor identity data quality (that is, lots of users having access that they should not have), or of process problems (that is, the person requesting re-certification does not have all the information they need to complete the process).
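
Metrics 3, 4, 5 and 7 can be computed by joining an account inventory against the HR roster. The sketch below is an added example, not part of the original article: the data is constructed, the field layout is hypothetical, and treating an account whose owner has left the organization as uncorrelated is an assumption.

```python
from datetime import date
from statistics import mean

# Constructed sample data; names, ids and field layout are assumptions.
HR = {  # employee id -> (hire date, still employed?)
    "e1": (date(2024, 1, 8), True),
    "e2": (date(2024, 3, 4), True),
    "e3": (date(2024, 3, 11), True),
    "e4": (date(2023, 6, 1), False),  # terminated
}
ACCOUNTS = [  # (account, owner id or None, privileged, requested, provisioned)
    ("jdoe", "e1", False, date(2024, 1, 8), date(2024, 1, 9)),
    ("asmith", "e2", False, date(2024, 3, 4), date(2024, 3, 11)),
    ("old-admin", "e4", True, date(2023, 6, 1), date(2023, 6, 2)),
    ("svc-backup", None, True, date(2022, 2, 1), date(2022, 2, 1)),
    ("tmp-kiosk", None, False, date(2024, 3, 5), date(2024, 3, 6)),
]

def iam_metrics(hr, accounts, start, end):
    """Compute metrics 3, 4, 5 and 7 for the period [start, end]."""
    active = {e for e, (_, employed) in hr.items() if employed}
    # Metric 3: no owner recorded, or the owner is no longer active.
    uncorrelated = [a for a in accounts if a[1] not in active]
    # Metric 7: the privileged subset of the uncorrelated accounts.
    orphaned_privileged = [a[0] for a in uncorrelated if a[2]]
    # Metric 4: joiners in the period vs. accounts provisioned in it.
    joiners = {e for e, (hired, _) in hr.items() if start <= hired <= end}
    new_accounts = [a for a in accounts if start <= a[4] <= end]
    unserved = sorted(joiners - {a[1] for a in new_accounts})
    # Metric 5: mean days between request and provisioning.
    days = [(a[4] - a[3]).days for a in new_accounts]
    return {
        "uncorrelated": [a[0] for a in uncorrelated],
        "orphaned_privileged": orphaned_privileged,
        "joiners": len(joiners),
        "provisioned": len(new_accounts),
        "joiners_without_account": unserved,
        "avg_provision_days": mean(days) if days else 0.0,
    }

if __name__ == "__main__":
    report = iam_metrics(HR, ACCOUNTS, date(2024, 3, 1), date(2024, 3, 31))
    for name, value in report.items():
        print(f"{name}: {value}")
```

In this sample the joiner and provisioned counts match for March, yet one joiner still has no account because one of the new accounts has no owner, so the comparison in metric 4 is best made per identity as well as by total.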