9. Number of reconciliation exceptions. Reconciliation exceptions are typically caused by the inability of an IAM platform to reliably tie an identity to an account in a target system. This is usually the result of manual entry errors (that is, user names or unique identifiers are not matched), or worse yet, of an account created through backdoor channels. These exceptions should trend toward zero over time, and any spikes should trigger a thorough investigation and further discussion.
10. Separation of duty violations. Examples of separation of duty violations include developers who have admin access to production databases and traders who can submit and approve their own transactions. These are more difficult to catch and measure, given their sophistication and cross-application nature, but they are also the riskiest to miss, given the potential damage that could be inflicted if they're exploited. Exploits of these gaps are the kind that often make headlines. The organization should implement preventive controls that monitor for these violations, report them and orchestrate their remediation.
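As an added illustration of metrics 9 and 10 (not code from the article or from Identropy), the script below computes reconciliation exceptions, cross-application separation-of-duty violations and a simple spike check over a constructed, hypothetical identity and account data set; the field names, systems and roles are assumptions.

```python
from statistics import mean

# Constructed sample data (hypothetical, not from any real system).
IDENTITIES = {"E100": "alice", "E101": "bob", "E102": "carol"}  # HR source of truth

# Accounts pulled from target systems; "owner" is the correlation key the IAM
# platform uses to tie an account back to an identity.
ACCOUNTS = [
    {"system": "git",     "user": "alice",       "owner": "E100", "roles": {"developer"}},
    {"system": "prod-db", "user": "alice",       "owner": "E100", "roles": {"dba_admin"}},
    {"system": "trading", "user": "bob",         "owner": "E101", "roles": {"submit_trade", "approve_trade"}},
    {"system": "erp",     "user": "carol",       "owner": "E102", "roles": {"ap_clerk"}},
    {"system": "erp",     "user": "carl",        "owner": "E10",  "roles": {"ap_clerk"}},   # mistyped owner id
    {"system": "prod-db", "user": "svc_backup2", "owner": None,   "roles": {"dba_admin"}},  # no owner at all
]

# Toxic combinations: one person must never hold both entitlements of a pair.
# Pairs may span applications, which is what makes them hard to spot.
SOD_RULES = [
    frozenset({("git", "developer"), ("prod-db", "dba_admin")}),
    frozenset({("trading", "submit_trade"), ("trading", "approve_trade")}),
]

def reconciliation_exceptions(accounts, identities=IDENTITIES):
    """Accounts whose owner key does not resolve to any known identity
    (manual entry errors, or accounts created outside the IAM process)."""
    return [a for a in accounts if a["owner"] not in identities]

def sod_violations(accounts, rules=SOD_RULES, identities=IDENTITIES):
    """(owner, rule) pairs where one identity holds every entitlement in a rule."""
    held = {}
    for a in accounts:
        if a["owner"] in identities:
            held.setdefault(a["owner"], set()).update((a["system"], r) for r in a["roles"])
    return [(owner, rule) for owner, ents in held.items()
            for rule in rules if rule <= ents]

def exception_spike(history, factor=2.0):
    """True when the latest exception count exceeds `factor` times the mean of
    earlier periods; the article says such spikes warrant investigation."""
    if len(history) < 2:
        return False
    return history[-1] > factor * mean(history[:-1])

if __name__ == "__main__":
    print("reconciliation exceptions:", [a["user"] for a in reconciliation_exceptions(ACCOUNTS)])
    print("SoD violations:", [(o, sorted(r)) for o, r in sod_violations(ACCOUNTS)])
    print("spike in exception counts:", exception_spike([3, 2, 4, 2, 11]))
```

In a real deployment the account list would come from connector exports and the rule set from the entitlement catalog; the logic stays the same.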
It's often hard to understand the scope and ramifications of these kinds of people and process breakdowns until you take concrete steps to address them. That is part of the reason IAM and identity governance are perceived as daunting and, at times, painful. But only with metrics can the organization measure its effectiveness and success in efficiently managing user access, and make the necessary adjustments to reap significant security, compliance and operational benefits. If you have started an identity governance initiative, do your best to track some of these metrics--you'll be glad you did.
Frank Villavicencio leads Identropy's Managed Identity Services business.