1 Executive Summary

A single tool for all employee service requests is an attractive proposition to most medium to large organizations because of improved end user experience through convenience and familiarity, and the business’s desire to get additional value out of the ITSM system. As a result, many organizations are building functionality into their ITSM systems to respond to employee requests for anything and everything, including identity provisioning and access to the IT resources they need to do their jobs. Although this may appear to be a good idea and keep employees and the bean counters happy in the short term, this is a risky strategy because IAM/IGA functions are extremely important when it comes to information security and compliance.

Failure to fulfil all IAM/IGA-related service requests through dedicated IAM/IGA systems will inevitably lead to failures to document, log, monitor and manage these activities adequately. This in turn will lead to security and compliance risks. Another long term risk is that maintaining highly customized ITSM configurations to provide non-core IAM/IGA functionality could be challenging and costly, especially when the original developers and system integrators who were responsible for the modifications and understand how the code works are no longer available to provide support. This Leadership brief outlines how a middle ground might be achieved without exposing an organization to security and compliance risk.