By: RedLegg Blog
“One technical mentor to show me how things work, and one cultural mentor to show me how things really work.” — Amy Bogac
That mindset comes from Amy Bogac, a seasoned CISO with over two decades of experience leading global cybersecurity, infrastructure, and risk management programs. Her background spans both the public and private sectors, where she has led strategic identity transformations and built high-impact security teams. It sets the tone for a different kind of IAM adoption conversation, one rooted in people, trust, and context. In a recent episode of Security Posture Management, host Laura Hees and guests Amy Bogac, Jacob Vetere, and Kyle Hanfland explored what it takes to build IAM programs that last.
The discussion wasn’t just about tools or controls; it was about strategy, buy-in, and how culture can make or break identity programs.
The conversation uncovered several practical strategies that can help security teams move their IAM adoption efforts forward with greater clarity and impact.
IAM Starts With People, Not Just Tools
When launching an IAM program, starting with people, not policies, can make the difference between slow starts and real traction. Identifying key mentors, both technical and cultural, gives teams a head start in understanding how change truly happens inside an organization. It’s this blend of insight and influence that makes adoption stick.
These mentors also serve a strategic purpose: technical mentors help navigate legacy systems and identify hidden dependencies, while cultural mentors expose roadblocks and informal networks of influence that often don’t appear on org charts. Both are critical for aligning identity efforts with operational reality.
IAM leaders who ignore these dynamics risk building systems that may look good on paper but fail to gain traction in practice. Listening early, mapping influence, and adapting the strategy to match how people actually work are core to a successful rollout.
IAM, like any security function, succeeds when it's embedded in the organization's human reality.
Technical Debt Isn’t Just Code, It’s Identity Too
Many organizations are still digging out of IAM debt: unfinished role designs, overlapping access models, or decades-old Active Directory configurations. This kind of identity debt is often ignored because it doesn't directly accelerate the business, but it quietly erodes security posture.
Cloud migrations have often left legacy issues unresolved, creating even more complexity. Health checks are a practical step for uncovering and remediating these gaps, especially in hybrid environments where IAM sprawl is common.
Technical debt in IAM doesn't just live in outdated systems; it also lingers in unclear ownership, inconsistent access reviews, and policies that no longer reflect the way teams work. These legacy practices create blind spots and access creep, weakening the integrity of your identity infrastructure over time.
Taking the time to clean up and document roles, permissions, and dependencies provides lasting clarity and makes future initiatives, from privileged access management (PAM) to Zero Trust, much easier to implement.
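The health check described above, as an added example that is not part of the original post or of any RedLegg tooling: a small Python script run over a constructed, inline identity inventory. It flags three of the debt patterns the section names: privileged accounts that have gone stale, roles with no named owner, and roles whose permission sets duplicate or fully contain one another. The role catalogue, account list, 90-day staleness threshold and the `PRIVILEGED_MARKERS` rule for what counts as privileged are all assumptions for the example; a real run would pull the same fields from the directory and the IGA or PAM tool.

```python
"""Added example (not from the RedLegg post): a minimal IAM health check
over a constructed inventory. Flags stale privileged accounts, ownerless
roles, and overlapping (duplicate or subset) permission sets."""
from datetime import date, timedelta
from itertools import combinations

TODAY = date(2025, 6, 1)           # fixed so the example is reproducible
STALE_AFTER = timedelta(days=90)   # assumed review threshold for privileged accounts

# Constructed role catalogue: role -> (owner or None, set of permissions)
ROLES = {
    "sql_admin":     ("dba-team",  {"sql:read", "sql:write", "sql:grant"}),
    "sql_reporting": ("dba-team",  {"sql:read"}),
    "sql_power":     (None,        {"sql:read", "sql:write", "sql:grant"}),  # legacy duplicate, no owner
    "plant_hmi":     ("plant-ops", {"hmi:view", "hmi:control"}),
    "domain_admin":  ("it-ops",    {"ad:*"}),
}

# Constructed account list: account -> (assigned roles, last interactive logon)
ACCOUNTS = {
    "alice":  ({"sql_admin"},              date(2025, 5, 28)),
    "bob":    ({"sql_power", "plant_hmi"}, date(2024, 11, 2)),   # stale, still holds the legacy role
    "svc-bk": ({"domain_admin"},           date(2023, 1, 15)),   # stale domain admin
    "carol":  ({"sql_reporting"},          date(2025, 5, 30)),
}

# Assumed rule: a permission whose action part is one of these makes a role privileged
PRIVILEGED_MARKERS = ("grant", "control", "*")


def is_privileged(role):
    _, perms = ROLES[role]
    return any(p.rsplit(":", 1)[-1] in PRIVILEGED_MARKERS for p in perms)


def stale_privileged_accounts(today=TODAY):
    """Accounts holding a privileged role with no logon inside STALE_AFTER."""
    out = []
    for acct, (roles, last) in ACCOUNTS.items():
        if any(is_privileged(r) for r in roles) and today - last > STALE_AFTER:
            out.append(acct)
    return sorted(out)


def ownerless_roles():
    """Roles nobody is accountable for; these never get a meaningful access review."""
    return sorted(r for r, (owner, _) in ROLES.items() if owner is None)


def overlapping_roles():
    """(a, b, kind): 'duplicate' if identical perms, 'subset' if a's perms sit inside b's."""
    out = []
    for a, b in combinations(sorted(ROLES), 2):
        pa, pb = ROLES[a][1], ROLES[b][1]
        if pa == pb:
            out.append((a, b, "duplicate"))
        elif pa < pb:
            out.append((a, b, "subset"))
        elif pb < pa:
            out.append((b, a, "subset"))
    return out


def health_report():
    return {
        "stale_privileged": stale_privileged_accounts(),
        "ownerless_roles": ownerless_roles(),
        "overlapping_roles": overlapping_roles(),
    }


if __name__ == "__main__":
    for finding, items in health_report().items():
        print(f"{finding}: {items}")
```

The duplicate and subset findings are the ones that matter most for later PAM or Zero Trust work: a role that is a strict subset of another is usually a candidate to collapse, while an ownerless duplicate of an admin role (here `sql_power`) is exactly the access creep the section warns about.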
Adoption Is the Real Challenge in PAM
Even the most advanced PAM solution fails if no one uses it.
“In factories, you need local leaders on board. Even the best tools won’t work without their support.” — Amy
In environments like manufacturing, where users often view PAM as disruptive, real adoption happens when training is targeted and local leadership is engaged. It’s not enough to configure the system; the people using it need to understand its value.
For IAM adoption to work in high-resistance environments, organizations need to consider how access changes affect daily workflows. If PAM processes are too complicated, users will look for workarounds that bypass the control entirely, weakening the security program. That's why ease of use, clear role definitions, and timely communication are just as important as technical configuration.
Security leaders should also avoid one-size-fits-all rollouts. Each facility, team, or business unit may have different readiness levels, priorities, or operational pressures. A flexible rollout plan that balances standardization with empathy can dramatically improve engagement and long-term adoption.
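A way to measure the adoption problem described above rather than guess at it, as an added example that is not from the original post or from any RedLegg or vendor tool: correlate privileged logons seen on the target systems against the PAM vault's checkout records. A privileged logon with no open checkout for that target and account at that moment is a workaround, typically a shared local-admin password or a credential reused after check-in. The two log formats, the hostnames and the sessions below are constructed for the example; a real run would feed exported vault sessions and endpoint logon events in the same shape.

```python
"""Added example (not from the RedLegg post): find privileged logons that
were not covered by a PAM checkout, and report the resulting adoption rate."""
from datetime import datetime

# Constructed PAM vault checkouts: "start end user target account"
PAM_CHECKOUTS = """\
2025-06-02T07:55:00 2025-06-02T09:00:00 alice plc-hmi-01 local-admin
2025-06-02T08:10:00 2025-06-02T12:00:00 carol sql-prod-02 sa
"""

# Constructed target-system logon events: "time target account source"
TARGET_LOGONS = """\
2025-06-02T08:02:00 plc-hmi-01 local-admin ws-alice
2025-06-02T08:30:00 sql-prod-02 sa ws-carol
2025-06-02T13:40:00 plc-hmi-01 local-admin ws-bob
2025-06-02T20:15:00 sql-prod-02 sa ws-carol
"""


def parse(block, fields):
    """Turn whitespace-separated log lines into dicts keyed by the given field names."""
    return [dict(zip(fields, line.split())) for line in block.strip().splitlines()]


def uncovered_logons(checkouts=PAM_CHECKOUTS, logons=TARGET_LOGONS):
    """Privileged logons (time, target, account, source) with no open checkout
    for the same target/account at the time of the logon."""
    vault = parse(checkouts, ("start", "end", "user", "target", "account"))
    for c in vault:
        c["start"], c["end"] = datetime.fromisoformat(c["start"]), datetime.fromisoformat(c["end"])

    found = []
    for lg in parse(logons, ("time", "target", "account", "source")):
        t = datetime.fromisoformat(lg["time"])
        covered = any(
            c["target"] == lg["target"] and c["account"] == lg["account"]
            and c["start"] <= t <= c["end"]
            for c in vault
        )
        if not covered:
            found.append((lg["time"], lg["target"], lg["account"], lg["source"]))
    return found


def adoption_rate(checkouts=PAM_CHECKOUTS, logons=TARGET_LOGONS):
    """Fraction of privileged logons that went through the vault."""
    total = len(parse(logons, ("time", "target", "account", "source")))
    if total == 0:
        return 1.0
    return (total - len(uncovered_logons(checkouts, logons))) / total


if __name__ == "__main__":
    for t, target, account, source in uncovered_logons():
        print(f"bypass: {t} {account}@{target} from {source}")
    print(f"PAM adoption: {adoption_rate():.0%}")
```

On the constructed data the 13:40 logon from ws-bob has no checkout at all, and the 20:15 logon from ws-carol reuses the `sa` password after her session was checked in, so both are reported and adoption is 50%. Broken down per facility or per source workstation, this is the number to bring to the local leaders the section talks about.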
Frameworks Help, But Can Also Stall Progress
Too much assessment can lead to analysis paralysis. IAM efforts often get bogged down trying to meet every framework or checklist before making meaningful changes. A risk-based approach is more effective, focusing on business priorities and where real exposure exists.
Frameworks like NIST's Digital Identity Guidelines (SP 800-63) provide structure, but without action they become more of a barrier than a guide.
Many IAM programs stall not because of poor intentions, but because teams over-assess and under-execute. While frameworks and readiness checklists offer useful structure, they shouldn’t delay forward movement. The key is to identify where the real exposure is, prioritizing the areas that pose the most immediate risk to the business and building from there.
Trust Is the Foundation of Sustainable IAM
IAM is ultimately a trust-driven function. When users understand changes and when leadership sees identity as an enabler, not just a control, alignment happens.
Communication and advocacy are just as important as configuration. Department heads and application owners aren't just stakeholders; they're critical enablers. When they're engaged early, IAM shifts from a security task to a business enabler.
Trust also helps reduce friction. When IAM changes are introduced in an environment where security teams already have strong relationships, users are more likely to ask questions, raise concerns, and adopt new processes willingly. This makes implementation faster, smoother, and more effective.
Building trust takes time, but the return is worth it: sustainable programs that users engage with and support.
IAM programs succeed when relationships are prioritized alongside technology. Trust builds momentum.
IAM programs don’t fail because the technology isn’t good enough. They fail when the people side is ignored.
Adoption doesn’t come from perfect configurations; it comes from clear communication, stakeholder alignment, and understanding how people actually use and engage with identity systems. When organizations embed IAM into the rhythm of the business, it becomes not just a tool for access but a foundation for operational resilience and security maturity.
From onboarding and offboarding to managing privilege and navigating cloud migrations, trust must be built into every layer of the identity strategy. Teams that focus on relationships alongside risk see better outcomes, not just in adoption, but in long-term program sustainability.
To learn more about how identity leaders are navigating trust, culture, and adoption, listen to the full Security Posture Management podcast episode.