Author: Veli-Pekka Vähälummukka, Program Director at Trivore
When logic says “IAM”, but the environment says “not yet”
In many organisations, identity and access management (IAM) issues are plain to see: granting access rights is slow, offboarding is often forgotten or delayed, and audits repeat the same findings year after year. Everyone knows that IAM needs to be fixed. Yet, the decision remains on the table.
The most common reason is likely this: the environment contains numerous legacy systems that the IAM should connect to – systems that have had all sorts of “unique” customisations built into them over the years. This raises a justified question: is this going to be a massive, years-long project?
Why traditional IAM stalls exactly when it’s needed most
Large IAM products on the market are excellent when the environment is modern and clear-cut. When access logic and organisational processes follow standard models, the project progresses smoothly. However, if legacy systems, bespoke solutions, and industry-specific applications are involved, two things usually happen: timelines stretch and costs soar. This isn’t due to poor planning – it’s because off-the-shelf products aren’t built around the client’s quirks. This is why a large portion of IAM initiatives stall just before the final decision, even when the need is undeniable.
When the solution adapts to the environment, not vice versa
From a CIO’s perspective, it is essential that an IAM project does not turn into a technology-driven giant. It should be a way to reduce risk, improve visibility, cut manual work, and lighten the burden of audits. In these cases, a solution that can adapt to the organisation’s actual environment holds the upper hand. In practice, this means identity management can be implemented in stages – without massive structural reforms.
Concrete benefits seen in daily life, not just on slides
When IAM is successfully integrated into legacy systems, the impact is immediate. A new employee can start working on their first day without delays. A departing employee’s rights are revoked automatically. Audits no longer require manual collection of access lists. And for IT, there are fewer tickets and less verification work. These are the things that truly lighten the daily workload – and what management looks at when deciding if an IAM project was a success.
How to implement IAM without the “big bang”
IAM is not a project that should be started with an “all or nothing” attitude. The best initiatives progress in small, clear steps. First, a brief assessment is conducted. Then, a single concrete process is chosen for improvement. Once the results are visible and the process works, it is expanded to the next target. This way, IAM is built in a controlled manner without heavy-handed changes.
Metrics that tell the CIO the truth
From a business perspective, the best IAM is one that produces measurable results. Good metrics include:
- How quickly a new employee receives all necessary access rights.
- How quickly rights are revoked upon departure.
- The volume of access-related support tickets.
- The number of audit findings caused by IAM.
When these figures improve, the IAM project pays for itself quickly.
Why a local partner has the advantage
Working with legacy environments requires agility, as well as the will and ability to customise the solution to the client’s situation, rather than forcing the client into the product’s rigid templates. A local partner can react quickly when something unexpected arises in the environment. Communication happens in the same language and time zone, without layers of support tiers. Furthermore, national security requirements – such as GDPR, NIS2, and local data management laws – are familiar from everyday practice, not just from contract papers. When the provider is also the developer of the product, adaptation does not depend on a global product roadmap or the decisions of a reseller chain – changes are made when the client needs them.
How to move forward with the decision
Getting an IAM project moving doesn’t require extensive preparation. A short workshop, a few weeks of assessment, and launching a pilot are enough to provide a concrete picture of the benefits. After that, the decision is based on metrics and visible results – not assumptions.