You do not always need a three-month security assessment to understand whether an organisation has serious identity and access management risk.
Often, you only need to ask the right seven questions.
In almost every IAM review, these are the questions that quickly expose the real state of identity governance, privileged access, authentication controls, and operational maturity. The answers rarely tell you everything, but they usually tell you where the biggest risks are hiding.
1. Do you have a complete and current list of all user accounts?
If the answer is “kind of,” the organisation almost certainly has orphaned, duplicate, inactive, or unmanaged accounts somewhere in the environment.
A reliable identity inventory is the foundation of IAM. Without it, it becomes difficult to know who has access, which accounts are still required, which identities belong to third parties, and which accounts should have been removed months ago.
2. What happens when someone leaves the company?
If there is no clear, automated, and consistently followed leaver process, former employees, contractors, or partners may still have access to business systems.
This is one of the most common IAM control failures. A strong joiner, mover, and leaver process should ensure that access is provisioned appropriately, updated when roles change, and removed quickly when someone exits the organisation.
3. Who has administrator access right now?
If it takes more than 30 seconds to answer this question, the organisation likely has too many privileged users, poor visibility, or both.
Administrative access should be limited, justified, monitored, and reviewed regularly. When privileged access is not clearly understood, it becomes difficult to detect misuse, respond to incidents, or prove control effectiveness during an audit.
4. Where are privileged passwords and secrets stored?
If the answer includes spreadsheets, Slack, Teams, email, shared drives, or a general-purpose password manager with broad access, there is a serious privileged access management gap.
Privileged credentials should be protected through a controlled PAM capability that supports vaulting, rotation, check-in and check-out, session monitoring, approval workflows, and audit trails. Shared administrative passwords are one of the fastest ways for risk to spread across an environment.
5. When did you last review who has access to what?
If the answer is “we try to do it annually,” access creep is almost certainly happening.
Access governance is not a once-a-year compliance activity. Business roles change, projects end, temporary access becomes permanent, and users accumulate permissions over time. Regular access reviews help confirm that access remains appropriate, especially for sensitive applications, privileged roles, and high-risk data.
6. Is MFA enforced across all systems?
If the answer is “on most systems,” the organisation still has critical gaps.
Multi-factor authentication is only as strong as its coverage. Attackers do not need every system to be weak; they only need one exposed entry point. MFA should be enforced consistently across cloud platforms, remote access, privileged accounts, business-critical applications, and third-party access paths.
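Questions 1, 2, 3, 5 and 6 above can be turned into one repeatable check. As an added example that is not part of the original article, this Python script joins a constructed directory export with a constructed HR record and flags orphaned accounts, leavers who still hold access, privileged accounts outside MFA coverage, and stale accounts; the account fields, the 90-day threshold and the finding labels are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Account:
    username: str
    owner: str                    # HR identity (email) the account belongs to; "" if none recorded
    is_admin: bool
    mfa_enrolled: bool
    last_login: "date | None"     # None if the account has never been used

# Constructed sample data for the example; not taken from any real directory or HR system.
HR_ACTIVE = {"alice@example.com", "carol@example.com", "dave@example.com"}
HR_LEAVERS = {"bob@example.com": date(2024, 1, 15)}   # email -> termination date
AS_OF = date(2024, 4, 10)                              # date the audit is run
ACCOUNTS = [
    Account("alice", "alice@example.com", True, True, date(2024, 4, 1)),
    Account("bob", "bob@example.com", False, True, date(2024, 2, 3)),       # left, still logging in
    Account("carol", "carol@example.com", True, False, date(2024, 3, 28)),  # admin without MFA
    Account("svc-backup", "", True, False, None),                           # no owner, never used
    Account("dave", "dave@example.com", False, True, date(2023, 10, 2)),    # stale
]

def audit(accounts, hr_active, hr_leavers, today, stale_days=90):
    """Q1/Q2/Q3/Q5/Q6 checks; returns sorted (username, finding) pairs, one per control failure."""
    findings = []
    for a in accounts:
        if a.owner in hr_leavers:
            # Q2: the leaver process failed; the account outlived the employment.
            findings.append((a.username, "LEAVER_STILL_ENABLED"))
            if a.last_login and a.last_login > hr_leavers[a.owner]:
                findings.append((a.username, "LOGIN_AFTER_TERMINATION"))
        elif a.owner not in hr_active:
            # Q1: no current owner in HR, so the account is orphaned or unmanaged.
            findings.append((a.username, "ORPHANED"))
        if a.is_admin and not a.mfa_enrolled:
            # Q3 and Q6: a privileged account sitting outside MFA coverage.
            findings.append((a.username, "ADMIN_WITHOUT_MFA"))
        if a.last_login is None or today - a.last_login > timedelta(days=stale_days):
            findings.append((a.username, "STALE"))   # Q5: inactive access is access creep
    return sorted(findings)

def admins(accounts):
    """Q3: the list that should take seconds, not days, to produce."""
    return sorted(a.username for a in accounts if a.is_admin)

if __name__ == "__main__":
    for username, finding in audit(ACCOUNTS, HR_ACTIVE, HR_LEAVERS, AS_OF):
        print(f"{finding:<24} {username}")
    print("admins:", ", ".join(admins(ACCOUNTS)))
```

In a real review the inputs would be an IdP or directory export and an HR feed; the value is in running the join on a schedule rather than once a year.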
7. Which security framework are you targeting?
Whether the organisation is working toward SOC 2, ISO 27001, the Essential Eight, NIST, or another framework, the answer reveals how structured and urgent the IAM program really is.
A target framework provides direction. It helps convert IAM from a collection of technical fixes into a measurable security program with defined controls, evidence requirements, ownership, and accountability.
| IAM Question | What It Reveals | Likely Risk if the Answer Is Weak |
|---|---|---|
| Do we have a complete list of user accounts? | Identity inventory maturity | Orphaned and unmanaged accounts |
| What happens when someone leaves? | Lifecycle management | Former users retaining access |
| Who has admin rights? | Privileged access visibility | Excessive or unknown admin access |
| Where are privileged passwords stored? | PAM maturity | Shared credentials and poor auditability |
| When was access last reviewed? | Access governance | Access creep and toxic combinations |
| Is MFA enforced everywhere? | Authentication coverage | Exposed entry points for attackers |
| Which framework are we targeting? | Compliance readiness | Unclear priorities and weak accountability |
These seven questions map directly to the core pillars of identity security: identity lifecycle management, privileged access management, access governance, authentication security, and compliance readiness.
In many organisations, these risks remain hidden until an audit, breach, or internal incident forces them into view. The better approach is to ask the uncomfortable questions early, identify the gaps honestly, and prioritise the controls that reduce the most risk.
Because in IAM, maturity is not measured by how many tools an organisation owns. It is measured by how quickly and confidently it can answer fundamental questions about who has access, why they have it, and whether that access is still appropriate.
Which IAM question do you ask first when assessing an organisation’s identity security posture?
