From Identity Activity to Identity Intelligence
A recap of our recent live session with YouAttest, featuring Duane Clouse, Senior Manager, IAM & Zero Trust at RKON, alongside Garret Grajek and Kashif Mehmood of YouAttest.
Thank you to everyone who joined us live for our recent webinar. If you did not join us live, the replay is available here.
Identity programs do not fail because teams lack activity; they fail because activity is not translated into measurable, defensible identity risk intelligence. RKON and YouAttest discussed the value and methods of giving security leaders one evidence-backed view of identity exposure, program hygiene, and improvement velocity so they can prioritize what matters, defend investment, and turn identity governance into an operational roadmap.
The conversation kept circling back to one uncomfortable question that most identity programs cannot answer cleanly: what is your identity risk right now? Tools get deployed, MFA gets switched on, access reviews get completed, and yet leadership still struggles to translate all of that activity into a clear, defensible picture of risk.
That gap is exactly what RKON set out to close with the IAM Maturity Intelligence Center. Below we have pulled together the heart of Duane’s answers from the session, so registrants and attendees have something concrete to revisit.
The origin: why we built it
We have been delivering identity assessments for years, and the same problem showed up on every engagement. As Duane put it:
“Every engagement seemed to get reinvented in PowerPoint and Excel. No two consultants scored the same way, and clients couldn’t compare findings year over year.”
The traditional model was one or two consultants running a workshop, going away to build a report, and handing it off. There was little accountability and little ownership once the document landed. We wanted one place that scored, prioritized, planned, and tracked identity work consistently. So we built it for our own delivery teams first; when clients started asking to license it, that confirmed we had hit the right gap. Nobody was sitting between the framework and the operational tool, and that is the space the IAM Maturity Intelligence Center occupies.
Where identity programs fall short today
Duane’s framing of the core problem was direct:
“The biggest issue most identity programs have is that they’re operationally busy but strategically blind.”
There is plenty of activity: tickets closed, audits passed. What is missing is a maturity narrative underneath it. Organizations routinely confuse activity metrics with risk metrics. Completing twelve thousand access reviews sounds impressive, but it says nothing about whether the right people were actually reviewed. And because legacy assessments are a one-time snapshot, nobody can answer the question leadership actually cares about: are we better this year than we were last year?
Three KPIs That Actually Signal Risk: Exposure, Hygiene, and Velocity
Not all identity data is useful. Duane grouped the metrics that matter into three buckets, and these are the three the portal is built around.
Exposure is how much risk you carry today, surfaced through domain-level risk scores on the dashboard.
Hygiene is how reliably you handle the basics, measured through 100 maturity questions across ten domains, covering areas like joiner-mover-leaver processes, SLA tracking, and governance. This is where the YouAttest integration plugs in, delivering real reviewer-engagement data rather than checkbox-completion stats.
Velocity is whether you are improving over time, addressed through a CMMI maturity score per domain, gap-to-target by domain, and snapshot-based history that lets you trend each domain quarter over quarter.
From “What’s Broken” to “What to Do Monday”: How a Single View Changes Decisions
Putting this into a single view changes the conversation for two different audiences.
For security teams, the shift is from “what’s broken” to “what to do on Monday.” A Tasks view sequences and scopes every action by risk and effort, while Roadmap and Gantt views make the timeline defensible: what will happen, why, and in what order.
For leadership, it is the first time they can answer three questions they could not before. Are we getting better? Where is the next dollar best spent? Can we defend our program to the board and to auditors? The portal becomes the single source of truth for identity strategy.
Where YouAttest Fits: Replacing Self-Reported Scores With Real Evidence
Access governance and certification is one of the ten domains we measure, and one of the highest-signal domains for actual risk. The challenge is that most maturity scores are self-reported, and we wanted ours to be evidence-backed. Duane explained the value of the integration simply:
“YouAttest brings the campaign data: who has access, who reviewed it, how engaged the reviewers were. That’s real evidence, not a checkbox.”
The Next 12 to 24 Months: Board-Level Risk, Non-Human Identities, and Regulation
Looking ahead, Duane pointed to three forces converging quickly.
First, identity is becoming the new SIEM at the board level. Boards already ask about identity; soon they will ask about identity risk quantification, not “do we have MFA” but “what’s our blast radius in dollars.”
Second, non-human identities will outnumber humans. Service accounts, agents, and AI workloads are multiplying, and the identity model we built for humans does not survive autonomous workloads.
Third, cyber insurance and regulators are catching up. Underwriters already demand identity evidence, and regulators are next, asking for measured maturity rather than attested controls.
“Identity is becoming the first cybersecurity domain the board actually understands. Either we measure it well, or someone else measures it for us.”
The bottom line
What we built is not another tool in your stack; it is the intelligence layer on top of the stack you already have. It scores your IAM program across ten core domains on the CMMI 1-through-5 model, aligned to the NIST Cybersecurity Framework, and shows you where you are, where risk concentrates, and what to fix first based on risk and effort.
Duane closed the session with the line that sums up the whole approach: if you can measure it, you can defend it; if you can defend it, you can fund it; and if you can fund it, you can actually fix it.
Want to see the IAM Maturity Intelligence Center applied to your own environment? Reach out to the RKON team to continue the conversation.

