IAM 101: The Questions You Should Be Asking About Access (Even If No One Has Said Them Out Loud Yet) 

Identity Problems Hide in Plain Sight 

Every organization has an IAM problem. Most just haven’t stumbled into it yet…

That’s why I want to start with a question – one most organizations avoid because they’re afraid of the answer: do you truly know who has access to what, and why? 

Let me speak to you directly, because this is one of those topics that often get buried under technical language and abstract frameworks. Identity and access management isn’t about systems. It isn’t about tools. It isn’t even about “security posture” or “controls” or any of the words we usually put around it. 

It’s about people. Your people. And the quiet, everyday struggles they face when access isn’t working the way it should. 

Most organizations I meet don’t realize they have an IAM problem until something painful happens. A new colleague can’t get the access they need. An auditor asks a simple question that no one can answer quickly. Someone discovers an account still active long after the person leaves.

Whatever the situation, there is always a moment – small, awkward, slightly unsettling – where someone asks, “Wait… do we actually know who has access to this?” 

If you’ve experienced anything like that, you’re not alone.

Identity touches everything yet rarely has a single owner. It sits between HR, IT, security, leadership, and every team that needs to get work done. Over time, it becomes something everyone assumes is working because it has to – until the day it doesn’t. 

When the Basics Aren’t That Basic 

The biggest IAM risks almost never come from malicious intent - they usually come from uncontrolled improvisation. 

You might know parts of it. A system here, a process there. But knowing it fully and confidently, without digging through old emails or unravelling years of “temporary” permissions, is rare. This uncertainty doesn’t happen because anyone is careless. It happens because identity decisions get scattered through years of growth, improvisation, and helpful shortcuts. 

Another question often comes up when someone leaves the company: how fast can you remove every part of their access? Minutes, hours, or days? For many teams, offboarding is a patchwork of checklists and manual tasks. People get busy. Systems get forgotten.

Before long, dormant accounts begin to appear like ghosts of past employees – unintended, untracked and quietly risky. 

Then there is the onboarding experience. A new hire arrives full of energy. But how long do they need to wait before they can do their job? How many times do they ask, “Who do I talk to about getting access to this?” Slow access onboarding is more than an inconvenience. It drains momentum and confidence from people who are trying to find their footing. Most organizations think their onboarding process is ok… until we show them how much faster it can be with role-based automation

The Quiet Accumulation of Risk 

Privilege tends to be built quietly. Someone gains elevated access for a project, then moves to another role, then takes additional responsibility. Access piles layer upon layer. Very rarely is it removed again. It’s no one’s fault; it’s simply how work happens under pressure. 

Audits bring this into sharper focus. The questions asked are simple but answering them often requires days of gathering scattered evidence. How is access granted? Who approved it? When was it last reviewed? These are reasonable questions, yet they can feel overwhelming when information lives everywhere and nowhere at the same time. 

Another subtle issue arises when every team invents its own way of managing access. Not because they want to break process, but because no unified approach ever fully formed. Access ends up depending more on who you know than on how the organization intends to work. 

And occasionally, you discover a new SaaS tool being used by a team that never mentioned it. That moment often reveals just how far access extends beyond the systems you officially manage. Shadow IT isn’t a failure; it’s a sign that people are trying to move faster than the processes around them. 

The Realization That Changes Everything 

If any of these questions feel familiar—if reading them brings back moments, you’d rather not relive—then you’re already close to recognizing the truth: IAM is not just a technical problem. It’s a human one, shaped by habits, assumptions, workload, and the simple need to get things done. 

Most organizations already have Microsoft Entra ID. It’s capable of bringing order and clarity to access, of automating the parts that frustrate people the most. But these capabilities only matter once they’re connected to the questions your organization is genuinely struggling with. 

Identity becomes powerful when it matches how people work, not how documents say they should. 

Where Fortytwo Fits In .

At Fortytwo, we take a different approach. We don’t begin with policies or configurations. We begin with you. What slows your people down? What worries about your leadership? What makes audits tense? What do new hires quietly complain about in their first week? What processes rely on “the person who knows how it works”? 

Once we understand the questions, the answers reveal themselves naturally. They’re often simpler, more human, and more achievable than expected. We help you untangle what’s grown messy, bring structure to what’s become improvised, and build an access model that makes sense for your organization—not for a theoretical one. 

The outcome is clarity. Predictability. A sense of confidence that the right people have the right access, at the right time, for the right reasons. 

A Conversation Worth Having 

Let me ask you a question, after reading this article: If you had one IAM problem you could fix tomorrow, what would it be? 

I’d love to have that conversation with you, so don’t hesitate to contact me if you want a chat!