Over the past few years, compliance has generally been identified as the prime driver for adoption of IAM solutions. The major analyst firms (Gartner, Forrester, Burton, etc.) have all agreed that, starting with Sarbanes-Oxley and continuing with HIPAA, PCI, GLBA, and a number of other mandates, IAM solutions greatly simplified the compliance and audit process.
That trend seems to have diminished gradually over the past year or so, as many companies have implemented identity-related controls as the foundation of their IAM program. So, some IT managers have started to view compliance as a "been there, done that" business issue. This is a short-sighted approach.
First, more regulations will undoubtedly arrive over the next few years. But, more importantly, existing regulations are being strengthened both in their requirements and in their penalties. HIPAA/HITECH and the virtualization requirements of PCI are good examples of this trend.
In addition, compliance is not a one-time problem: existing controls must be continually updated, automated, and monitored. Therefore, you may have "been there and done that," but IT organizations need to "keep doing it" better and more efficiently.
Not to pitch my own events, but if you are interested in these issues I will be doing a webcast on the topic of "Meeting the Ongoing Challenge of Identity and Access Compliance." This webcast will provide a maturity model for compliance controls, and highlight critical capabilities for identity-related compliance in enterprise and cloud environments. Here are the details. I hope to "see" you there:
Date: Tuesday, June 19
Time: 1:00pm EDT