Those who don't control IAM are controlled by IAM.
Deutsche Bank — IAM Strategy and Governance
In large organizations, IAM rarely grows through decisions. It grows through incidents. An audit arrives. A system needs to be replaced. A regulatory requirement comes in. And each time a concept is created that supplements the last one, without anyone knowing whether the direction is still right. At Deutsche Bank, that was meant to change.
Where IAM strategies fail before they begin.
Many organizations have IAM concepts. Not many have a strategy that works in everyday practice. The difference does not lie in the quality of the documents. It lies in whether the people who manage IAM on a daily basis understand the strategy as their own.
For an international financial services provider like Deutsche Bank, this means that target-state descriptions alone are not enough. It takes a roadmap that makes priorities clear. Governance structures that enable decisions. And stakeholders who are involved from the start, not informed once the outcome has already been determined.
IAM that is not managed manages itself. And it does so reactively.
Vision, mission, and three years of direction.
The starting point was developing a clear vision and mission for the group's IAM. Not as a declaration of intent, but as a reference framework that makes strategic decisions across systems, processes, and budgets traceable.
Strategic goals were defined for a three-year period. These goals were not oriented toward technical wish lists but toward the concrete requirements of the organization: regulatory resilience, operational efficiency, and group-wide consistency.
The foundation for this was intensive coordination with the relevant stakeholders. Business units, the IT organization, the CISO function, and compliance were brought in early. The result was not a strategy developed over the heads of those who implement it, but one grounded in their reality.
Strategy is not created in a workshop. It is created through alignment with those who have to carry it out.
A roadmap that shows the way.
Alongside the strategic direction, a detailed IAM roadmap was developed. This roadmap translated the strategic goals into concrete initiatives, dependencies, and time horizons.
The roadmap was not a static planning document. It served as a management tool: for executive decisions, for prioritizing resources, and for communicating with stakeholders at various levels. Management presentations were prepared regularly to make progress visible and justify adjustments. Key steps were not delayed as a result but accelerated.
CISO advisory on technology harmonization.
One of the central questions in the project was not which systems should be introduced. The question was: how will the existing systems work together going forward?
Targeted advisory work on the technological harmonization of the tool and platform landscape was carried out for the CISO function. The goal was to identify redundancies, clarify interfaces, and define an architecture in which IAM systems interact consistently.
The result was not a new system landscape. It was a clear picture of which systems take on which role, where consolidation makes sense, and which integrations need to be prioritized.
Not introducing more systems. Getting the existing ones to work together.
Global rollout of entitlement concepts.
Alongside the strategic direction, the project included the global rollout of entitlement concepts for critical IT infrastructure and applications. The goal was to establish uniform and secure access policies across the group.
To this end, existing access rights were evaluated and group-wide standards harmonized. Concepts tailored to the specific requirements of each context were developed for different application classes and infrastructure components, while ensuring group-wide consistency. Implementation was carried out in stages, accompanied by training and the provision of appropriate tools so that integration into ongoing operations was possible without disruption.
Uniform does not mean the same for everyone. Uniform means consistent in principles.
What changed as a result.
Deutsche Bank now has an IAM strategy that is more than a document. It is a basis for decision-making, for questions of system architecture just as much as for governance decisions and regulatory requirements.
The roadmap provides orientation on which initiatives are to be implemented when and with which dependencies. The governance structures ensure that decisions are made where they belong. The global rollout of entitlement concepts has created uniform access standards across the group. New requirements can be integrated into the existing structure without having to start from scratch.
When is the right time for an IAM strategy?
In most organizations, the honest answer is: before the next incident arrives. But that is rarely what happens. IAM grows reactively for as long as no one has decided that it can work differently.
The project at Deutsche Bank shows what is possible when that decision is made deliberately, with the right stakeholders, a clear time horizon, and the expectation that the strategy holds up not on slides but in operations. Which decisions are being made in your IAM landscape today without a shared direction behind them?