Data Quality in Identity and Access Management: From Research to Practice

24 Jun 2026
Dr. Sascha Kern Senior Software Engineer

This article summarizes the results of my doctoral research on data quality in Identity and Access Management (IAM). The research was conducted in close collaboration with Nexis and focused on a central question: how can organizations maintain high-quality authorization structures over time?

Identity and Access Management (IAM) has become a central pillar of cybersecurity. Organizations invest heavily in role models, governance processes, and modern IAM platforms. At the same time, regulatory pressure is increasing, digital ecosystems are becoming more complex, and the number of identities, both human and non-human, continues to grow.

Despite these efforts, many organizations struggle to maintain effective and secure access control in the long term. In practice, IAM initiatives often start with a well-structured design phase, then gradually lose accuracy and transparency over time. Roles become outdated, exceptions accumulate, and access reviews turn into resource-intensive compliance exercises rather than effective risk mitigation.

These challenges formed the starting point of my research. In collaboration with Nexis, I examined how authorization structures evolve over time, and which factors influence their long-term quality and sustainability. The objective was to connect academic research with practical implementation in complex enterprise environments.

IAM as a Data Quality Problem 

One of the central assumptions of this research is that IAM is not primarily a technology problem. Instead, it is fundamentally an organizational problem, strongly linked to data quality. 

Access control decisions rest on data: 

  • identities and their attributes 
  • permissions and entitlements 
  • role and policy definitions 
  • segregation of duties (SoD) rules 
  • organizational structures 

If this data is incomplete, outdated, or inconsistent, even the most advanced IAM system cannot produce reliable results. Inaccurate access control policies can lead to excessive privileges, security vulnerabilities, or operational disruptions. Over time, these effects accumulate and increase both risk and cost. 

Data quality is well established in other domains, such as business intelligence or master data management. IAM research, however, has not addressed it systematically. Existing work often focuses on initial policy design or algorithmic data optimization, and it pays much less attention to long-term maintenance and governance. 

Three Building Blocks for Sustainable IAM Data Quality 

To address this gap, my research explored data quality in IAM through three interconnected perspectives: assessment, improvement, and access reviews.

1 Quality Assessment

Improving data quality requires the ability to measure it, yet IAM has long lacked a consistent framework for assessing the quality of access control policies. My research addressed this gap by identifying a consolidated set of quality dimensions, including accuracy, redundancy, complexity, conflicts, and maintainability. A key insight is that these dimensions fall into two categories. Some directly affect authorization decisions, such as excessive or missing access. Others affect long-term sustainability, such as complexity or redundancy. The latter do not immediately change access outcomes, yet they strongly influence how well an organization can maintain access over time. A systematic review of IAM metrics complements this perspective. 

Another major challenge is assessing authorization accuracy, because the “correct” access state is rarely available in a structured form. To address this, my research explored the use of transaction logs, which capture how identities and access rights evolve through organizational processes. Analyzing these logs makes it possible to identify patterns and to detect inconsistent or suspicious authorizations at scale. Effective IAM quality assessment therefore combines structural metrics with contextual, process-driven data. This supports continuous monitoring and more targeted improvements instead of reactive clean-up efforts.
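The split between decision-affecting and sustainability-affecting dimensions can be made concrete with a few structural checks on a small role model. The following is an added example, not code from the research or the NEXIS Platform; the role data, the SoD rule format, and the metric definitions are constructed assumptions chosen for illustration.

```python
# Constructed sample data (not from the article): role -> permissions, user -> roles.
ROLES = {
    "ap_clerk":     {"invoice.create", "invoice.view"},
    "ap_clerk_old": {"invoice.create", "invoice.view"},  # same set as ap_clerk
    "ap_approver":  {"invoice.approve", "invoice.view"},
    "viewer":       {"invoice.view"},
    "legacy_admin": {"vendor.edit", "invoice.approve"},  # assigned to nobody
}
ASSIGNMENTS = {
    "alice": {"ap_clerk", "viewer"},
    "bob":   {"ap_clerk_old", "ap_approver"},
    "carol": {"ap_approver"},
}
# Assumed SoD rule format: two permissions one identity must not hold together.
SOD_RULES = [("invoice.create", "invoice.approve")]

def perms_of(roles):
    """Effective permissions granted by a set of role names."""
    return set().union(*(ROLES[r] for r in roles))

def duplicate_roles():
    """Sustainability (redundancy): groups of roles with identical permission sets."""
    groups = {}
    for role, perms in ROLES.items():
        groups.setdefault(frozenset(perms), []).append(role)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def unassigned_roles():
    """Sustainability (complexity): roles that no identity holds."""
    return sorted(set(ROLES) - set().union(*ASSIGNMENTS.values()))

def redundant_assignments():
    """Sustainability (redundancy): a role fully covered by the user's other roles."""
    return sorted((u, r) for u, roles in ASSIGNMENTS.items()
                  for r in roles if ROLES[r] <= perms_of(roles - {r}))

def sod_conflicts():
    """Decision-affecting (conflicts): users whose effective access violates a rule."""
    return sorted((u, a, b) for u, roles in ASSIGNMENTS.items()
                  for a, b in SOD_RULES if {a, b} <= perms_of(roles))

if __name__ == "__main__":
    print("duplicate roles:      ", duplicate_roles())
    print("unassigned roles:     ", unassigned_roles())
    print("redundant assignments:", redundant_assignments())
    print("SoD conflicts:        ", sod_conflicts())
```

Only the SoD finding changes what a user can do today; removing the duplicate, unassigned, and covered roles leaves every user's effective access unchanged, which is why such findings are easy to defer and accumulate.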

2 Continuous Quality Improvement

Quality assessment creates transparency, but it does not prevent a fundamental issue: access control structures deteriorate continuously over time. Organizational change, system evolution, and regulatory requirements constantly reshape identities and policies. As a result, even well-designed IAM models lose accuracy and maintainability. Much of the existing research concentrates on initial policy design. My work, by contrast, treats IAM as an ongoing governance challenge rather than a one-time optimization problem. 

To address this, I developed a framework for continuous policy improvement that combines automated analytics with structured governance and human decision-making. Rather than rely on algorithms alone, the approach integrates different stakeholder perspectives, monitors policy quality continuously, and generates targeted improvement recommendations that teams can validate and implement in a controlled way. In an empirical evaluation, I reduced the complexity and redundant access of a large financial services provider while maintaining auditability. Another study introduced semantic abstractions for segregation of duties (SoD) policies, which help organizations simplify policy management drastically without losing enforceability. In short, sustainable IAM depends on continuous governance, clear responsibilities, and the integration of business context.

3 Effective Access Reviews

Access reviews are a central control mechanism in IAM, yet in practice their effectiveness is often limited. Faced with massive scale and limited context, reviewers tend to approve most access and focus only on obvious anomalies. As a result, access reviews often fulfill compliance requirements without significantly reducing risk. A key challenge is the lack of a clear “ground truth” for correct access decisions. Reviews are also human-driven, which makes them subject to bias and inconsistency. 

My research addresses this by formalizing access reviews as a form of crowd-based decision-making. This perspective enables the use of machine learning to identify potentially low-quality review decisions and to introduce meaningful quality monitoring beyond simple completion metrics. In addition, digital nudges, such as highlighting risky access or providing contextual information, can significantly improve reviewer decisions. In the end, effective access reviews require a balanced approach that combines data-driven insights with targeted support for human decision-making. 

From Research to Practice at Nexis 

The collaboration with Nexis played a central role throughout this research. Practical insights from customer projects, access to real-world IAM data, and continuous exchange with experienced practitioners provided essential input for developing and validating the proposed concepts. At the same time, the results of the research contributed to the ongoing evolution of the NEXIS Platform. This close integration of academic work and practical experience aimed to ensure that the outcomes were not only theoretically sound, but also applicable in complex enterprise environments. 

This collaborative work produced seven peer-reviewed scientific publications, which we co-authored and presented at leading international conferences and journals in the fields of security, privacy, and information systems. These publications are publicly available and form the foundation of the results summarized in this article. 

The Future of IAM Data Quality 

IAM is entering a phase of increasing complexity. Cloud-native architectures, decentralized identity models, non-human identities, and automated machine-to-machine interactions are expanding the scope of access governance beyond traditional enterprise environments. At the same time, regulatory expectations are evolving, with a stronger focus on continuous controls, auditability, and demonstrable effectiveness rather than periodic compliance exercises. 

In this context, the challenge is no longer only to implement access control, but to maintain it in dynamic and heterogeneous environments. Static role models and periodic clean-up initiatives are increasingly insufficient. Organizations need continuous visibility into authorization structures, the ability to detect structural weaknesses early, and mechanisms to adapt policies in line with organizational change. This requires a stronger integration of data analytics, process context, and organizational knowledge into IAM operations. 

Future IAM strategies will therefore need to move toward continuous governance models that combine automated monitoring with structured human decision-making. This includes using contextual data such as audit logs systematically, evaluating policy quality indicators continuously, and designing decision environments that help domain experts make consistent, risk-aware choices. In addition, improving the quality and lifecycle management of identity and attribute data will become even more critical as access control increasingly depends on dynamic, attribute-driven models. 

 

Author Info: 

Dr. Sascha Kern is Team Lead in Software Development at Nexis and a specialist in Identity and Access Management (IAM) with more than a decade of professional experience in the field. Over the past years, Sascha has been working on his doctoral research in cooperation with the University of Regensburg, focusing on the role of data quality in IAM. He successfully defended his doctoral thesis in December 2025.