Scope: Vendor selection, not live monitoring. IAM Posture™ is an IAM vendor selection intelligence product. We evaluate which platform to buy — we do not connect to your directory, monitor your live identity environment, or replace ISPM tooling (Silverfort, Zscaler, Authomize).
How we score the
Identity Market.
Most IAM evaluations are black-box reports or pay-to-play rankings. IAM Posture™ uses a transparent, data-driven framework to evaluate vendors across 180+ dimensions — scored against your specific requirements, not the average buyer's.
For Busy Executives
IAM Posture™ works in three steps: you describe your organisation’s requirements through the LENS™ Assessment (15 questions across identity, compliance, budget, and risk tolerance). Our engine then scores each of 52+ IAM vendors across 180+ dimensions — weighting each dimension by how much you care about it. The result is a ranked shortlist with a percentage match score, a gap analysis, and a 5-year TCO estimate — in 24 hours, not 6 months.
The Analytics Hierarchy
Decision Intelligence &
Trust Architecture.
Beyond feature scoring, IAM Posture™ implements a governance layer to ensure reports remain accurate, neutral, and auditable under ISO 42001 and TPRM standards.
Trust Integrity Index (TII)
A 0–100% score representing the aggregate compliance of the assessment with the 16 IAM Posture™ Trust Rules. A score below 90% flags the report for manual analyst review or re-verification.
Integrity Threshold
90% Required
Protocol
ISO 42001 ALIGN.
Data Freshness Index (DFI)
A weighted measure of signal currency. We discount vendor scores in real-time if critical threat signals or M&A actions occur since their last verified technical audit.
Audit TTL
90-Day Expiry
Refresh Loop
Real-time Signals
Score Trace Example
Sample Vendor · Governance PillarAccess Certification Workflows
Product audit + IDPro BoK
Segregation of Duties (SoD) engine
Hands-on technical audit
Automated JML provisioning
SOC 2 Type II report
Role mining & entitlement analytics
Vendor documentation + OSINT
Audit log completeness (HIPAA-ready)
FedRAMP marketplace registry
Each dimension is sourced, weighted by your priorities, and rolled up into a pillar score — traceable from result back to primary evidence.
Want to see this applied to a real evaluation?
See a sample IAM Verdict™The 9+ Scoring Pillars
Every vendor is scored across 9+ pillars and 180+ dimensions. Pillar weights are not fixed — they are calibrated to your organisation's answers in the LENS™ Assessment. A PAM-heavy enterprise gets a different ranking than a CIAM-first scaleup evaluating the same vendors.
Identity Foundation
Core identity lifecycle management — JML provisioning, directory services, SSO, MFA, and passwordless authentication. The baseline every other pillar depends on.
Identity Governance & Administration
Access certification, role mining, SoD enforcement, automated provisioning/de-provisioning, and audit-ready entitlement reporting.
Privileged Access Management
Vault depth, session recording, just-in-time access, secrets management, and service account governance for both human and machine identities.
Customer IAM
B2C and B2B identity — registration, progressive profiling, consent management, social login, and CIAM-specific compliance (GDPR, CCPA).
Threat & Posture
Identity threat detection, anomaly scoring, risky authentication signals, ITDR integration, and continuous posture visibility across the identity estate.
NHI Readiness
Non-human identity governance — service accounts, API keys, OAuth tokens, AI agents, and machine credentials. The fastest-growing attack surface in IAM.
Agentic Readiness
AI agent identity — SPIFFE/SPIRE workload identity, agent credential issuance and rotation, MCP governance, and agent session auditability.
Zero Trust
Continuous verification posture, micro-segmentation support, device trust integration, and alignment to NIST SP 800-207 Zero Trust Architecture.
Platform Fit
Integration depth, connector library, deployment flexibility (SaaS, on-prem, hybrid), API standards (OIDC, SCIM, SAML), and admin/end-user experience.
Commercial Fit
5-year TCO, licensing model, implementation cost, vendor fiscal timing, discount ranges, and contract risk flags from the Negotiation Leverage Report.
The Scoring Algorithm
Our scoring algorithm is dynamic. Unlike static quadrants, results shift based on your exact requirements. A vendor that looks strong on paper can rank significantly lower if it fails your compliance gates or sits outside your budget ceiling — no amount of feature strength overrides a hard constraint.
Each vendor is evaluated through a weighted vector model: your LENS™ answers determine how much each pillar matters for your organisation. Hard compliance gates eliminate non-qualifying vendors before ranking begins — they cannot be overridden by feature scores.
Every data point is derived from technical product audits and verified hands-on testing. We do not accept sponsorship in exchange for score adjustments.
Live Score Simulator
Scores are illustrative. Real rankings use 180+ dimensions calibrated to your full LENS™ assessment.
Beyond the Algorithm
The Human Judgment Layer
Algorithmic scoring is the foundation. The decisions that matter — choosing a vendor, negotiating a contract, running a POC — require human intelligence on top. The IAM Verdict™ includes a full set of tools to capture and document that judgment.
Disqualifier Engine
Hard-gate rules that eliminate vendors who fail mandatory requirements before ranking begins — FedRAMP, on-premise, SLA floors, budget ceilings. No workarounds.
Stakeholder Lens Views
Reframe the same results for CISO, CFO, CTO, and Procurement — each with different priority weights and vocabulary. One evaluation, four audiences.
Scenario Presets
Switch instantly between pre-built evaluation profiles: Zero Trust Migration, Cloud-First, Merger & Acquisition, Compliance-Driven, and Cost Reduction. Rankings recalculate live.
Expert Override Layer
Override algorithmic rankings with documented human judgment — reason codes, notes, and a full audit trail. Preserved alongside the original score.
POC Scoring Module
Structured 6-criteria weighted scorecard for your proof-of-concept. Rate setup speed, admin UX, integration depth, performance, support quality, and claims vs. reality.
Reference Check Capture
Log real buyer reference calls directly against your shortlisted vendors — sentiment, key insight, role, industry, and months in production.
Negotiation Leverage Report
Vendor fiscal year-end dates, typical and max discount ranges, leverage clauses, and red-flag contract terms — generated as a procurement brief for contract negotiation.
IAM Posture™ Trust Framework
We hold the IAM industry to a high standard, beginning with our own data collection. IAM Posture™ is a data platform. We do not accept payment for ranking placements, and our badges require strict evidentiary proof.
Vendor-Neutral by Structure
No vendor pays for placement, higher scores, or access to our methodology. Revenue comes exclusively from buyers.
Evidence-Based Scoring
Every score is traceable to a primary source — SOC 2 reports, FedRAMP registry, hands-on product audits, or IDPro BoK citations.
Continuously Refreshed
Vendor profiles are reviewed on a regular cycle. M&A events and material security incidents trigger out-of-cycle updates.
Practitioner-Defined Scoring
Scoring methodology, pillar weights, and vendor evaluation criteria are defined and maintained by IAM practitioners. Human expertise is embedded in the model — not applied as a post-hoc override.
Privacy-First
Your assessment inputs are never shared with vendors or used for lead generation. What you tell us stays with us.
Accuracy Accountability
If a data point in your report is materially wrong, you can dispute it. We investigate and respond within 10 business days.
Badge Standards
Vendor compliance badges are not granted via "claims". A badge is only awarded if traceable proof exists.
- FedRAMP: Must be listed on marketplace.fedramp.gov.
- SOC 2 Type II: Report must be issued within the trailing 12 months.
- GDPR: Explicit DPA availability and valid SCCs.
- ISO 27001: Current certificate issued by an accredited certification body, verifiable via the issuer’s public register.
Corroboration requirement: No single practitioner report, Reddit thread, or G2 review can change a vendor score in isolation. Practitioner signals require corroboration from at least two independent sources before influencing scoring.
Conflict of Interest
Zero Paid Placements. We do not operate a "pay-for-play" research model. Visibility across the platform is organically determined by the LENS algorithm based on mathematical fit to the buyer's query.
Data is updated via automated sweeps and vendor submissions. A "Data Currency" timestamp ensures buyers know the exact as-of date for each evaluation profile.
Data Sources & Freshness
Every data point in our scoring engine is traceable to a specific source and timestamp. We do not accept vendor-supplied data without independent, evidence-based verification.
Primary Sources
- NIST SP 800-63 (Digital Identity Guidelines)
- NIST SP 800-207 (Zero Trust Architecture)
- IDPro Body of Knowledge (BoK)
- Official Vendor SOC 2 & FedRAMP registries
- Major analyst market guides (Gartner, Forrester, KuppingerCole — Annual Research)
Validation Layer
- Firsthand IAM deployments across pharma, healthcare, automotive, and telecom
- Hands-on technical product audits
- Feedback from CISOs and IAM leads actively evaluating vendors
- Practitioner signals (r/netsec, Security StackExchange)
- Open Source Intelligence (OSINT) sweeps
Freshness Policy
- Quarterly review of all 52+ vendor profiles
- 90-day hard TTL — reports older than 90 days flagged as stale
- M&A and breach updates within 72 hours
- Evaluation date stamped on every IAM Verdict™
Data Freshness Policy
Every IAM Verdict™ report stamps the evaluation date on each vendor profile. Assessments have a 90-day hard TTL. Reports older than 90 days are flagged as STALE / AUDIT WARNING and should be re-run to ensure capture of recent product updates and threat signals. For M&A events and security incidents, profiles are updated within 72 hours regardless of the quarterly cycle.
Vendor-Neutral by Structure, Not Just Policy
We charge buyers. We never charge vendors. No vendor can purchase a higher score, a featured placement, or access to our scoring methodology. Revenue comes exclusively from buyer subscriptions and one-time report purchases — not from the vendors being evaluated. Our methodology is published. Every score maps to a cited source. You can open any dimension and trace it back to its origin.
What You Receive
Three Audit-Ready Artifacts
Every IAM Verdict™ report includes three deliverables you can take directly to your board, procurement team, or auditor.
Ranked Shortlist
All 52+ vendors scored and ranked against your exact requirements. Pillar-by-pillar breakdown with source citations for every dimension. Designed to justify a finalist list to a procurement committee.
Gap Intelligence Brief
Per-vendor gap analysis: what capabilities are missing, what workarounds exist, and what the implementation risk is at your org size. Built to survive a CISO review.
5-Year TCO Projection
Licensing, implementation, and operational cost modeling across your finalist vendors — factoring your headcount, deployment model, and integration footprint.
$499 · Never expires · Accuracy disputes reviewed within 10 business days
Zero Trust Architecture
You cannot have Zero Trust
without knowing your IAM posture.
Zero Trust requires continuous verification of identity — which requires continuous visibility into who has access to what, whether that access is appropriate, and where the gaps are. Most ZTA implementations stall at the identity layer because teams have no verified posture baseline to build from.
IAM posture visibility is the prerequisite for any Zero Trust roadmap
Non-human identity (NHI) governance is the fastest-growing ZTA gap — service accounts, AI agents, machine identities
Continuous posture monitoring replaces the point-in-time access review that ZTA makes immediately obsolete
ZTA Readiness Sequence
Know your IAM posture
Continuous monitoring surfaces excessive privilege, dormant accounts, NHI exposure, and cross-application access accumulation before you architect around it.
Map your identity attack surface
Understand which identities — human and non-human — have access to which resources, at what privilege level, and for what reason.
Design ZTA around verified posture
Zero Trust policies built on a verified identity baseline are enforceable from day one. Policies built on assumptions produce exceptions from day one.
Monitor continuously
Posture degrades as the environment changes. Continuous monitoring ensures your ZTA model stays aligned with the actual access state.
Limitations — What We Do Not Measure
Transparency requires acknowledging what our scoring engine cannot capture. These limitations do not reduce the value of the assessment — they define where your own due diligence must begin.
Vendor-specific support quality
We score documented SLA tiers and published support models. We cannot score the subjective quality of vendor support responsiveness for your account, which varies by contract size and relationship.
Implementation partner quality
We do not score the quality of individual system integrators or implementation partners. Deployment success depends heavily on the specific partner team, not the vendor product alone.
Negotiated pricing
All pricing scores are based on published list prices or publicly disclosed ranges. Enterprise negotiated discounts, which can be 30–60% below list, are not reflected in TCO estimates.
Organisation-specific integration complexity
Connector scores reflect documented integration capabilities. Your actual integration effort depends on the age, customisation, and hygiene of your existing identity stack, which we cannot assess.
Vendor roadmap reliability
We score current capabilities, not announced roadmap features. A vendor's stated roadmap may change. Do not select a vendor based on features marked "Coming Q3 2026."
Geopolitical and supply chain risk
We do not score vendor geopolitical exposure, ownership structure, or supply chain dependencies. For regulated industries, conduct independent vendor risk assessment.
Important Limitations of This Assessment
Not a purchasing recommendation. IAM Posture™ assessment outputs are provided for informational and decision-support purposes only. They do not constitute professional advisory, a warranty of vendor fitness, or a guarantee of any procurement outcome. All purchasing decisions remain the sole responsibility of your organisation.
Conduct independent due diligence. You must conduct your own independent evaluation, including proof-of-concept testing, reference checks, and legal review, before committing to any vendor relationship. No algorithmic score replaces hands-on validation.
Data accuracy disclaimer. Vendor capability data is accurate as of the data freshness date displayed in your report. IAM Posture™ makes no representation that Output Data is complete or error-free. If you believe a data point is materially inaccurate, submit a formal dispute to [email protected] within 30 days.
Intellectual property. All report outputs are the exclusive IP of IAM Posture™, licensed for internal use only. Redistribution, resale, or incorporation into competing products is a breach of our Terms of Service §2.