We're mandated to allocate IT costs to the service level, but this creates friction with Identity & Access Management (IAM). The issue: non-negotiable security costs (MFA, SSO, governance) often exceed the cost of low-value services they protect (e.g., internal portals), leading to business owner pushback. How have you addressed this "Low-Value Service Paradox"? Do you keep foundational SSO/basic provisioning as corporate overhead or allocate everything? Do you use risk- or value-weighted allocation to subsidize essential, low-cost services? Who owns the final decision on allocation formulas—Finance, CIO Council, or Security? Please share specific solutions and governance models that have made IAM cost allocation fair and sustainable.

Governance, Risk & ComplianceIdentity & Access Management (IAM)
611 viewscircle icon2 Comments
Sort by:
CIO6 days ago

There are certain things that are really non-negotiable and very much in the technical weeds. I would create a category of base IT things that everyone needs to have. The ability to access systems and have security around them belongs in that category. If its necessary to charge out do it by number of employees.

CIO in Banking6 days ago

If it were me, I would change the business mindset that MFA, SSO, IAM, etc are NOT low-value services and actually high value services to ensure the business is protected and the users have the proper and easy to use access. I would put the cost of engineering and cost of product as corporate overhead but then calculate different request costs based on complexity. Business don't really understand all the effort it goes into adding new user, going through a reorganization, and simply maintaining an RBAC. We have begun educating our business since they really had no idea how anyone ever got provisioned.

Content you might like

For European companies with DORA requirements – DORA expects to have in place exit strategies for critical IT providers, and internal IT providers. How are you handling exit strategies for internal IT providers (especially when they're set up as separate legal entities within your group)? More importantly, has anyone actually conducted the required exit strategy tests for internal providers, and if so, how did you approach it?

We are looking at offshoring some IT roles to India but are struggling to get accurate expected salary ranges.  We have used an agency in country but discovered that the ranges they are suggesting appear to be significantly higher than those we are hearing through feedback from in region contacts.  Does the community have any suggestions on resources we can use to get more accurate expected salary ranges for a broad range of Technology roles in India?

Do you feel supported by your business partners for data governance investments?

Very supported42%

Moderately supported52%

Not supported at all5%

View Results

What's your top IT modernization challenge?

Establishing governance strategies and processes40%

Defining and optimizing IT operating models56%

Integrating centers of data3%

View Results
We're mandated to allocate IT costs to the service level, but this creates friction with Identity & Access Management (IAM). The issue: non-negotiable security costs (MFA, SSO, governance) often exceed the cost of low-value services they protect (e.g., internal portals), leading to business owner pushback. How have you addressed this 'Low-Value Service Paradox'? Do you keep foundational SSO/basic provisioning as corporate overhead or allocate everything? Do you use risk- or value-weighted allocation to subsidize essential, low-cost services? Who owns the final decision on allocation formulas—Finance, CIO Council, or Security? Please share specific solutions and governance models that have made IAM cost allocation fair and sustainable. | Gartner Peer Community