Many security teams manage user access in the dark, without clear insight into who has access to what, or why. This lack of visibility makes it difficult to stay ahead of both attackers and auditors, especially under growing compliance pressure from frameworks like NIS 2, DORA, and ISO 27001.
Making IAM risks visible helps you:
Spot hidden threats like orphaned accounts;
Prioritise what matters instead of chasing generic checklists
Communicate risk clearly to management and auditors using real-world impact
Prove control with evidence-based insights, not assumptions
The Identity Indicator Canvas helps CISOs and IAM teams quickly assess and prioritise identity-related risks. It focuses on eight key indicators that matter most for security, compliance, and operational control:
✅ Orphaned Accounts – Unused accounts with lingering access
✅ Privileged Accounts – Users with elevated, high-risk access
✅ Access Accumulation – Users with more access than needed
✅ Identity Hygiene – Cluttered or unnecessary user accounts
✅ Role Hygiene – Outdated, unused, or overly complex roles
✅ Data Quality – Incomplete or inconsistent identity data
✅ Separation of Duties – Toxic combinations of permissions
Each indicator is mapped to frameworks like ISO 27001, NIS 2, and DORA, giving you a structured way to align IAM with regulatory and security priorities.
Open the Excel file
You’ll find both an example and a blank version ready to use.
Review the example tabs
Start with “Overview (example)” and “Key Identity Indicators (example)” to see how risks are typically scored on likelihood and impact.
Switch to the template tabs
Use “Overview (template)” and “Key Identity Indicators (template)” to enter data for your own organisation.
Score your environment
Evaluate each of the 8 indicators and assign a risk level based on how likely and how impactful each one is.
Plot your risks
The canvas will automatically map your scores on a visual risk matrix.
Use it in discussions
Share the result with leadership, auditors, or compliance teams to clearly demonstrate your IAM risk posture.
Whether you're preparing for an audit or just need clarity on where your risks lie, the canvas helps you structure your thinking and focus efforts.