Topics Guides Market Map Directory Comparisons Capabilities Maturity Compliance Events

Wiki Blog Works

Topics Guides Market Map Directory Comparisons Capabilities Maturity Compliance Events

Wiki Blog Works

Maturity

CIAM Maturity Self-Assessment.

Score your customer-identity program against a written rubric across the nine capability domains. For each one you pick the description that matches your reality today, not a bare number. Your answers stay in your browser — nothing leaves it unless you choose to contribute them anonymously. No email required. Use it to find the gaps worth a vendor conversation.

The 0–4 scale

0 None: — Capability not present
1 Basic: — Manual or one-off; minimum viable
2 Standard: — Productized, repeatable, mostly self-service
3 Advanced: — Adaptive, context-aware, automated
4 Leading: — Predictive, federated, ecosystem-aware

Identity Management & Lifecycle what to ask →

0 No self-service: accounts are created and edited by support, and deletion is manual or impossible. 1 Basic registration form and password reset, but profile edits and account deletion need a support ticket. 2 Self-service registration, profile management, password reset, and account deletion; social login available. 3 Progressive profiling, self-service MFA enrollment, and recovery that survives a lost second factor. 4 Orchestrated lifecycle with policy-driven recovery and a real data-minimizing delete propagated downstream.

Capabilities behind this domain

Registration. Consumer self-creates an account with branded forms, validation, and bot defense.
Social / third-party login. Sign in via Google, Apple, Facebook, and regional or enterprise identity providers.
Self-service profile management. Consumer edits attributes, preferences, and MFA enrollment, or deletes the account.
Password self-service. Forgot, change, and secure reset flows with hardened credential storage.
Account recovery. Regain access after lost credentials, device, or factor.
Account de-registration. Consumer-initiated delete with data minimization and right-to-be-forgotten.

Authentication & Authorization what to ask →

0 Passwords only; no MFA; access rules are hard-coded inside each application. 1 Optional MFA with manual enrollment; single sign-on wired up for a couple of apps. 2 MFA is standard and SSO spans apps; OAuth 2.0, OIDC, and SAML are supported. 3 Adaptive, risk-based authentication with mid-session step-up and centralized RBAC/ABAC policy. 4 Passkey-default and phishing-resistant, with externalized fine-grained authorization (ReBAC) evaluated continuously.

Capabilities behind this domain

Multi-factor authentication. A second factor beyond the password: OTP, push, biometrics, or FIDO2.
Single sign-on. One login across multiple apps, brands, and sub-brands.
Authorization & policy engine. Centralized rules for who can do what: RBAC, ABAC, and transactional policy.
Session management. Granular session lifetime, scoping, and revocation.
Open standards support. OAuth 2.0, OIDC, SAML 2.0, FIDO2, SCIM, and UMA.

Consumer Experience & Journey what to ask →

0 Generic vendor login screens, no brand, and no view of where customers drop off. 1 Logo-and-color theming only; journeys are fixed; little funnel insight. 2 Fully branded screens with standard hosted journeys and basic conversion analytics. 3 Visual, no-code journey orchestration with conditional branches and friction tuned to risk. 4 Continuously optimized, personalized journeys with full funnel analytics feeding experimentation.

Capabilities behind this domain

Branded / white-label UI. All consumer-facing screens match the brand's look and feel.

Privacy, Consent & Compliance what to ask →

0 No real consent capture; a single blanket checkbox at best. 1 Consent stored as one flag; data-subject requests handled manually. 2 Per-purpose consent capture with a documented DSAR workflow. 3 Consent dashboard with withdrawal that propagates, backed by a tamper-evident audit trail. 4 Real-time consent propagation to downstream systems and a regulator-ready evidentiary log across regimes.

Capabilities behind this domain

Consent capture. Collect explicit consumer consent at the right moments.
Consent granularity. Fine-grained, per-purpose consent rather than blanket terms.
Consent dashboard & withdrawal. Consumer reviews and withdraws consent, propagated across systems.
Consent audit trail. Long-lived, queryable, evidentiary record of every consent event.
Data subject rights (DSAR). Support GDPR and CCPA rights to access, delete, and port data.
Regulatory coverage. Built-in workflows for GDPR, CCPA, HIPAA, and other regimes.
Right to be forgotten. Delete consumer data on request, including downstream propagation.

Data, Analytics & Intelligence what to ask →

0 Identity data is siloed per app, with no unified profile and a rigid schema. 1 A central directory exists but the schema is fixed; reporting is batch and manual. 2 Flexible profile schema, one customer view within a brand, and basic analytics. 3 Unified profile across brands and channels, exposed as a real-time identity event stream. 4 Resolved customer identity feeding ML for fraud, personalization, and marketing in real time.

Capabilities behind this domain

Identity repository. Central directory store for consumer profile data.
Profile schema flexibility. Add, remove, or modify attributes without downtime.

Integration & Extensibility what to ask →

0 No public APIs; every change requires vendor professional services. 1 Some REST endpoints but no SDKs; integration is manual and brittle. 2 Documented REST APIs and mobile SDKs covering the core actions. 3 Full API/SDK parity with the console, plus webhooks or event streams and config as code. 4 Identity managed as code through CI/CD, with a rich connector ecosystem and extensibility hooks.

Capabilities behind this domain

REST APIs. Documented APIs for registration, auth, profile, admin, and query.
Mobile SDKs. Native iOS and Android SDKs for auth, biometrics, and push.

Security & Threat Protection what to ask →

0 Passwords stored weakly, no account-takeover defense, and no certifications. 1 Hashed passwords and TLS, but abuse is handled reactively and by hand. 2 Password hardening with breach checks, basic bot/ATO protection, and SOC 2 or ISO 27001. 3 Risk-based account-takeover and bot defense, SIEM export, bring-your-own-key, and current certifications. 4 Predictive fraud and device intelligence, threat-intel-driven defense, and sector-specific certifications.

Capabilities behind this domain

High-security data storage. Encryption at rest, key management, and bring-your-own-key.
Encryption in transit. TLS everywhere with modern ciphers.
Account takeover protection. Detect and block credential stuffing, stolen credentials, and bots.
Bot & DoS protection. Withstand denial-of-service and automated abuse.
SIEM integration. Export normalized identity events to security analytics.
Compliance certifications. Independently verified SOC 2, ISO 27001, and sector standards.
Password hardening. Hashing, salting, denylists, and breach checks.

Architecture, Scale & Operations what to ask →

0 Single region, scaled by hand, with no uptime commitment and no disaster-recovery plan. 1 Hosted SaaS on best-effort uptime; scaling needs intervention and DR is limited. 2 Auto-scaling SaaS with documented availability and multi-AZ with basic disaster recovery. 3 Multi-region high availability with contractual SLAs, RPO/RTO targets, and flexible deployment models. 4 Elastic, sovereign-capable deployment with strong SLAs proven at launch-day scale.

Capabilities behind this domain

Deployment model. SaaS, PaaS, on-premise, or hybrid options.
Dynamic scalability. Scale with demand without operator intervention.
High availability & DR. Multi-AZ and multi-region with RPO and RTO SLAs.
Performance SLA. Latency, throughput, and uptime guarantees.

Administration & Governance what to ask →

0 One shared admin login, changes made directly in production, and no audit log. 1 A basic admin console with no delegation and minimal change control. 2 Role-based admin console with immutable audit logging of admin actions. 3 Delegated, scoped administration per brand or tenant, with config promotion and rollback. 4 Governed change management with approval workflows, tenant isolation, and queryable audit across the estate.

Capabilities behind this domain

Admin console. Operator UI for managing apps, users, and policies.
Audit logging. Immutable logs of admin and consumer actions.
Support SLA & service model. Vendor support quality, escalation, and engagement model.

Your CIAM maturity

Your profile across the nine domains

Contribute my anonymized scores to the CIAM maturity dataset. No email and no identifying information — just the nine 0–4 numbers, pooled for a future “State of CIAM Maturity” report.

Match me to platforms Compare platforms in the directory →

Directional and for your own planning. Score yourself before you score vendors — the requirement that matters is your gap, not the feature list.

Independent and vendor-neutral. Sponsored placements are always labeled.

Neutrality charter · Methodology · Privacy · Disclaimer

© 2026 Innesta LLC. An independent CIAM project.