An optimal customer identity and access management (CIAM) architecture supports human, agent, and machine identities in verification, registration, authentication, authorization, and self-service use cases. This report outlines the key steps that security and risk (S&R) professionals must take to govern, measure, build, rebuild, and test CIAM frameworks to realize data-driven, objective, balanced, and sustainable improvements.