Base your identity and access management (IAM) roadmap on a well-defined strategy that establishes and articulates the business need for and value of IAM across your entire organization. Your IAM roadmap should be flexible, specific, and describe short-, medium-, and long-term IAM activities for the next 18 to 24 months; it should be updated at least annually. This report gives security and risk (S&R) leaders systematic guidance on how to develop and sustain a compelling IAM roadmap.