Some things stay quiet until they fail.
Identity is one of those things. It moves in the background: users, roles, groups, integrations, tokens, sign-ins. Everything works until someone asks two questions at the same time:
"Who decides this?"
and
"Why was this done this way?"
That is when you realize IAM is not only technology. It is ownership. And ownership rarely sits in one person's calendar.
Everyday IAM: not dramatic, but decisive
IAM initiatives rarely begin with a crisis. They begin with a small, reasonable need.
One application wants SSO.
Another needs MFA.
A third asks for provisioning "quickly, just this once".
Someone else says the word audit a little too casually.
Then the scope grows. Entra ID, application sign-ins, identity lifecycle, partners, customers, access requests, authorization models. At some point it starts to feel like the system was not designed - it just grew.
And that is normal. For most organizations, that is IAM's default state.
Why the Fractional Head of IAM exists
Because a full-time IAM leader is rarely hired exactly when the need is highest.
The need usually appears quickly.
Sometimes it surfaces in a side remark, sometimes in a project kickoff. Often it is the moment when it becomes obvious that IAM is not "one work package", but the condition for everything else.
- B2B CIAM cannot cover authorization properly. The solution handles authentication, but not partner, organization, and role-based authorization needs - and digital service renewal stalls because "who can do what" stays unresolved.
- IAM renewal is coming, and the whole scope gets out of hand. The current setup no longer scales or has reached end-of-life, but there are too many requirements, dependencies, and decisions for one project manager or architect.
- Procurement is coming, but requirements are fragmented. Everyone has an opinion and a wish list, but boundaries, evaluation criteria, and decision rationale are missing. Vendors begin to drive the conversation.
- Delivery starts, but ownership and decision-making keep shifting. Technical work progresses, but without a shared line the solution takes shape sprint by sprint - and no one is steering the whole.
- Audits raise findings without a clear owner. Access governance, MFA, logging, and process fixes are needed, but the fix list too easily becomes everyone's and no one's responsibility.
Hiring does not get solved in a week. Yet something still needs to move now.
That is why the fractional model is practical: you get senior IAM leadership for an agreed number of days per month - without reorganizing your whole company around a new hire first.
What a Fractional Head of IAM actually does
This is not "a consultant sharing opinions". And it is not "an architect drawing diagrams and disappearing".
The Fractional Head of IAM is an accountable leadership role that does what is needed so things move for real.
In practice, this often means:
1) Situation picture and decision points
First, we clarify where things stand. Not with endless analysis, but at a level where decisions can be made.
What matters most right now?
Where do dependencies come from?
Where is risk truly high - and where is it just loud?
2) Target state and roadmap
In IAM, "let's improve this a bit" is not enough. You need a direction that lasts.
The target state is not only technical. It is also an operating model: ownership, decision-making, controls, and how IAM fits daily work.
Then we define a concrete 12-24 month roadmap. One that the organization can actually live with.
3) Architecture and integration steering
SSO, MFA, provisioning, authorization models. Integrations. Identity lifecycle. Logging and operability.
Technology is rarely the hardest part. The hard part is when technical decisions are made without a shared line - and later everyone wonders why the whole does not hold together.
The Fractional Head of IAM keeps that line coherent.
4) Procurement and vendor selection
This is one of the most common triggers.
When procurement is approaching, the biggest risk is letting the vendor define your problem. Requirement lists grow, scoring does not lead to the right choice, and demos reward the best presenter - not the best fit for your environment.
In this role I help define:
- scope and requirements
- evaluation criteria and scoring model
- demo/PoC criteria
- decision material for leadership
5) Delivery leadership and operating rhythm
Once the technology and implementation vendor has been selected, the work that never appears in sales pitches begins.
Regular rhythm, decision-making, delivery steering, vendor collaboration, and risk management. The phase where "we should" becomes "we do".
The key promise: an operating model that takes root in daily work, not in slide decks.
Who this is for
Usually organizations where IAM is already critical - or quickly becoming critical.
- CIO/CISO/IT leadership that needs ownership and momentum
- organizations preparing IAM/CIAM/IGA/PAM procurement
- initiatives in flight that need tighter leadership
- environments where audit, regulation, or risk requires doing IAM properly
Why Grasperk
I am Mikko Nurmi. I have over 19 years of experience in identity and access management (IAM). In the Fractional Head of IAM role, I combine strategic guidance with technical delivery leadership and support procurement, architecture, and delivery steering. My background spans international and Finnish consulting firms as well as Finland's digital identity ecosystem.
You get an agreed amount of senior IAM leadership each month - exactly when the need is highest.
If this resonated: start small
The best way to start is usually a 30-minute discovery session. No commitment, no complicated process.
We will cover:
- what your current situation and key trigger are
- what should be done first
- and what rhythm gets the whole effort under control
If we are not the right fit, that will become clear quickly. That is valuable too.
