Ooh, the follow-up question! lol
I currently work for a sw coding training company. I am on the implementation side, so often work with client AD/IAM teams (anyone who wants to use SSO to access our training platform).
Prior to this was in consulting working with orgs on security hygiene, posture, risk, etc. and before that building infosec programs in corporate America.
In the regulated industries, esp. Financial Services and Healthcare, they are req’d to show user access to apps and data when audited. Using IAM (especially if it is integrated with an HR app such as Workforce) allows the client to quickly/easily provide the “evidence” required. (NOTE: this is RARELY a quick & easy task lol).
So, if you think about how many apps a large org could use, it could be in the hundreds or thousands (and maybe in the low 10,000s of apps). The trick is to prioritize the apps in terms of risk, and connect them (SAML/SSO) to a user in a way that makes it easy to ID user access ability and frequency.
Having a dedicated IAM team allows IT Ops to focus on uptime and ops while offloading the AD mgt (groups, users, etc). In a complex environment that takes ppl, which creates a team. Even more, it is ideal to maintain a core group of ppl (team) doing this work b/c they understand the intricacies of how apps connect to data AND restrictions on who can/can't access specific data.
Using our own SCW platform as an example, there are 3 roles in descending order: Company Admins, Team Managers, End Users (developers). A user can only be assigned 1 role. A Company Admin can assign Assessments to Team Managers and Developers, but is not able/allowed to take an Assessment. This is because the Assessments are used for compliance and there are no checks and balances on if the CA actually took and passed the Assessment! lol
Right? “hey CA did you take your Assessment?” “Of course I did! and passed with 100%!” hahaha, right. /s
In regulated industries, it is the same situation. Orgs (and their regulators and auditors) may not want an exec to have the same or greater privileged access to an application OR may not want an entire dept to have access to an app or dataset if only a handful of ppl really need it.
BTW, seasoned execs learn/know: the higher up you go, the less access you want. This is b/c the liability and risk are that much greater.
Hope this helps. Good luck in your new gig.
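The one-role-per-user model and the "admin assigns but cannot take an Assessment" rule from the reply above, plus the access report an auditor would ask for, as an added Python example that is not code from the post or from the SCW platform. The three role names come from the post; the permission names, the Team Manager's permissions and the `Directory` class are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Role(Enum):
    COMPANY_ADMIN = "company_admin"
    TEAM_MANAGER = "team_manager"
    DEVELOPER = "developer"


# Role -> permitted actions. "take_assessment" is deliberately absent for
# COMPANY_ADMIN: the role that assigns compliance assessments cannot also
# self-certify by taking one (separation of duties). TEAM_MANAGER taking an
# assessment is an assumption; the post only says they can be assigned one.
PERMISSIONS: Dict[Role, frozenset] = {
    Role.COMPANY_ADMIN: frozenset({"assign_assessment"}),
    Role.TEAM_MANAGER: frozenset({"take_assessment"}),
    Role.DEVELOPER: frozenset({"take_assessment"}),
}


@dataclass
class Directory:
    """Single source of role assignments (hypothetical stand-in for the IdP)."""
    roles: Dict[str, Role] = field(default_factory=dict)
    # Every access decision is recorded: (user, action, allowed).
    decisions: List[Tuple[str, str, bool]] = field(default_factory=list)

    def assign_role(self, user: str, role: Role) -> None:
        # Enforce "a user can only be assigned 1 role": no silent overwrite.
        if user in self.roles:
            raise ValueError(f"{user} already holds {self.roles[user].value}")
        self.roles[user] = role

    def check(self, user: str, action: str) -> bool:
        """Deny by default: unknown users and unlisted actions are refused."""
        role = self.roles.get(user)
        allowed = role is not None and action in PERMISSIONS[role]
        self.decisions.append((user, action, allowed))
        return allowed

    def access_report(self) -> Dict[str, List[str]]:
        """Who can do what: the per-user access 'evidence' an auditor asks for."""
        return {u: sorted(PERMISSIONS[r]) for u, r in sorted(self.roles.items())}
```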