Contact us
All posts

How to brief your board on identity risk without putting them to sleep

Most IAM leaders brief on what their team does. Boards want to know something else — and the gap decides whether the program gets funded.

Roni Lichtman Roni Lichtman, CTO

Most IAM leaders brief on what their team does. Boards want to know something else.

You walk in with twenty-five slides — program-maturity heatmaps, entitlement-coverage statistics, a three-year roadmap. The board nods politely. Two of them check their phones during slide 14. The chair thanks you for "a thorough presentation."

Three weeks later, your budget request comes back trimmed. The feedback, delivered through your CISO: "they couldn't tell what the actual risk was."

This is the universal experience of the first board briefing on identity. Sometimes the second one too. The failure isn't the data — your program metrics are probably fine. The failure is the translation layer.

Briefing a board on identity risk is a different skill from running an identity program. And it's the skill that decides whether the program gets funded.

Why identity is uniquely hard to brief

Three reasons identity is harder than other security domains to brief on.

It's invisible until it isn't. A board understands a stolen laptop. They can picture a phishing email landing in an executive's inbox. They do not have a mental model for "an over-permissioned service account in a system nobody has logged into in six months." The concept doesn't connect to anything in their experience.

The metrics that matter most are negative space. You're describing what didn't happen, what could happen, and what's not in scope. That's a hard story for any audience, and a particularly hard one for an audience trained to make decisions from balance sheets and forward forecasts.

Identity touches every business function. HR, IT, every line of business, every M&A integration. Which is true, and important, and also means no single executive at the table feels ownership of the problem. Endpoint has a clear owner. Identity sits between owners.

If you walk in without addressing these three structural difficulties — even implicitly — the briefing fights an uphill battle that has nothing to do with how good your data is.

The four questions every board actually wants answered

Boards don't want your maturity model. They want answers to four questions, in roughly this order:

Are we in a worse position than our peers? This is the first question every board asks about every risk. They're comparing the company to a benchmark, not to a theoretical ideal. If the answer is "yes, we're behind," you have their attention. If "we're average," it's a different conversation. If "we're ahead," they want to know why we're spending more.

What's the one thing that would actually take us down? Boards think in terms of company-killing scenarios. Not "the average breach." The specific scenario that, if it happened, would be a Wall Street Journal headline and a regulatory response. Identity programs have these scenarios. Name yours.

What are we doing about it, and is it enough? This is the operational question. Brief, concrete, no jargon. What's the plan, what's the timeline, are the resources in place.

What do you need from us? Boards want to be useful. They want a specific ask — budget, executive sponsorship for a cross-functional decision, board-level support for a difficult vendor conversation. Vague asks get refused. Specific asks get serious consideration.

Most identity briefings answer none of these and instead answer "what does my team do?" — which is the wrong question.

The three slides you actually need

The best identity briefings are short. Most IAM leaders walk in with thirty slides. The version that actually works is three, with the rest in an appendix.

Slide 1 — The exposure. One number, one image. The number should quantify blast radius in business terms — applications handling regulated data that sit outside identity governance, accounts with standing access to crown-jewel systems, third-party identities with persistent privilege. Not a maturity score. Not a coverage percentage. A number that, when said out loud, makes a board member sit up.

Slide 2 — The story of how it gets bad. A single realistic scenario, sequenced in three or four steps. A compromised credential at a downstream vendor. Lateral movement into the legacy claims system. Access to ten years of customer PII. A regulatory disclosure within 72 hours. Boards remember stories, not statistics. The scenario you tell on slide 2 is what board members repeat to each other in two weeks.

Slide 3 — The plan and the ask. What you're doing about the exposure. What it costs. What changes when it's done. What you need from the board — budget, air cover, support on a specific decision.

Three slides. Twelve minutes of talking. The rest of the deck is appendix for the audit committee chair who wants to go deeper.

The five mistakes IAM leaders make

These are mistakes I've watched good IAM leaders make, repeatedly. Each one is fixable.

  • Leading with your org chart. No board has ever cared how your team is structured. Lead with exposure.
  • Using "least privilege" without translating it. Define it once in a business sentence — "people only have the access they need to do their jobs" — and move on.
  • Showing audit findings as a list. A list of findings is a punishment. A risk story is a briefing. Same data, different framing.
  • Quantifying in tickets, not exposure. "We closed 12,000 access requests last quarter" is operational and forgettable. "We reduced standing privilege to crown-jewel systems by 40%" is strategic and credible.
  • Asking for budget without naming what gets worse. Every ask should be paired with a sentence describing what specifically degrades if it doesn't get funded. Boards reward leaders who name the tradeoff. They distrust leaders who don't.

Translation is the job

The board doesn't need to understand identity. They need to understand exposure.

The IAM leaders who get budgeted, who get heard in the executive risk committee, and who get promoted into broader security leadership are the ones who learn to translate the second into the first. The translation is the job — at least the part of the job the board sees.

Your program's maturity will be evaluated by people who will never read your runbooks. Brief them accordingly.