SAN FRANCISCO – Compliance issues are moving the focus of identity management from administration of users and shifting it more toward access control and authorization to meet regulatory mandates.

The recognition of that shift was one of the highlights of this week’s Digital ID World conference, which is put on by Network World parent company IDG.

Identity management has not finished cutting its teeth on password synchronization, single sign-on, provisioning and privileges, but it is now more aligned with supporting access control, management, verification and authorization, according to Jamie Lewis, CEO of the Burton Group, who delivered a keynote presentation on the second day of the conference.

“Compliance has changed the landscape; it has changed enterprise identity management,” says Lewis. He says the foundation of identity management remains business processes and a supporting infrastructure but that the current trends suggest that users are focused on using those foundational elements for identity-based access control to systems and resources in accordance with company policies. In other words, to lock down access and log and audit such things as who is using their systems, when and what data they are accessing.

The trend has given rise to identity-based risk management, auditing and policy enforcement tools from vendors such as Aveksa, Sailpoint and Vaau.

Some users say the changes are contributing to a slowdown in the evolution of identity technology, which they say is not living up to original expectations, especially around federation.

Compliance is part of the slowdown, users say, but it is also caused by new user-centric identity models, which are fostering questions around where the true value lies in identity projects.

“We’re still at the beginning four or five years after we started,” said one IT architect for a Fortune 500 company who requested anonymity. “Progress is slower than anticipated and there is a lot of uncertainty. By this time we thought federation would be commonplace.”