I spent Tuesday chairing the IDM09 conference in London, an event that pulled in hundreds of people interested in the state of play in identity management. It was an opportunity to discover more about a subject that I've tended to skirt in the past, having been deterred by vendors' point/counterpoint arguments and the occasionally mind-numbing swirl of concerns over privacy, data integrity, the law and politicking.

The speakers were strong, (mostly) sticking to their 15-minute deadlines and focusing (mostly) on user case studies. Perhaps the best was given by Alex Waddell of Australian financial services group NAG, who gave a lucid exposition of pragmatic IT architecture, not ignoring the need to attain C-level sponsorship, display ROI and communicate what's going on in IDM projects early, throughout the process and at the end of deployments. As Simon Veale of Oxford Computer Group suggested, it might be best to think of identity management projects as a string of people-and-process change management challenges with some technology to come at the end.

There were also excellent addresses from Simon Godfrey of CA on Liverpool Victoria's IDM deployment, Joe Baguley of Quest Software on Microsoft Active Directory as a platform for IDM, David Kerr of the University of Salford, Steve Robinson of VocaLink, Jamie Bodley-Scott of The Jericho Forum, Ian Cooper of Hampshire County Council, Robin Wilton of the Kantara Initiative and Tunde Ishola of Winchester and Eastleigh NHS Trust.

But what struck me forcibly was that although identity management has been around as a live topic for many years, best practice is still emerging. That's hardly surprising given the febrile conditions we live in today. A changing business scene contains a macro economy still in flux, potential for huge merger/demerger disruption and uncertainty as to whether IDM is really a governance exercise or a cost-saving and efficiency sell. We have a state environment featuring cost-cutting and facing probable regime change and calls for European and US alignment in the public/government sector.

And then there is a lack of clarity on where IDM goes next: how to arrive at a solution that works today and one that works tomorrow, in an age of federated identities where a single source of identity might make proving yourself to be who you are the metaphorical passport to automating the battle against crime, red tape and general complexity. Finally, in a world where there is a great deal of pushback against the command-and-control style of IT management, I didn't hear a convincing argument about how IDM might not need to adapt to users who are given the right to buy their own systems and who habitually download their own productivity tools for iPhones, disclose information over social networks or use web-based services such as free email or storage clouds for convenience.

There's a conundrum here. IDM is generally agreed to be A Good Thing and single sign-on much to be preferred over collections of passwords or tokens, but everybody seems to have a different idea of how you get there. It's slow going, you might argue, but then identity management might well be the most important puzzle to solve in technology today.