We're mandated to allocate IT costs to the service level, but this creates friction with Identity & Access Management (IAM). The issue: non-negotiable security costs (MFA, SSO, governance) often exceed the cost of low-value services they protect (e.g., internal portals), leading to business owner pushback. How have you addressed this "Low-Value Service Paradox"? Do you keep foundational SSO/basic provisioning as corporate overhead or allocate everything? Do you use risk- or value-weighted allocation to subsidize essential, low-cost services? Who owns the final decision on allocation formulas—Finance, CIO Council, or Security? Please share specific solutions and governance models that have made IAM cost allocation fair and sustainable.

2 Comments
CIO, 22 days ago

There are certain things that are really non-negotiable and very much in the technical weeds. I would create a category of base IT things that everyone needs to have. The ability to access systems and have security around them belongs in that category. If it's necessary to charge out, do it by number of employees.

CIO in Banking, 22 days ago

If it were me, I would change the business mindset that MFA, SSO, IAM, etc. are NOT low-value services and are actually high-value services to ensure the business is protected and the users have proper and easy-to-use access. I would put the cost of engineering and cost of product as corporate overhead but then calculate different request costs based on complexity. Businesses don't really understand all the effort that goes into adding a new user, going through a reorganization, and simply maintaining an RBAC. We have begun educating our business since they really had no idea how anyone ever got provisioned.
