I am currently completing a masters in cyber security and my final work is on IAM and why it seems to continue to be a problem despite being a longstanding security fundamental and many organisations investing significant funds into the problem...
I have worked at a few places where sustainability of good IAM seems to be a challenge.
My own working theory is that it is seen as a technology problem when in fact it is a business process which needs technology support and that controls degrade after investment due to poor connection with wider corporate governance.
If anyone has any thoughts and views they would be very welcome.
I guess large organisations have very complex processes and IAM works extremely well in a standardized environment. The real challenge is achieving the level of flexibility and complexity in the system and yet get it working.
It is a business relationship issue. If your business is able to define its capabilities and business processes you can then develop a security model that can be maintained. Most businesses can't describe their processes and what it takes to operate.
Most IAM systems end up with a mix of what they think is RBAC and then a pile of direct assignments. This amounts to a lack of rules and application of rules.
The key is to first understand actions, actors, relationships (including customers/personas), and the resources that are acted upon. (also remembering that processes and data are resources)
You are correct that it is not a technical issue at first. Although you can make a bad situation worse with IAM technology.
Okay, so here are a few points.
Larger organisations are more likely to have heterogeneous environments (particularly if they have grown by merger) and, especially, legacy systems. IAM solutions (process and technical) deal less well where you have to control numerous different scopes.
Movers & leavers. In a small organisation, you know about people leaving or changing roles. In larger organisations, it may take IT ages to find out (and HR may deliberately hide the fact that some people have left.)
Greater granularity. The more you split up your IAM roles, the harder it is to keep up to date. Larger organisations will (usually) have different privileged roles for different areas - a small company might have a few people who are admins for everything.
Edge cases - the more complex your organisation, the more people you will have who don't fit in a nice neat IAM role. And will require exceptions.
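The two replies above describe the same drift from different angles: an RBAC model that silently fills up with direct assignments, and movers and leavers whose access IT only hears about late. The following Python script is an added example written for this thread, not code posted by any participant. It reconciles a constructed IAM entitlement export against a constructed HR feed and reports the three kinds of drift mentioned: direct grants that bypass the role model, entitlements still held by leavers, and role grants that no longer match a mover's current department. The record shapes, department-to-role mapping, user names and entitlement names are all assumptions invented for the example.

```python
"""Drift audit: reconcile an IAM entitlement export against an HR feed.

Constructed example, not code from any post in the thread. Every record
below is invented; the HR feed shape and the role model are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    user_id: str
    department: str      # current department per HR (assumed source of truth)
    status: str          # "active" or "left"


@dataclass(frozen=True)
class Assignment:
    user_id: str
    entitlement: str
    source: str          # "role:<name>" when granted via RBAC, "direct" otherwise


# Assumed role model: which roles each department is entitled to hold.
ROLE_MODEL = {
    "finance": {"role:finance-analyst"},
    "engineering": {"role:dev"},
    "it": {"role:dev", "role:sysadmin"},
}

# Constructed HR feed: carol has left; bob moved from finance to engineering.
HR_FEED = [
    Person("alice", "finance", "active"),
    Person("bob", "engineering", "active"),
    Person("carol", "it", "left"),
    Person("dave", "engineering", "active"),
]

# Constructed IAM export: the mix of RBAC grants and direct grants the thread describes.
ASSIGNMENTS = [
    Assignment("alice", "gl-read", "role:finance-analyst"),
    Assignment("alice", "gl-post", "direct"),
    Assignment("bob", "gl-read", "role:finance-analyst"),
    Assignment("bob", "repo-write", "role:dev"),
    Assignment("carol", "server-root", "role:sysadmin"),
    Assignment("carol", "repo-write", "role:dev"),
    Assignment("dave", "repo-write", "role:dev"),
    Assignment("dave", "server-root", "direct"),
]


def direct_assignments(assignments):
    """Grants made outside the role model: each one is an undocumented exception."""
    return sorted((a.user_id, a.entitlement) for a in assignments if a.source == "direct")


def direct_share(assignments):
    """Fraction of all grants that bypass RBAC; a rising value means the model is eroding."""
    if not assignments:
        return 0.0
    return len([a for a in assignments if a.source == "direct"]) / len(assignments)


def leaver_access(people, assignments):
    """Entitlements still held by people HR reports as having left."""
    left = {p.user_id for p in people if p.status == "left"}
    return sorted((a.user_id, a.entitlement) for a in assignments if a.user_id in left)


def mover_drift(people, assignments, role_model):
    """Role-based grants whose role is not allowed for the holder's current department."""
    dept = {p.user_id: p.department for p in people if p.status == "active"}
    findings = []
    for a in assignments:
        if a.user_id in dept and a.source.startswith("role:"):
            if a.source not in role_model.get(dept[a.user_id], set()):
                findings.append((a.user_id, a.source, dept[a.user_id]))
    return sorted(findings)


def audit(people=HR_FEED, assignments=ASSIGNMENTS, role_model=ROLE_MODEL):
    """One report an access review board can action; the counts are what you trend over time."""
    return {
        "direct": direct_assignments(assignments),
        "direct_share": round(direct_share(assignments), 2),
        "leavers": leaver_access(people, assignments),
        "movers": mover_drift(people, assignments, role_model),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

The point of keeping the HR feed as the only source of truth for status and department is that the audit then measures the governance gap directly: every finding is a place where the IAM system and the business record disagree, which is exactly the disconnect the original question is asking about. Running this on a schedule and trending `direct_share` gives a number the board can watch, rather than a one-off clean-up that decays again after the project budget is spent.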