Predefined IAM guidelines define the target status of certain issues and can be customised by you. It is therefore helpful if you define the threshold values yourself for when something becomes critical from your point of view. For example, how many user accounts with full access do you want to allow in a certain system or how many group memberships can a user account have? And, and, and... If such a policy is active, it continuously checks the actual status against the desired target status (i.e. against the policy) and immediately alerts you to any irregularities. This way, you can be sure that your IAM database is really clean.