There is little point in creating policies if they are not enforced. Just imagine how ineffective building codes would be if they were not enforced. Enforcement is not a duty that can fall to a committee. Neither should the same operational group that is supposed to be providing service enforce policy. It's impossible to provide good customer service and be the police force at the same time. Usually enforcement is a function of the CIO's office and is separated from operations so that customers see operations as helping solve the problem, rather than causing it.
Make sure policies are promulgated effectively to those who need to see them. As part of this effort, you might consider developing a training program around your policy suite and including this program in new employee orientation, management training, and other meetings as appropriate. Sometimes things like online quizzes, with prizes for completion, can be effective for measuring employee understanding of important policies.
Include an acknowledgment statement in every policy. Sometimes this is appropriate for individual users, but also consider having the leaders of organizations affected by the policy acknowledge that they've read it and that their organization is in compliance. If they can't sign a compliance statement, be sure to have a program for helping them develop a roadmap that takes them to compliance, and require reporting at major milestones in the roadmap.
One of the most effective techniques for measuring and encouraging compliance is to conduct periodic audits. Here are some important points to remember when planning and carrying out audits:
Make sure you have approval to conduct the audit.
Don't exclude groups or individuals such as the IT department and executive management from audits.
Don't announce the audit ahead of time.
Find creative ways to make audits non-punitive where possible. As silly as it sounds, just leaving candy or rocks in someone's office after an audit as a measure of their compliance can alert people to problems in a non-threatening way.
Develop standard audit forms.
Develop custom audit procedures for each type of policy. For example, a password audit is very different from an audit of coding practices.
Make sure the audit does not unduly interfere with revenue-producing activities.
Document and share the results.
Remember that the point of policies and enforcement is to create a context within which a working digital identity infrastructure can be built and operated. Enforcement actions should consequently be aimed at helping projects, organizations, and employees come into compliance rather than extracting punishment.