What is Identity and Access Management?
Identity and Access Management (IAM) is the security discipline responsible for ensuring that the right individuals have appropriate access to technology resources. IAM encompasses the policies, processes, and technologies used to manage digital identities and control how users are authenticated, authorized, and audited across an organization's systems, applications, and data.
Core Components of IAM
| Component | Function |
|---|---|
| Identity Governance | Defines who should have access to what, based on roles and policies |
| Authentication | Verifies a user's identity (passwords, MFA, biometrics) |
| Authorization | Determines what an authenticated user is allowed to do |
| Provisioning | Creates, modifies, and removes user accounts and access rights |
| Single Sign-On (SSO) | Allows users to authenticate once and access multiple systems |
| Privileged Access Management | Controls and monitors elevated access to critical systems |
| Audit and Compliance | Logs and reviews access activity for security and regulatory requirements |
Why IAM Matters for Human Risk
IAM is the control plane that determines the blast radius when an employee is compromised. If an attacker social engineers an employee with overly broad access permissions, the damage is far greater than compromising someone with tightly scoped access. Human risk scoring should factor in IAM data - an employee's access level, the sensitivity of the systems they can reach, and whether their permissions follow the principle of least privilege. Organizations that connect their IAM data to their human risk management platform can prioritize which employees need the most protection.
Frequently Asked Questions
What's the difference between authentication and authorization?
Authentication verifies that someone is who they claim to be (usually with passwords or MFA). Authorization determines what that verified person is allowed to do. You authenticate to prove your identity, then the system authorizes your access level.
How does IAM prevent social engineering damage?
When a social engineer compromises an employee, IAM controls determine how much they can access. An employee with tightly scoped permissions (least privilege) limits the attacker's blast radius. Employees with overly broad permissions multiply the damage.
Can attackers bypass IAM controls?
Yes. Attackers target the humans who operate IAM systems. Help desk vishing tricks agents into resetting MFA or disabling controls. Phishing harvests credentials that legitimate IAM systems then accept. The strongest IAM system is still operated by humans.
What's the connection between IAM and human risk scoring?
Human risk scoring should weight access levels heavily. An employee susceptible to phishing with admin access represents far greater risk than a non-technical user with read-only permissions. Connecting IAM data to risk scoring helps organizations prioritize protection.
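The scoring idea described here and in the "Why IAM Matters for Human Risk" section above can be made concrete. The following is an added example, not code from the original page or from any vendor platform: it models each identity's IAM entitlements as (system, privilege) pairs, computes a blast-radius score from system sensitivity and privilege level, flags entitlements that exceed a hypothetical least-privilege role baseline, and multiplies the result by the employee's phishing susceptibility. All weights, roles, systems and employees are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed weights: how damaging it is for an attacker to reach a system of
# a given sensitivity, and how much a privilege level amplifies that damage.
SENSITIVITY = {"low": 1, "medium": 3, "high": 6, "critical": 10}
PRIVILEGE = {"read": 1.0, "write": 2.0, "admin": 4.0}

# Constructed inventory: which sensitivity class each system falls into.
SYSTEM_SENSITIVITY = {
    "hris": "high", "email": "medium", "prod_db": "critical",
    "ci": "high", "crm": "medium", "finance": "critical",
}

# Hypothetical least-privilege baselines: the entitlements each role is
# expected to hold. Anything beyond this is excess privilege worth reviewing.
ROLE_BASELINE = {
    "hr_analyst": {("hris", "read"), ("email", "write")},
    "sre": {("prod_db", "admin"), ("ci", "admin"), ("email", "write")},
    "sales": {("crm", "write"), ("email", "write")},
}


@dataclass
class Identity:
    user: str
    role: str
    entitlements: set[tuple[str, str]]  # (system, privilege) pairs from IAM
    phish_susceptibility: float         # 0.0 to 1.0, from awareness/simulation data
    mfa_enrolled: bool


def blast_radius(identity: Identity) -> float:
    """Impact if this identity is compromised: sum of sensitivity x privilege."""
    return sum(
        SENSITIVITY[SYSTEM_SENSITIVITY[system]] * PRIVILEGE[privilege]
        for system, privilege in identity.entitlements
    )


def excess_entitlements(identity: Identity) -> set[tuple[str, str]]:
    """Entitlements not justified by the role's least-privilege baseline."""
    return identity.entitlements - ROLE_BASELINE.get(identity.role, set())


def human_risk_score(identity: Identity) -> float:
    """Likelihood x impact. Missing MFA raises the likelihood that harvested
    credentials are accepted, capped so likelihood never exceeds 1.0."""
    likelihood = identity.phish_susceptibility * (1.0 if identity.mfa_enrolled else 1.5)
    return round(min(likelihood, 1.0) * blast_radius(identity), 2)


def prioritize(identities: list[Identity]) -> list[Identity]:
    """Highest-risk identities first: who most needs protection and review."""
    return sorted(identities, key=human_risk_score, reverse=True)


# Constructed sample: an HR analyst holding admin on finance well beyond her
# role, a low-susceptibility SRE whose admin rights match his role, and a
# highly susceptible salesperson without MFA but with limited reach.
SAMPLE_IDENTITIES = [
    Identity("alice", "hr_analyst",
             {("hris", "read"), ("email", "write"), ("finance", "admin")}, 0.6, True),
    Identity("bob", "sre",
             {("prod_db", "admin"), ("ci", "admin"), ("email", "write")}, 0.1, True),
    Identity("carol", "sales",
             {("crm", "write"), ("email", "write")}, 0.8, False),
]

if __name__ == "__main__":
    for ident in prioritize(SAMPLE_IDENTITIES):
        print(f"{ident.user:6} role={ident.role:11} blast={blast_radius(ident):5.1f} "
              f"risk={human_risk_score(ident):5.1f} excess={sorted(excess_entitlements(ident))}")
```

Run as is, the ranking puts alice first even though bob holds more admin rights: her excess finance admin entitlement combined with moderate susceptibility outweighs a low-susceptibility engineer whose access matches his role. The excess-entitlement set is the actionable output for the IAM team, while the score is what feeds the risk platform.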