IAM (Identity and Access Management): Definition, How It Works, and Where You’ll Encounter It
IAM (Identity and Access Management) is the discipline and tooling used to create, manage, and secure digital identities—and to control access to resources. In practice, IAM governs:
IAM (identity and access management) is the set of people, processes, and tools that controls who can access what, when, and under what conditions. If you manage cloud accounts, SaaS apps, endpoints, or internal systems, IAM is the foundation that decides whether a user (or service) is allowed to sign in and what they can do afterward.
How IAM works (the core building blocks)
IAM is rarely a single product. It’s an ecosystem that typically includes an identity provider, policy/role management, enforcement points, and logging.
1) Identity creation and lifecycle (joiner/mover/leaver)
- An identity can represent a human (employee, contractor, customer) or a non-human entity (service account, workload, API client).
- Identities must be provisioned, updated as roles change, and deprovisioned promptly when access should end.
- Strong IAM programs integrate with an authoritative source (often HR) and automate lifecycle changes to reduce orphaned accounts.
2) Authentication (AuthN): proving who you are
Authentication factors typically fall into:
- Something you know (password, PIN)
- Something you have (authenticator app, hardware key)
- Something you are (biometrics)
Modern IAM emphasizes: - MFA (multi-factor authentication) - Phishing-resistant authentication when possible (FIDO2/WebAuthn) - Conditional access (device posture, location, risk signals)
If you’re moving away from passwords, passkeys are a common next step—see: what is a passkey.
Practical tooling note (affiliate, optional): For teams standardizing MFA and vaulting shared secrets during transitions, a managed password manager can help—e.g., 1Password: Try 1Password →.
3) Authorization (AuthZ): determining what you can do
Authorization is typically expressed through:
- Roles (e.g., “Billing Admin”)
- Groups (e.g., “Finance”)
- Policies (allow/deny rules with optional conditions)
Common models you’ll see: - RBAC (Role-Based Access Control): access through roles - ABAC (Attribute-Based Access Control): access through attributes (department, device trust, data classification) - ReBAC (Relationship-Based Access Control): access based on relationships (common in collaboration apps)
4) Enforcement points (where decisions get applied)
IAM decisions must be enforced somewhere, such as:
- Cloud control planes (infrastructure actions)
- Applications and APIs (business actions)
- Reverse proxies / gateways / policy enforcement points (PEPs)
Even with centralized identity, enforcement is distributed—so consistency and visibility matter.
5) Session and token management
After authentication, systems issue session artifacts like cookies or tokens (often OAuth2/OIDC-based). Key considerations:
- Short-lived tokens for sensitive operations
- Session termination on risk events (account compromise suspicion)
- Avoiding long-lived secrets for non-human identities when federation/workload identity is available
6) Auditing and monitoring
IAM should produce reliable logs for:
- Sign-in events (success/failure, MFA, device, IP, geo)
- Privilege changes (role assignments, policy edits)
- Resource access attempts (allowed/denied)
Those logs feed detection and response—because identity misuse is often the earliest observable signal of compromise.
Technical notes: What IAM looks like in practice
Common log events and what to hunt for
Across your IdP, cloud, and SaaS logs, watch for:
- Repeated failed logins followed by success (password spraying / credential stuffing)
- MFA fatigue patterns (many push prompts) or MFA method changes
- New device or “impossible travel” sign-ins
- Privilege escalation: role/group added, admin consent granted, policy changed
- OAuth/token anomalies: refresh token reuse, unusual client IDs, suspicious new app integrations
Example SIEM-friendly query ideas (pseudo):
# Failed logins by user + IP
event_type="login_failed" | stats count by user, src_ip | where count > 20
# Privilege assignment events
event_type IN ("role_assigned","group_added","policy_updated") AND actor != "automation"
A simple least-privilege policy mindset
When defining access, prefer:
- Deny by default
- Grant the minimum actions needed
- Scope to specific resources
- Add conditions (time, network, device trust) where supported
Illustrative policy “shape”:
{
"effect": "allow",
"actions": ["read:invoices", "export:invoices"],
"resource": "finance/invoices/*",
"conditions": {
"mfa_required": true,
"device_trust": "managed",
"ip_range": ["203.0.113.0/24"]
}
}
Service identity hygiene (avoid long-lived secrets)
Prefer, when supported:
- Workload identity / federation (short-lived, auto-rotated credentials)
- Tight scoping to only required actions/resources
- Environment segregation (dev/test/prod identities and permissions)
Red flags: - Shared service accounts used by multiple teams/apps - Keys that never expire - “Admin” permissions granted “temporarily” that become permanent
Where you’ll encounter IAM (common scenarios)
1) Cloud platforms
- Creating users and groups, attaching roles/policies, managing service identities, and auditing activity
- High impact: cloud IAM can control infrastructure, storage, and key management
2) SaaS applications
- Enabling SSO, enforcing MFA, controlling access to features, and managing external sharing
- Integrating many SaaS apps into a central IdP and standardizing access reviews
3) Enterprise endpoints and internal apps
- Device login, VPN/ZTNA access, file shares, internal apps, and databases all rely on IAM concepts
- “Legacy” environments often mix a directory service with app-local accounts, increasing orphaned access risk
4) DevOps and CI/CD
- Pipelines, registries, IaC, and secret stores rely heavily on non-human identities
- Compromised CI tokens/runners can have massive blast radius—treat them as privileged
5) Incident response and forensics
IAM logs help you answer:
- Which identities authenticated?
- From where, when, and how (MFA method, device)?
- What permissions changed?
- What actions were taken?
Many containment actions are IAM actions: reset credentials, revoke tokens, disable accounts, remove risky app integrations.
6) Compliance and governance
Audits often focus on:
- Privileged access controls
- MFA coverage
- Deprovisioning timeliness
- Access reviews and evidence
Practical next steps (quick checklist)
- Inventory identities: humans, service accounts, third parties
- Enforce MFA everywhere feasible; prioritize phishing-resistant methods
- Remove unused accounts and stale access; formalize joiner/mover/leaver automation
- Lock down admin access (JIT where possible) and monitor privilege changes
- Centralize logs and alert on sign-in anomalies and role/policy edits
If you’re looking for more “how-to” guidance on tightening policies and enforcement, see: how to secure open policy agent opa deployments.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
Related terms
System that stores identities and performs authentication.
Verifying an identity (password, passkey, MFA, certificate).
Determining permissions—what actions are allowed on which resources.
One sign-in that provides access to multiple applications via federation.
Trust relationship that lets an IdP authenticate users to apps (often SAML or OIDC).
Multiple factors to reduce account takeover.
Only the access required, nothing more—ideally time-bounded for admin work.
Role-based vs attribute-based access models.
Controls/monitoring for admin access (JIT elevation, session recording).
“Never trust, always verify”; IAM plus device/context signals drive access decisions.