eastbaycyber

IAM (Identity and Access Management): Definition, How It Works, and Where You’ll Encounter It

Glossary 6 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

IAM (Identity and Access Management) is the discipline and tooling used to create, manage, and secure digital identities—and to control access to resources. In practice, IAM governs:

IAM (identity and access management) is the set of people, processes, and tools that controls who can access what, when, and under what conditions. If you manage cloud accounts, SaaS apps, endpoints, or internal systems, IAM is the foundation that decides whether a user (or service) is allowed to sign in and what they can do afterward.

How IAM works (the core building blocks)

IAM is rarely a single product. It’s an ecosystem that typically includes an identity provider, policy/role management, enforcement points, and logging.

1) Identity creation and lifecycle (joiner/mover/leaver)

  • An identity can represent a human (employee, contractor, customer) or a non-human entity (service account, workload, API client).
  • Identities must be provisioned, updated as roles change, and deprovisioned promptly when access should end.
  • Strong IAM programs integrate with an authoritative source (often HR) and automate lifecycle changes to reduce orphaned accounts.

2) Authentication (AuthN): proving who you are

Authentication factors typically fall into:

  • Something you know (password, PIN)
  • Something you have (authenticator app, hardware key)
  • Something you are (biometrics)

Modern IAM emphasizes: - MFA (multi-factor authentication) - Phishing-resistant authentication when possible (FIDO2/WebAuthn) - Conditional access (device posture, location, risk signals)

If you’re moving away from passwords, passkeys are a common next step—see: what is a passkey.

Practical tooling note (affiliate, optional): For teams standardizing MFA and vaulting shared secrets during transitions, a managed password manager can help—e.g., 1Password: Try 1Password →.

3) Authorization (AuthZ): determining what you can do

Authorization is typically expressed through:

  • Roles (e.g., “Billing Admin”)
  • Groups (e.g., “Finance”)
  • Policies (allow/deny rules with optional conditions)

Common models you’ll see: - RBAC (Role-Based Access Control): access through roles - ABAC (Attribute-Based Access Control): access through attributes (department, device trust, data classification) - ReBAC (Relationship-Based Access Control): access based on relationships (common in collaboration apps)

4) Enforcement points (where decisions get applied)

IAM decisions must be enforced somewhere, such as:

  • Cloud control planes (infrastructure actions)
  • Applications and APIs (business actions)
  • Reverse proxies / gateways / policy enforcement points (PEPs)

Even with centralized identity, enforcement is distributed—so consistency and visibility matter.

5) Session and token management

After authentication, systems issue session artifacts like cookies or tokens (often OAuth2/OIDC-based). Key considerations:

  • Short-lived tokens for sensitive operations
  • Session termination on risk events (account compromise suspicion)
  • Avoiding long-lived secrets for non-human identities when federation/workload identity is available

6) Auditing and monitoring

IAM should produce reliable logs for:

  • Sign-in events (success/failure, MFA, device, IP, geo)
  • Privilege changes (role assignments, policy edits)
  • Resource access attempts (allowed/denied)

Those logs feed detection and response—because identity misuse is often the earliest observable signal of compromise.

Technical notes: What IAM looks like in practice

Common log events and what to hunt for

Across your IdP, cloud, and SaaS logs, watch for:

  • Repeated failed logins followed by success (password spraying / credential stuffing)
  • MFA fatigue patterns (many push prompts) or MFA method changes
  • New device or “impossible travel” sign-ins
  • Privilege escalation: role/group added, admin consent granted, policy changed
  • OAuth/token anomalies: refresh token reuse, unusual client IDs, suspicious new app integrations

Example SIEM-friendly query ideas (pseudo):

# Failed logins by user + IP
event_type="login_failed" | stats count by user, src_ip | where count > 20

# Privilege assignment events
event_type IN ("role_assigned","group_added","policy_updated") AND actor != "automation"

A simple least-privilege policy mindset

When defining access, prefer:

  • Deny by default
  • Grant the minimum actions needed
  • Scope to specific resources
  • Add conditions (time, network, device trust) where supported

Illustrative policy “shape”:

{
  "effect": "allow",
  "actions": ["read:invoices", "export:invoices"],
  "resource": "finance/invoices/*",
  "conditions": {
    "mfa_required": true,
    "device_trust": "managed",
    "ip_range": ["203.0.113.0/24"]
  }
}

Service identity hygiene (avoid long-lived secrets)

Prefer, when supported:

  • Workload identity / federation (short-lived, auto-rotated credentials)
  • Tight scoping to only required actions/resources
  • Environment segregation (dev/test/prod identities and permissions)

Red flags: - Shared service accounts used by multiple teams/apps - Keys that never expire - “Admin” permissions granted “temporarily” that become permanent

Where you’ll encounter IAM (common scenarios)

1) Cloud platforms

  • Creating users and groups, attaching roles/policies, managing service identities, and auditing activity
  • High impact: cloud IAM can control infrastructure, storage, and key management

2) SaaS applications

  • Enabling SSO, enforcing MFA, controlling access to features, and managing external sharing
  • Integrating many SaaS apps into a central IdP and standardizing access reviews

3) Enterprise endpoints and internal apps

  • Device login, VPN/ZTNA access, file shares, internal apps, and databases all rely on IAM concepts
  • “Legacy” environments often mix a directory service with app-local accounts, increasing orphaned access risk

4) DevOps and CI/CD

  • Pipelines, registries, IaC, and secret stores rely heavily on non-human identities
  • Compromised CI tokens/runners can have massive blast radius—treat them as privileged

5) Incident response and forensics

IAM logs help you answer:

  • Which identities authenticated?
  • From where, when, and how (MFA method, device)?
  • What permissions changed?
  • What actions were taken?

Many containment actions are IAM actions: reset credentials, revoke tokens, disable accounts, remove risky app integrations.

6) Compliance and governance

Audits often focus on:

  • Privileged access controls
  • MFA coverage
  • Deprovisioning timeliness
  • Access reviews and evidence

Practical next steps (quick checklist)

  • Inventory identities: humans, service accounts, third parties
  • Enforce MFA everywhere feasible; prioritize phishing-resistant methods
  • Remove unused accounts and stale access; formalize joiner/mover/leaver automation
  • Lock down admin access (JIT where possible) and monitor privilege changes
  • Centralize logs and alert on sign-in anomalies and role/policy edits

If you’re looking for more “how-to” guidance on tightening policies and enforcement, see: how to secure open policy agent opa deployments.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Related terms

Identity Provider (IdP)

System that stores identities and performs authentication.

Authentication (AuthN)

Verifying an identity (password, passkey, MFA, certificate).

Authorization (AuthZ)

Determining permissions—what actions are allowed on which resources.

SSO (Single Sign-On)

One sign-in that provides access to multiple applications via federation.

Federation

Trust relationship that lets an IdP authenticate users to apps (often SAML or OIDC).

MFA (Multi-Factor Authentication)

Multiple factors to reduce account takeover.

Least Privilege

Only the access required, nothing more—ideally time-bounded for admin work.

RBAC / ABAC

Role-based vs attribute-based access models.

PAM (Privileged Access Management)

Controls/monitoring for admin access (JIT elevation, session recording).

Zero Trust

“Never trust, always verify”; IAM plus device/context signals drive access decisions.

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.