Identity and Access Management (IAM) is the discipline of ensuring the right people have the right access to the right resources at the right time — and that this is provable, auditable, and revocable. IAM encompasses authentication (proving who you are), authorization (determining what you can do), and the lifecycle management of identities from provisioning to deprovisioning.
IAM failures are behind a large share of security breaches: stolen or misused credentials are consistently among the most common initial access vectors in published breach reports. Weak or reused passwords, overprivileged accounts, orphaned credentials left behind by former employees, unowned service accounts, and missing or phishable multi-factor authentication all fall under IAM's scope. Strong IAM programs combine technical controls (MFA, least-privilege roles, automated deprovisioning) with governance processes, such as periodic access reviews, that keep granted access aligned with actual business needs.
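The kind of check a practitioner runs to catch the failures listed above is an access reconciliation: compare what the identity provider has granted against the HR system of record and a role baseline, and flag anything that does not line up. The script below is an added example, not code from the original page; the HR roster, account inventory, department role baseline and the 90-day staleness threshold are constructed sample data and assumed values chosen for illustration.

```python
"""Access reconciliation: flag orphaned, overprivileged, stale and
weakly authenticated accounts.

Added example (not from the original page). All data below is
constructed sample input; the 90-day staleness threshold is an assumption.
"""
from datetime import date

# Constructed: the HR system of record for who is (still) employed.
HR_ROSTER = {
    "alice": {"status": "active", "department": "engineering"},
    "bob": {"status": "terminated", "department": "finance"},
    "carol": {"status": "active", "department": "finance"},
}

# Constructed: accounts as exported from the identity provider.
ACCOUNTS = [
    {"user": "alice", "roles": ["developer"], "mfa": True,
     "last_login": date(2024, 5, 2)},
    {"user": "bob", "roles": ["finance-analyst", "admin"], "mfa": False,
     "last_login": date(2024, 1, 15)},
    {"user": "carol", "roles": ["finance-analyst", "admin"], "mfa": True,
     "last_login": date(2024, 5, 30)},
    # Service account with no human owner in HR at all.
    {"user": "svc-backup", "roles": ["admin"], "mfa": False,
     "last_login": date(2024, 5, 31)},
]

# Constructed: which roles each department legitimately needs
# (the entitlement baseline a role-based access model is built on).
DEPARTMENT_ROLES = {
    "engineering": {"developer"},
    "finance": {"finance-analyst"},
}
PRIVILEGED_ROLES = {"admin"}


def reconcile(roster, accounts, dept_roles, privileged_roles, today,
              stale_days=90):
    """Return a list of (user, category, detail) findings.

    Categories: orphaned (no active HR owner), overprivileged (roles outside
    the department baseline), weak-auth (privileged role without MFA),
    stale (no login within stale_days).
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            findings.append((user, "orphaned", "no matching HR record"))
            # Without an owner there is no baseline to compare against.
            continue
        if person["status"] != "active":
            findings.append(
                (user, "orphaned", "HR status is %s" % person["status"]))

        # Least privilege: any role not in the department baseline is excess.
        allowed = dept_roles.get(person["department"], set())
        excess = set(acct["roles"]) - allowed
        if excess:
            findings.append((user, "overprivileged",
                             "roles outside %s baseline: %s"
                             % (person["department"], sorted(excess))))

        # Privileged access must be MFA-protected.
        if set(acct["roles"]) & privileged_roles and not acct["mfa"]:
            findings.append((user, "weak-auth", "privileged role without MFA"))

        # Dormant accounts are a deprovisioning gap waiting to be abused.
        idle = (today - acct["last_login"]).days
        if idle > stale_days:
            findings.append((user, "stale", "no login in %d days" % idle))
    return findings


def summarize(findings):
    """Group findings as {category: sorted list of affected users}."""
    by_cat = {}
    for user, cat, _detail in findings:
        by_cat.setdefault(cat, set()).add(user)
    return {cat: sorted(users) for cat, users in by_cat.items()}


def reconcile_sample(today=date(2024, 6, 1)):
    """Run the reconciliation over the constructed sample data."""
    return reconcile(HR_ROSTER, ACCOUNTS, DEPARTMENT_ROLES,
                     PRIVILEGED_ROLES, today)


if __name__ == "__main__":
    for user, cat, detail in reconcile_sample():
        print("%-12s %-15s %s" % (user, cat, detail))
```

On the sample data the script flags bob (terminated but still holding an admin role without MFA, and dormant), carol (admin role outside the finance baseline), and svc-backup (no HR owner at all), while alice, whose single role matches her department, produces no findings. In a real deployment the roster and account lists would come from the HR system and the identity provider's API, and the findings would feed a ticketing or access-review workflow rather than stdout.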
CISSP Relevance
IAM is the entire focus of Domain 5 of the CISSP exam, making it one of the most heavily tested areas. Candidates must understand identity lifecycle management, authentication mechanisms, access control models, federation, privileged access management, and how IAM connects to regulatory compliance requirements.
External reference: NIST SP 800-63 Digital Identity Guidelines
Related terms: Multi-Factor Authentication, Role-Based Access Control