Identity and Access Management (IAM) is the discipline and set of controls governing who can access what resources, how they prove their identity, and what actions they may take. IAM comprises four interconnected functions: Identification (establishing a unique identity for each user, device, or service), Authentication (verifying that a claimed identity is genuine), Authorization (determining which resources and actions an authenticated identity may access), and Accountability (logging and auditing identity activity for detection and compliance). In the ISACA-CISA framework, IAM sits within Domain 5 — Protection of Information Assets — and serves as the primary preventive and detective control layer against unauthorized access, privilege abuse, and insider threats. Three governing principles underpin all IAM design: Least Privilege (grant only the minimum access necessary), Segregation of Duties (prevent any single identity from controlling a complete sensitive process end-to-end), and Defense in Depth (layer multiple identity controls so no single failure grants full compromise). IAM operates across a defined identity lifecycle: provisioning (creating and assigning access) → authorization management (maintaining correct access over time) → usage monitoring (detecting anomalies) → deprovisioning (revoking access when no longer needed).
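As an added example (not part of the cubelet itself), the following access-review check exercises two of the controls described above: a Segregation of Duties scan for toxic role combinations, and a deprovisioning check that flags identities, human or non-human, that still hold roles without an active status. All identities, roles, rules and the status feed are constructed sample data.

```python
# Constructed sample data: current role assignments per identity,
# including a non-human service account.
ROLE_ASSIGNMENTS = {
    "alice":      {"ap_invoice_entry", "ap_payment_approval"},  # toxic pair
    "bob":        {"ap_invoice_entry"},
    "carol":      {"db_admin"},
    "svc-backup": {"db_admin", "storage_write"},
    "svc-legacy": {"storage_write"},  # no owner record in the status feed
}

# Segregation of Duties rules: role pairs one identity must never hold together.
SOD_CONFLICTS = [
    ("ap_invoice_entry", "ap_payment_approval"),
    ("user_provisioning", "access_review_approver"),
]

# Constructed lifecycle feed (e.g. from HR or a service-account registry).
IDENTITY_STATUS = {
    "alice": "active",
    "bob": "terminated",   # left, but access was never revoked
    "carol": "active",
    "svc-backup": "active",
}


def sod_violations(assignments, conflicts):
    """Return (identity, role_a, role_b) for every toxic combination held."""
    return sorted(
        (ident, a, b)
        for ident, roles in assignments.items()
        for a, b in conflicts
        if a in roles and b in roles
    )


def orphaned_access(assignments, status):
    """Identities still holding roles whose status is not 'active'.

    An identity missing from the feed is treated as unknown and flagged,
    since ungoverned access is a deprovisioning gap as well.
    """
    return sorted(
        ident for ident, roles in assignments.items()
        if roles and status.get(ident, "unknown") != "active"
    )


def access_review(assignments, conflicts, status):
    """Combine both checks into one review report."""
    return {"sod": sod_violations(assignments, conflicts),
            "orphaned": orphaned_access(assignments, status)}
```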
Where it stops · what it isn't
- IAM IS: authentication mechanisms (passwords, MFA, biometrics), authorization models (RBAC, ABAC, ACLs), access governance (reviews, certifications, deprovisioning), privileged access management (PAM), identity lifecycle management, and audit logging.
- IAM IS NOT: network perimeter security (firewalls, IDS/IPS), physical access controls (badge readers, locks), data encryption at rest or in transit, vulnerability management, or endpoint detection — though IAM operates in concert with all of these.
- IAM IS NOT limited to user account administration. It includes non-human identities — service accounts, API credentials, machine identities, and third-party vendor accounts — all of which require the same governance rigor as human user accounts.
- IAM governance (policy design, access reviews, role architecture) is distinct from IAM implementation (deploying specific tools). CISA practitioners assess governance adequacy and control effectiveness, not tool selection.
- Zero Trust Architecture (ZTA) relies on IAM as its primary enforcement mechanism but also encompasses network micro-segmentation and device posture assessment. IAM is a necessary but not sufficient component of ZTA.
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OF: Protection of Information Assets (CISA Domain 5)
ENABLES: Zero Trust Architecture; Privileged Access Management (PAM); Segregation of Duties Controls
REQUIRES: Identity Governance and Administration (IGA); Directory Services (Active Directory, Azure AD/Entra ID, Okta)
RELATED TO: Network and Endpoint Security; Data Loss Prevention (DLP); Public Key Infrastructure (PKI)
CONSTRAINS: Cloud Security Architecture; Third-Party Vendor Access Management