IAM explainers.
Plain-English answers to the IAM concept questions practitioners actually search: authentication vs authorization, RBAC vs ABAC, OAuth vs OIDC, access token vs ID token, and more.
- Comparison: Authentication vs authorization
  Authentication (authN) proves who an identity is — it answers "are you who you claim to be?" Authorization (authZ) decides what that authenticated identity i…
- Comparison: RBAC vs ABAC
  Role-based access control (RBAC) grants access through roles assigned to users — simple to implement and audit, but prone to role explosion as exceptions acc…
- Comparison: OAuth vs OIDC
  OAuth 2.1 is an authorization framework — it issues scoped access tokens that let a client call an API on a user's behalf. OpenID Connect (OIDC) is a thin au…
- Comparison: Access token vs ID token
  An ID token is an OIDC authentication artifact — a JWT that proves who the user is, intended for the client application that requested the login. An access t…
- Comparison: SSO vs federation
  Single sign-on (SSO) is the user-facing outcome: authenticate once, then access many applications without logging in again. Federation is the underlying trus…
- Concept: What is non-human identity (NHI)?
  Non-human identity (NHI) is any identity that authenticates without a human present: service accounts, API keys, OAuth client credentials, certificates, work…
- Concept: What is Okta FastPass?
  Okta FastPass is a passwordless, phishing-resistant authentication method built into the Okta Verify app. Once enrolled, a user signs in to any Okta-protecte…
- Comparison: Okta Personal vs Okta Workforce
  Okta Personal is a free, consumer-facing password manager for individuals (Okta's competitor to 1Password / browser password managers). Okta Workforce Identi…
- Comparison: SAML vs OAuth
  SAML (Security Assertion Markup Language) is an authentication + single-sign-on standard — it lets an identity provider assert "this is who the user is" to a…
- Comparison: SCIM vs SAML
  SCIM (System for Cross-domain Identity Management) is a provisioning standard — it automatically creates, updates, and deactivates user accounts in an applic…
- Comparison: AI agents vs agentic AI
  An AI agent is a single software identity that uses a model to take actions on a user's or system's behalf — calling tools, APIs, and services to complete a …
- Comparison: MCP security
  The Model Context Protocol (MCP) lets AI agents connect to external tools and data through a standard interface. MCP security is the practice of controlling …
- Comparison: Zero standing privileges (ZSP)
  Zero standing privileges (ZSP) means no identity holds usable access between tasks — permissions and credentials are granted just-in-time for a specific acti…
- Comparison: RBAC vs ReBAC
  Role-based access control (RBAC) grants access through roles assigned to identities — simple to reason about and audit, but prone to role explosion as except…
- Concept: OAuth 2.1 for AI agents
  OAuth 2.1 for AI agents applies the OAuth authorization framework to non-human, autonomous identities: an agent obtains a scoped, short-lived access token — …
- Concept: Agentic identity governance
  Agentic identity governance is the discipline of managing AI-agent identities across their full lifecycle — issuance, scoping, delegation, monitoring, and de…
- Concept: The EU AI Act and identity controls
  The EU AI Act regulates AI systems by risk tier and imposes obligations — human oversight, logging and traceability, robustness, and accountability — that ma…
- Concept: Fine-grained authorization (FGA)
  Fine-grained authorization (FGA) is access control that decides permissions at the level of individual resources, actions, and relationships — "can user A ed…