IAM glossary — A to Z.
40 terms across workforce identity, customer identity, privileged access, governance, and zero-trust. Written by the practice leads who deliver the work — definitions that match how the term is actually used on regulated-enterprise engagements.
A
AAL (Authenticator Assurance Level)
- NIST 800-63B definition of authentication assurance, with three levels (AAL1, AAL2, AAL3). AAL3 requires hardware-bound multi-factor authentication.
Access Certification
- A periodic review where designated approvers confirm or revoke the access rights held by users in their scope. Most commonly run on a quarterly cadence in regulated enterprises.
Adaptive Authentication (Risk-based Auth)
- An authentication pattern where the factors required are adjusted in real time based on risk signals — sign-in risk, user risk, device posture, location, behavioral baseline.
Attribute-Based Access Control (ABAC)
- An access control model where decisions are made based on attributes of the user, the resource, and the environment, rather than membership in a role or group.
B
Break-glass Access
- An emergency privileged access mechanism for use when normal access paths are unavailable. Should be vaulted, recorded, time-bound, and post-event reviewed in every program.
C
CIAM (Customer Identity & Access Management)
- Identity management for customer-facing applications. Different from workforce IAM in scale, fraud profile, consent management, and the integration with marketing and product surfaces.
Conditional Access
- Microsoft Entra (and equivalent Okta / Ping) feature that applies access policies based on signals — user, device, location, application, risk. The canonical workforce zero-trust primitive.
Continuous Authentication
- An authentication model where session validity is re-evaluated continuously through the session lifecycle, based on behavioral signals and risk inputs — rather than only at sign-in.
Custom Database Connection
- A pattern used by some CIAM platforms (notably Auth0) to validate credentials against an external user store during a migration window — enabling lazy migration without forced re-enrollment.
D
Delegation
- The pattern by which one identity grants another (often more restricted) identity authority to act on its behalf. The keystone primitive for AI agent identity.
Derived Credential
- NIST 800-157 framework for credentials derived from a higher-assurance source (typically a PIV or CAC) and issued to a mobile device for use without the physical card.
Device Posture
- The compliance state of a device evaluated at the moment of access — disk encryption, OS version, MDM enrollment, EDR status. A common signal in Conditional Access policies.
Dynamic Secrets
- A pattern where credentials are generated on demand for a specific session and revoked when the session ends, eliminating long-lived credentials. HashiCorp Vault is the canonical platform.
E
Entitlement
- A specific right or permission granted to an identity — a role, group membership, application access, or fine-grained permission. The unit of access certification.
Evidence-as-Code
- A discipline where audit artifacts are produced as a byproduct of normal operations, captured in version-controlled and queryable form rather than reconstructed each cycle.
F
Federation
- A trust relationship between two identity domains, typically implemented via SAML or OIDC, that lets users in one domain access resources in another without re-authentication.
FedRAMP (Federal Risk and Authorization Management Program)
- The US federal program for authorizing cloud services for federal use, with Low / Moderate / High impact levels. Required for cloud-hosted federal workloads.
I
Identity Governance & Administration (IGA)
- The discipline covering identity lifecycle, access requests, access certifications, segregation-of-duties, and policy management. Saviynt and SailPoint are the dominant platforms.
Identity Provider (IdP)
- A system that authenticates users and issues identity tokens for use by relying applications. Okta, Microsoft Entra, Ping, and ForgeRock are common workforce IdPs.
J
Joiner-Mover-Leaver (JML)
- The lifecycle pattern that governs how identities are provisioned (Joiner), updated when their role changes (Mover), and offboarded (Leaver). The substrate every IGA program builds on.
Just-In-Time Elevation (JIT)
- A privileged access pattern where elevated rights are granted on demand, bound to a specific task and time window, then automatically revoked. The canonical zero-standing-privilege primitive.
K
Kerberos
- A ticket-based authentication protocol historically central to Active Directory authentication. Still operational in most enterprises but increasingly replaced by modern tokens.
M
Multi-Factor Authentication (MFA)
- Authentication requiring two or more independent factors (something you know, have, or are). The single most effective workforce identity control against credential-stuffing attacks.
O
OAuth 2.1
- The 2025-era consolidated OAuth specification, deprecating the implicit and password grants and mandating PKCE for public clients. The current best-practice baseline for authorization flows.
OIDC (OpenID Connect)
- An identity layer built on OAuth 2.0 that provides authentication and identity claims in addition to authorization. The canonical modern federation protocol.
P
Passkey
- A phishing-resistant credential built on the FIDO2 / WebAuthn standards. Can be platform-bound, synced through a credential manager, or bound to a hardware security key.
PKCE (Proof Key for Code Exchange)
- An OAuth 2.0 extension (mandatory in 2.1) that prevents authorization code interception attacks on public clients. Required for all SPA and mobile auth flows.
Privileged Access Management (PAM)
- The discipline covering vaulting, brokered access, session recording, and just-in-time elevation for privileged identities. CyberArk and BeyondTrust are the dominant platforms.
R
Role-Based Access Control (RBAC)
- An access control model where rights are granted to roles, and users acquire rights through role membership. The canonical access model in IAM, often paired with attribute-based extensions.
S
SCIM (System for Cross-domain Identity Management)
- A standard protocol for provisioning users and groups across systems. Most modern IdPs and SaaS applications support SCIM 2.0 for inbound provisioning.
Segregation of Duties (SoD)
- A control principle that prevents one user from holding combinations of access that would enable fraud or error. Critical for SOX, FFIEC, and financial-services compliance.
Service Account
- A non-human identity used by an application, script, or integration to authenticate to other systems. The long tail of every privileged access program.
Session Recording
- The capture of every action taken during a privileged session for later audit. A standard PAM capability across CyberArk, BeyondTrust, and Delinea.
Single Sign-On (SSO)
- An authentication pattern where one credential authorizes access to multiple applications, typically via SAML or OIDC federation. The baseline workforce identity capability.
Step-up Authentication
- A pattern where additional authentication is required for high-risk actions within an already-authenticated session — typically MFA, biometrics, or a hardware key.
T
Token Rotation
- The OAuth 2.1 best practice where refresh tokens are invalidated after each use and replaced with a new token, allowing detection of leaked tokens via reuse.
W
Workforce Identity
- Identity management for employees, contractors, and partners — distinct from CIAM in scope, lifecycle pattern, and compliance integration. Okta and Microsoft Entra are dominant.
Z
Zero Standing Privilege (ZSP)
- A privileged access design goal where no identity holds standing administrative rights — every privileged action requires a just-in-time elevation, recorded and time-bound.
Zero Trust
- A security model that assumes no implicit trust based on network location and verifies every access request based on identity, device, and contextual signals.
Term you do not see? We can write it.
The glossary is curated, not exhaustive. If you searched for a term we have not defined, drop us a note and we will add it — usually within a week.