Reference · 2026.05.2

IAM controls — mapped across six frameworks. One IAM operating model.

Citable cross-framework mapping for the IAM controls that show up in every regulated-enterprise audit: NIST 800-53 r5 · ISO 27001/27002 · SOC 2 TSC · HIPAA Security Rule · FFIEC IT Examination Handbook · FedRAMP Moderate / High. Each control includes a plain-English description and engineering notes.

Cite this pageDownload JSON

Controls mapped

Reviewed May 22, 2026 · CC BY 4.0

IGA · Identity governance & lifecycle

3 controls

Account management & lifecycle (JML)

#iga-account-management

Provisioning, modification, disablement, and removal of user accounts driven by an authoritative HRIS / identity source.

NIST 800-53: AC-2, AC-2(1), AC-2(2), AC-2(3)
ISO 27001: A.5.16, A.5.18
SOC 2: CC6.1, CC6.2, CC6.3
HIPAA: § 164.308(a)(3) — Workforce Security; § 164.308(a)(4) — Information Access Management
FFIEC: Information Security § II.C.7 — Authentication and Access Controls
FedRAMP: Moderate + High: AC-2 (1)-(3)

Engineering notes

Best implemented as HRIS-triggered automation with documented exception policy. Manual ticket-driven JML satisfies most frameworks on paper but rarely closes the audit findings cleanly.

Recurring access certification

#iga-cert-recurring

Periodic reviewer-led recertification of user access entitlements, scoped to risk-tier and regulated application boundary.

NIST 800-53: AC-2(7), AC-6(7)
ISO 27001: A.5.16, A.5.18
SOC 2: CC6.2, CC6.3
HIPAA: § 164.308(a)(4) — Information Access Management
FFIEC: Information Security § II.C.13 — User Access Reviews
FedRAMP: Moderate + High: AC-2(7)

Engineering notes

Quarterly + risk-tiered cadence beats annual sweep. Reviewer kits with context (last-login, entitlement diff, peer comparison) move the rubber-stamp rate down meaningfully.

Separation of duties (SoD)

#iga-separation-of-duties

Enforcement of incompatible role / entitlement combinations to prevent fraud, error, or abuse.

NIST 800-53: AC-5, AC-6(7)
ISO 27001: A.5.3
SOC 2: CC6.1, CC6.2
HIPAA: § 164.308(a)(3) — Workforce Security (least privilege)
FFIEC: Information Security § II.C.7 — Separation of Duties
FedRAMP: Moderate + High: AC-5

Engineering notes

SAP and ERP-anchored programs treat SoD as a first-class concern (Saviynt AAG / SailPoint SoD). Most SaaS-first programs need a layered policy on top of native role primitives.

Access · Access management & authentication

3 controls

Multi-factor authentication

#access-mfa

Authentication requiring two or more factors for workforce access, with phishing-resistant factors required for privileged contexts.

NIST 800-53: IA-2, IA-2(1), IA-2(2), IA-2(12)
ISO 27001: A.5.17, A.8.5
SOC 2: CC6.1, CC6.6
HIPAA: § 164.308(a)(5)(ii)(D) — Password Management; § 164.312(a)(2)(i) — Unique User ID
FFIEC: Information Security § II.C.7 — Authentication and Access Controls
FedRAMP: Moderate + High: IA-2(1), IA-2(2); High also requires IA-2(12)

Engineering notes

NIST and FedRAMP both push phishing-resistant factors (FIDO2 / smart card) for privileged access. Push-based MFA remains common but is increasingly insufficient under examiner expectations.

Session management & timeout

#access-session-control

Idle timeout, absolute session lifetime, and re-authentication policies for sensitive contexts.

NIST 800-53: AC-12, AC-11
ISO 27001: A.8.5
SOC 2: CC6.1
HIPAA: § 164.312(a)(2)(iii) — Automatic Logoff
FFIEC: Information Security § II.C.7
FedRAMP: Moderate + High: AC-12

Engineering notes

Conditional Access (Entra) and Adaptive Access (Okta) both meet this when policies are documented. Anonymous "session lasts forever" cookies are an audit finding waiting to happen.

Least privilege

#access-least-privilege

Access scoped to the minimum required to perform a job function, with time-bound elevation for exception cases.

NIST 800-53: AC-6, AC-6(1), AC-6(5), AC-6(10)
ISO 27001: A.5.15, A.8.2
SOC 2: CC6.1, CC6.3
HIPAA: § 164.308(a)(4) — Access Authorization
FFIEC: Information Security § II.C.7
FedRAMP: Moderate + High: AC-6(1), AC-6(5), AC-6(10)

PAM · Privileged access

3 controls

Privileged credential vaulting

#pam-credential-vault

Privileged accounts (domain admin, root, database, cloud) held in a vault with checkout/checkin and rotation policies.

NIST 800-53: AC-2(7), IA-5, SC-12
ISO 27001: A.8.2, A.8.5
SOC 2: CC6.1, CC6.6
HIPAA: § 164.308(a)(3) — Workforce Security; § 164.312(d) — Person or Entity Authentication
FFIEC: Information Security § II.C.7 — Privileged Access
FedRAMP: Moderate + High: AC-6(5), IA-5

Engineering notes

CyberArk, BeyondTrust, Delinea, and HashiCorp Vault all satisfy this. Auditors look for evidence of rotation, not just vault existence.

Privileged session monitoring

#pam-session-monitoring

Recording, monitoring, and selective replay of privileged sessions on sensitive systems.

NIST 800-53: AC-2(12), AU-2, AU-12
ISO 27001: A.8.15
SOC 2: CC6.8, CC7.2
HIPAA: § 164.312(b) — Audit Controls
FFIEC: Information Security § II.C.7; Audit § III.D — Privileged Session Logging
FedRAMP: Moderate + High: AU-2, AU-12; High: AC-2(12)

Engineering notes

HIPAA explicitly elevates session monitoring on ePHI-adjacent systems. PHI handler workstation sessions are increasingly under-recorded under recent HHS-OCR enforcement.

Just-in-time elevation

#pam-just-in-time

Privileged access granted on request for a bounded time window, with elimination of standing privileged accounts.

NIST 800-53: AC-2(6), AC-6(5)
ISO 27001: A.5.15
SOC 2: CC6.1, CC6.3
HIPAA: § 164.308(a)(4) — Access Authorization
FFIEC: Information Security § II.C.7
FedRAMP: Moderate + High: AC-6(5)

Engineering notes

JIT is not literally required by any framework name, but it is the strongest way to satisfy least-privilege expectations under all of them. Standing privilege is the single most-cited finding category.

Audit · Audit & evidence

3 controls

Identity event logging

#audit-event-logging

Centralized logging of authentication events, access modifications, and privileged actions with tamper-evident retention.

NIST 800-53: AU-2, AU-3, AU-9, AU-12
ISO 27001: A.8.15, A.8.17
SOC 2: CC7.2
HIPAA: § 164.312(b) — Audit Controls
FFIEC: Audit § II — Logging and Monitoring
FedRAMP: Moderate + High: AU-2, AU-3, AU-9, AU-12

Log retention

#audit-log-retention

Retention period for identity-related logs sufficient for the regulator and the incident-response cycle.

NIST 800-53: AU-11
ISO 27001: A.8.15
SOC 2: CC7.2
HIPAA: § 164.316(b)(2)(i) — six year retention
FFIEC: Audit § III.B
FedRAMP: Moderate + High: AU-11 (1 year online, 3 years offline)

Engineering notes

HIPAA mandates six-year retention; FedRAMP requires one year online plus three offline. SOC 2 leaves duration to entity policy — but auditors typically expect 12+ months.

Evidence collection program

#audit-evidence-program

Repeatable process for producing audit-ready evidence on demand for in-scope IAM controls.

NIST 800-53: CA-2, CA-7
ISO 27001: Clause 9.2, A.5.35
SOC 2: CC4.1, CC4.2
HIPAA: § 164.308(a)(8) — Evaluation
FFIEC: Audit § II — Audit Program
FedRAMP: ConMon: CA-7, monthly evidence cycle

Engineering notes

Evidence-as-code (generated continuously) reduces audit cost meaningfully and is becoming the expected posture for FedRAMP-authorized programs.

CIAM · Customer identity & federation

2 controls

Customer-side MFA

#ciam-customer-mfa

Multi-factor authentication offered (and increasingly required) for end-customer accounts on sensitive surfaces.

NIST 800-53: IA-2, IA-8
ISO 27001: A.5.17
SOC 2: CC6.1, CC6.6
HIPAA: § 164.308(a)(5)(ii)(D) — when patient portals access ePHI
FFIEC: Authentication in an Electronic Banking Environment (2021 supplement)
FedRAMP: IA-8 for non-organizational users on Moderate + High

Engineering notes

NYDFS Part 500 + the 2021 FFIEC authentication guidance both expect risk-based MFA on consumer financial surfaces. Passkeys are increasingly the strongest practical answer.

Account recovery & step-up

#ciam-account-recovery

Customer account recovery flows that do not silently weaken the primary authentication posture.

NIST 800-53: IA-5(1)(f)
ISO 27001: A.5.17
SOC 2: CC6.6
HIPAA: § 164.308(a)(5)(ii)(D)
FFIEC: 2021 supplement — Layered security
FedRAMP: IA-5(1)

Engineering notes

Email-only recovery on a passkey-protected account is a step-down attack waiting to happen. Document the recovery posture explicitly in the SSP / control narrative.

Cite this page

Reference our benchmarks in your reporting.

These benchmarks are licensed under CC BY 4.0 — free to cite, quote, and link to with attribution. Pick a format below.

APA

askmeidentity. (2026). The State of Identity, live (v2026.05.2). Retrieved 2026-06-04 from https://askmeidentity.com/resources/iam-compliance-crosswalk/

MLA

"The State of Identity, live." askmeidentity, v2026.05.2, https://askmeidentity.com/resources/iam-compliance-crosswalk/. Accessed 2026-06-04.

BibTeX

@misc{askmeidentity_state_of_identity_2026_05.2, title = {The State of Identity, live}, author = {{askmeidentity}}, year = {2026}, note = {Version 2026.05.2, retrieved 2026-06-04}, url = {https://askmeidentity.com/resources/iam-compliance-crosswalk/} }

CC BY 4.0

Compliance program help?

Mapping is the easy part. Evidence-as-code is the hard part.

We build IAM evidence pipelines that satisfy multiple frameworks from a single control narrative — FFIEC, HIPAA, FedRAMP, SOC 2 — without manual screenshot collection at quarter-end.

Talk to a compliance leadTake the maturity assessment

IAM controls — mapped across six frameworks. One IAM operating model.

IGA · Identity governance & lifecycle

3 controls

Account management & lifecycle (JML)

#iga-account-management

Provisioning, modification, disablement, and removal of user accounts driven by an authoritative HRIS / identity source.

NIST 800-53: AC-2, AC-2(1), AC-2(2), AC-2(3)
ISO 27001: A.5.16, A.5.18
SOC 2: CC6.1, CC6.2, CC6.3
HIPAA: § 164.308(a)(3) — Workforce Security; § 164.308(a)(4) — Information Access Management
FFIEC: Information Security § II.C.7 — Authentication and Access Controls
FedRAMP: Moderate + High: AC-2 (1)-(3)

Engineering notes

Best implemented as HRIS-triggered automation with documented exception policy. Manual ticket-driven JML satisfies most frameworks on paper but rarely closes the audit findings cleanly.

Recurring access certification

#iga-cert-recurring

Periodic reviewer-led recertification of user access entitlements, scoped to risk-tier and regulated application boundary.

NIST 800-53: AC-2(7), AC-6(7)
ISO 27001: A.5.16, A.5.18
SOC 2: CC6.2, CC6.3
HIPAA: § 164.308(a)(4) — Information Access Management
FFIEC: Information Security § II.C.13 — User Access Reviews
FedRAMP: Moderate + High: AC-2(7)

Engineering notes

Quarterly + risk-tiered cadence beats annual sweep. Reviewer kits with context (last-login, entitlement diff, peer comparison) move the rubber-stamp rate down meaningfully.

Separation of duties (SoD)

#iga-separation-of-duties

Enforcement of incompatible role / entitlement combinations to prevent fraud, error, or abuse.

NIST 800-53: AC-5, AC-6(7)
ISO 27001: A.5.3
SOC 2: CC6.1, CC6.2
HIPAA: § 164.308(a)(3) — Workforce Security (least privilege)
FFIEC: Information Security § II.C.7 — Separation of Duties
FedRAMP: Moderate + High: AC-5

Engineering notes

SAP and ERP-anchored programs treat SoD as a first-class concern (Saviynt AAG / SailPoint SoD). Most SaaS-first programs need a layered policy on top of native role primitives.