Identity and Access Management (IAM) is the framework of policies and technologies that controls who can access which systems and data, under what conditions, and with what level of privilege. It ensures the right people get access to what they need and that no one else does. At its core, IAM answers two questions: Who are you? And what are you allowed to do?
Why IAM Is More Than a Password Policy
For most of computing history, access control was simple: you had a username and a password, and that was it. That model broke down as the number of applications multiplied, workforces became distributed, and attackers got better at stealing credentials. IAM is the infrastructure that replaced the password-and-hope model. It is what enables an employee to log in once and access all their tools, while preventing them from accessing anything outside their role, and it is what makes it possible to revoke all of that access in minutes when they leave.
The Core Components
Authentication
Verifying that a user is who they claim to be. Modern authentication goes beyond passwords to include multi-factor authentication (MFA), requiring a second form of verification, like a phone prompt or hardware key, in addition to a password. MFA alone blocks the vast majority of credential-based attacks.
Single Sign-On (SSO)
SSO allows users to log in once and access all connected applications without re-authenticating. It is more convenient for users and easier for IT to secure: instead of managing dozens of separate login credentials, access is controlled through one identity provider.
Role-Based Access Control (RBAC)
Access permissions are assigned based on roles rather than individuals. A support engineer gets access to ticketing systems and logs. A finance analyst gets access to financial platforms and reporting tools. Neither gets access to what the other has. When someone changes roles, their access profile updates accordingly.
Privileged Access Management (PAM)
Some accounts, such as system administrators and database owners, carry elevated permissions. PAM adds extra controls around these accounts: time-limited access, session recording, and additional approval requirements. The principle is that elevated access should be granted only when needed and tracked when used.
Directory Services
The underlying database that stores identities and group memberships, most commonly Microsoft Active Directory or a cloud-based equivalent like Okta or Azure AD. This is what SSO and RBAC query when deciding what someone can access.
Access Reviews
IAM is not set-and-forget. Access accumulates. Someone gets temporary access to a project, the project ends, and the access stays. Someone changes roles and keeps their old permissions alongside the new ones. Regular access reviews, quarterly for most organizations and more frequently for privileged accounts, are necessary to keep permissions aligned with actual job requirements.
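The RBAC, PAM and access-review sections above describe one model, so here is a single added example (constructed for this page, not the article's own code) that ties them together: access follows the role and is swapped cleanly on a role change, privileged access needs a separate approver and expires in hours, temporary project access carries an expiry, and a review routine lists the grants that have outlived their reason. Role names, permission strings, user names and timestamps are all constructed sample data; times are plain unix seconds.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed role model; role and permission names follow the article's examples.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "support_engineer": {"ticketing:read", "ticketing:write", "logs:read"},
    "finance_analyst": {"finance:read", "reporting:read"},
}
# Permissions treated as privileged: never standing, only granted with approval and an expiry.
PRIVILEGED = {"db:admin", "prod:ssh"}
DAY = 86_400
HOUR = 3_600


@dataclass
class Grant:
    permission: str
    source: str                     # "role:<role>", "temporary:<reason>" or "privileged:<approver>"
    expires_at: int | None = None   # unix seconds; None is a standing grant


@dataclass
class User:
    name: str
    role: str = ""
    grants: list[Grant] = field(default_factory=list)


def assign_role(user: User, role: str) -> None:
    """RBAC: replace the old role's grants with the new role's, leaving non-role grants untouched."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    user.grants = [g for g in user.grants if not g.source.startswith("role:")]
    user.role = role
    user.grants += [Grant(p, f"role:{role}") for p in sorted(ROLE_PERMISSIONS[role])]


def grant_temporary(user: User, permission: str, reason: str, now: int, days: int) -> Grant:
    """Project access always carries an expiry so it cannot quietly outlive the project."""
    if permission in PRIVILEGED:
        raise ValueError("privileged permissions go through grant_privileged")
    grant = Grant(permission, f"temporary:{reason}", now + days * DAY)
    user.grants.append(grant)
    return grant


def grant_privileged(user: User, permission: str, approver: str, now: int, hours: int = 4) -> Grant:
    """PAM: elevated access is approved by someone else and expires in hours, not months."""
    if permission not in PRIVILEGED:
        raise ValueError(f"{permission!r} is not a privileged permission")
    if approver == user.name:
        raise PermissionError("privileged access cannot be self-approved")
    grant = Grant(permission, f"privileged:{approver}", now + hours * HOUR)
    user.grants.append(grant)
    return grant


def effective_permissions(user: User, now: int) -> set[str]:
    """Only unexpired grants count at decision time."""
    return {g.permission for g in user.grants if g.expires_at is None or g.expires_at > now}


def has_access(user: User, permission: str, now: int) -> bool:
    return permission in effective_permissions(user, now)


def access_review(user: User, now: int) -> list[str]:
    """Periodic review: every non-role grant either needs cleanup or a fresh justification."""
    findings = []
    for g in user.grants:
        if g.source.startswith("role:"):
            continue  # role grants are governed by the role definition itself
        if g.expires_at is not None and g.expires_at <= now:
            findings.append(f"expired grant still recorded: {g.permission} ({g.source})")
        elif g.permission in PRIVILEGED and g.expires_at is None:
            findings.append(f"standing privileged grant: {g.permission} ({g.source})")
        else:
            findings.append(f"non-role grant needs recertification: {g.permission} ({g.source})")
    return findings


def revoke_expired(user: User, now: int) -> int:
    """Drop expired grants from the record; returns how many were removed."""
    before = len(user.grants)
    user.grants = [g for g in user.grants if g.expires_at is None or g.expires_at > now]
    return before - len(user.grants)


if __name__ == "__main__":
    now = 1_704_067_200  # constructed timestamp (2024-01-01 UTC)
    alice = User("alice")
    assign_role(alice, "support_engineer")
    grant_temporary(alice, "finance:read", "audit-project", now, days=30)
    grant_privileged(alice, "db:admin", approver="bob", now=now)
    for finding in access_review(alice, now + 31 * DAY):
        print(finding)
```

Two design points matter more than the data model. First, `has_access` never looks at the role directly; it looks only at unexpired grants, so an expired project or admin grant stops working even if nobody has cleaned the record yet. Second, the review deliberately reports every surviving non-role grant, not just the expired ones, because the accumulation problem the article describes is exactly the grant that is still valid but no longer has a reason.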