IAM — IT definition

IAM (Identity and Access Management) is the discipline that answers a simple-sounding, brutally hard question: "who has access to what in the IT estate, when, and is it justified?". It is one of the cornerstones of modern cybersecurity and a topic directly tied to IT governance.

With the spread of SaaS, remote work, and multi-cloud, the IAM perimeter has exploded: an average employee uses more than 35 applications a day, each with its own accounts and permissions. Per Verizon DBIR 2024, 74 % of breaches involve a human factor and 49 % involve credential compromise — making IAM a frontline defense.

Building blocks of IAM

IAM groups several technical components that work together:

• •Identity Provider (IdP): the source of truth for identities (Microsoft Entra ID, Okta, Google Workspace, Ping). It authenticates users.
• •[SSO](/en/glossary/sso): Single Sign-On, one login for all connected applications.
• •MFA / 2FA: Multi-Factor Authentication, a second factor (TOTP, FIDO2 key, mobile push) that cuts password-based compromise by 99 %.
• •Automated provisioning (SCIM): account creation and deletion in target apps as employees join or leave.
• •PAM: (Privileged Access Management): dedicated management of high-privilege accounts (admins, root).
• •CIAM: (Customer IAM): IAM oriented at external customers rather than employees.

IAM, IdM, IGA: untangling the acronyms

• •IdM: (Identity Management): the technical lifecycle — create, modify, delete identities.
• •AM: (Access Management): the access control when a user tries to use a resource (authentication + authorization).
• •IAM: the umbrella term covering IdM + AM.
• •IGA: (Identity Governance and Administration): the governance layer — access reviews, certification, role management, compliance. IAM as auditors see it.

Standard IAM protocols

• •SAML 2.0: classic enterprise SSO standard.
• •OpenID Connect (OIDC): modern version on top of OAuth 2.0, simpler to integrate.
• •OAuth 2.0: for authorization delegation (often confused with authentication — that's not its primary job).
• •SCIM 2.0: for automated account provisioning between IdP and applications.
• •FIDO2 / WebAuthn: for passwordless authentication (passkeys).

Why IAM is strategic

• •Security: credential compromise remains the top breach vector. MFA + SSO + regular reviews dramatically lower the risk.
• •Compliance: GDPR, NIS2, DORA, SOX, ISO 27001 mandate access traceability, periodic reviews, and least-privilege.
• •Productivity: new hires productive on day one rather than after a week of access tickets.
• •Cost: without automation, up to 30 % of SaaS accounts remain active after an employee leaves — both a security gap and wasted licenses.
• •[Shadow IT](/en/glossary/shadow-it): ungoverned apps escape IAM, creating blind spots.

IAM best practices

• •Least privilege: every user gets exactly the access their role requires, no more.
• •Zero Trust: never trust, always verify — every request is authenticated and authorized regardless of the network.
• •Periodic access reviews: quarterly for sensitive roles, annually otherwise.
• •Automated Joiner-Mover-Leaver: workflows for hires, role changes, and departures.
• •Centralization: one IdP, not a patchwork of directories.

IAM and application visibility

IAM only works if the CIO knows which applications exist in the IT estate — including the ones nobody declared. Kabeen surfaces every application employees actually use, including outside SSO, and lets you prioritize attaching them to the central IdP to close the blind spots.