Identity and access management (IAM)
Identity and access management (IAM) is the framework for authenticating identities and controlling their access to resources, according to the principle of least privilege. Learn IAM's core capabilities, how it differs from privileged access management, and why it underpins modern security.
What is identity and access management (IAM)?
Identity and access management (IAM) is the framework for authenticating users and non-human identities and empowering them to access the resources they need — no more, no less — according to the principle of least privilege. It governs the whole lifecycle of access: establishing who an identity is, granting appropriate access, and adjusting or removing that access as roles change.
What are the core capabilities of IAM?
An IAM program typically covers:
- Authentication — verifying that an identity is who it claims to be, often with multi-factor authentication.
- Authorization — determining what an authenticated identity may access.
- Provisioning and deprovisioning — granting access as people join and removing it as they leave.
- Single sign-on — access to multiple resources with one set of credentials.
- Access governance — reviewing and certifying that access remains appropriate.
IAM vs. PAM: what's the difference?
IAM governs identities and everyday access for the entire user population. Privileged access management (PAM) is a focused discipline within that space, dealing specifically with the small number of high-risk, elevated accounts. IAM manages access for everyone; PAM adds vaulting, session control, just-in-time access, and rotation for the powerful accounts that could do the most damage.
| IAM | PAM |
|---|---|
| Governs identities and access for the entire user base. | Governs elevated, high-risk privileged accounts specifically. |
| Authentication, provisioning, SSO, everyday access. | Vaulting, session control, JIT access, and rotation. |
Why does IAM matter?
Most security incidents involve identity in some way — a stolen credential, over-broad access, or an account that should have been removed. IAM reduces that risk by making access intentional, verified, and current, and by enforcing least privilege across the organization. It is the foundation on which more specialized controls, including PAM, are built.
Frequently asked questions
What is identity and access management (IAM)?
Identity and access management (IAM) is the framework for authenticating identities and controlling their access to resources according to the principle of least privilege. It governs the full lifecycle of access: establishing who an identity is, granting appropriate access, and adjusting or removing it as roles change.
What is the difference between IAM and PAM?
IAM governs identities and everyday access for the entire user population, while privileged access management (PAM) is a focused discipline dealing specifically with high-risk elevated accounts. IAM manages access for everyone; PAM adds vaulting, session control, just-in-time access, and rotation for the powerful few.
What are the core capabilities of IAM?
IAM typically covers authentication, authorization, provisioning and deprovisioning, single sign-on, and access governance — together making access intentional, verified, and current across the organization.
Govern access with confidence
Extend identity and access management with privileged access controls from Devolutions.
Related terms
Privileged access management (PAM)
Controls, audits, and secures access to an organization's most sensitive systems.
Read now →Role-based access control (RBAC)
A hierarchy of permissions determining what a user can do based on their role.
Read now →Least privilege
Granting users only the access needed to carry out their responsibilities.
Read now →