Glossary term
IAM (Identity and Access Management)
Also: Identity Management, IGA, PAM
The stack of systems that governs which identities have access to which resources, and under which conditions. IAM covers authentication, single sign-on, lifecycle management, access governance (IGA) and privileged access management (PAM), and is the most commonly breached control in enterprise environments.
IAM is a stack decision, not a product decision. A mature enterprise IAM typically spans workforce identity, customer identity, identity governance (IGA), privileged access (PAM) and secrets management. Each layer has different vendors, different buying cycles and different operating models.
The core strategic choice is usually between an integrated suite (Microsoft Entra ID, Okta Workforce Identity) and a best-of-breed architecture (separate IGA, PAM and IAM vendors). Integrated suites are faster to deploy and easier to govern; best-of-breed gives deeper functionality in the layers that matter most.
IAM decisions interact strongly with compliance. NIS2 Art. 21 names access control as a mandatory measure. DORA Art. 9 requires documented identity governance. BSI IT-Grundschutz has dedicated modules. The IAM memo should map to these explicitly rather than claim general compliance.
Related terms
Zero Trust
A security model built on the principle that no user, device or network location is trusted by defau…
Compliance mapping
The explicit link between a decision (vendor, architecture, control) and the specific regulatory art…
Sovereign cloud
A cloud deployment model that guarantees operational, legal and technical control of data and worklo…
