This domain focuses on provisioning and managing identities, access, and authorization mechanisms.
Agentic Identity Access Platforms (AIAP)
- Scoping of the Definition: A new centralized brokering and authorization layer tailored for non-human entities, addressing the structural shift from static, human-centric identities to intent-driven, short-lived access mechanisms explicitly designed for AI agents, workloads, and Non-Human Identities (NHIs). They function as an enterprise Single Sign-On (SSO) and governance platform for algorithms.
- Definitional Technology, Feature, and Service Lines:
  - Enforcing strict Zero Standing Privileges (ZSP) across the entire agentic ecosystem.
  - Acting as the mandatory intermediary control plane that standardizes how agents request access.
  - Translating the high-level semantic intent of an agent into deterministic, cryptographically secure authorization decisions.
  - Issuing task-scoped, ephemeral credentials that expire immediately after the task concludes.
  - Combining traditional Identity Threat Detection and Response (ITDR) and Identity Security Posture Management (ISPM) with advanced behavioral machine learning algorithms.
Customer Identity and Access Management (CIAM)
- Scoping of the Definition: An identity solution dedicated to managing the registration, login, and profile management for external consumers, partners, and citizens accessing an organization’s public-facing applications and services. CIAM requires extreme scale, high performance, and robust capabilities for managing user consent and privacy, distinguishing it structurally from traditional workforce IAM solutions.
- Definitional Technology, Feature, and Service Lines: Self-service registration and profile management, social media login (social identity federation), robust consent and preference management (GDPR, CCPA), strong customer authentication (MFA, biometrics), and API security for customer data access.
Identity Governance and Administration (IGA)
- Scoping of the Definition: The foundational discipline for managing digital identities and access rights across an enterprise. IGA focuses on ensuring compliance by provisioning and de-provisioning user accounts, performing periodic access certification (recertification), and managing role-based access controls (RBAC) across applications and systems. It serves as the authoritative source for access policies.
- Definitional Technology, Feature, and Service Lines: User provisioning and de-provisioning workflows, automated access request fulfillment, periodic access review and certification (attestation) campaigns, and centralized role lifecycle management.
Identity Security Dark Matter
- Scoping of the Definition: The vast, unmanaged, highly invisible, and poorly governed identity exposures that permeate modern enterprise environments, fundamentally undermining all other layers of identity defense. It exists entirely outside the purview of centralized security monitoring tools and defines the primary battlefield of modern identity warfare.
- Definitional Technology, Feature, and Service Lines: Consists of over-privileged service accounts, orphaned user profiles, shadow IT identities created outside of procurement, and misconfigured federation trusts. Requires advanced detection and response capabilities tailored for uncovering, mapping, and neutralizing these hidden identity assets.
Entitlement Intelligence
- Scoping of the Definition: The critical, missing authorization layer in modern identity security, acting as the necessary bridge to transition the identity stack from passive, read-only visibility to active, granular, and automated governance. It solves the core failure of legacy Identity Governance and Administration (IGA) platforms, which rely on manual, ineffective access reviews.
- Definitional Technology, Feature, and Service Lines:
  - Utilizing deep data analytics and machine learning to map the precise, effective permissions of every single identity (human or machine) across all cloud infrastructure and SaaS environments.
  - Decoding complex, nested permission models, translating raw, machine-readable policies into human insights and risk scores.
  - Enabling organizations to implement true least-privilege models by systematically eliminating excessive, unused permissions.
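The core mechanic behind Entitlement Intelligence (resolving nested group and role definitions into the effective permissions each identity actually holds, then comparing that against observed use) is shown below as an added example; it is not code from the page or from any product. The group, role-binding, role-inclusion and usage-log data are constructed sample inputs, and the risk-scoring weights are arbitrary illustration values. The same resolver also surfaces the over-privileged service accounts and orphaned profiles that the Identity Security Dark Matter entry describes.

```python
from collections import deque

# Constructed sample policy model (not from any real tenant).
GROUPS = {                      # group -> members; a member may itself be a group
    "eng-all": ["alice", "bob", "platform-team"],
    "platform-team": ["carol", "svc-deployer"],
}
ROLE_BINDINGS = {               # principal (user, service account or group) -> roles
    "eng-all": ["repo-reader"],
    "platform-team": ["cluster-admin"],
    "svc-deployer": ["deploy-bot"],
    "bob": ["billing-viewer"],
    "svc-legacy": ["cluster-admin"],   # bound to a role but in no group: an orphan candidate
}
ROLES = {                       # role -> directly granted permissions
    "repo-reader": {"repo:read"},
    "cluster-admin": {"k8s:*", "secrets:read"},
    "deploy-bot": {"deploy:run"},
    "billing-viewer": {"billing:read"},
}
ROLE_INCLUDES = {"cluster-admin": ["deploy-bot"]}   # nested role definition
# Permissions actually exercised, as would be derived from audit logs (constructed).
USED = {
    "alice": {"repo:read"}, "bob": {"repo:read"}, "carol": {"k8s:*"},
    "svc-deployer": {"deploy:run"},
}

def groups_of(principal):
    """All groups a principal belongs to, transitively; tolerates membership cycles."""
    seen, queue = set(), deque([principal])
    while queue:
        p = queue.popleft()
        for g, members in GROUPS.items():
            if p in members and g not in seen:
                seen.add(g)
                queue.append(g)
    return seen

def role_permissions(role):
    """Flatten a role and every role it includes into one permission set."""
    seen, perms, stack = set(), set(), [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        perms |= ROLES.get(r, set())
        stack.extend(ROLE_INCLUDES.get(r, []))
    return perms

def effective_permissions(principal):
    """Union of permissions from the principal's own bindings and all inherited group bindings."""
    perms = set()
    for p in {principal} | groups_of(principal):
        for role in ROLE_BINDINGS.get(p, []):
            perms |= role_permissions(role)
    return perms

def unused_permissions(principal):
    """Effective minus exercised: the candidates for least-privilege removal."""
    return effective_permissions(principal) - USED.get(principal, set())

def risk_score(principal):
    """Illustrative score: one point per permission, extra for wildcards and secrets access."""
    perms = effective_permissions(principal)
    score = len(perms)
    score += 5 * sum(1 for p in perms if p.endswith(":*"))
    score += 3 * sum(1 for p in perms if p.startswith("secrets:"))
    return score

def orphan_candidates():
    """Principals that hold a direct role binding but belong to no group and show no activity."""
    group_names = set(GROUPS)
    return sorted(p for p in ROLE_BINDINGS
                  if p not in group_names and not groups_of(p) and p not in USED)

if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "svc-deployer", "svc-legacy"):
        print(who, sorted(effective_permissions(who)), "unused:", sorted(unused_permissions(who)),
              "risk:", risk_score(who))
    print("orphan candidates:", orphan_candidates())
```

The resolver walks group membership upward and role inclusion downward, so a permission two hops away (carol gets `deploy:run` only because `platform-team` binds `cluster-admin`, which includes `deploy-bot`) still appears in her effective set; that is the kind of nested path a manual access review tends to miss.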
The Evolution of Privileged Access Management (PAM)
- Scoping of the Definition: The architectural evolution of the legacy PAM market, shifting from rigid vaulting architectures that secured static passwords for IT administrators to managing the highly elevated privileges of virtually every developer, cloud engineer, and application workload in a multi-cloud, AI-driven development environment.
- Definitional Technology, Feature, and Service Lines: Relies on the total, industry-wide deprecation of standing permissions by shifting the entire paradigm toward Zero Standing Privileges (ZSP). Under this model, access is dynamically provisioned Just-In-Time (JIT), scoped strictly to the specific administrative action, and revoked immediately upon task completion.
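The Zero Standing Privileges pattern that both the AIAP and PAM entries rely on (no standing grant, a Just-In-Time credential scoped to one resource and action, automatic expiry, and revocation when the task concludes) is illustrated below as an added example; it is not code from the page or from any vendor's product. The broker, its HMAC-signed token format, and the `allow_request` policy table are hypothetical simplifications: a real deployment would keep the signing key in a KMS or HSM, and the request policy would be driven by the agent's declared intent rather than a static table.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical broker signing key, generated per process for this example only.
BROKER_KEY = secrets.token_bytes(32)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class AccessBroker:
    """Minimal JIT/ZSP broker: a principal holds nothing until it requests a task-scoped
    credential; the credential names one resource and one action and carries its own expiry."""

    def __init__(self, key: bytes = BROKER_KEY, now=time.time):
        self._key = key
        self._now = now               # injectable clock so expiry can be tested deterministically
        self._revoked = set()         # token ids whose task has concluded
        self._policy = {}             # subject -> set of (resource, action) it may request

    def allow_request(self, subject, resource, action):
        """Record what a subject is eligible to request; this is not a standing grant."""
        self._policy.setdefault(subject, set()).add((resource, action))

    def issue(self, subject, resource, action, ttl_seconds=300):
        """Mint a short-lived credential bound to exactly one (resource, action) pair."""
        if (resource, action) not in self._policy.get(subject, set()):
            raise PermissionError(f"{subject} may not request {action} on {resource}")
        claims = {"jti": secrets.token_hex(8), "sub": subject, "res": resource,
                  "act": action, "exp": int(self._now()) + ttl_seconds}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def authorize(self, token, resource, action):
        """Deterministic decision: (allowed, reason). Checks integrity, revocation, expiry, scope."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return False, "malformed"
        expected = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
        if claims["jti"] in self._revoked:
            return False, "revoked"
        if self._now() >= claims["exp"]:
            return False, "expired"
        if (claims["res"], claims["act"]) != (resource, action):
            return False, "out of scope"
        return True, "ok"

    def complete_task(self, token):
        """Revoke immediately when the task concludes rather than waiting for expiry."""
        body = token.split(".")[0]
        self._revoked.add(json.loads(_unb64(body))["jti"])

if __name__ == "__main__":
    broker = AccessBroker()
    broker.allow_request("agent-42", "db:orders", "read")
    cred = broker.issue("agent-42", "db:orders", "read", ttl_seconds=60)
    print(broker.authorize(cred, "db:orders", "read"))    # allowed, in scope
    print(broker.authorize(cred, "db:orders", "write"))   # denied, out of scope
    broker.complete_task(cred)
    print(broker.authorize(cred, "db:orders", "read"))    # denied, revoked
```

The order of checks matters for the audit trail: signature first so a forged token never reaches policy logic, then revocation and expiry so a concluded task is reported as such even if the clock is wrong, and scope last. Nothing in the broker grants access to a principal that has not presented a currently valid, task-bound credential, which is what "zero standing privileges" means in practice.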
Identity Security
- Scoping of the Definition: Centralizing access control and authentication.
- Definitional Technology, Feature, and Service Lines: Centralized Identity and Access Management (IAM), Single Sign-On (SSO) federations, and Multi-Factor Authentication (MFA).