Identity Security Knowledge Hub

The Complete Identity Security Glossary

Every IAM, IGA, PAM, CIEM, and Zero Trust term explained clearly - from foundational concepts to AI-driven identity security.

A
Quick Answer: Access Certification (also known as User Access Review) is the periodic process of verifying that users only have the permissions they need for their jobs. It's a critical compliance requirement for SOC2, SOX, and HIPAA.
Access Certification (UAR)
Tags: Governance, Compliance
The process where managers or resource owners periodically review and "certify" that a user's access rights are still appropriate for their current job function. This is a core requirement for regulatory compliance (SOX, HIPAA, SOC2) to prevent "privilege creep." Modern IGA platforms like ObserveID use AI to highlight high-risk access, making reviews faster and more accurate.
Why it matters: Without regular certification, employees accumulate "zombie" permissions from previous roles, creating massive security gaps.
AI-Driven Identity Security (Autonomous Identity)
Tags: AI, Threat, Governance
The use of machine learning and artificial intelligence to automate identity processes that were previously manual. This includes analyzing billions of access events to detect anomalies, automatically recommending the removal of unused permissions, and predicting potential security risks before they are exploited. ObserveID's core engine is built on this "Identity Intelligence" to provide real-time protection.
B
Birthright Access
Tags: Governance, Access
The set of access rights and application entitlements automatically granted to a new employee based on their role, department, or job function at the time of onboarding - without requiring a manual request. Birthright access automates provisioning and ensures consistency. ObserveID's platform provisions birthright roles automatically during the Joiner workflow.
C
Quick Answer: CIEM (Cloud Infrastructure Entitlement Management) manages and right-sizes permissions across cloud environments like AWS, Azure, and GCP to eliminate over-privileged cloud identities.
Cloud Infrastructure Entitlement Management (CIEM)
Tags: Cloud, Access
A category of security solutions that discover, analyze, and right-size permissions and entitlements across cloud platforms (AWS, Azure, GCP, OCI). CIEM identifies risky over-permissioned identities - both human and non-human - and enforces least privilege in dynamic cloud environments where traditional IGA tools struggle. ObserveID extends identity governance natively into CIEM.
Why it matters: The average cloud user has hundreds of permissions they never use. CIEM eliminates these invisible attack surfaces before adversaries exploit them.
Continuous Compliance
Tags: Compliance, Automation
An approach to regulatory compliance that replaces point-in-time audits with ongoing, automated monitoring and policy enforcement. Instead of preparing for an annual SOX or HIPAA audit, organizations maintain a perpetually audit-ready state through real-time policy checks, automated access reviews, and live compliance dashboards.
Why it matters: Point-in-time audits only capture a snapshot. Continuous compliance closes the gap between audits when most violations actually occur.
Converged Identity Platform
Tags: Access, Governance, Cloud
A unified platform that consolidates IAM, IGA, PAM, and CIEM capabilities into a single solution with one interface, one policy engine, and one data model. Contrasts with the traditional approach of deploying separate point solutions for each identity function. ObserveID is purpose-built as a converged identity security platform.
D
Deprovisioning
Tags: Access, Governance
The process of revoking a user's access rights, disabling accounts, and removing entitlements when an employee leaves the organization (Leaver) or changes roles (Mover). Timely deprovisioning is critical - orphaned accounts from departed employees are among the most exploited attack vectors. ObserveID automates the Leaver workflow to trigger immediate deprovisioning across all connected systems.
Dynamic Access Control
Tags: Access, AI
An access control approach where permissions are granted or adjusted in real time based on contextual signals - user behavior, device posture, location, risk score, and resource sensitivity - rather than fixed static roles. Dynamic access is a core enabler of Zero Trust architectures.
E
Entitlement Management
Tags: Governance, Access
The discipline of discovering, cataloguing, and governing all access rights (entitlements) that identities hold across applications, databases, cloud environments, and infrastructure. Entitlement management answers: "Who has access to what, and should they?" It underpins access reviews, role mining, and least privilege enforcement.
G
Quick Answer: Identity governance is the framework of policies and automated controls that ensure the right people have the right access to the right resources - and that this access is continuously reviewed, enforced, and documented for compliance.
GDPR & Identity Governance
Tags: Compliance, Governance
The General Data Protection Regulation (GDPR) requires organizations to protect personal data, enforce data minimization, and demonstrate accountability for who accesses personal data. Identity governance supports GDPR by enforcing least privilege, automating access reviews, maintaining full audit trails, and enabling rapid user data deletion ("right to be forgotten") during offboarding.
H
HIPAA & Identity Governance
Tags: Compliance, Access
The Health Insurance Portability and Accountability Act (HIPAA) mandates strict access controls to protected health information (PHI). Identity governance supports HIPAA compliance by enforcing role-based access to PHI systems, automating access reviews, detecting unauthorized access attempts, generating compliance reports, and maintaining comprehensive audit logs of all identity activity.
Why it matters: Healthcare organizations face HIPAA penalties up to $1.9M per violation category. Identity governance directly reduces this risk by ensuring only authorized personnel access PHI.
I
Quick Answer: IAM (Identity and Access Management) is the technology framework for managing digital identities and controlling who can access what within an organization. IGA (Identity Governance and Administration) adds oversight, policy enforcement, and compliance to IAM.
Identity and Access Management (IAM)
Tags: Access, Governance
The overarching discipline and technology stack for managing digital identities, controlling user authentication, and governing who can access which resources. IAM encompasses user provisioning, authentication (SSO, MFA), authorization, and access lifecycle management. Modern IAM has evolved from on-premises directories to converged platforms spanning hybrid and multi-cloud environments.
Identity Governance and Administration (IGA)
Tags: Governance, Compliance, Access
The discipline and technology that combines identity governance (who should have access, verified through policy and access reviews) with identity administration (the operational execution of provisioning, deprovisioning, and role management). IGA platforms are the system of record for all identity and access decisions in an enterprise. Key capabilities include access certifications, role management, separation of duties enforcement, and compliance reporting. ObserveID's IGA automates governance, access reviews, and policy enforcement across every application and user.
Why it matters: IGA is the control layer that keeps IAM honest - ensuring that identity administration decisions align with business policy and regulatory requirements.
Identity Threat Detection and Response (ITDR)
Tags: Threat, AI
A security discipline focused on detecting, investigating, and responding to threats targeting identity infrastructure - including compromised credentials, privilege escalation, lateral movement, and insider threats. ITDR combines behavioral analytics, real-time anomaly detection, and automated response to identity-based attacks. It is a critical component of modern identity security platforms.
Why it matters: Over 80% of breaches involve compromised credentials or identity abuse. ITDR provides the detection layer that traditional IAM lacks.
Identity Lifecycle Management (ILM)
Tags: Governance, Access, Automation
The end-to-end management of a digital identity from creation (onboarding/Joiner) through changes (role transitions/Mover) to termination (offboarding/Leaver). Identity lifecycle management automates provisioning, access changes, and deprovisioning to reduce manual overhead, eliminate orphan accounts, and ensure access stays appropriate throughout an employee's tenure.
J
Quick Answer: Joiner-Mover-Leaver (JML) refers to the three identity lifecycle events organizations must manage: onboarding new employees (Joiners), updating access when employees change roles (Movers), and revoking access when employees leave (Leavers).
Joiner-Mover-Leaver (JML)
Tags: Governance, Automation, Access
The three core identity lifecycle events every organization must manage:
- Joiner: a new employee joins and needs accounts, access, and entitlements provisioned.
- Mover: an employee changes roles, departments, or locations and needs access updated (old access removed, new access granted).
- Leaver: an employee departs and all access must be revoked immediately.
Automating JML is foundational to secure identity governance.
Why it matters: Manual JML processes cause orphan accounts, privilege creep, and delayed deprovisioning - all primary attack vectors. ObserveID automates the entire JML workflow with AI-driven orchestration.
Just-in-Time Access (JIT Access)
Tags: Access, Cloud, Governance
A security model where privileged or elevated access is granted dynamically for a specific task and time window, then automatically revoked when the window expires - rather than granting standing (permanent) privileged access. Just-in-Time access eliminates always-on admin rights, dramatically shrinking the attack surface for privileged account compromise.
Why it matters: Standing privileged accounts are a top target for attackers. JIT access means there is no standing privilege to steal - access exists only when needed.
L
Quick Answer: Least privilege access means every user, system, and application should have only the minimum permissions required to perform their specific tasks - and nothing more.
Least Privilege Access (PoLP / POLP)
Tags: Access, Governance, Cloud
The security principle that every user, process, and system should operate with the minimum level of access privileges needed to perform legitimate tasks - and no more. Applying least privilege reduces the blast radius of compromised accounts and limits lateral movement. Enforcing least privilege at scale requires automated entitlement discovery, role optimization, and ongoing access certification.
Why it matters: Most breaches are made significantly worse because compromised accounts had far more access than required. Least privilege limits the damage from any single compromised identity.
M
Multi-Factor Authentication (MFA)
Tags: Access
An authentication method requiring users to verify their identity using two or more independent factors: something you know (password), something you have (authenticator app or hardware token), and/or something you are (biometrics). MFA is one of the most effective controls against credential-based attacks, blocking over 99% of automated account takeover attempts.
N
Quick Answer: Non-Human Identities (NHIs) are machine accounts, service accounts, API keys, bots, and AI agents that access systems and data without a human user. They now outnumber human identities by as much as 82:1 in enterprise environments.
Non-Human Identity (NHI)
Tags: Cloud, Threat, AI
Any digital identity that belongs to a machine, application, or automated process rather than a human user. NHIs include service accounts, API keys, OAuth tokens, SSH keys, robotic process automation (RPA) bots, CI/CD pipeline identities, cloud workload identities, and AI agents. NHIs now vastly outnumber human identities in enterprise environments (often 80:1).
O
Orphan Accounts
Tags: Governance, Threat
Active user accounts that remain enabled in systems after the associated employee has left the organization. Orphan accounts are a critical security risk - they can be exploited by former employees, used in credential stuffing attacks, or leveraged by external attackers who discover them. Automating deprovisioning through IGA eliminates orphan accounts at the source. ObserveID customers have reported detecting and eliminating 30%+ orphaned accounts post-deployment.
P
Quick Answer: PAM (Privileged Access Management) secures, controls, and monitors access to accounts with elevated permissions - like system administrators, database admins, and root accounts - that pose the highest risk if compromised.
Privileged Access Management (PAM)
Tags: Access, Threat, Compliance
A security discipline that controls and monitors access to highly privileged accounts - administrator accounts, root accounts, service accounts, and emergency access accounts. PAM capabilities include privileged account discovery, password vaulting, session recording, just-in-time privilege elevation, and privilege activity analytics. Privileged accounts are the primary target in advanced attacks because they provide the access needed to move laterally and cause significant damage. ObserveID integrates PAM natively within its converged identity platform.
Why it matters: Compromised privileged accounts are involved in the majority of catastrophic data breaches. PAM is non-negotiable for enterprise security.
User Provisioning
Tags: Governance, Access, Automation
The automated or manual process of creating, configuring, and managing user accounts and access rights across all systems, applications, and directories. Automated provisioning ensures new employees receive appropriate access instantly on their first day (based on role) without IT tickets. It also updates access when employees change roles and removes access when they leave.
Privilege Creep
Tags: Access, Threat
The gradual accumulation of access rights beyond what a user currently needs, typically resulting from role changes, project-based access grants, and failure to revoke old permissions. Privilege creep is one of the most common identity security failures - the average enterprise employee retains access to systems from previous roles for months or years. Regular access certifications and automated Mover workflows are the primary controls against privilege creep.
R
Role-Based Access Control (RBAC)
Tags: Access, Governance
An access control model where permissions are assigned to roles (e.g., "Finance Manager," "IT Administrator") rather than directly to individual users. Users are then assigned to roles, inheriting the associated permissions. RBAC simplifies access management at scale and is the foundational model for most enterprise IGA platforms. Often combined with ABAC for more granular context-aware decisions.
Regulatory Compliance (Identity)
Tags: Compliance, Governance
The requirements imposed by regulations and standards (SOX, HIPAA, GDPR, PCI-DSS, ISO 27001, NIST) that mandate how organizations manage, monitor, and document identity and access. Identity governance is the primary technical control for meeting access-related compliance requirements - automating access reviews, generating audit reports, enforcing SoD, and maintaining tamper-proof access logs.
S
Quick Answer: Segregation of Duties (SoD) prevents any single user from having access combinations that could allow fraud or error - for example, an employee who can both create and approve purchase orders.
Segregation of Duties (SoD)
Tags: Compliance, Governance
A fundamental internal control principle that divides critical functions between multiple individuals to prevent errors and fraud. In identity governance, SoD means preventing any single user from holding access combinations that create unacceptable risk - such as the ability to create vendors and approve payments simultaneously. IGA platforms enforce SoD by defining conflicting permission combinations and blocking or flagging their assignment. SoD enforcement is a core SOX and PCI-DSS requirement.
Why it matters: SoD violations are among the top findings in SOX audits. Automated SoD enforcement through IGA prevents violations before they occur rather than detecting them during an audit.
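The two controls this entry contrasts, as an added example that is not ObserveID's code: a preventive toxic-combination check evaluated before an entitlement is assigned (block, or flag when a documented exception exists), plus a detective scan over existing holders of the kind run during an access certification. The rule names and entitlement strings are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed SoD policy: a rule is violated when one identity holds every
# entitlement in the set. Names are illustrative, not any product's schema.
SOD_RULES = {
    "vendor-create-and-payment-approve": frozenset(
        {"ap:vendor.create", "ap:payment.approve"}),
    "po-create-and-po-approve": frozenset(
        {"procurement:po.create", "procurement:po.approve"}),
}


@dataclass
class Identity:
    user_id: str
    entitlements: set = field(default_factory=set)


def sod_violations(entitlements):
    """Return the rules whose full conflicting set is held.

    Subset test: a rule naming three entitlements is only violated when all
    three are held, so partial overlap never produces a false positive.
    """
    held = set(entitlements)
    return sorted(name for name, combo in SOD_RULES.items() if combo <= held)


def evaluate_request(identity, requested, exception_ticket=None):
    """Preventive control, evaluated before the entitlement is assigned.

    'allow' when the request creates no conflict; 'block' when it would;
    'flag' when an approved exception exists, so the grant proceeds but is
    surfaced at the next certification instead of silently accumulating.
    """
    violations = sod_violations(identity.entitlements | {requested})
    if not violations:
        return {"decision": "allow", "violations": []}
    if exception_ticket:
        return {"decision": "flag", "violations": violations,
                "exception": exception_ticket}
    return {"decision": "block", "violations": violations}


def certify_population(identities):
    """Detective control over existing assignments, as run during an access
    review: map each user_id to the SoD rules that identity currently violates.
    Users with no violations are omitted so the reviewer sees only findings."""
    return {i.user_id: v for i in identities
            if (v := sod_violations(i.entitlements))}


if __name__ == "__main__":
    alice = Identity("alice", {"ap:vendor.create"})          # constructed user
    print(evaluate_request(alice, "ap:payment.approve"))     # blocked
    bob = Identity("bob", {"procurement:po.create", "procurement:po.approve"})
    print(certify_population([alice, bob]))                  # bob flagged
```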
Single Pane of Glass
Tags: Access, Cloud
A unified management interface that provides a consolidated, real-time view of all identity activity, access rights, and security events across on-premises, cloud, and hybrid environments - from one dashboard, without switching between multiple tools. A single pane of glass is a key design principle of converged identity platforms, eliminating the blind spots created by fragmented point solutions.
SOX & Identity Access Management
Tags: Compliance, Governance
The Sarbanes-Oxley Act (SOX) requires publicly traded companies to maintain internal controls over financial reporting, including strict access controls. SOX Section 404 mandates that organizations demonstrate who has access to financial systems, that access is reviewed regularly, and that SoD is enforced. Identity governance platforms provide the automated access reviews, SoD enforcement, and audit reporting required for SOX compliance.
U
Universal Connector (UC)
Tags: Access, Cloud
A flexible integration architecture that connects an identity platform to enterprise applications, directories, databases, and cloud services using standardized protocols (SCIM, APIs, LDAP) and pre-built connectors. A universal connector approach enables an IGA platform to govern all enterprise systems from one platform, including legacy applications without modern API support, using RPA-based connectors. ObserveID's Universal Connector supports 100+ out-of-the-box application connectors.
User and Entity Behavior Analytics (UEBA)
Tags: Threat, AI
Security analytics that establish behavioral baselines for users and entities (devices, applications, service accounts), then detect anomalies that may indicate compromise, insider threats, or policy violations. UEBA uses machine learning to identify unusual access patterns - logins at odd hours, bulk data downloads, access to systems outside normal scope - without requiring predefined rules for every attack scenario.
Z
Quick Answer: Zero Trust is a security model based on the principle "never trust, always verify" - no user, device, or network is inherently trusted, and every access request must be continuously authenticated and authorized.
Zero Trust (Identity), also Zero Trust Architecture (ZTA)
Tags: Access, Cloud, Threat
A security architecture and strategy based on the principle of "never trust, always verify." Zero Trust assumes that threats exist both inside and outside the network perimeter, so no identity - user, device, or application - is inherently trusted. Every access request must be authenticated, authorized, and continuously validated based on identity, device health, location, and behavior. Identity governance is foundational to Zero Trust, as you cannot enforce "least privilege" or "verify explicitly" without knowing who everyone is and what they should be able to access.
Why it matters: The traditional perimeter-based security model is obsolete in a hybrid, cloud-first world. Zero Trust is now a NIST standard (SP 800-207) and a requirement for federal agencies and many enterprise security frameworks.

See identity governance in action

ObserveID unifies IAM, IGA, PAM, and CIEM in one AI-powered platform. Schedule a live demo with our team.
