Our glossary makes IAM easy to understand.

From A for authentication to Z for zero trust: Here you will find simple explanations of technical terms from the world of digital identities.

A
Access Management
Access management is one of the core disciplines of identity and access management (IAM). It controls and monitors who is allowed to access what, and ensures that only authorized users or systems can access digital resources such as applications, data, or services.
Active Directory (Microsoft)
Active Directory (AD) is an on-premises, centralized directory service from Microsoft that serves as the hub for managing users, groups, devices, and access rights in many organizations. Introduced with Windows Server, AD enables centralized control of authentication, authorization, and system administration within a network.
C
Certification & Recertification
Certification means that those responsible regularly check and confirm whether access rights are still correct and necessary. Recertification repeats this process at fixed intervals. This is a central part of modern identity governance and is often required by regulation.
Customer Identity and Access Management (CIAM)
Customer Identity and Access Management (CIAM) describes technologies and processes that companies use to securely manage the digital identities of their external users, i.e., customers or partners. Unlike traditional IAM, which focuses on employees, CIAM focuses on customer experience, security, and data protection.
D
Deprovisioning
Deprovisioning refers to the process of controlled withdrawal of digital identities and access rights, e.g., when an employee leaves the company or changes to a new role. The aim is to prevent unauthorized access to systems, data, and applications.
Digital identity
Digital identity describes all information that makes a person, device, or system uniquely identifiable in the digital space. This includes user accounts, access data, roles, permissions, and biometric characteristics, regardless of whether they are stored locally, in the cloud, or in a hybrid system.
E
EUDI Wallet (European Digital Identity Wallet)
The EUDI Wallet (European Digital Identity Wallet) is the EU's new digital wallet. It is designed to enable all EU citizens to identify themselves online with documents such as ID cards, proof of age, educational qualifications, or professional licenses. The wallet is based on standardized, verifiable evidence and is designed for data minimization. Companies must accept the wallet in certain processes (e.g., opening an account, applying for a job, concluding a contract) by 2026 at the latest.
F
Federation (Identity Federation)
Federation (also: identity federation) refers to a trust relationship between several independent identity sources. It enables users to log in securely across organizational boundaries without having to create a new account.
I
Identity Fabric
An identity fabric is a holistic, cross-architecture approach to managing digital identities in complex IT landscapes. It connects existing systems such as identity providers, access management, directory services, and governance solutions into a logical layer without the need to redevelop individual applications or infrastructures.
Identity Governance & Administration (IGA)
Identity governance and administration (IGA) refers to the sub-area of identity and access management (IAM) that focuses on the control, traceability, and automation of user identities and access rights. While IAM enables access, IGA ensures that this access complies with security and compliance requirements.
Identity Lifecycle Management (ILM)
Identity Lifecycle Management (ILM) refers to the controlled, rule-based handling of digital identities throughout their entire lifecycle – from creation to deactivation or deletion. The aim is to keep identities and authorizations up to date, accurate, and secure at all times. ILM is a central component of modern IAM architectures and forms the basis for automated, compliant user management.
Identity and Access Management (IAM)
Identity and Access Management (IAM) is a framework of policies, processes, and technologies for managing digital identities and controlling access rights. The goal is to ensure that only authorized persons have access to IT systems and sensitive data in a traceable, compliant, and secure manner.
L
Least Privileged Access Control (Principle of Least Privilege – PoLP)
Least privilege, also known as the principle of least privilege (PoLP), is a key security principle in identity and access management (IAM). It states that users, systems, applications, or devices should only be granted the minimum access rights they need to perform their tasks.
O
OpenID Connect (OIDC)
OpenID Connect (OIDC) is a modern, open authentication protocol based on the OAuth 2.0 standard. It allows users to log in securely and conveniently to various applications with just one central login service (identity provider, or IdP for short). OpenID Connect extends OAuth 2.0 with a standardized method for authenticating users.
Orphaned Account
An orphaned account is a user account in a system that can no longer be assigned to an active person, for example, because an employee has left the company and their access has never been deactivated. Such "orphaned" accounts often remain active for years without being noticed, sometimes with extensive access rights.
P
Password vaulting
Password vaulting is a central component of modern privileged access management (PAM) strategies. It involves storing highly privileged access data such as admin passwords, root accounts, or service credentials in a protected, encrypted password vault. Access to this information is strictly controlled, logged, and ideally temporary.
Privileged Access Management (PAM)
Privileged Access Management (PAM) refers to measures, processes, and technologies that control and monitor access to particularly sensitive accounts and systems. The aim is to prevent the misuse of privileged permissions and ensure the security of critical IT resources.
Provisioning
User provisioning refers to the automated process of creating, updating, and managing user accounts and access rights in applications and systems. Deprovisioning removes or deactivates these access rights as soon as a user leaves the company or changes roles.
S
SAML (Security Assertion Markup Language)
SAML (Security Assertion Markup Language) is an open standard for the secure transfer of authentication and authorization data between an identity provider (IdP) and a service provider (SP). The protocol is based on XML and is primarily used in corporate and government environments for single sign-on (SSO).
Segregation of Duties (SoD)
Segregation of Duties (SoD), also known as Separation of Duties, is a fundamental governance and security principle that ensures no single individual has full control over an entire process. Its purpose is to prevent errors, misuse, and fraud by distributing responsibilities and establishing clear accountability.
Single sign-on (SSO)
Single sign-on (SSO) refers to an authentication procedure in which users only have to log in once to access multiple services or applications. A central provider verifies the identity and passes this confirmation on to other services.
Z
Zero Trust
Zero Trust is a security approach that assumes that no user, device, or system is automatically trustworthy, regardless of whether it is located inside or outside the corporate network. Every access must be continuously verified, authorized, and monitored. The goal is to minimize risks and effectively prevent unauthorized access.