Identity and Access Management (IAM) is the comprehensive framework of policies, processes and technologies used to manage digital identities and control access to an organisation's resources. IAM encompasses user provisioning and deprovisioning, authentication (verifying who someone is), authorisation (determining what they can access), role-based access control (RBAC), privileged access management and regular access reviews to ensure the principle of least privilege is maintained.
IAM is one of the most critical control domains in virtually every compliance framework, including ISO 27001 (Annex A.9), SOC 2, GDPR and NIS2, because improper access controls are among the leading causes of data breaches. A well-implemented IAM programme ensures that only authorised individuals can access sensitive systems and data, provides a complete audit trail of access events and enables rapid access revocation when employees leave the organisation or change roles.