Focus Area: Identity and access management controls and authentication frameworks
This ontology provides citation-quality definitions for 15 foundational terms, backed by authoritative sources from standards bodies (NIST, W3C, IETF, OASIS, ISO) and peer-reviewed research.
Technical Glossary
A staged process for validating that a claimed identity corresponds to a real subject at an assurance level appropriate to the risk of the transaction. The ladder lets organizations calibrate enrollment rigor instead of using the same proofing standard for every user and use case.
The explicit limit that defines where one identity provider’s assurances stop and a relying party’s local controls begin. Clear boundaries prevent misplaced trust when authentication, authorization, and accountability are spread across multiple organizations.
An access design in which permissions are granted in narrowly scoped combinations that align to tasks, data sensitivity, device context, and time. The mesh reduces the damage potential of compromised identities by avoiding broad standing entitlements.
A contextual indicator—such as device health, location, behavior, or transaction sensitivity—that modifies authentication requirements at runtime. Adaptive signals allow stronger verification when risk rises without forcing the same friction onto every session.
The policies and controls that govern how credentials are issued, rotated, suspended, recovered, and retired across their usable life. Strong lifecycle governance closes common gaps where valid credentials outlive the business need that justified them.
A control pattern that restricts how elevated sessions are established, monitored, segmented, and terminated so administrative power does not become an unrestricted attack path. It emphasizes supervision and blast-radius reduction for the highest-consequence sessions.
The distributed logic layer that evaluates access requests against identity attributes, risk signals, role rules, and environmental context before a decision is enforced. A policy fabric makes authorization consistent across applications that would otherwise implement access differently.
The recurring timetable for confirming that accounts, roles, group memberships, and privileged grants still reflect current organizational need. Review cadence matters because identity risk grows quietly when entitlements are never revisited after provisioning.
A signed claim that a subject holds a specific organizational function or authority level that a relying system can validate before granting access. It allows role information to travel with integrity across systems instead of being re-entered or assumed.
A method for granting higher privileges only for a limited task window and only after explicit checks or approvals are satisfied. It reduces standing administrative exposure while still allowing urgent work to proceed.
A model that combines identity proofing strength, authentication events, behavioral anomalies, device posture, and threat intelligence into a dynamic confidence assessment. The score helps access systems shift from static trust to continuously evaluated trust.
A governed inventory of service accounts, workloads, certificates, keys, and non-human principals that require authentication and authorization controls. The registry prevents machine identities from becoming invisible backdoors in otherwise mature IAM programs.
A verifiable signal that a live session still matches the conditions under which access was originally granted, including token state, device posture, and request legitimacy. Continuous attestation supports re-evaluation instead of trusting every session until timeout.
A design principle that limits the spread of impact when a partner identity provider, trust assertion, or federation link fails or is abused. Isolation ensures that one broken trust connection does not automatically compromise every dependent application.
The speed and completeness with which a denial, suspension, or role change is pushed across connected systems, caches, and federated environments. Strong propagation closes the dangerous lag between deciding access should stop and the moment it actually stops.