Identity Glossary
Clear, practical definitions for the identity security concepts that matter most — from ISPM and attack paths to shadow admins and non-human identity risk.
133 terms across 8 categories
What is Identity and Access Management?
Identity and Access Management, or IAM, is the set of policies, processes, and technologies used to manage digital identities and control access to systems, applications, data, and infrastructure.
IAM Basics: A Beginner's Guide to Identity and Access Management
A beginner-friendly guide to Identity and Access Management. Learn how IAM works, the core building blocks, real-world examples, and the practices that help organizations control who can access what.
Authentication vs Authorization: What is the Difference?
Authentication answers 'who are you?' while authorization answers 'what are you allowed to do?'. Learn the difference, how they work together, real-world examples, and common mistakes.
What is Least Privilege Access?
Least privilege access is the principle of granting every identity only the permissions it needs to perform its task — and nothing more. Learn what it means, why it matters, and how to implement it.
What is Role-Based Access Control?
Role-Based Access Control (RBAC) is an access management model where permissions are assigned to roles, and users get permissions by being assigned to roles. Learn how it works, examples, and best practices.
What is Attribute-Based Access Control?
Attribute-Based Access Control (ABAC) makes authorization decisions using attributes of the user, the resource, the action, and the environment. Learn what ABAC is, how it differs from RBAC, examples, and best practices.
What is Privileged Access Management?
Privileged Access Management (PAM) is the security discipline of controlling, monitoring, and securing accounts and sessions that hold elevated privileges. Learn what PAM is, how it works, and why it matters.
What is Identity Lifecycle Management?
Identity Lifecycle Management is the end-to-end process of creating, updating, and removing identities across systems — from joiner to mover to leaver. Learn how it works and why it matters.
What is Access Review?
Access review is the process of periodically verifying that users, applications, and other identities still need the access they have. Learn what access reviews are, why they matter, and how to do them well.
Common IAM Mistakes That Increase Security Risk
Most identity-related breaches succeed because of common, well-known IAM mistakes — not exotic attacks. Learn the most damaging IAM mistakes, why they happen, and how to fix them.
What Is Overprivileged Access?
Overprivileged access exists when a user, application, service account, or workload has more permissions than it actually needs, expanding blast radius and risk.
What is Identity Security?
Identity security is the discipline of protecting human and non-human identities, the credentials they use, and the access they hold across an organization's environment.
Why Identity is the New Security Perimeter
Cloud, SaaS, remote work, and APIs have erased the network perimeter. Identity has replaced it as the primary security boundary. Here's why — and what it means for defenders.
What is Identity Risk Management?
Identity risk management is the discipline of identifying, prioritizing, and reducing risks tied to human and non-human identities and their access. Learn what it means, why it matters, and how to do it well.
What is an Identity-Based Attack?
Identity-based attacks abuse legitimate identities, credentials, sessions, or trust relationships rather than exploiting software vulnerabilities. Learn the most common types and how to defend against them.
What is Privilege Escalation?
Privilege escalation is the process by which an attacker (or insider) gains higher permissions than they were originally granted. Learn the types, real-world examples, and how to defend against it.
What is Lateral Movement?
Lateral movement is how attackers move from one system or identity to another inside an environment, expanding access without triggering detection. Learn the techniques, examples, and defenses.
What is Credential Theft?
Credential theft is the act of stealing usernames, passwords, hashes, tokens, certificates, or session cookies to impersonate a legitimate identity. Learn the techniques, real examples, and defenses.
What is Toxic Combination in Identity Security?
A toxic combination is a set of permissions, roles, or attributes that — while individually safe — combine to create unacceptable risk. Learn what they are, common examples, and how to detect them.
Identity Security Checklist for Beginners
A practical, beginner-friendly checklist for building identity security from the ground up — covering authentication, privilege, lifecycle, NHIs, AI agents, monitoring, and continuous improvement.
What Is Identity Security Posture Management (ISPM)?
Identity Security Posture Management, or ISPM, is the continuous practice of discovering, assessing, and reducing identity-related risk across human and non-human identities, access, permissions, and trust relationships.
What Is an Identity Visibility & Intelligence Platform (IVIP)?
An Identity Visibility & Intelligence Platform (IVIP) unifies identity and access data across cloud, SaaS, on-premises, and IAM tools into actionable intelligence.
What Is Identity Attack Surface?
The identity attack surface is the full set of identity-related entry points, credentials, permissions, and trust relationships an attacker could exploit.
What Is Attack Path Management (APM)?
Attack Path Management, or APM, is the continuous practice of discovering, analyzing, prioritizing, and reducing the routes an attacker could use to move from an initial foothold to critical assets.
What Is a Shadow Admin?
A Shadow Admin is an identity that can achieve administrative outcomes without being explicitly labeled as an administrator, hidden in nested groups or permissions.
What Is Identity Hygiene?
Identity hygiene is the ongoing practice of keeping the identity environment clean, accurate, and minimal: removing stale accounts, right-sizing access, and reviewing credentials.
What is Active Directory?
Active Directory, often called AD, is Microsoft's directory service used to manage users, computers, groups, devices, permissions, and policies in enterprise Windows environments.
What is Active Directory Security?
Active Directory security is the discipline of protecting AD — the identity backbone of most enterprises — from misconfiguration, abuse, and attack. Learn the risks, controls, and a practical roadmap.
What is a Domain Controller?
A Domain Controller (DC) is the server that authenticates users and enforces policy in an Active Directory domain. Learn what DCs do, FSMO roles, and how to secure them.
What is an Active Directory Domain?
An Active Directory domain is a logical security boundary that groups users, computers, and resources under a common directory and policy. Learn the structure, trusts, and security implications.
What is an Active Directory Forest?
An Active Directory forest is the top-level container in AD and the true security boundary. Learn what it is, how it differs from a domain, and the security implications.
What is Group Policy?
Group Policy is the Active Directory feature for centrally managing configuration and security settings on Windows users and computers. Learn what it does and how attackers abuse it.
What is Kerberos Authentication?
Kerberos is the primary authentication protocol in Active Directory, using a ticket-based system to verify identity without sending passwords. Learn how it works and how attackers abuse it.
What is NTLM Authentication?
NTLM is a legacy challenge-response authentication protocol still used in many Active Directory environments. Learn how it works, why it's risky, and how to phase it out.
What is LDAP?
LDAP is the standard protocol for querying and modifying directory services like Active Directory. Learn how it works, common attacks, and how to harden it.
What is Active Directory Delegation?
AD delegation lets services impersonate users to access other resources on their behalf. Learn the types — unconstrained, constrained, RBCD — and how attackers abuse them.
What is a Domain Admin?
Domain Admin is the highest-privilege standard group in an Active Directory domain. Learn what it can do, why it's the top target for attackers, and how to manage it safely.
What is AdminSDHolder?
AdminSDHolder is a special object in Active Directory that re-applies a strict ACL to privileged accounts every hour. Learn what it does, how attackers abuse it, and how to monitor it.
What is Kerberoasting?
Kerberoasting is an Active Directory attack that lets any authenticated user request service tickets and crack them offline to recover service account passwords. Learn how it works and how to defend.
What is AS-REP Roasting?
AS-REP Roasting targets Active Directory accounts with Kerberos pre-authentication disabled, allowing attackers to crack their passwords offline. Learn how to detect and defend.
What is DCSync?
DCSync is an Active Directory attack that abuses replication rights to extract password hashes — including KRBTGT — directly from a Domain Controller. Learn how it works and how to defend.
What is Pass-the-Hash?
Pass-the-Hash (PtH) is an attack that lets an adversary authenticate using an NTLM password hash without knowing the plaintext password. Learn how it works and how to defend.
What is a Golden Ticket Attack?
A Golden Ticket attack lets attackers forge Kerberos TGTs using the KRBTGT hash, granting them long-lived impersonation of any user — including Domain Admin. Learn how it works.
What is Active Directory Certificate Services?
Active Directory Certificate Services (AD CS) issues certificates used for authentication and encryption across the enterprise. Learn how it works and how to harden ESC1–ESC15 misconfigurations.
Common Active Directory Misconfigurations
Most AD compromises trace back to the same handful of misconfigurations. Learn the most common AD security mistakes and how to fix them.
Active Directory Security Checklist for Beginners
A practical, beginner-friendly checklist for hardening Active Directory — from Tier 0 administration to AD CS, delegation, GPOs, NTLM, and continuous attack-path analysis.
What is Microsoft Entra ID?
Microsoft Entra ID (formerly Microsoft Entra ID (formerly Azure AD)) is Microsoft's cloud-based identity and access management service. Learn what it does, how it differs from on-premises AD, and key security concepts.
Microsoft Entra ID vs Active Directory: What is the Difference?
Microsoft Entra ID and Active Directory are both Microsoft identity services, but they solve different problems. Learn the key differences and how they connect in hybrid environments.
What is a Tenant in Microsoft Entra ID?
An Entra ID tenant is the dedicated identity boundary your organization uses for Microsoft 365, Azure, and SaaS. Learn what it contains and why it's the cloud security boundary.
What is Conditional Access in Microsoft Entra ID?
Conditional Access is the Entra ID policy engine that evaluates context — user, device, location, app, risk — at sign-in and applies controls accordingly. Learn how it works.
What is an Entra ID Role?
Entra ID roles grant permissions to manage users, applications, and policies in your tenant. Learn the major roles, how they differ from Azure RBAC, and how to assign them safely.
What is Global Administrator?
Global Administrator is the highest-privilege role in Microsoft Entra ID. Learn what it can do, why standing GAs are dangerous, and how to manage them safely.
What is an App Registration?
App Registrations define applications in Entra ID — their identity, redirect URIs, secrets, certificates, and API permissions. Learn how they work and how to secure them.
What is a Service Principal?
A Service Principal is the local identity an application uses inside an Entra ID tenant. Learn what it represents, how it differs from a user identity, and how to secure it.
App Registration vs Enterprise Application: What is the Difference?
App Registration and Enterprise Application are two sides of the same OAuth identity in Entra ID. Learn what each represents and when you manage which.
What is Application Consent?
Application Consent is how an Entra ID user or admin authorizes an OAuth app to act with specified permissions. Learn how it works and how to defend against consent phishing.
What is Privileged Identity Management?
Privileged Identity Management (PIM) provides just-in-time, time-bound, approval-based activation for privileged roles in Microsoft Entra ID. Learn how it works.
What is Entra ID Governance?
Microsoft Entra ID Governance bundles identity governance — entitlement management, access reviews, lifecycle workflows, and PIM — into a single product. Learn what it does.
What is an Access Package?
An Access Package bundles groups, apps, and SharePoint sites that users can request as a unit through Entra ID Governance. Learn how they work and how to design them.
What is a Risky User?
A Risky User is a Microsoft Entra ID Identity Protection classification indicating that a user's account is likely compromised. Learn how risk is calculated and how to respond.
Common Microsoft Entra ID Misconfigurations
Most Entra ID compromises trace back to a familiar set of misconfigurations. Learn the most common ones and how to detect and fix them.
Microsoft Entra ID Security Checklist for Beginners
A practical, beginner-friendly checklist for hardening Microsoft Entra ID — from privileged access and Conditional Access to apps, hybrid sync, and continuous monitoring.
What is AWS IAM?
AWS Identity and Access Management (IAM) controls who can do what on AWS. Learn the core building blocks — users, groups, roles, policies — and key security concepts.
AWS IAM Basics: Users, Groups, Roles, and Policies
AWS IAM revolves around four core building blocks — Users, Groups, Roles, and Policies. Learn what each does and how they work together to control AWS access.
AWS IAM User vs Role: What is the Difference?
IAM Users have long-lived credentials; IAM Roles use temporary credentials anyone allowed can assume. Learn the key differences and when to use which.
What is an AWS IAM Policy?
An AWS IAM Policy is a JSON document that defines permissions in AWS. Learn the policy types, evaluation order, and how to write least-privilege policies.
What is an AWS Principal?
An AWS Principal is the entity that makes a request to AWS — a user, role, federated identity, or service. Learn the principal types and how they're referenced in policies.
What is AWS STS?
AWS Security Token Service (STS) issues temporary, limited-privilege credentials for IAM principals. Learn what it does and how to use it safely.
What is AssumeRole in AWS?
AssumeRole is the STS API that lets a principal take on an IAM role's permissions temporarily. Learn how it works and how to secure it.
What is AWS Cross-Account Access?
AWS Cross-Account Access lets principals in one AWS account act in another. Learn the patterns — IAM roles, resource policies, RAM — and how to secure them.
What is a Permission Boundary in AWS?
An AWS Permission Boundary is a policy that caps the maximum permissions a user or role can ever have, regardless of attached policies. Learn how it enables safe delegation.
What is AWS Root Account Risk?
The AWS root account has unrestricted access to everything. Learn the risks of root account misuse and how to lock it down per AWS best practice.
What is an Over-Permissioned AWS IAM Role?
An over-permissioned AWS IAM role has more permissions than the workload needs — the most common AWS misconfiguration. Learn the patterns and how to fix them.
Common AWS IAM Misconfigurations
From wildcard policies to public S3 buckets, learn the most common AWS IAM misconfigurations attackers exploit — and how to detect and fix them.
AWS IAM Security Best Practices
A consolidated list of AWS IAM security best practices — covering identities, policies, federation, monitoring, and recovery — drawn from AWS guidance and real incident response.
AWS IAM Security Checklist for Beginners
A practical beginner-friendly AWS IAM security checklist covering identity, authentication, authorization, multi-account, monitoring, and recovery.
What is Google Cloud IAM?
Google Cloud IAM controls who can do what on which Google Cloud resources. Learn the core concepts — principals, roles, permissions, and policy bindings.
Google Cloud IAM Basics: Principals, Roles, and Permissions
Google Cloud IAM rests on three core ideas: principals, roles, and permissions, joined together by policy bindings on a resource hierarchy. Learn how they interact.
What is a Google Cloud Principal?
A Google Cloud Principal is the entity making a request — a user, group, service account, or federated identity. Learn the principal types and how to use them safely.
What is a Google Cloud Role?
A Google Cloud Role is a named collection of permissions you grant to principals. Learn the basic, predefined, and custom role types and when to use each.
What is a Google Cloud Service Account?
A Google Cloud service account is a special non-human identity for workloads. Learn how it works, how to use it safely, and why it's a top NHI risk.
Basic Roles vs Predefined Roles vs Custom Roles
Google Cloud offers three role types — Basic, Predefined, and Custom. Learn the differences and when to use each for least privilege.
What is Service Account Impersonation?
Service account impersonation lets a principal act as a Google Cloud service account temporarily — eliminating the need for service account keys.
What is Workload Identity Federation?
Workload Identity Federation lets external workloads (CI/CD, AWS, Azure, Kubernetes) authenticate to Google Cloud without service account keys.
What is IAM Policy Binding in Google Cloud?
An IAM policy binding in Google Cloud links a principal to a role on a resource (optionally with a condition). Learn how bindings drive every IAM decision.
What is Google Cloud Resource Hierarchy?
The Google Cloud Resource Hierarchy organizes resources into Organization → Folders → Projects → Resources, with IAM and policies inheriting downward.
What is Least Privilege in Google Cloud IAM?
Least privilege in Google Cloud IAM means granting principals the minimum permissions needed to do their job. Learn how to apply it across the hierarchy.
Common Google Cloud IAM Misconfigurations
From basic roles to public buckets and Token Creator chains, learn the most common Google Cloud IAM misconfigurations and how to fix them.
Google Cloud IAM Security Best Practices
A consolidated list of Google Cloud IAM security best practices — covering identities, roles, hierarchy, federation, monitoring, and recovery.
Google Cloud IAM Security Checklist for Beginners
A practical, beginner-friendly Google Cloud IAM security checklist covering hierarchy, identities, roles, federation, monitoring, and recovery.
What is AI Agent Identity?
AI Agent Identity is the unique digital identity assigned to an AI agent so it can be authenticated, authorized, monitored, governed, and audited.
What is AI Agent Identity Security?
AI agent identity security governs how autonomous AI agents authenticate, are authorized, audited, and contained — a new pillar of identity security.
Why AI Agents Need Their Own Identities
Sharing a service account or piggy-backing on a user breaks attribution, audit, and least privilege for AI agents. Each agent needs its own identity.
Human Identity vs AI Agent Identity: What is the Difference?
Human and AI agent identities differ in behavior, scale, attack surface, and required controls. Learn the differences and how to govern each.
What is Agentic AI Security?
Agentic AI security secures autonomous AI systems that plan, reason, and act. Learn the threat model, controls, and governance unique to agentic AI.
What is AI Agent Authentication?
AI agent authentication establishes who an agent is when it calls APIs and tools. Learn the patterns: OAuth, federation, mTLS, and tokens.
What is AI Agent Authorization?
AI agent authorization decides what an authenticated agent can do — which tools, data, and actions are allowed. Learn the patterns and risks.
What is Delegated Access for AI Agents?
Delegated access lets an AI agent act on behalf of a user — securely if bounded, dangerously if unbounded. Learn the patterns and pitfalls.
What is Agent-to-Agent Authentication?
Agent-to-agent authentication establishes trust between AI agents in multi-agent systems. Learn the patterns and risks.
What is Human-in-the-Loop Authorization?
Human-in-the-loop (HITL) authorization requires a human to approve sensitive AI agent actions before execution. Learn when and how to apply it.
What is AI Agent Access Governance?
AI agent access governance is the program of inventory, ownership, lifecycle, review, and policy enforcement for every AI agent in your environment.
What is an AI Agent Permission Model?
An AI agent permission model defines how tools, data, delegation, and conditions combine to determine what an agent can do at any moment.
What is AI Agent Impersonation Risk?
AI agent impersonation is when something acts as an agent without authorization — or when an agent acts beyond its sanctioned identity. Learn the risks and defenses.
What is Shadow AI Agent?
Shadow AI agents are AI agents deployed in your environment without security or governance review. Learn the risks and how to bring them into the light.
What is Over-Permissioned AI Agent?
An over-permissioned AI agent has more tools, data, or delegation than its use case requires — amplifying every compromise. Learn how to detect and remediate.
What is AI Agent Privilege Escalation?
AI agent privilege escalation is when an agent ends up with more authority than intended — via tool composition, delegation chains, or impersonation.
What is AI Agent Attack Surface?
The AI agent attack surface is every input, tool, identity, and trust relationship an attacker can exploit. Learn the layers and how to map them.
Common AI Agent Identity Security Risks
From shared identities to prompt injection to over-permissioning, learn the most common AI agent identity security risks and how to remediate them.
AI Agent Security Best Practices
A consolidated set of AI agent security best practices covering identity, authorization, prompt safety, monitoring, governance, and incident response.
AI Agent Identity Security Checklist
A practical, prioritized AI agent identity security checklist covering identity, authorization, prompt safety, monitoring, governance, and recovery.
What is a Non-Human Identity?
A Non-Human Identity, often abbreviated as NHI, is a digital identity used by a system, application, service, workload, automation process, device, bot, or AI agent to access resources without direct human interaction.
What is Non-Human Identity Security?
Non-Human Identity (NHI) security covers protecting service accounts, workloads, API keys, OAuth tokens, and bots — the largest and fastest-growing identity surface.
Human Identity vs Non-Human Identity: What is the Difference?
Human and non-human identities differ in lifecycle, authentication, governance, and behavior. Learn the differences and why both need first-class identity programs.
What is a Machine Identity?
A machine identity represents devices, servers, containers, or workloads that authenticate to systems. Learn the types and how to manage them.
What is a Workload Identity?
A workload identity represents an application, service, container, or compute workload — without static credentials when done right.
What is a Service Account?
A service account is a non-human identity used by applications, services, or scripts to authenticate to other systems. Learn the types and how to govern them.
What is an API Key?
An API key is a static credential identifying a calling application. Learn what it is, the risks, and modern alternatives.
What is an OAuth Token?
OAuth tokens — access, refresh, and ID tokens — are the credentials of modern delegated authorization. Learn what each does and how to secure them.
What is a Secret in Cybersecurity?
A secret is any sensitive credential or value (password, key, token, certificate) that grants access. Learn what counts and how to manage them.
What is a Bot Identity?
A bot identity represents an automated actor — Slack bot, Teams bot, RPA bot, chat bot. Learn the types and how to govern them.
What is Non-Human Identity Governance?
Non-Human Identity governance is the discipline of ensuring NHIs are inventoried, owned, scoped, monitored, and lifecycled. Learn the framework.
What is Non-Human Identity Lifecycle Management?
NHI lifecycle management covers provisioning, ownership transfer, scoping changes, recertification, and decommissioning of non-human identities.
What is Non-Human Identity Ownership?
NHI ownership assigns a named human accountable for each non-human identity. Without ownership, NHIs become orphans and risks compound.
What is Secret Rotation?
Secret rotation is the practice of regularly changing credentials to limit the blast radius of leaks. Learn the patterns and how to automate.
What is Hardcoded Credential Risk?
Hardcoded credentials in code, configs, or infrastructure are one of the most common breach vectors. Learn the risks and how to eliminate them.
What is Orphaned Non-Human Identity?
Orphaned NHIs are non-human identities without an owner, unused, or tied to retired use cases. Learn how to find and remediate them.
What is Over-Permissioned Service Account?
An over-permissioned service account holds more privileges than its workload requires. Learn how to detect and right-size.
What is Long-Lived Secret Risk?
Long-lived secrets — credentials valid for months, years, or indefinitely — magnify any leak. Learn the risks and modern alternatives.
What is Non-Human Identity Attack Surface?
The NHI attack surface spans every credential, identity, integration, and trust path attackers can exploit. Learn the layers and how to reduce it.
Common Non-Human Identity Security Risks
From hardcoded credentials to over-permissioned SAs to orphaned identities, learn the most common NHI security risks and how to remediate.
Non-Human Identity Security Best Practices
A consolidated set of NHI security best practices covering discovery, ownership, authentication, scoping, lifecycle, monitoring, and incident response.
Non-Human Identity Security Checklist
A comprehensive checklist for NHI security covering discovery, ownership, authentication, lifecycle, monitoring, governance, and incident response.
What Is Non-Human Identity Risk?
Non-human identity risk is the security risk created by machine-driven identities such as service accounts, service principals, OAuth apps, workloads, API keys, certificates, bots, and AI agents.
See your identity risk clearly.
Start with a 1-day Proof of Value in your own environment.