Identity Security Checklist for Beginners
A practical, beginner-friendly checklist for building identity security from the ground up — covering authentication, privilege, lifecycle, NHIs, AI agents, monitoring, and continuous improvement.
Identity Security Checklist for Beginners
This checklist is a practical starting point for anyone building or improving identity security. It is grouped by area, ordered roughly by impact, and based on industry guidance (NIST SP 800-53, NIST SP 800-207 Zero Trust, CISA / NSA Top 10 Misconfigurations, Microsoft / AWS / Google Cloud security baselines, and the Verizon DBIR's recurring patterns).
You don't need to do everything at once. Start with the highest-impact items, build momentum, and keep going.
1. Identity Foundations
- Single primary identity provider for human identities (Microsoft Entra ID, Okta, Ping, etc.).
- All applications integrated via SSO wherever possible (SAML 2.0 / OIDC).
- No local accounts in apps that support SSO.
- Unique identity per person — no shared accounts.
- Inventory of all identity types: humans, service accounts, workloads, OAuth apps, AI agents, bots.
- Authoritative source of truth for each identity type (HR, vendor management, cloud control plane).
2. Authentication
- Phishing-resistant MFA (FIDO2 / passkeys) for all users.
- MFA enforced on every admin account.
- MFA enforced on break-glass accounts with hardware keys and offline storage.
- Legacy authentication disabled (POP3, IMAP, basic auth, NTLMv1).
- SMS / voice MFA replaced by app-based or hardware-based methods where possible.
- Conditional access considers device posture, risk, and location for sensitive apps.
- MFA fatigue protections enabled (number matching, additional context).
- Help desk identity verification procedures documented and tested.
3. Authorization and Least Privilege
- Default deny. Access is granted only when justified.
- Roles and groups used instead of direct user grants.
- No use of
*:*or built-in super roles for daily work. - Privileged groups are small (Domain Admins, Global Admins, AWS root group equivalents).
- Just-in-Time (JIT) elevation for admin access (PIM, PAM).
- Approval workflows for sensitive elevations.
- Admin and daily-use accounts are separate.
- Tiered administration (Tier 0 / 1 / 2) defined and enforced.
4. Privileged Access Management
- Privileged credentials are vaulted.
- Credentials rotated automatically, ideally after each use.
- Sessions brokered through PAM; direct paths blocked.
- Privileged sessions recorded for audit and forensics.
- Break-glass accounts monitored on every use.
- Cloud-native PIM used for cloud admin roles (Microsoft Entra ID PIM, AWS Identity Center, GCP equivalents).
5. Identity Lifecycle (Joiner / Mover / Leaver)
- HR-driven joiner provisioning with baseline access on day one.
- Mover events trigger access re-evaluation (remove old, grant new).
- Same-day deprovisioning for terminations.
- Sessions and refresh tokens revoked on deprovisioning.
- Owned secrets and service accounts reassigned when employees leave.
- Time-bound access for contractors and project roles.
- Periodic test — sample departed users, verify access is really gone.
6. Access Reviews
- Quarterly review of privileged groups and sensitive resources.
- Annual review of standard access.
- Right reviewer assigned per entitlement (manager / resource owner / security).
- Usage and risk context provided to reviewers.
- Revocations enforced (not just decided).
- Review covers NHIs and AI agents.
- SoD / toxic combinations detected during reviews.
7. Non-Human Identities (NHIs)
- Inventory of all NHIs — service accounts, workloads, OAuth apps, API keys, bots, AI agents.
- Owner assigned to every NHI.
- Documented purpose for every NHI.
- Permissions right-sized to actual usage.
- Long-lived static credentials replaced with short-lived dynamic credentials (workload identity federation, AWS STS, GCP Workload Identity, Azure Managed Identity).
- Vault and rotate secrets that must remain static.
- Interactive logon restricted for service accounts.
- Decommission unused NHIs.
8. OAuth and Application Permissions
- Inventory of all enterprise OAuth apps in the IdP.
- Quarterly review of installed apps and granted scopes.
- User consent disabled for high-risk scopes; admin approval required.
- Least-scope for first-party apps you build.
- Monitor for new consent grants and unusual app token use.
9. AI Agent Identity
- Unique identity per AI agent.
- Documented owner for each agent.
- Tools and actions scoped to what the agent actually needs.
- Human-in-the-loop for sensitive or destructive actions.
- Action logging for audit and review.
- Quarterly scope review for each agent.
- Decommissioning process for retired agents.
10. Active Directory Hardening
- Domain Admin and Enterprise Admin membership minimized.
- Tier 0 systems treated as crown jewels.
- LAPS for unique local admin passwords.
- gMSA used for service accounts where possible.
- AD CS templates audited for ESC1–ESC15 misconfigurations.
- Unconstrained delegation removed; constrained delegation reviewed.
- NTLM restricted where compatibility allows.
- KRBTGT rotated regularly.
11. Cloud Identity (Entra ID / AWS / GCP)
- Cloud root accounts vaulted and monitored.
- No standing Global Admin / AWS root usage for daily work.
- Federation trusts reviewed and minimized.
- Cross-account / cross-tenant access kept minimal.
- IAM analyzers used to detect overprivilege.
- Workload identity federation used for CI/CD; no long-lived
AKIA*keys. - Conditional access / IAM conditions enforce MFA, device, and IP context for sensitive actions.
12. Detection and Response (ITDR)
- Identity logs centralized in SIEM (sign-ins, role changes, OAuth consent, PAM activity).
- High-quality alerts for: impossible travel, MFA fatigue, new device, mass downloads, role activation anomalies, OAuth consent anomalies.
- AD attack detections: Kerberoasting, AS-REP roasting, DCSync, Golden/Silver Ticket.
- Cloud detections: anomalous
AssumeRole, federation changes, new high-privilege role grants. - Playbooks for credential compromise, MFA fatigue, OAuth abuse.
- Continuous Access Evaluation (CAEP) enabled where supported.
13. Identity Posture and Attack Paths
- Continuous posture monitoring of identity configurations and permissions.
- Attack paths to Tier 0 mapped and reduced.
- Choke points prioritized for remediation.
- Posture trends reported to leadership.
- Toxic combinations detected continuously across systems.
14. Governance and Compliance
- Identity security policies documented and approved.
- Roles and responsibilities assigned (identity owner, application owner, security).
- Audit evidence for joiner/mover/leaver, access reviews, privileged access.
- Mappings to applicable regulations (SOX, HIPAA, PCI DSS, ISO 27001, SOC 2).
- Tabletop exercises for identity-driven incidents.
15. People and Process
- Security awareness training that includes phishing-resistant MFA, OAuth consent, and credential hygiene.
- Help desk training with realistic social-engineering scenarios.
- Developer training on secrets management and IAM best practices.
- Clear escalation paths for identity incidents.
- Continuous improvement loop — measure, fix, re-measure.
How to Use This Checklist
- Score yourself. For each item: Implemented / Partial / Not Started.
- Pick a focus. Start with the section where you have the most "Not Started" items in high-impact areas (authentication, privilege, NHIs, AD/cloud admin).
- Set a quarterly goal. Move 5–10 items from "Partial / Not Started" to "Implemented" each quarter.
- Re-score quarterly. Track trend over time.
- Use the trend as your KPI, not the absolute score.
How Forestall Helps
Forestall turns this checklist into a measurable program by:
- Discovering identities, configurations, and relationships across your environment.
- Scoring posture against the items above.
- Highlighting attack paths to your most critical assets.
- Tracking progress over time so leadership sees real risk reduction.
- Integrating with ticketing and SIEM so findings become tasks and detections.
Conclusion
Identity security can feel overwhelming — there are dozens of controls, hundreds of misconfigurations, and constant change. The good news is that a small number of high-impact controls (phishing-resistant MFA, no standing privilege, owned NHIs, attack path reduction, identity-focused detection) close most of the risk for most organizations.
Use this checklist as a map, not a verdict. Every item you move from red to green makes the next breach attempt harder, smaller, and shorter.
Turn this checklist into measurable identity risk reduction.
Forestall maps your identity environment, prioritizes risks, and tracks progress against the controls that matter most.