Our glossary makes IAM easy to understand.

From A for authentication to Z for zero trust: here you will find simple explanations of technical terms from the world of digital identities.

A
Access Management
Access management is one of the core disciplines of Identity and Access Management (IAM). It manages and controls who can access what and ensures that only authorized users or systems can access digital resources such as applications, data or services.
Active Directory (Microsoft)
Active Directory (AD) is a local, central directory service from Microsoft that serves as the linchpin for managing users, groups, devices and access rights in many organizations. Introduced with Windows Server, AD enables the central control of authentication, authorization and system administration within a network.
Attestation & recertification
Attestation means that those responsible regularly check and confirm whether access rights are still correct and necessary. Recertification repeats this process at fixed intervals. This is a central part of modern identity governance and is often a regulatory requirement.
C
Customer Identity and Access Management (CIAM)
Customer Identity and Access Management (CIAM) describes technologies and processes that companies use to securely manage the digital identities of their external users, i.e. customers or partners. In contrast to traditional IAM, which focuses on employees, CIAM focuses on the customer experience, security and data protection.
D
Deprovisioning
Deprovisioning refers to the process by which digital identities and access rights are withdrawn in a controlled manner, e.g. when an employee leaves the company or moves to a new role. The aim is to prevent unauthorized access to systems, data and applications.
Digital identity
Digital identity describes the totality of all information that makes a person, device or system uniquely identifiable in the digital space. This includes user accounts, access data, roles, authorizations or biometric features, regardless of whether they are stored locally, in the cloud or in a hybrid setup.
E
EUDI Wallet (European Digital Identity Wallet)
The EUDI wallet (European Digital Identity Wallet) is the EU's new digital wallet. It is intended to enable all EU citizens to identify themselves online with documents such as ID cards, age confirmation, educational qualifications or professional licenses. The wallet is based on standardized, verifiable proofs and is designed to be data-efficient. Companies must accept the wallet in certain processes from 2026 at the latest (e.g. opening an account, applying for a job, concluding a contract).
F
Federation (Identity Federation)
Federation (also: identity federation) refers to a trust relationship between several independent identity sources. It enables users to log in securely across organizational boundaries without having to create a new account.
I
Identity Fabric
An identity fabric is a holistic, cross-architectural approach to managing digital identities in complex IT landscapes. It connects existing systems such as identity providers, access management, directory services or governance solutions to form a logical layer without the need to redevelop individual applications or infrastructures.
Identity Governance & Administration (IGA)
Identity governance and administration (IGA) refers to the area of Identity & Access Management (IAM) that focuses on the control, traceability and automation of user identities and access rights. While IAM enables access, IGA ensures that this access meets security and compliance requirements.
Identity Lifecycle Management (ILM)
Identity lifecycle management (ILM) refers to the controlled, rule-based handling of digital identities throughout their entire lifecycle, from creation to deactivation or deletion. The aim is to keep identities and authorizations up-to-date, correct and secure at all times. ILM is a central component of modern IAM architectures and forms the basis for automated, compliant user management.
Identity and Access Management (IAM)
Identity and Access Management (IAM) is a framework of guidelines, processes and technologies for managing digital identities and controlling access rights. The aim is to ensure that only authorized persons have access to IT systems and sensitive data in a traceable, compliant and secure manner.
L
Least Privileged Access Control (Principle of Least Privilege - PoLP)
Least privilege, also known as the Principle of Least Privilege (PoLP), is a central security principle in Identity & Access Management (IAM). It states that users, systems, applications or devices should only be granted the minimum access rights they need to perform their tasks.
O
OpenID Connect (OIDC)
OpenID Connect (OIDC) is a modern, open authentication protocol based on the OAuth 2.0 standard. It enables users to log in securely and conveniently to various applications with just one central login service (Identity Provider, IdP for short). OpenID Connect extends OAuth 2.0 with a standardized method for authenticating users.
Orphaned Account
An orphaned account is a user account in a system that can no longer be assigned to an active person, for example because an employee has left the company and access has never been deactivated. Such "orphaned" accounts are often active for years without being noticed, sometimes with far-reaching access rights.
P
Password Vaulting
Password vaulting is a central component of modern Privileged Access Management (PAM) strategies. Highly privileged access data such as admin passwords, root accounts or service credentials are stored in a protected, encrypted password vault. Access to this information is granted only in a controlled, logged and ideally temporary manner.
Privileged Access Management (PAM)
Privileged Access Management (PAM) refers to measures, processes and technologies that control and monitor access to particularly sensitive accounts and systems. The aim is to prevent the misuse of privileged authorizations and ensure the security of critical IT resources.
Provisioning
User provisioning refers to the automated process of creating, updating and managing user accounts and access rights in applications and systems. Deprovisioning removes or deactivates this access as soon as a user leaves the company or changes roles.
S
SAML (Security Assertion Markup Language)
SAML (Security Assertion Markup Language) is an open standard for the secure transmission of authentication and authorization data between an identity provider (IdP) and a service provider (SP). The protocol is based on XML and is primarily used in the corporate and government environment for single sign-on (SSO).
Segregation of Duties (SoD)
Segregation of Duties (SoD), also known as Separation of Duties, is a fundamental governance and security principle that ensures no single individual has full control over an entire process. Its purpose is to prevent errors, misuse, and fraud by distributing responsibilities and establishing clear accountability.
Single Sign-On (SSO)
Single sign-on (SSO) is an authentication process in which users only have to log in once to be able to access multiple services or applications. A central provider verifies the identity and passes this confirmation on to other services.
Z
Zero Trust
Zero Trust is a security approach that assumes that no user, device or system is automatically trustworthy, regardless of whether it is inside or outside the company network. Every access must be continuously checked, authorized and monitored. The aim is to minimize risks and effectively prevent unauthorized access.