IAM (identity and access management) is the discipline of ensuring that the right people and systems can access the right resources, and nothing more.
Identity: who or what is making a request, whether a user, a service, or a device, uniquely identified in the system.
Authentication: proving that a claimed identity is genuine, via passwords, tokens, biometrics, or certificates.
Authorization: what an authenticated identity is allowed to do, such as read, write, delete, or administer.
Auditing (accounting): logging who did what and when, essential for compliance, investigation, and threat detection.
Least privilege: grant only the permissions needed to do the job and nothing extra. This limits the blast radius if an account or credential is compromised.
Separation of duties: no single person or system should be able to perform a sensitive action alone; such actions require two independent parties.
Just-in-time access: elevated permissions are granted temporarily when needed, then automatically revoked when the grant expires.
Zero trust: trust is never assumed; identity and context (device, MFA, time, location) are re-evaluated on every request, not just at login.