IAM

#IAM in the Cloud & SaaS Era: Tackling Shadow IT, API Sprawl, and Access Chaos TL;DR As enterprises shift further into cloud and SaaS ecosystems, identity and access management (IAM) becomes a tangled web of apps, permissions, and overlooked risks. This post outlines the top threats—like Shadow IT and API sprawl—and offers strategies to maintain control. The Identity Challenge in a Cloud-First World Modern enterprises are no longer running a single stack—they’re running hundreds....

Six Essential IAM Policies Every Business Needs (Beyond Passwords) TL;DR If your security program starts and ends with a password policy, your business is exposed. To defend against breaches, insider threats, and regulatory penalties, you need a well-rounded suite of Identity & Access Management (IAM) policies—clear, actionable rules that leave no gaps for attackers (or auditors) to exploit. This post breaks down six foundational IAM policies, when to use them, why they matter, and how to link them together for real-world protection....

🧠 TL;DR IAM projects don’t succeed because of tools—they succeed because of project discipline. This post breaks down core project management pillars—scope, stakeholders, communications, risk, and delivery—and ties them to identity work like Okta, Adaxes, and JAMF rollouts. 🏗️ IAM Projects Are Still Projects While identity work is technical and security-driven, the project fundamentals are universal: Stakeholder alignment drives decisions Scope controls chaos Communication prevents surprises Testing builds confidence Governance ensures long-term success Every successful identity project I’ve led—whether rolling out JAMF, Okta, or ServiceNow—followed proven project management best practices....

When a Phished Employee Has Admin Rights TL;DR Phishing remains one of the most effective initial access methods for attackers—but the real risk begins when the compromised user has admin or privileged rights. In this post, we’ll dissect how privilege escalation turns a single click into a breach, the downstream impacts, and practical steps to contain the blast radius in your own organization. The Real-World Scenario: One Click, Total Compromise Let’s paint a picture....

What Does an IAM Manager Actually Do? First-Hand Insights from a 15-Year IAM Pro Introduction Fifteen years ago, I stumbled into Identity and Access Management (IAM) when “cloud SSO” was still a buzzword and the biggest access threat was a sticky note password. Fast-forward to today, and I manage an IAM team responsible for protecting thousands of users, devices, and applications. If you’re wondering what an IAM Manager actually does—and what it takes to thrive in the role—this post is for you....

AI + Human-in-the-Loop IAM: Compliance Mapping Guide Introduction This guide maps how AI-driven IAM—with human-in-the-loop—meets the world’s leading security compliance frameworks. Use this as a reference for your governance and audit strategies. SOX (Sarbanes-Oxley) Key Controls: Change management for financial systems, privileged access approval, audit logs. HiTL Mapping: All privileged access changes require manual sign-off. Maintain full, immutable logs of both automated and human actions. HIPAA (Health Insurance Portability and Accountability Act) Key Controls: Controls for PHI, traceability of access, breach notification....

TL;DR If you’re leading or supporting an Identity and Access Management (IAM) program, you’re already touching all five functions of the NIST Cybersecurity Framework (CSF)—you just may not be thinking of it that way. This post breaks down how each function of the NIST CSF maps directly to your identity lifecycle, from provisioning to detection to post-breach recovery. 🧠 Background: Why NIST CSF Still Matters The NIST Cybersecurity Framework (CSF) remains a go-to model for organizations aiming to assess and improve their security posture....

Acceptable Use Policy Overview This Acceptable Use Policy (“AUP”) establishes clear rules and guidelines for the responsible, secure, and ethical use of company-owned or managed systems, devices, accounts, and data resources. Adherence to this policy helps safeguard organizational assets and maintain compliance with all applicable laws and regulations. Scope This policy applies to all employees, contractors, interns, consultants, temporary staff, and third-party users who access or interact with any company technology resources, whether on-premises or remotely....

Access Provisioning and Deprovisioning Policy Overview This policy establishes the requirements and processes for securely granting, modifying, and revoking access to company systems, applications, and data—for all identities, both human and non-human (e.g., API accounts, service accounts, bots). Its goal is to minimize unauthorized access risk, support compliance, and ensure all access is appropriate for the assigned purpose. Scope This policy applies to all information systems, applications, data, and resources owned, managed, or controlled by the company....

Data Protection and Classification Policy Overview This policy establishes standards for identifying, classifying, and safeguarding all company data—whether accessed by human users or non-human identities such as bots, APIs, and service accounts—throughout its lifecycle. The objective is to ensure data confidentiality, integrity, availability, and compliance with legal and regulatory obligations. Scope This policy applies to all data created, stored, processed, or transmitted by the company, including data handled by third-party service providers....