Identity & security glossary.
Plain, practitioner definitions of the terms that come up across identity and access management and security — no marketing, no fluff. Search it, or skim it.
- ABAC — Attribute-Based Access Control
- Access decided dynamically from attributes (user, resource, environment) evaluated against policy.
- Access certification
- A periodic review in which owners attest that the access people hold is still appropriate.
- ACSC Essential Eight
- The Australian Cyber Security Centre's baseline of eight mitigation strategies, assessed across maturity levels.
- APRA CPS 234
- The Australian prudential standard requiring regulated entities to maintain information-security capability commensurate with their threats.
- Birthright access
- The baseline access every member of a role receives automatically on day one.
- Conditional access
- Policies that allow, challenge (step-up) or deny access based on user risk, device posture and context.
- Credential stuffing
- Using stolen username/password pairs at scale against other services, exploiting password reuse.
- Entitlement
- A specific permission or access right held by an identity.
- FIDO2 / Passkey
- FIDO2 is the phishing-resistant, public-key authentication standard (WebAuthn plus CTAP); a passkey is a FIDO2 credential, which may be synced between a user's devices. The private key stays in the authenticator or passkey provider and the credential is scoped to the origin it was registered on, so a lookalike page cannot use it.
- IAM — Identity & Access Management
- The discipline of ensuring the right identities have the right access to the right resources — and being able to prove it.
- IdP — Identity Provider
- The system that authenticates users and issues the tokens or assertions that applications trust — the basis of SSO.
- IGA — Identity Governance & Administration
- The policy and process layer over IAM: lifecycle automation, roles, access certifications and separation of duties.
- ISO/IEC 27001
- The international standard for an Information Security Management System (ISMS).
- ITDR — Identity Threat Detection & Response
- Detecting and responding to attacks against identity itself: stolen credentials, token theft, MFA fatigue, privilege abuse.
- JIT — Just-in-Time access
- Privilege granted on request for a limited window, then automatically removed.
- JML — Joiner-Mover-Leaver
- The identity lifecycle: onboarding a joiner, re-evaluating a mover's access on role change, and removing a leaver's access.
- Least privilege
- Granting only the access required for a task, and nothing more.
- MFA fatigue
- Bombarding a user with repeated MFA prompts until they approve one to make it stop.
- MFA — Multi-Factor Authentication
- Requiring two or more independent factors (something you know / have / are) to authenticate.
- NHI — Non-Human Identity
- Machine identities: service accounts, API tokens, workload identities and AI agents, which now far outnumber human identities.
- NIST CSF
- The NIST Cybersecurity Framework; version 2.0 has six functions: Govern, Identify, Protect, Detect, Respond, Recover.
- OAuth token
- A credential that grants an application delegated access to data or APIs on a user's or organisation's behalf.
- Orphaned account
- An account on a system that no longer maps to an active identity: a common, quiet attack path.
- PAM — Privileged Access Management
- Controlling, vaulting, brokering and monitoring accounts that hold elevated rights.
- PDP — Policy Decision Point
- The engine that evaluates an access request against policy and returns a decision: allow, deny, or a requirement such as step-up authentication.
- PEP — Policy Enforcement Point
- Where the policy decision is enforced, sitting in front of the protected resource.
- Phishing-resistant MFA
- MFA that cannot be replayed by a fake site because it is cryptographically bound to the legitimate origin — e.g. FIDO2 and certificate-based methods.
- Prompt injection
- Malicious instructions hidden in the data an AI system processes, hijacking its behaviour.
- Provisioning / De-provisioning
- Creating or removing an identity's access across systems.
- RBAC — Role-Based Access Control
- Access granted through roles that bundle entitlements, rather than assigned per individual.
- Secret
- Any sensitive credential — key, token, password, certificate — used to authenticate; should be vaulted and rotated.
- Service account
- A non-human account used by an application or process — frequently privileged, long-lived and under-governed.
- SoD — Separation of Duties
- Ensuring no single person holds a toxic combination of permissions (e.g. create a vendor and approve its payments).
- SSO — Single Sign-On
- One authentication event that grants access to many applications.
- Standing privilege
- Elevated access held permanently, whether or not it is in use — a 24/7 attack surface.
- Zero standing privilege
- The target state where no privilege is permanent; all elevation is just-in-time and expires automatically.
- Zero Trust
- Making every access decision per-request on verified identity, device and context, never on network location.
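The ABAC, conditional-access, JIT, least-privilege, PDP and PEP entries above describe one mechanism from several angles, so here they are wired together in a small, added example (not code from this site). The attribute names, the 0..100 risk score attributed to an IdP risk engine, the sensitivity tiers and the sample users and resources are all assumptions made for illustration.

```python
"""Toy policy decision point (PDP) and enforcement point (PEP).

Added example, not from the glossary. Attribute names, the risk score,
sensitivity tiers and all sample subjects/resources are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Literal

Decision = Literal["allow", "step-up", "deny"]


@dataclass
class Subject:
    user: str
    roles: set[str]
    mfa_level: str          # "none", "otp" or "phishing-resistant" (assumed levels)
    risk: int               # 0..100, assumed to come from the IdP's risk engine


@dataclass
class Device:
    managed: bool
    compliant: bool


@dataclass
class Resource:
    name: str
    sensitivity: str        # "public", "internal" or "restricted" (assumed tiers)
    required_role: str


@dataclass
class JitGrant:
    user: str
    resource: str
    expires_at: datetime    # zero standing privilege: every grant has an expiry


@dataclass
class Pdp:
    """Evaluates a request against policy and returns (decision, reason)."""
    grants: list[JitGrant] = field(default_factory=list)

    def grant_jit(self, user: str, resource: str, now: datetime, minutes: int = 60) -> None:
        self.grants.append(JitGrant(user, resource, now + timedelta(minutes=minutes)))

    def _has_jit(self, user: str, resource: str, now: datetime) -> bool:
        return any(g.user == user and g.resource == resource and g.expires_at > now
                   for g in self.grants)

    def decide(self, s: Subject, d: Device, r: Resource, now: datetime) -> tuple[Decision, str]:
        # 1. Entitlement (RBAC role or an unexpired JIT grant). No entitlement: deny.
        if r.required_role not in s.roles and not self._has_jit(s.user, r.name, now):
            return "deny", "no role or active JIT grant"
        # 2. Hard denies from context (ABAC): device posture and user risk.
        if r.sensitivity == "restricted" and not (d.managed and d.compliant):
            return "deny", "restricted resource requires a managed, compliant device"
        if s.risk >= 80:
            return "deny", "user risk too high"
        # 3. Conditional access: challenge rather than deny when a stronger factor would do.
        if r.sensitivity == "restricted" and s.mfa_level != "phishing-resistant":
            return "step-up", "phishing-resistant MFA required for restricted data"
        if s.risk >= 40 and s.mfa_level == "none":
            return "step-up", "elevated risk requires MFA"
        return "allow", "policy satisfied"


def pep(pdp: Pdp, s: Subject, d: Device, r: Resource, now: datetime, action):
    """PEP: sits in front of the resource and only invokes it on an allow decision."""
    decision, reason = pdp.decide(s, d, r, now)
    if decision == "allow":
        return decision, action()
    return decision, reason


def demo() -> dict:
    """Walk one user through the decisions; returns a dict of outcomes for checking."""
    now = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    pdp = Pdp()
    payroll = Resource("payroll-db", "restricted", "payroll-admin")
    wiki = Resource("wiki", "internal", "employee")
    alice = Subject("alice", {"employee"}, "otp", 10)
    laptop = Device(managed=True, compliant=True)
    out = {}
    out["wiki_allow"] = pdp.decide(alice, laptop, wiki, now)[0]
    out["payroll_no_role"] = pdp.decide(alice, laptop, payroll, now)[0]
    pdp.grant_jit("alice", "payroll-db", now, minutes=30)          # JIT elevation
    out["payroll_jit_stepup"] = pdp.decide(alice, laptop, payroll, now)[0]
    alice.mfa_level = "phishing-resistant"
    out["payroll_jit_allow"] = pdp.decide(alice, laptop, payroll, now)[0]
    out["payroll_jit_expired"] = pdp.decide(alice, laptop, payroll, now + timedelta(minutes=31))[0]
    out["payroll_byod"] = pdp.decide(alice, Device(False, False), payroll, now)[0]
    alice.risk, alice.mfa_level = 50, "none"
    out["wiki_risky_stepup"] = pdp.decide(alice, laptop, wiki, now)[0]
    alice.risk, alice.mfa_level = 10, "otp"
    out["pep_wiki"] = pep(pdp, alice, laptop, wiki, now, lambda: "wiki page")[1]
    out["pep_payroll"] = pep(pdp, alice, laptop, payroll, now, lambda: "payroll rows")[1]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

The ordering matters: entitlement is checked before context, so strong authentication never rescues an over-provisioned or missing grant (the least-privilege point made in the Zero Trust FAQ), and the JIT grant lapses on its own without anyone remembering to revoke it.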
Frequently asked
What are the main types of security that fall under cybersecurity?
Cybersecurity is an umbrella over several overlapping domains: network security (firewalls, segmentation, IDS/IPS), endpoint security (EDR/XDR, hardening), application security (secure development, AppSec, WAF), data security (classification, encryption, DLP), identity & access management (who can do what), cloud security (CSPM, workload and SaaS protection), security operations (SIEM, threat detection and incident response), and governance, risk & compliance (GRC). In practice these are not silos — they interlock. Identity has become the connective tissue across all of them, because almost every modern intrusion ends in the abuse of a credential or an identity, which is why identity security increasingly determines how effective the rest are.
What is the difference between inbound and outbound cybersecurity?
Inbound security defends against what comes at you — phishing, exploitation, intrusion attempts, malware delivery — through prevention, detection and response at the perimeter, on endpoints and at the identity layer. Outbound security governs what leaves your environment and what your systems reach out to: data exfiltration (DLP), command-and-control traffic, risky egress, and third-party or supply-chain connections. A mature programme treats them as two halves of one picture — control what gets in, what gets out, and crucially what your own identities and machines are permitted to do once inside. Several 2025 supply-chain breaches were essentially outbound-identity failures: legitimate OAuth tokens making legitimate-looking outbound API calls to quietly export data.
How do security and compliance actually work together — aren't they the same thing?
They're related but not identical, and conflating them is an expensive mistake. Compliance proves you meet a defined standard at a point in time — ISO 27001, PCI-DSS, APRA CPS 234, the ACSC Essential Eight — while security is the continuous reduction of real-world risk. You can be compliant yet insecure (a box ticked over a hollow control) or secure but not yet certified. The healthy relationship is to design controls that genuinely reduce risk and make them produce audit evidence as a by-product, so compliance becomes a report you can already run rather than a scramble before an assessment. Treat frameworks as a shared language and a floor, never the ceiling — the goal is provable security, with compliance as the evidence it exists.
Why is identity and access management so complex in large enterprises?
Because identity sits at the intersection of every system, every team and every regulation — and it accumulates history. A large enterprise typically runs dozens of authoritative sources, hundreds of applications each with their own access model, thousands of roles, tens of thousands of human identities and often hundreds of thousands of non-human ones, all changing daily. Layer on mergers, legacy systems, contractors and cloud sprawl, and the entitlement graph becomes vast. The hard part isn't only technical — access decisions require business context that lives outside IT — which is why successful programmes lead with authoritative data, governance and ownership, not tooling alone.
How do you roll out a major IAM or Zero Trust programme without breaking the business?
Incrementally, value-first, and with safety rails; boiling the ocean fails. I sequence it in three phases: foundations (authoritative-source lifecycle, MFA on every internet-facing door, vaulted privileged credentials, centralised logs) to close the gaps behind most incidents; governance (RBAC, risk-based certifications, separation of duties, conditional access, a non-human identity inventory) to make access provable; then optimisation (just-in-time access, phishing-resistant MFA everywhere, per-request decisions, ITDR) toward Zero Trust. Changes with a workforce-wide blast radius, such as privileged access, authentication and de-provisioning, go through a staging environment with end-to-end tests before production, because a botched identity change can lock out an entire workforce. Always start where value is high and blast radius is low, prove the pattern, then expand.
What is driving the biggest industry-wide changes in security right now?
Three forces. First, identity has become the primary attack vector — attackers log in rather than break in — which is shifting budget toward IAM, PAM and identity threat detection. Second, the explosion of non-human and AI identities, which now vastly outnumber humans and are largely ungoverned, is emerging as the next major breach class. Third, regulation is catching up: phishing-resistant MFA and Zero Trust are moving from best practice to mandate, the Essential Eight and APRA standards keep raising the bar, and the EU AI Act is doing for AI what GDPR did for privacy. The net effect is that identity, machine identity and AI governance are converging into a single discipline.
How do you measure whether a security programme is actually working?
Not by activity, but by risk-reducing outcomes and tested controls. The measures that travel to a board are concrete: time-to-revoke for leavers, the number and trend of standing privileged accounts, dormant privileged access, MFA coverage on privileged and remote access, access-certification revocation rates, and mean-time-to-contain an identity incident. Each maps to a question leadership already asks — how exposed are we, how fast can we contain a problem, and are the controls real or theatre? And under standards like CPS 234 you must test control effectiveness at a frequency matched to how fast the environment changes, which for identity is essentially continuous.
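The metrics listed above are cheap to compute once you have an authoritative HR feed and an account inventory joined on owner. The following is an added example (not from this site) that computes them, plus the orphaned-account count the glossary mentions, over a small constructed snapshot. The record layouts, the 90-day dormancy threshold and every identity in the sample are assumptions for illustration.

```python
"""Identity programme metrics over a constructed snapshot.

Added example, not from the page. Record layouts, thresholds and all
sample identities are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
from statistics import median

NOW = datetime(2025, 6, 30, tzinfo=timezone.utc)

# Authoritative source (HR): active people and, for leavers, when they left.
HR = {
    "alice": {"status": "active"},
    "dave": {"status": "active"},
    "bob": {"status": "left", "left_at": NOW - timedelta(days=10)},
    "carol": {"status": "left", "left_at": NOW - timedelta(days=3)},
}

# Account inventory across systems. owner=None means nobody is recorded.
ACCOUNTS = [
    {"id": "alice@corp",  "owner": "alice", "privileged": False, "jit": False, "mfa": "otp",
     "last_login": NOW - timedelta(days=1),   "disabled_at": None},
    {"id": "alice-admin", "owner": "alice", "privileged": True,  "jit": True,  "mfa": "phishing-resistant",
     "last_login": NOW - timedelta(days=2),   "disabled_at": None},
    {"id": "dave-admin",  "owner": "dave",  "privileged": True,  "jit": False, "mfa": "otp",
     "last_login": NOW - timedelta(days=5),   "disabled_at": None},
    {"id": "bob@corp",    "owner": "bob",   "privileged": False, "jit": False, "mfa": "otp",
     "last_login": NOW - timedelta(days=12), "disabled_at": NOW - timedelta(days=9, hours=20)},
    {"id": "bob-admin",   "owner": "bob",   "privileged": True,  "jit": False, "mfa": "none",
     "last_login": NOW - timedelta(days=95), "disabled_at": None},       # leaver, still enabled
    {"id": "carol@corp",  "owner": "carol", "privileged": False, "jit": False, "mfa": "otp",
     "last_login": NOW - timedelta(days=4),  "disabled_at": NOW - timedelta(days=2, hours=22)},
    {"id": "svc-backup",  "owner": None,    "privileged": True,  "jit": False, "mfa": "none",
     "last_login": NOW - timedelta(days=200), "disabled_at": None},      # ownerless service account
]

# Outcomes of the last access-certification campaign (constructed).
CERTS = [
    {"account": "alice@corp", "decision": "keep"}, {"account": "alice-admin", "decision": "keep"},
    {"account": "dave-admin", "decision": "keep"}, {"account": "bob-admin", "decision": "revoke"},
    {"account": "svc-backup", "decision": "keep"},
]


def hours(td: timedelta) -> float:
    return round(td.total_seconds() / 3600, 1)


def metrics(now=NOW, hr=HR, accounts=ACCOUNTS, certs=CERTS, dormant_days=90) -> dict:
    enabled = [a for a in accounts if a["disabled_at"] is None]

    # Time-to-revoke: hours from HR exit to disablement, per leaver account; open ones listed.
    revoke_hours, still_enabled = [], []
    for a in accounts:
        person = hr.get(a["owner"])
        if person and person["status"] == "left":
            if a["disabled_at"] is None:
                still_enabled.append(a["id"])
            else:
                revoke_hours.append(hours(a["disabled_at"] - person["left_at"]))

    standing = [a for a in enabled if a["privileged"] and not a["jit"]]
    dormant = [a for a in standing if now - a["last_login"] > timedelta(days=dormant_days)]
    priv = [a for a in enabled if a["privileged"]]
    orphaned = [a for a in enabled
                if (hr.get(a["owner"]) or {}).get("status") != "active"]

    return {
        "ttr_median_hours": median(revoke_hours) if revoke_hours else None,
        "ttr_max_hours": max(revoke_hours) if revoke_hours else None,
        "leaver_access_still_enabled": still_enabled,
        "standing_privileged": sorted(a["id"] for a in standing),
        "dormant_privileged": sorted(a["id"] for a in dormant),
        "privileged_mfa_coverage": sum(a["mfa"] != "none" for a in priv) / len(priv),
        "privileged_phishing_resistant_coverage":
            sum(a["mfa"] == "phishing-resistant" for a in priv) / len(priv),
        "orphaned_accounts": sorted(a["id"] for a in orphaned),
        "certification_revocation_rate": sum(c["decision"] == "revoke" for c in certs) / len(certs),
    }


if __name__ == "__main__":
    for k, v in metrics().items():
        print(f"{k:40} {v}")
```

Two design points carry over to real data: time-to-revoke is measured from the authoritative source's exit date, not from the ticket, so a slow HR feed shows up as a bad number rather than hiding; and a leaver's account that is still enabled is reported as an open item, never averaged away into the median.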
Where should a mid-sized organisation start if it can only fix a few things?
Close MFA coverage gaps on every internet-facing entry point — and fix help-desk identity verification, because that is exactly where 2025's biggest retail breaches began. Get de-provisioning down to hours, driven from an authoritative source, and reduce standing privileged access. Those three are mostly process rather than spend, and they remove the attack paths most likely to be used against you. Then inventory your non-human identities, because you almost certainly have far more than you think. The free IAM Maturity Index and Identity Security Baseline on this site are built to help you find and sequence precisely these gaps.
What is Zero Trust — and is it just vendor hype?
The marketing is diluted, but the principle is real: make every access decision per-request on the basis of verified identity, device and context, and never on network location. “Inside the firewall” stops meaning “trusted.” It is not a product you buy — it is an architecture you assemble incrementally — and least privilege is its prerequisite, because strong authentication layered over over-provisioned access just means an attacker with a valid session can still reach everything. Done well, Zero Trust makes identity the control plane and lets you revoke trust the moment context changes.
How is AI changing cybersecurity — for both attackers and defenders?
It is raising the tempo on both sides. For attackers, AI lowers the barrier to convincing phishing and deepfake voice/video social engineering — the kind used to fool help desks and executives — accelerates vulnerability discovery and malware variation, and adds scale. For defenders, it strengthens behavioural detection and anomaly-spotting across identity and endpoint telemetry, automates triage and parts of response, and multiplies analyst productivity. The dangerous asymmetry is governance: attackers adopt AI instantly with no rules, while defenders must adopt it under compliance, safety and explainability constraints. The takeaway is that AI does not replace the fundamentals — it makes strong identity, phishing-resistant MFA and least privilege more important, because it industrialises the attacks those controls stop.
What are the real security risks of adopting AI in the enterprise?
The near-term risks are concrete and unglamorous: sensitive data leaking into prompts and third-party models (shadow AI), prompt injection hijacking an agent through the data it reads (the top OWASP LLM risk), insecure handling of model output, and supply-chain exposure from third-party models and integrations. The biggest mistake is treating AI as a feature rather than an identity — an autonomous agent that can read your data and call your APIs is the most privileged non-human identity you will deploy, and it is non-deterministic. The defensive posture is to govern agents like the privileged identities they are: least-privilege, narrowly-scoped and short-lived credentials, human-in-the-loop approval for high-impact actions, and monitoring of agent behaviour.
How do you govern AI without blocking the business?
Treat AI governance as a security and identity discipline, not a legal afterthought. Map it onto frameworks you already run — the NIST AI Risk Management Framework, ISO/IEC 42001 and the EU AI Act's risk tiers — and inventory every AI system and integration with an accountable owner and a risk tier, applying controls proportional to impact: a chatbot summarising public documents is not an agent approving transactions. Crucially, out-compete shadow AI rather than banning it — provide a sanctioned, contained option (enterprise AI with no-training-on-your-data guarantees and data-loss prevention at the boundary) that is easier to use than the rogue alternative. The objective is enablement with a contained blast radius, so that when something goes wrong — and with non-deterministic systems it will — the damage is bounded.
Will AI replace security analysts and the SOC?
No — it reshapes the work rather than removing it. AI is genuinely good at triage, correlation, summarisation and first-pass detection, compressing the noise analysts wade through; humans remain essential for judgment, adversarial thinking, business context and the response decisions that carry real consequences. The realistic shape is augmentation — smaller teams handling more, with AI as a force multiplier and humans retaining accountability. The risk to manage is over-reliance: trusting confident-but-wrong output, which is exactly why explainability and human-in-the-loop control for high-impact actions are non-negotiable.