FREE!! Open Source - A Technical Recruiter's Daily Wiki
Technical Recruiter Reference · Identity & Access Management · 2025–2026

Identity & Access Management
Complete IAM Vendor Guide

A plain-English explainer of every major IAM vendor, technology, and concept appearing in identity security job descriptions — written for technical recruiters, not engineers.

12 IAM Vendors · 4 IAM Categories · 55+ Interview Qs · 90+ Glossary Terms

Identity & Access Management — The Basics

// what every recruiter must know before screening IAM candidates

What is Identity & Access Management?
// the foundation of enterprise security
🗣️ In plain English: Identity and Access Management (IAM) is the security discipline that answers two fundamental questions about every person (or system) trying to access your company's resources: "Who are you?" (authentication — proving identity) and "What are you allowed to do?" (authorization — controlling access). Every data breach, every ransomware attack, every insider threat ultimately comes down to an IAM failure — someone accessed something they shouldn't have, or something bypassed the controls that should have stopped them. IAM is the digital lock-and-key system for every door in your organization.

The IAM market reached $33 billion in 2025 and is projected to reach $67 billion by 2030 — driven by remote work, cloud adoption, and regulatory requirements. 80% of data breaches involve compromised credentials or identity failures. IAM is no longer an IT function — it's a board-level security priority. Three main IAM problem categories: Access Management (who can log in and to what), Identity Governance (who should have access and is it appropriate?), and Privileged Access Management (securing the most powerful accounts).

// the three pillars of IAM — what each category solves
Access Management (Who can log in?): SSO · MFA · Federation · Adaptive Auth · CIAM. Vendors: Okta · Ping · Entra ID
Identity Governance (Who should have access?): Provisioning · Reviews · Compliance · Role Mgmt. Vendors: SailPoint · Saviynt
Privileged Access Mgmt (Securing powerful accounts): Vaulting · Session Rec. · Just-in-Time Access. Vendors: CyberArk · BeyondTrust
On-Premises IAM · On-Prem
// Active Directory · SailPoint IIQ · CyberArk Classic
🗣️ In plain English: On-premises IAM means the organization owns the hardware and software that manages identity — it all runs in your own data center. Like having your own safe deposit box in a vault you control: maximum control, but you're responsible for everything — maintenance, upgrades, security, and the physical vault. Banks, defense contractors, and government agencies often prefer on-prem IAM because their data literally cannot leave their own walls.

On-premises IAM requires dedicated servers, database infrastructure, specialized IAM engineers to maintain and upgrade it, and significant capital investment. The longest-standing example is Microsoft Active Directory (AD) — deployed in virtually every enterprise globally since 1999. On-prem IAM offers complete data residency control (critical for regulatory compliance), deep integration with legacy systems, and no dependency on vendor uptime. Disadvantages: slower to scale, costly maintenance, hard to extend to cloud apps. Candidates with on-prem IAM expertise (AD, CyberArk EPV, SailPoint IdentityIQ) are increasingly rare and valuable — these skills are needed to manage the vast installed base.

// on-premises IAM architecture
Company Data Center (you own & manage everything): IAM Servers (Active Directory) · PAM Vaults (CyberArk EPV) · IGA Platform (SailPoint IIQ). ✓ Full control · data never leaves · high compliance
Cloud-Based IAM (IDaaS) · Cloud
// Okta · Azure Entra ID · SailPoint Identity Now
🗣️ In plain English: Cloud IAM (Identity-as-a-Service, IDaaS) means renting identity management from a vendor instead of running it yourself. Like a bank that manages your safe deposit box for you — you access it from anywhere, the bank maintains the vault, and you don't need your own security staff. The cloud vendor handles the infrastructure, updates, and 99.9%+ uptime SLA. This is the dominant model for modern organizations, especially those with many SaaS applications.

Cloud IAM has overtaken on-premises for new deployments. Benefits: deploy in weeks not months, no hardware to maintain, scales instantly, pre-built integrations with thousands of SaaS apps, accessible from anywhere. Vendors charge per user per month ($2–$15 typical). The "Big Three" cloud IAM providers — Okta, Microsoft Entra ID, and Ping Identity — hold the largest market share. Cloud IAM is mandatory for organizations with hybrid workforces and SaaS-heavy environments. Candidates with cloud IAM experience are the highest-demand IAM professionals in 2025–2026.

Core IAM Concepts Every Recruiter Must Know
// universal terminology across all IAM platforms
🗣️ In plain English: Before screening IAM candidates, you need to understand these 10 universal concepts. They appear in every IAM job description regardless of vendor. Candidates who can't explain these clearly are junior-level or inflating their experience.

Authentication = "Who are you?" — verifying identity.
Authorization = "What can you do?" — controlling access after authentication.
SSO (Single Sign-On) = log in once, access everything — no 15 different passwords.
MFA (Multi-Factor Authentication) = two or more proofs of identity (password + phone).
Provisioning/Deprovisioning = automatically creating/removing user accounts when someone joins or leaves.
Least Privilege = give users only the minimum access needed — not full admin by default.
Zero Trust = "Never trust, always verify" — verify every access request regardless of location.
RBAC (Role-Based Access Control) = assign permissions by job role, not individually.
PAM (Privileged Access Management) = securing the most powerful accounts (admin, root, service accounts).
Identity Governance = ongoing oversight of who has access to what, and whether that access is appropriate.

// how a modern Zero Trust IAM architecture works
👤 Employee (anywhere) → login → MFA (password + phone push, or biometric) → Identity Provider (Okta / Entra ID / Ping Identity) issues token (SAML/OIDC) → SSO → Authorized Resources (Salesforce, Microsoft 365, SAP / Workday, AWS / Azure, GitHub / Jira, + 7,000 more). User sees only what their ROLE permits (RBAC / Least Privilege).
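The Zero Trust flow above, as an added example that is not part of the original page: an identity provider checks both factors and issues a signed token, the service provider verifies signature, audience and expiry before trusting it, and the user then sees only the apps their role permits. The HMAC-signed JSON token stands in for a SAML assertion or OIDC ID token; the shared secret, roles and app names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret: a real IdP signs with a private key and the SP
# verifies with the IdP's public key; HMAC keeps this example self-contained.
IDP_SP_SHARED_SECRET = b"constructed-demo-secret"

# Constructed RBAC policy: each role maps to the apps it may see. A role that is
# not listed grants nothing, which is least privilege by default.
ROLE_APPS = {
    "engineer": {"GitHub", "Jira", "AWS"},
    "sales": {"Salesforce", "Microsoft 365"},
    "finance": {"SAP", "Workday"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(user, password_ok, mfa_ok, roles, audience, now=None, ttl=300):
    """IdP side (authentication): require password AND second factor, then issue
    a short-lived signed token carrying the user's roles and intended audience."""
    if not (password_ok and mfa_ok):
        return None
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "roles": sorted(roles), "aud": audience,
              "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(IDP_SP_SHARED_SECRET, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def sp_verify_token(token, expected_audience, now=None):
    """SP side: trust the IdP's decision only after checking the signature (in
    constant time), the audience and the expiry. Returns the claims or None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(IDP_SP_SHARED_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except (AttributeError, ValueError):
        return None
    if not isinstance(claims, dict):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("aud") != expected_audience or claims.get("exp", 0) <= now:
        return None
    return claims


def visible_apps(claims):
    """Authorization (RBAC): the user sees the union of what their roles permit."""
    allowed = set()
    for role in claims.get("roles", []):
        allowed |= ROLE_APPS.get(role, set())
    return sorted(allowed)


def sso_login(user, password_ok, mfa_ok, roles, now=None):
    """End-to-end flow: IdP issues, SP verifies, RBAC filters.
    Returns the list of apps the user may open, or None if login is refused."""
    token = idp_issue_token(user, password_ok, mfa_ok, roles, "portal", now)
    claims = sp_verify_token(token, "portal", now) if token else None
    return visible_apps(claims) if claims is not None else None
```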

Cloud IAM Vendors — Access Management Leaders

// Okta · Microsoft Entra ID · Ping Identity + ForgeRock · Auth0 · Duo

Okta · Cloud-Native
// Workforce Identity · CIAM · 7,000+ integrations · 18,000+ customers
🗣️ In plain English: Okta is the most widely adopted cloud IAM platform — the industry's go-to for giving employees secure, simple access to all their apps with one login. Imagine a master key that opens every app door in your company — Salesforce, Microsoft 365, Slack, GitHub, AWS — without employees needing a separate password for each. Okta is to identity what Salesforce is to CRM: the cloud-native market leader that set the standard.

Okta has been a Gartner Magic Quadrant Leader for Access Management for 9 consecutive years (2025). Key products: Workforce Identity Cloud (employee SSO, MFA, lifecycle management), Customer Identity Cloud (formerly Auth0 — consumer-facing authentication). The Okta Integration Network (OIN) has 7,000+ pre-built connectors — the largest in the industry. Okta pricing starts at $2/user/month for basic SSO; enterprise tiers reach $8–15/user/month. Okta acquired Auth0 in 2021 for $6.5B, making it the leader in both workforce and customer identity. Auth0 is now often listed separately for developer-focused customer identity roles.

// Okta's workforce identity stack
Okta Workforce Identity Cloud: SSO · MFA/Adaptive · Lifecycle Mgmt · API Access. 7,000+ app integrations · available from any device, anywhere
Microsoft Entra ID (Azure AD) · Hybrid
// Enterprise identity · 500M+ users · Microsoft 365 integration
🗣️ In plain English: Microsoft Entra ID (formerly Azure Active Directory) is the corporate login system for virtually every organization running Microsoft products. When an employee opens their laptop and signs in with their work email, that's Entra ID authenticating them. It then enables that same login to work for Office 365, Teams, SharePoint, and thousands of other apps — all without separate passwords. If your target company runs Microsoft, Entra ID is in their environment — guaranteed.

Entra ID protects 500+ million users globally — the largest IAM deployment in the world. It's included in Microsoft 365, making it effectively the default choice for any Microsoft shop. Key features: SSO, MFA (Authenticator app, FIDO2 keys), Conditional Access (block login from risky locations/devices), Identity Protection (AI detects compromised credentials), Privileged Identity Management (PIM — just-in-time elevated access), Entra ID Governance (IGA capabilities). Pricing: P1 at $6/user/month, P2 at $9/user/month. Entra ID is the #1 IAM deployment globally by user count.

Ping Identity + ForgeRock · Hybrid
// Enterprise federation · CIAM · 8B+ identities protected
🗣️ In plain English: Ping Identity is the enterprise specialist for complex, large-scale identity environments — especially when organizations need to connect employees, customers, and partners across many different systems. After acquiring ForgeRock in 2023, Ping now protects over 8 billion identities worldwide. Think of Ping as the master locksmith for organizations whose lock-and-key problems are too complex for standard solutions — large banks, healthcare systems, and government agencies with intricate access requirements.

Ping Identity excels at: federated identity (connecting multiple different identity systems together), customer identity at massive scale, complex hybrid environments (on-premises Active Directory + cloud apps), and financial services/government regulatory requirements. PingOne DaVinci is a low-code identity orchestration tool — building complex authentication journeys without coding. ForgeRock (now part of Ping) is known for its open-standards implementation and scalability for consumer-facing applications. Ping + ForgeRock is the dominant choice for large financial institutions and healthcare organizations. Both companies are now owned by Thoma Bravo private equity.

Cisco Duo Security · MFA Specialist
// Multi-factor authentication · Zero Trust access · device trust
🗣️ In plain English: Cisco Duo is the simplest, most widely deployed MFA (multi-factor authentication) solution — the "push notification on your phone when you log in" that most corporate employees experience daily. Duo focuses on one thing and does it brilliantly: making sure every login is verified with a second factor, and blocking logins from devices that don't meet company security standards. Acquired by Cisco in 2018 for $2.35B, Duo now protects over 40 million users.

Duo's strength is in ease of deployment — organizations can add MFA across their entire environment in days, not months. Key capabilities: push notifications, biometric authentication, hardware tokens, device trust (checks if the device is managed, has up-to-date OS, has disk encryption before granting access), and VPN access control. Duo integrates with everything: VPNs, cloud apps, on-premises apps, Windows/Mac login, and SSH. It's often the "quick win" MFA choice before a full IAM platform is implemented. Pricing starts at $3/user/month. Duo is a common first step in a Zero Trust implementation.

Microsoft Active Directory · On-Premises
// LDAP · Kerberos · Group Policy · on-premises directory standard
🗣️ In plain English: Microsoft Active Directory (AD) is the original corporate phone book and key system — installed in virtually every enterprise since 1999. It's the on-premises system that knows every employee, what computer they use, what printers they can access, and what files they can open. When employees log into a Windows computer at the office, AD is checking their credentials. While cloud is taking over, AD is still in the vast majority of large enterprises and will be for decades — making AD expertise perpetually in demand.

Active Directory uses LDAP (Lightweight Directory Access Protocol) for directory queries and Kerberos for authentication tickets. Group Policy Objects (GPOs) enforce security settings across thousands of computers simultaneously. AD Domain Services (AD DS) is the core; AD Certificate Services (AD CS), AD Federation Services (AD FS), and AD Rights Management Services (AD RMS) extend it. Azure AD Connect (now Microsoft Entra Connect) synchronizes on-premises AD with Entra ID — the most common hybrid IAM deployment globally. An IAM candidate who doesn't know Active Directory is missing a foundational skill.

IBM Security Verify · Hybrid
// AI-driven IAM · compliance · enterprise-scale identity
🗣️ In plain English: IBM Security Verify is IBM's enterprise IAM platform — combining the identity expertise IBM has built since its 1996 acquisition of Tivoli with modern AI-driven risk analysis. IBM's IAM is most valuable in large, complex enterprises with a mix of on-premises legacy systems and modern cloud apps — industries like banking, government, and healthcare where IBM's regulatory compliance depth is particularly valued.

IBM Security Verify covers: workforce and consumer SSO, adaptive MFA, identity governance, privileged access management, and AI-driven threat detection. The platform uses machine learning to establish baseline user behavior and flag anomalies (accessing systems at unusual hours, from unusual locations). IBM's IAM heritage includes Tivoli Identity Manager (TIM/ISIM) — many large enterprises still run legacy IBM IAM that needs migration or modernization. Candidates listing "IBM ISIM," "IBM IGI," or "IBM Security Verify" have deep enterprise IAM experience, often in regulated industries.


On-Premises & Legacy IAM Platforms

// traditional IAM deployed in company data centers · still dominant in large enterprises

Oracle Identity Management · On-Premises
// Oracle OIM · OAM · OIG · large enterprise deployments
🗣️ In plain English: Oracle Identity Management (OIM) is one of the oldest and most comprehensive enterprise IAM suites — the choice of massive organizations like banks, telcos, and government agencies that need an identity system that handles millions of users across hundreds of complex systems. Think of it as the industrial-grade, heavy-duty vault of IAM platforms — built for scale and durability in the most demanding environments.

Oracle IAM suite components: Oracle Identity Manager (OIM) — provisioning and governance; Oracle Access Manager (OAM) — SSO and access control; Oracle Identity Governance (OIG) — access certifications and compliance; Oracle Unified Directory (OUD) — enterprise directory. Oracle IAM is typically found in large enterprises already running Oracle ERP (E-Business Suite, PeopleSoft, Oracle Fusion) — the tight integration is the key advantage. Legacy Oracle IAM environments are complex and require specialized skills — candidates with Oracle OIM experience are rare and highly valued for modernization projects.

RSA SecurID / RSA Security · MFA/Authentication
// hardware tokens · risk-based auth · legacy MFA standard
🗣️ In plain English: RSA SecurID is the company that invented the hardware token — that little key fob that displays a 6-digit number every 60 seconds that employees use to log in to VPNs and secure systems. Before smartphones existed, RSA's physical tokens were the gold standard for strong authentication. While soft tokens and phone apps have largely replaced physical tokens, RSA's authentication platform is still widely deployed, especially in government, defense, and financial services where physical tokens are required.

RSA SecurID Suite provides: hardware and software tokens, risk-based authentication (analyzes location, device, behavior to determine authentication risk), identity assurance scores, and integration with enterprise VPNs. RSA was spun off from Dell EMC and sold to Symphony Technology Group in 2020. RSA still has a massive installed base — banks, government agencies, and defense contractors that standardized on RSA SecurID in the 2000s and 2010s are still running it. A candidate with RSA experience likely comes from a large regulated enterprise environment.

One Identity (Quest) · Hybrid
// Active Roles · Safeguard PAM · Identity Manager IGA
🗣️ In plain English: One Identity (from Quest Software) specializes in managing, securing, and governing Active Directory environments — the Microsoft IAM infrastructure that almost every enterprise runs. If Active Directory is the city's road network, One Identity is the traffic management and security system built on top of it. Their products make AD easier to manage, more secure, and compliant — without replacing it.

One Identity portfolio: Active Roles (secure AD delegation — let help desk reset passwords without giving full AD admin access); Safeguard (PAM — privileged access vaulting and session management); Identity Manager (IGA — governance, provisioning, access reviews). One Identity is particularly strong in organizations that are "all-in" on Microsoft technology stacks. It's a Gartner Magic Quadrant regular in both IGA and PAM categories. Candidates with One Identity Active Roles or Safeguard experience come from enterprises deeply invested in Microsoft infrastructure.


Privileged Access Management (PAM) Vendors

// securing the most powerful accounts — admin, root, service accounts, secrets

CyberArk · PAM Leader
// #1 PAM vendor globally · Enterprise Vault · Conjur secrets
🗣️ In plain English: CyberArk is the gold standard for Privileged Access Management — securing the most powerful accounts in an organization (administrator accounts, root accounts, service accounts, database admin accounts). These "privileged" accounts can access and modify everything — if an attacker gets one, the entire organization is compromised. CyberArk's "Digital Vault" stores these powerful passwords in an encrypted safe, rotates them automatically, and records everything done with them. Every major data breach analysis eventually finds a compromised privileged account at the root.

CyberArk's product suite: Privilege Cloud (SaaS PAM — vaulting, session management, credential rotation); Endpoint Privilege Manager (EPM) (removes local admin rights from employee laptops without breaking productivity); Conjur (secrets management for DevOps — API keys, certificates, database passwords for applications); Identity Security Cloud (combines PAM with workforce SSO/MFA); Secure Cloud Access (cloud privilege management for AWS/Azure/GCP). CyberArk commands premium pricing and requires implementation specialists — a CyberArk engineer is one of the highest-compensated IAM specialists.

// how CyberArk protects privileged accounts
CyberArk Privileged Access Security: Vault (encrypted passwords) · Session Recording (video of every admin action) · Just-in-Time (temporary elevated access). Admins never see the real password · automatically rotated
BeyondTrust · PAM
// Privilege Management · Remote Access · Endpoint · #2 PAM vendor
🗣️ In plain English: BeyondTrust is CyberArk's primary PAM competitor — covering privileged account management, secure remote access, and least privilege endpoint management. Where CyberArk focuses on enterprise vault-based PAM, BeyondTrust is known for its strength in secure remote access (replacing VPN with privileged remote sessions that are monitored and recorded) and for making least privilege practical on end-user devices (letting IT remove admin rights from employees' computers without breaking their work).

BeyondTrust key products: Password Safe (PAM vaulting — equivalent to CyberArk's Vault); Privileged Remote Access (PRA) (secure, zero-trust remote connections for support and administration — no VPN required); Privilege Management for Windows/Mac (remove local admin without disrupting workflows). BeyondTrust acquired Bomgar (remote support) which gives it unique strength in IT support/helpdesk remote access use cases. Organizations choosing between CyberArk and BeyondTrust often have BeyondTrust win on total cost and remote access capabilities. Both companies are Gartner Magic Quadrant Leaders for PAM.

Delinea (Thycotic + Centrify) · PAM
// Secret Server · Privilege Manager · cloud-ready PAM
🗣️ In plain English: Delinea (formed by the merger of Thycotic and Centrify in 2021) is the third major PAM vendor — particularly popular with mid-market companies that need enterprise-grade PAM without CyberArk's complexity and price. If CyberArk is the heavy industrial vault, Delinea is the modern security safe that most companies can actually implement and maintain with their existing team.

Delinea products: Secret Server (password/secrets vaulting — available both on-premises and cloud); Privilege Manager (endpoint least privilege); Cloud Suite (cloud PAM for AWS/Azure/GCP). Delinea's strength is mid-market penetration — smaller security teams can deploy and manage it without a dedicated PAM team. Secret Server has been particularly popular as an approachable entry point into PAM. Centrify's Zero Trust Privilege approach (JIT access, no standing privileges) has influenced the broader PAM market. Candidates with "Thycotic Secret Server" experience have practical PAM implementation skills.


Identity Governance & Administration (IGA) Vendors

// SailPoint · Saviynt · who should have access · compliance automation · access reviews

SailPoint Technologies · IGA Leader
// IdentityIQ (on-prem) · IdentityNow/Identity Security Cloud (SaaS)
🗣️ In plain English: SailPoint is the identity governance specialist — the platform that answers "who has access to what, and should they?" It automates the detective work of ensuring employees only have the access they need for their job, automatically removes access when people change roles or leave the company, and generates the compliance reports auditors require. Think of SailPoint as the compliance officer that never sleeps — constantly reviewing access rights and flagging anything that looks inappropriate.

SailPoint products: IdentityIQ (IIQ) — the on-premises/hybrid IGA platform; the most widely deployed enterprise IGA solution; Identity Security Cloud (ISC) — the cloud-native SaaS version (formerly IdentityNow); SailPoint Atlas — the AI/ML layer enabling identity analytics and risk scoring. Key capabilities: automated provisioning/deprovisioning (when someone is hired/fired, access is created/removed automatically), access certifications (periodic reviews where managers certify their team's access), role management (RBAC — roles define what access each job function gets), Separation of Duties (SOD) controls (prevent one person from having conflicting access that enables fraud). SailPoint is owned by Thoma Bravo private equity.

// SailPoint identity governance lifecycle
👤 New Hire (day 1) → Auto Provision (by role/dept) → Access Review (manager certifies) → Termination → Auto Remove (all access revoked)
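The joiner / mover / leaver lifecycle above, together with the RBAC, least privilege, JIT access and Separation of Duties concepts from the Core Concepts section, as an added example that is neither SailPoint's code nor the page's own: a toy governance engine that provisions birthright access by role, refuses a just-in-time request that would create an SoD conflict, expires JIT grants, and flags orphaned accounts and SoD violations during an access review. The role definitions, SoD rule, HR feed and usernames are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed birthright access per role: roles define what each job function gets (RBAC)
ROLE_ENTITLEMENTS = {
    "ap-clerk": {"erp:create-purchase-order"},
    "ap-manager": {"erp:approve-purchase-order", "erp:view-reports"},
    "engineer": {"github:write", "jira:user"},
}
# Constructed Separation of Duties rule: nobody may both create and approve purchase orders
SOD_RULES = [("erp:create-purchase-order", "erp:approve-purchase-order")]


@dataclass
class Identity:
    user: str
    roles: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)   # standing (birthright) access
    active: bool = True
    jit_grants: dict = field(default_factory=dict)  # entitlement -> expiry (epoch seconds)


class GovernanceEngine:
    def __init__(self):
        self.identities = {}

    def joiner(self, user, role):
        """Day 1: create the identity and provision birthright access for its role."""
        ident = Identity(user, {role}, set(ROLE_ENTITLEMENTS.get(role, set())))
        self.identities[user] = ident
        return ident

    def mover(self, user, new_role):
        """Role change: replace birthright access so old entitlements don't accumulate."""
        ident = self.identities[user]
        ident.roles = {new_role}
        ident.entitlements = set(ROLE_ENTITLEMENTS.get(new_role, set()))
        return ident

    def leaver(self, user):
        """Termination: disable the account and revoke every entitlement and JIT grant."""
        ident = self.identities[user]
        ident.active = False
        ident.entitlements.clear()
        ident.jit_grants.clear()
        return ident

    def request_jit(self, user, entitlement, now, ttl):
        """Just-in-time elevation: a temporary grant with an expiry, refused for
        inactive accounts and for any grant that would violate an SoD rule."""
        ident = self.identities[user]
        if not ident.active or self.sod_violations(ident, extra={entitlement}):
            return False
        ident.jit_grants[entitlement] = now + ttl
        return True

    def effective_entitlements(self, user, now):
        """Birthright access plus any JIT grants that have not yet expired."""
        ident = self.identities[user]
        if not ident.active:
            return set()
        live = {e for e, expiry in ident.jit_grants.items() if expiry > now}
        return ident.entitlements | live

    def sod_violations(self, ident, extra=frozenset()):
        """Conflicting pairs held by this identity. JIT grants count even if expired,
        which is deliberately conservative: a stale grant is still a finding."""
        held = ident.entitlements | set(ident.jit_grants) | set(extra)
        return [pair for pair in SOD_RULES if pair[0] in held and pair[1] in held]

    def access_review(self, hr_feed):
        """Certification pass: flag orphaned accounts (active but unknown to HR)
        and SoD conflicts. Returns sorted (user, finding) pairs."""
        findings = []
        for user, ident in self.identities.items():
            if ident.active and user not in hr_feed:
                findings.append((user, "orphaned-account"))
            for pair in self.sod_violations(ident):
                findings.append((user, "sod:" + "+".join(pair)))
        return sorted(findings)
```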
Saviynt · Cloud-Native IGA
// Cloud-native IGA · risk analytics · application access governance
🗣️ In plain English: Saviynt is SailPoint's fastest-growing cloud-native competitor — built from the ground up for cloud environments rather than adapted from on-premises software. If SailPoint is the established enterprise veteran, Saviynt is the modern cloud-first challenger that wins business from organizations migrating to cloud and wanting IGA that was designed for that world from the start.

Saviynt differentiators: cloud-native SaaS architecture (faster to deploy than SailPoint IIQ), strong application access governance (ADAG — fine-grained control of what a user can do within an app like SAP or Salesforce, not just access to the app), built-in risk analytics and SoD controls, and a unified platform covering IGA + CIEM (Cloud Infrastructure Entitlement Management — securing cloud permissions in AWS/Azure/GCP). Saviynt typically comes in at 20–30% less cost than SailPoint for comparable features. Gartner regularly places Saviynt as a Leader or Challenger in the IGA Magic Quadrant. Both SailPoint and Saviynt are owned by Thoma Bravo.

Omada Identity · IGA
// European IGA leader · compliance-focused · mid-enterprise
🗣️ In plain English: Omada is a European identity governance specialist — particularly strong in organizations with stringent GDPR compliance requirements and those that prefer a European vendor for their identity data. It's known for being more approachable for mid-sized enterprises that find SailPoint too complex and expensive, while still providing robust governance capabilities for compliance-heavy regulated industries.

Omada Identity provides: role lifecycle management, access requests and certifications, SoD controls, automated provisioning, and analytics. It's particularly strong in Scandinavian countries, DACH region (Germany/Austria/Switzerland), and the broader European market. Omada is recognized in Gartner Magic Quadrant for IGA as a Challenger/Visionary. For organizations hiring IAM governance professionals with European compliance experience (GDPR, NIS2), Omada experience on a résumé is a relevant signal.


IAM Vendor Comparison — Side by Side

// the definitive recruiter reference for evaluating IAM candidates by vendor

IAM Category Map — What Each Vendor Does Best

🔑 Access Management: SSO, MFA, Federation, CIAM. Vendors: Okta · Entra ID · Ping · Duo · RSA
📋 Identity Governance (IGA): Provisioning, Reviews, Compliance. Vendors: SailPoint · Saviynt · Omada · IBM
🔐 Privileged Access (PAM): Vaulting, Secrets, JIT Access. Vendors: CyberArk · BeyondTrust · Delinea
🏢 Directory / On-Premises: LDAP, Kerberos, Group Policy. Vendors: Active Directory · Oracle OIM · IBM ISIM

| Vendor | Category | Deployment | Best For | Pricing | Gartner |
|---|---|---|---|---|---|
| Okta | Access Management / SSO | Cloud-Native SaaS | SaaS-heavy enterprises, fast deployment | $2–$15/user/mo | Leader (9 yrs) |
| Microsoft Entra ID | Access Management + IGA | Cloud + Hybrid | Microsoft shops, O365 users | $6–$9/user/mo | Leader (9 yrs) |
| Ping Identity + ForgeRock | Access Mgmt + CIAM | Hybrid + Cloud | Complex enterprise, 8B+ identities | Enterprise custom | Leader |
| SailPoint | Identity Governance (IGA) | On-Prem + SaaS | Large enterprise compliance, regulated industries | $75K+/year | Leader (IGA) |
| Saviynt | IGA + CIEM | Cloud-Native SaaS | Cloud-first IGA, 20–30% less than SailPoint | Enterprise custom | Leader (IGA) |
| CyberArk | PAM (Privileged Access) | On-Prem + SaaS | High-security environments, financial/gov | $2–$5/user/mo | Leader (PAM) |
| BeyondTrust | PAM + Remote Access | On-Prem + Cloud | Remote access security, endpoint privilege | Enterprise custom | Leader (PAM) |
| Delinea | PAM (Mid-Market) | On-Prem + Cloud | Mid-market PAM, Secret Server users | Mid-market pricing | Challenger (PAM) |
| Cisco Duo | MFA / Zero Trust Access | Cloud SaaS | Quick MFA deployment, device trust | $3–$9/user/mo | Leader (Access) |
| IBM Security Verify | Access Mgmt + IGA | Hybrid + Cloud | Complex regulated enterprises | Enterprise custom | Challenger |
| Active Directory | Directory + On-Prem Auth | On-Premises | Enterprise Windows environments | Included w/ Windows | N/A (foundational) |
| Oracle IAM (OIM) | IGA + Access Mgmt | On-Premises | Oracle ERP shops, large enterprise legacy | Enterprise custom | Challenger |
| RSA SecurID | MFA / Authentication | On-Prem + Cloud | Legacy MFA, government/defense | Enterprise custom | N/A (specialist) |
| One Identity | IGA + PAM + AD Mgmt | Hybrid | Microsoft-centric environments | Enterprise custom | Challenger (IGA) |

On-Premises vs. Cloud IAM — Key Differences

| Factor | 🏢 On-Premises IAM | ☁️ Cloud IAM (IDaaS) |
|---|---|---|
| Data Control | Complete — data never leaves your walls | Data in vendor's cloud (with contractual protections) |
| Setup Time | Months to years | Days to weeks |
| Maintenance | Internal team patches, upgrades, backups | Vendor handles all maintenance automatically |
| Cost Structure | High upfront capital (servers + licenses) | Monthly per-user subscription (OpEx) |
| Scaling | Buy more hardware, plan ahead | Instant elasticity — add users in minutes |
| SaaS App Integration | Complex, custom connectors needed | Thousands of pre-built integrations |
| Remote Access | Requires VPN or complex setup | Native — works from anywhere |
| Compliance | Can meet strictest requirements (FedRAMP High) | Most clouds offer major compliance certs |
| Best For | Defense, intelligence agencies, strict data residency | Majority of modern enterprises |
| IAM Team Skills Needed | Deep platform-specific expertise (AD, Java, LDAP) | Platform admin, API integration, security config |
| Examples | Active Directory, CyberArk EPV, SailPoint IIQ, Oracle OIM | Okta, Entra ID, SailPoint ISC, CyberArk Privilege Cloud |

IAM Glossary — 90+ Terms Decoded

// every identity and access management term explained in plain English

Authentication: "Who are you?" — the process of verifying a user's identity before granting access. Username/password is the simplest form; MFA adds more verification layers.
Authorization: "What can you do?" — determines what resources and actions a verified user is permitted to access. Happens after authentication.
SSO (Single Sign-On): Log in once to access many applications without separate logins. Like a master key for all company app doors. Okta, Entra ID, and Ping Identity provide SSO.
MFA (Multi-Factor Authentication): Require two or more proofs of identity: something you know (password) + something you have (phone) + something you are (fingerprint). Dramatically reduces breach risk.
2FA (Two-Factor Authentication): A subset of MFA using exactly two factors. When you get a text code after entering your password — that's 2FA.
SAML (Security Assertion Markup Language): An XML-based standard for exchanging authentication data between an identity provider (Okta) and a service provider (Salesforce). The technology behind most enterprise SSO.
OIDC / OAuth2: Modern authentication/authorization standards used by web and mobile apps. OAuth2 authorizes access to resources; OIDC authenticates who the user is. Used by Google and Facebook login buttons.
LDAP (Lightweight Directory Access Protocol): The protocol used to query directory services like Active Directory. When a system asks AD "does this user exist and is this their password?" — it's using LDAP.
Kerberos: The authentication protocol used by Active Directory for Windows networks. Provides "tickets" that prove identity without sending passwords across the network.
Identity Provider (IdP): The trusted system that authenticates users and issues tokens to other applications. Okta, Entra ID, and Ping Identity are identity providers. Applications trust the IdP's authentication decisions.
Service Provider (SP): An application that relies on an identity provider for authentication. Salesforce, GitHub, and SAP are service providers — they trust Okta or Entra ID to verify users.
Federated Identity: Allowing users to use one identity across multiple separate organizations or systems. When you log into a partner company's portal using your own company credentials — that's federation.
PAM (Privileged Access Management): Securing, monitoring, and auditing the most powerful accounts in an organization — admin accounts, root accounts, database superusers. CyberArk, BeyondTrust, and Delinea are PAM leaders.
Privileged Account: An account with elevated permissions — administrator, root, service account, DBA. These accounts can modify systems, access all data, and are primary targets for attackers.
Credential Vault: An encrypted repository that stores privileged account passwords. CyberArk's Digital Vault is the most well-known. Passwords are checked out for use and automatically rotated after check-in.
Session Recording: Video capture of everything done during a privileged session — what commands were typed, what files were accessed. Essential for audit and forensic investigation of privileged activity.
JIT (Just-in-Time) Access: Granting elevated privileges only when needed and for a limited time, then automatically removing them. Instead of permanent admin rights — you request, get 1-hour access, it expires. Reduces attack surface.
Least Privilege: Security principle: users should only have the minimum access needed to do their job — nothing more. The antidote to over-permissioned accounts that provide attackers too much access after compromise.
IGA (Identity Governance and Administration): Ensuring the right people have the right access at the right time — and removing it when they shouldn't. Covers provisioning, access reviews, role management, and compliance reporting. SailPoint and Saviynt lead this space.
Provisioning: Automatically creating user accounts and granting appropriate access when someone joins an organization or changes roles. Deprovisioning is the reverse — removing access when they leave or change roles.
Deprovisioning: Removing a user's access when they leave the organization or change roles. One of the most critical IAM functions — "orphaned accounts" (former employees with active access) are a major security risk.
Access Certification / Access Review: Periodic review (quarterly, annually) where managers certify that their team's current access is still appropriate. The formal process of checking "does this person still need this access?"
RBAC (Role-Based Access Control): Assigning permissions based on job role rather than individually. "All accountants get access to the finance system" rather than manually granting 50 individual accounts. More scalable and auditable.
ABAC (Attribute-Based Access Control): More granular than RBAC — access decisions based on multiple attributes (user's department + location + time of day + device type). More flexible but more complex to manage.
SoD (Separation of Duties): Preventing one person from having conflicting access that enables fraud. Classic example: the same person who creates purchase orders cannot approve them. SailPoint and Saviynt enforce SoD automatically.
Zero Trust: "Never trust, always verify" — the security model that requires verification of every access request regardless of network location. Being inside the corporate network doesn't grant automatic trust. BeyondTrust and CyberArk champion this approach.
SCIM (System for Cross-domain Identity Management): A standard protocol for automating user provisioning between identity providers (Okta) and applications (Slack, Salesforce). When HR adds someone in Workday, SCIM can automatically create their accounts everywhere.
Active Directory (AD)Microsoft's on-premises directory service — the backbone of identity management in most enterprises since 1999. Stores user accounts, group memberships, computer accounts, and enforces security policies.
Group Policy Object (GPO)Rules applied through Active Directory that configure security settings on Windows computers in bulk — password requirements, screen lock timeout, software installation rights.
Domain Controller (DC)The server that runs Active Directory and authenticates users logging into Windows computers on the corporate network. When you log into a company laptop, it talks to a Domain Controller to verify your credentials.
CIAM (Customer Identity and Access Management)IAM for consumers/customers rather than employees. The login page for your bank's website or e-commerce account is CIAM. Auth0 (Okta), Ping Identity, and ForgeRock lead in CIAM.
Identity FabricThe concept of weaving together multiple IAM tools (SSO, IGA, PAM, CIAM) into a unified identity architecture. Modern organizations build identity fabrics rather than relying on a single IAM platform.
Adaptive AuthenticationAdjusting the authentication requirements based on risk context — low-risk login (same device, same location) = password only; high-risk (new country, unknown device) = require MFA. Reduces friction while improving security.
Passwordless AuthenticationEliminating passwords entirely in favor of biometrics, hardware keys (FIDO2), or magic links. Microsoft, Okta, and Cisco Duo all champion passwordless as the future of enterprise authentication.
FIDO2 / WebAuthnThe open standard for hardware security keys and biometric authentication (fingerprint, Face ID). Provides phishing-resistant authentication — even if someone tricks you, your security key won't authenticate to the wrong site.
TokenA digital or physical object that proves identity or grants access. Software tokens generate codes on your phone; hardware tokens are physical key fobs (RSA SecurID). JWT (JSON Web Token) is a common digital access token format.
Secrets ManagementManaging application credentials, API keys, certificates, and database passwords that software needs to function. CyberArk Conjur, HashiCorp Vault, and AWS Secrets Manager handle this for DevOps environments.
Service AccountAn account used by an application or service rather than a human. These are often overlooked in security reviews but hold significant privileges — a primary target for attackers in modern breaches.
CIEM (Cloud Infrastructure Entitlement Management)Managing and governing permissions in cloud environments (AWS IAM, Azure RBAC, GCP IAM). The cloud equivalent of traditional PAM — ensuring cloud permissions follow least privilege. Saviynt and CyberArk cover CIEM.
ITDR (Identity Threat Detection and Response)Detecting and responding to identity-based attacks in real time — compromised credentials, impossible travel (logged in from NYC and London simultaneously), lateral movement. Emerging category combining IAM with threat detection.
Non-Human Identity (NHI)Any digital identity that isn't a human user — service accounts, API keys, OAuth tokens, certificates, bots, AI agents. NHIs now outnumber human identities in most enterprises and are a major unsecured attack surface.
Conditional AccessPolicies that decide whether to allow or block access based on conditions: user identity + device compliance + location + risk score. Microsoft Entra ID's Conditional Access is the most widely deployed example.
PIM (Privileged Identity Management)Microsoft Entra ID feature for just-in-time elevated access in Azure — users can temporarily elevate to admin rights when needed, with approval workflow and automatic expiration. Reduces standing privilege.
Identity GovernanceEnsuring appropriate access at all times through policy, process, and automation. Answers: Does this person still need this access? Is it appropriate for their role? Is there a compliance risk?
Entitlement ManagementManaging access packages (bundles of access to multiple resources) and automating access requests/approvals. Microsoft Entra Entitlement Management and SailPoint handle this for enterprises.
Role MiningAnalyzing existing access patterns to identify what roles should exist in an organization. Instead of manually defining roles, AI/ML analyzes who has what access and suggests logical role groupings.
Orphaned AccountA user account whose owner has left the organization but wasn't properly deprovisioned. Orphaned accounts are a major security risk — attackers can use them to gain undetected access.
Directory ServiceA hierarchical database of users, groups, computers, and resources in an organization. Active Directory is the dominant directory service; LDAP is the protocol to query it.
FederationTrusting another organization's identity system to authenticate users into your systems. When your company users log into a partner's portal using their corporate credentials — that's federation.
Identity as a Service (IDaaS)Cloud-delivered IAM where the vendor hosts and manages the identity infrastructure. Okta, Entra ID, and Ping Identity are IDaaS providers. The dominant model for new IAM deployments.
DevSecOps / DevOps IAMIntegrating identity and secrets management into software development pipelines. Ensuring API keys, database passwords, and service credentials in code are managed securely rather than hardcoded.
HashiCorp VaultOpen-source secrets management tool widely used in DevOps environments for managing API keys, database credentials, and certificates programmatically. Often used alongside CyberArk Conjur for enterprise secrets management.
Identity FabricThe modern approach to IAM — weaving together multiple identity tools (SSO/IdP + IGA + PAM + CIAM) into a unified architecture rather than relying on one monolithic platform.
Compliance (SOX, HIPAA, GDPR, PCI-DSS)Regulations that mandate identity controls: SOX (financial reporting access controls), HIPAA (healthcare data access), GDPR (EU personal data access rights), PCI-DSS (payment card data access). IAM is the primary tool for achieving compliance in all of these.
NIST SP 800-63The US government's digital identity guidelines — defines levels of identity assurance (IAL) and authentication assurance (AAL). Referenced in most government and regulated industry IAM requirements.
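Detection logic for the impossible-travel case named under ITDR above, as an added example (not any vendor's detector and not from this page): consecutive sign-ins for the same user are compared by great-circle distance and the speed that distance implies. The log lines, coordinates and the 900 km/h threshold are constructed assumptions.

```python
"""Impossible-travel detection over sign-in events.

Added example, not a vendor's detector. Consecutive sign-ins per user are
compared: if the great-circle distance between their geolocations implies a
speed above what an airliner manages, the pair is flagged. Log lines,
coordinates and the speed threshold are constructed.
"""
import math
import re
from datetime import datetime, timezone
from typing import List

MAX_SPEED_KMH = 900.0      # assumed: faster than this is not human travel
MIN_DISTANCE_KM = 50.0     # ignore geo-IP jitter within one metro area
EARTH_RADIUS_KM = 6371.0

# Constructed sign-in log: ISO timestamp, user, source IP, "lat,lon" geolocation.
SAMPLE_LOG = """\
2025-06-10T08:00:00Z user=ana ip=198.51.100.10 geo=40.7128,-74.0060
2025-06-10T09:00:00Z user=ana ip=203.0.113.25 geo=51.5074,-0.1278
2025-06-10T08:00:00Z user=bob ip=198.51.100.11 geo=40.7128,-74.0060
2025-06-10T11:00:00Z user=bob ip=198.51.100.12 geo=42.3601,-71.0589
2025-06-10T08:00:00Z user=cy ip=198.51.100.13 geo=40.7128,-74.0060
2025-06-10T08:00:00Z user=cy ip=203.0.113.26 geo=51.5074,-0.1278
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) geo=(-?[\d.]+),(-?[\d.]+)$")


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_log(text: str) -> List[dict]:
    """Parse the constructed line format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, lat, lon = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "user": user, "ip": ip, "lat": float(lat), "lon": float(lon)})
    return events


def impossible_travel(events: List[dict]) -> List[dict]:
    """Flag consecutive sign-ins per user whose implied speed exceeds MAX_SPEED_KMH."""
    alerts = []
    by_user = {}
    for e in sorted(events, key=lambda e: (e["user"], e["ts"])):   # stable sort
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < MIN_DISTANCE_KM:
                continue
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            # Simultaneous sign-ins from distant places: infinite speed, always flagged.
            speed = math.inf if hours == 0 else dist / hours
            if speed > MAX_SPEED_KMH:
                alerts.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "distance_km": round(dist), "speed_kmh": speed})
    return alerts


def run_sample() -> List[dict]:
    return impossible_travel(parse_log(SAMPLE_LOG))
```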
IAM Recruiter Interview Cheat Sheet

// 55+ questions across all IAM domains with Strong / Average / Weak answer guidance

📌 How to Use This Section

Listen for vendor specificity (real product names — "CyberArk EPV" not "a PAM tool"), lifecycle experience (design, implementation, operations — not just theory), and compliance fluency (SOX, HIPAA, GDPR). Each question shows Strong ✓, Average ≈, and Weak ✗ answer patterns.

Universal IAM Questions

ALL IAM CANDIDATES
Opener
"Walk me through the IAM platforms you've worked with most. For each one, describe what problem you were solving and your specific role."
Strong: Names specific products and versions ("CyberArk EPV 12.x for privileged account management," "SailPoint IdentityIQ for HIPAA access certifications"). Describes both implementation and operations experience. Quantifies: "100,000 identities," "250 applications," "quarterly access certifications for 5,000 users."

Average: Names platforms but vague on what they actually did with them.

Weak: "I've worked with identity tools" — no vendor specificity, no description of the problem being solved.
Zero Trust
"What does Zero Trust mean for identity, and how does it change how you design IAM systems?"
Strong: Zero Trust means never assuming a user is safe because they're inside the network — verify identity, device health, and context on every access request. For IAM design: enforce MFA everywhere (not just VPN), use JIT access instead of standing privileges, continuous session evaluation (risk score doesn't stop at login), segment access so a breach of one account doesn't expose everything. References NIST SP 800-207 or BeyondTrust/CyberArk's Zero Trust approach.

Average: "Never trust, always verify" — understands the concept but can't describe implementation.

Weak: "Zero Trust means firewalls and VPNs" — confuses network security with identity-centric Zero Trust.
Compliance
"How does IAM help an organization pass a SOX or HIPAA audit? What specific controls does IAM provide?"
Strong: SOX: requires segregation of duties (one person can't create and approve transactions), access reviews proving only authorized people have financial system access, audit trails of who accessed what. IAM provides: SoD enforcement (SailPoint flags violations automatically), quarterly access certifications (managers attest to their team's access), provisioning/deprovisioning audit logs. HIPAA: access logging to patient records, minimum necessary access, terminated employee access removal within 24 hours. Names specific IAM controls they implemented for compliance.

Average: "IAM keeps track of who has access" — correct but no specific control mapping.

Weak: No awareness of how IAM connects to compliance — a critical gap for any governance-focused IAM role.
Threat
"An ex-employee whose account wasn't deprovisioned is accessing company systems. Walk me through how this happened and how you'd respond."
Strong: Root cause: joiner-mover-leaver process failure — HR didn't trigger the deprovisioning workflow in IGA system, or the IGA system wasn't connected to the application. Response: immediately disable the account, revoke all active sessions, preserve logs for forensics, assess what was accessed. Prevention: integrate HR system (Workday/SAP) with IGA platform (SailPoint) via SCIM so termination in HR automatically triggers deprovisioning within hours. Regular orphaned account reports catch missed deprovisioning. Access certifications as backstop — manager would catch it in quarterly review.

Average: "Block the account and investigate" — correct immediate action but no root cause or systematic prevention.

Weak: "Change all the passwords" — panicked response with no investigation or systemic fix.
Okta Engineer Questions

SSO · MFA · SCIM · LIFECYCLE · WORKFLOWS
SSO Setup
"Walk me through setting up SSO for a new SaaS application in Okta. What's the process from start to finish?"
Strong: 1) Check if the app is in OIN (Okta Integration Network) — 7,000+ pre-built integrations. If yes: add from catalog, configure SAML or OIDC settings, test with a pilot user. If not in OIN: create a custom SAML/OIDC integration, exchange metadata with the app's SP, configure attribute mappings (pass user's email, name, group memberships to the app). 2) Configure assignment — assign to groups (not individuals) based on job role. 3) Test in a sandbox before production. 4) Enable and document. Mentions SP-initiated vs IdP-initiated SAML flows.

Average: "Find the app, add it, configure SAML" — correct high-level but missing details like group assignment strategy.

Weak: "It depends on the app" without any process description — has not actually done this.
Provisioning
"How does Okta's lifecycle management work? What happens when a new employee is hired?"
Strong: HR system (Workday, BambooHR) triggers a new record → Okta receives this via API or SFTP import, or SCIM push → Okta creates the user account based on profile attributes (department, location, role) → Okta automatically assigns apps based on group membership rules (if department = "Sales" → assign Salesforce, HubSpot, Zoom) → Okta provisions the user into those apps via SCIM or password push → user gets welcome email with activation link. For termination: HR termination triggers Okta deactivation → Okta suspends all assigned apps → scheduled deletion after grace period.

Average: "Okta creates the user and assigns their apps" — correct but no detail on HR integration or group rules.

Weak: "Admins manually create users in Okta" — defeats the purpose of lifecycle management.
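As an added illustration (not Okta's or SailPoint's code, and not from this page), the joiner/leaver flow in the Provisioning answer above and the orphaned-account report from the ex-employee scenario, written as one reconciliation script: the HR feed is the source of truth, group rules decide which apps each department gets, and anything that outlives termination or has no HR owner is reported. The HR feed, group rules, app names and 24-hour SLA are constructed assumptions.

```python
"""Joiner/leaver reconciliation: HR feed versus application accounts.

Added illustration, not Okta's or SailPoint's code. The constructed HR feed is the
source of truth, group rules map department to apps, and the script emits provisioning
actions plus an orphaned-account report for accounts that outlive the deprovisioning
SLA or have no HR owner at all.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

GROUP_RULES: Dict[str, Set[str]] = {        # assumed group rules: department -> apps
    "Sales": {"Salesforce", "HubSpot", "Zoom"},
    "Finance": {"SAP", "Zoom"},
}
BASELINE_APPS = {"Slack"}                   # every active employee gets these
DEPROVISION_SLA = timedelta(hours=24)       # assumed termination-to-removal SLA


@dataclass
class HrRecord:
    email: str
    department: str
    status: str                             # "active" or "terminated"
    terminated_at: Optional[datetime] = None


@dataclass
class AppAccount:
    app: str
    email: str
    active: bool = True


def desired_apps(rec: HrRecord) -> Set[str]:
    """Desired state: terminated users get nothing, active users get baseline + group apps."""
    if rec.status != "active":
        return set()
    return BASELINE_APPS | GROUP_RULES.get(rec.department, set())


def reconcile(hr: List[HrRecord], accounts: List[AppAccount], now: datetime) -> dict:
    """Compare desired state with actual accounts; return actions and orphaned accounts."""
    hr_by_email = {r.email: r for r in hr}
    current: Dict[str, Dict[str, AppAccount]] = {}
    for acct in accounts:
        current.setdefault(acct.email, {})[acct.app] = acct
    actions: List[Tuple[str, str, str]] = []   # (verb, email, app)
    orphaned: List[Tuple[str, str]] = []

    for email, rec in hr_by_email.items():
        have = {app for app, a in current.get(email, {}).items() if a.active}
        want = desired_apps(rec)
        for app in sorted(want - have):
            actions.append(("create", email, app))       # joiner or mover gains access
        for app in sorted(have - want):
            actions.append(("deactivate", email, app))   # leaver or mover loses access
            past_sla = (rec.status == "terminated" and rec.terminated_at is not None
                        and now - rec.terminated_at > DEPROVISION_SLA)
            if past_sla:
                orphaned.append((email, app))            # missed deprovisioning: report it

    for email, apps in current.items():                  # accounts with no HR record at all
        if email in hr_by_email:
            continue
        for app, acct in sorted(apps.items()):
            if acct.active:
                actions.append(("deactivate", email, app))
                orphaned.append((email, app))
    return {"actions": actions, "orphaned": sorted(orphaned)}


# Constructed sample: one active joiner, two leavers, one account nobody owns.
NOW = datetime(2025, 6, 10, 12, 0, tzinfo=timezone.utc)
HR_FEED = [
    HrRecord("ana@example.com", "Sales", "active"),
    HrRecord("bob@example.com", "Finance", "terminated", NOW - timedelta(days=3)),
    HrRecord("cy@example.com", "Finance", "terminated", NOW - timedelta(hours=2)),
]
ACCOUNTS = [
    AppAccount("Slack", "ana@example.com"),
    AppAccount("Salesforce", "ana@example.com"),
    AppAccount("Slack", "bob@example.com"),
    AppAccount("SAP", "bob@example.com"),
    AppAccount("SAP", "cy@example.com", active=False),   # already removed
    AppAccount("Zoom", "cy@example.com"),                # removal pending, still inside SLA
    AppAccount("SAP", "ghost@example.com"),              # no HR record: orphaned
]


def run_sample() -> dict:
    return reconcile(HR_FEED, ACCOUNTS, NOW)
```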
MFA Design
"Design an MFA policy for a company with employees, contractors, and executives — each with different security requirements."
Strong: Uses Okta's adaptive MFA with policies by user group. Employees: Okta Verify push (standard, frictionless). Contractors: TOTP (time-based OTP) or hardware key — less trusted devices. Executives (highest-value targets): FIDO2 hardware key (phishing-resistant) + biometric. Adaptive factor: for any user accessing from unmanaged device or unusual location → always prompt MFA regardless of group. Network zone exemptions for office Wi-Fi (managed devices, lower risk). Session length policies (contractors get shorter sessions).

Average: "Everyone uses MFA" — no differentiation by risk profile or user type.

Weak: "We turn on MFA in Okta" — one setting for everyone with no policy design thinking.
Troubleshoot
"A user says they can't log into Salesforce through Okta. What's your diagnostic approach?"
Strong: 1) Check Okta System Log for the user's login attempt — what error did Okta report? 2) Is the user active in Okta (not deactivated or locked)? 3) Is Salesforce assigned to the user or their group? 4) Is the Salesforce application's SAML configuration correct (metadata, attribute mappings, audience URI)? 5) Try SP-initiated vs IdP-initiated SSO to isolate where failure occurs. 6) Check if the issue is specific to this user (test with another user) or all users (application configuration problem). 7) Review Salesforce's login logs for what error they received. Systematic layered approach.

Average: "Check if they have access in Okta" — correct starting point but limited diagnostic depth.

Weak: "Reset their password" — SSO doesn't use passwords; this answer shows fundamental misunderstanding.
Microsoft Entra ID / Active Directory Questions

AD · ENTRA · HYBRID · CONDITIONAL ACCESS · PIM
AD Design
"Design an Active Directory structure for a company with 5,000 employees across 3 countries."
Strong: Single Forest, multiple domains or OUs by country/business unit. Domain structure: contoso.com (root), with OUs for each country (US, UK, DE). Each country OU contains sub-OUs: Users, Computers, Service Accounts, Groups. Security Groups for role-based access (Finance-Dept, IT-Admins, Sales-Team). Sites and Services configured for each office location to optimize Kerberos traffic to local Domain Controllers. GPOs scoped to OUs (Password Policy at domain level, browser settings at country OU, application settings at dept OU). Trusts if separate domains needed. AD recycle bin enabled. Domain Controller redundancy (min 2 DCs per site).

Average: "OUs for each department" — correct concept but no site/domain/forest architecture awareness.

Weak: "Just put everyone in the Users container" — flat AD with no OU design has no policy granularity.
Hybrid Identity
"A company has 3,000 on-premises Active Directory users. They're moving to Microsoft 365. How do you connect their AD to Entra ID?"
Strong: Microsoft Entra Connect (formerly Azure AD Connect) synchronizes on-premises AD to Entra ID. Installation steps: choose sync mode (Password Hash Sync is simplest and most resilient; Pass-through Authentication keeps auth on-prem; Federation with ADFS for complex cases). Configure sync scope (which OUs to sync). Choose Seamless SSO so domain-joined computers auto-authenticate without prompting. Choose whether to synchronize password hashes. After sync: users log into M365 with their on-premises credentials (same username/password). Plan for filtering (exclude service accounts and admin accounts from sync). Mentions staged rollout and testing.

Average: "Use Azure AD Connect" — knows the tool but not the configuration decisions.

Weak: "Create all 3,000 users in Azure manually" — doesn't know directory synchronization exists.
Conditional Access
"Design Conditional Access policies for a company where some employees work remotely and some only in-office."
Strong: Named Locations: define corporate IP ranges as trusted. Policies: 1) Require compliant device for access to sensitive apps (SharePoint, finance apps) from all locations; 2) Require MFA for any access from non-corporate IP (remote workers, travel); 3) Block access from high-risk countries (based on business need); 4) Grant without MFA from corporate network on compliant, Intune-managed device. Risk-based policies: sign-in risk High → block; sign-in risk Medium → require MFA; user risk High → require password reset. Always exclude break-glass accounts from all CA policies. Report-only mode first to test impact.

Average: "Require MFA for remote users" — basic correct policy but no layered approach.

Weak: "Use a VPN instead" — conflates network access with identity-based conditional access.
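The layered policy set from the Strong answer above, expressed as an added evaluation function (a constructed example, not Microsoft's Conditional Access engine and not code from this page): trusted named location, compliant-device requirement for sensitive apps, MFA off the corporate network, risk-based block/MFA/password-reset, the break-glass exclusion and report-only mode. The IP range, app names, country code and break-glass account are assumptions.

```python
"""Conditional Access evaluation for a layered policy set.

Added example, not Microsoft's Conditional Access engine. Named locations,
device compliance, sign-in and user risk, the break-glass exclusion and
report-only mode are modelled; IP ranges, app names, country codes and
account names are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # constructed named location
SENSITIVE_APPS = {"SharePoint", "FinanceApp"}                  # require a compliant device
BLOCKED_COUNTRIES = {"ZZ"}                                     # placeholder country code
BREAK_GLASS = {"breakglass1@example.com"}                      # excluded from every policy


@dataclass
class SignIn:
    user: str
    app: str
    ip: str
    country: str
    device_compliant: bool
    sign_in_risk: str = "low"      # low | medium | high
    user_risk: str = "low"         # low | medium | high


def in_corporate_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def evaluate(s: SignIn, report_only: bool = False) -> dict:
    """Return decision, required grant controls and the policies that matched.

    The most restrictive outcome wins: a block beats any grant control.
    In report-only mode the decision is computed but flagged as not enforced.
    """
    if s.user.lower() in BREAK_GLASS:
        return {"decision": "grant", "controls": [], "enforced": not report_only,
                "matched": ["break-glass exclusion"]}
    matched: List[str] = []
    controls = set()
    block = False

    if s.sign_in_risk == "high":
        matched.append("sign-in risk high -> block")
        block = True
    if s.country in BLOCKED_COUNTRIES:
        matched.append("blocked country -> block")
        block = True
    if s.app in SENSITIVE_APPS:
        matched.append("sensitive app -> require compliant device")
        if not s.device_compliant:
            block = True                          # grant control cannot be satisfied
    if not in_corporate_network(s.ip):
        matched.append("non-corporate IP -> require MFA")
        controls.add("mfa")
    elif not s.device_compliant:
        # Assumption: corporate network on an unmanaged device still prompts for MFA.
        matched.append("corporate IP, unmanaged device -> require MFA")
        controls.add("mfa")
    if s.sign_in_risk == "medium":
        matched.append("sign-in risk medium -> require MFA")
        controls.add("mfa")
    if s.user_risk == "high":
        matched.append("user risk high -> require password reset")
        controls.add("password_reset")
    if not matched:
        matched.append("corporate network + compliant device -> grant without MFA")

    decision = "block" if block else ("grant_with_controls" if controls else "grant")
    return {"decision": decision, "controls": sorted(controls), "matched": matched,
            "enforced": not report_only}
```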
CyberArk / PAM Engineer Questions

VAULT · SESSION · JIT · CONJUR · EPM
Architecture
"Describe the core components of a CyberArk implementation. What does each component do?"
Strong: Digital Vault (EPV): the encrypted password storage, on-premises or cloud. Central Policy Manager (CPM): automatically changes passwords on target systems on schedule (rotation). Privileged Session Manager (PSM): proxies privileged sessions — admins connect through PSM which records the session and the target system never exposes its password. Password Vault Web Access (PVWA): web UI for requesting access and managing the vault. CyberArk Privilege Cloud: the SaaS equivalent. Connectors/agents on target systems for automatic password management. Explains that the admin never sees the actual password — they click "connect" in the PVWA, PSM connects to the server on their behalf.

Average: "CyberArk stores passwords and records sessions" — correct summary but no component detail.

Weak: "CyberArk is just a password manager" — fundamentally undersells its capabilities; shows surface-level knowledge.
Onboarding
"How would you onboard 500 Windows server local administrator accounts into CyberArk?"
Strong: 1) Discovery scan using CyberArk's DNA scanner or bulk onboarding utility — identifies all Windows servers and their local admin accounts automatically. 2) Create a Platform (policy) for Windows Local Admin — defines password complexity, rotation schedule (e.g., every 30 days), reconciliation account, and connection method. 3) Import accounts via bulk CSV upload or auto-onboarding rules — accounts automatically assigned to the correct Safe and Platform. 4) CPM begins automatic password rotation immediately after onboarding. 5) Configure PSM for remote session connections. 6) Notify system owners that their servers are now managed. Test on 10 servers first before bulk rollout.

Average: "Add them to the vault manually" — technically possible but impractical at 500 scale.

Weak: No process description — shows no CyberArk implementation experience.
JIT Access
"What is Just-in-Time (JIT) access and how does CyberArk implement it? Why is it better than standing privilege?"
Strong: JIT = granting elevated access only when needed for a defined time, then automatically removing it. Instead of server admins having permanent local admin rights (standing privilege), they request access for a 2-hour window via CyberArk — the account is activated, the session is proxied through PSM with full recording, and after 2 hours the access is automatically revoked and the password rotated. Better than standing privilege because: reduces the attack surface (an attacker who compromises an admin account gets access that expires), enables forensic audit trail, enforces approval workflows, and satisfies Zero Trust principle of least privilege over time. CyberArk implements this through Access Policy with time-limited checkout.

Average: "JIT means temporary access" — correct but no implementation detail or security benefit explanation.

Weak: Unaware of JIT — a core modern PAM concept expected of any CyberArk engineer.
SailPoint / IGA Engineer Questions

IDENTITYIQ · PROVISIONING · CERTIFICATIONS · ROLES · SOD
Architecture
"Explain the difference between SailPoint IdentityIQ and IdentityNow (Identity Security Cloud). When would you choose each?"
Strong: IdentityIQ (IIQ): on-premises/customer-hosted Java application, maximum customization, supports complex enterprise environments with many legacy systems, requires dedicated infrastructure and deep Java expertise, longer implementation but highest flexibility. IdentityNow, now called Identity Security Cloud (ISC): SaaS, hosted by SailPoint, faster deployment, lower maintenance, modern UI, better for cloud-heavy environments, limited customization vs IIQ. Choose IIQ for: complex legacy integrations, existing IIQ investment, highly regulated environments needing on-prem data. Choose ISC for: new implementations, cloud-first organizations, faster time-to-value. Current SailPoint direction is ISC — new customers default to ISC.

Average: "IIQ is on-prem, IdentityNow is cloud" — correct but no nuance on when to use each.

Weak: Only knows one — a SailPoint architect should understand both products.
Provisioning
"How does SailPoint automate account provisioning and deprovisioning? Walk me through a new employee scenario."
Strong: HR system (Workday, SAP) pushes new employee data to SailPoint via HR feed (file-based or API). SailPoint matches HR data to an Identity → runs Lifecycle Events (Joiner workflow). Joiner workflow evaluates the employee's attributes (department, location, job title, manager) against role assignments → identifies which applications and entitlements they should have. SailPoint provisions accounts automatically via connectors (AD connector creates the AD account, Salesforce connector creates the Salesforce account, ServiceNow connector creates the ITSM account). For complex apps without connectors: manual fulfillment tickets. Termination: HR triggers Leaver workflow → all accounts suspended/deleted, open access certifications closed, manager notified.

Average: "SailPoint gets data from HR and creates accounts" — correct high-level but no workflow or connector detail.

Weak: "We run a nightly job" — manual batch processing, not real lifecycle management.
Access Certs
"What is an access certification campaign in SailPoint? Design one for a quarterly SOX audit."
Strong: Access certification = formal review of who has what access, with managers certifying appropriateness. SOX campaign design: Scope: all users with access to financial systems (SAP, Oracle Financials, ERP). Frequency: quarterly. Certifier: direct manager (first), application owner (secondary for orphaned accounts). Reviewers see: user name, their current access (roles, entitlements), last activity date, risk indicators (excessive access, SoD violations highlighted in red). Actions: Certify (keep access), Revoke (remove access), Approve/Reject (if access was requested). Escalation if manager doesn't respond in 5 business days. Automatic deprovisioning of revoked access within 24 hours. Completion report exported for auditors. Sign-off by CISO and controller.

Average: "Managers review access and approve or reject it" — correct concept but no design specifics.

Weak: Unaware of access certifications — a core SailPoint/IGA function expected of every governance professional.
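An added example (not SailPoint's certification engine and not code from this page) of the quarterly SOX campaign design above, together with the SoD check from the glossary: scoping to financial-system access, certifier selection (manager first, application owner for orphaned accounts), SoD and inactivity flags, the 5-business-day escalation date and the 24-hour deprovisioning deadline for revocations. The financial systems, SoD rules, application owners, identities and timestamps are constructed.

```python
"""Quarterly SOX access-certification campaign with SoD checks.

Added example, not SailPoint's certification engine. Scopes identities with
financial-system entitlements, picks the certifier (manager, or app owner for
orphaned accounts), flags SoD violations and inactivity, sets a 5-business-day
escalation date and a 24-hour deprovisioning deadline for revocations.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional, Set, Tuple

FINANCIAL_SYSTEMS = {"SAP", "Oracle Financials"}            # constructed in-scope systems
SOD_RULES = [                                               # pairs one person must not hold
    (("SAP", "PO_CREATE"), ("SAP", "PO_APPROVE")),
    (("Oracle Financials", "AP_ENTER"), ("Oracle Financials", "AP_PAY")),
]
APP_OWNERS = {"SAP": "sap.owner@example.com", "Oracle Financials": "ofin.owner@example.com"}
INACTIVITY_DAYS = 90                 # assumed: no sign-in this long is a risk indicator
ESCALATION_BUSINESS_DAYS = 5
REVOKE_SLA = timedelta(hours=24)


@dataclass
class Identity:
    email: str
    manager: Optional[str]
    hr_status: str                   # "active" or "terminated"
    entitlements: Set[Tuple[str, str]]   # (application, entitlement)
    last_login: Optional[date] = None


def add_business_days(start: date, days: int) -> date:
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:          # Monday..Friday count, weekends do not
            days -= 1
    return d


def sod_violations(ents: Set[Tuple[str, str]]) -> list:
    return [rule for rule in SOD_RULES if rule[0] in ents and rule[1] in ents]


def build_campaign(identities: List[Identity], start: date) -> List[dict]:
    """One review item per in-scope identity, carrying the context a reviewer sees."""
    items = []
    for ident in identities:
        fin = sorted(e for e in ident.entitlements if e[0] in FINANCIAL_SYSTEMS)
        if not fin:
            continue                 # out of scope: no financial-system access
        orphaned = ident.hr_status != "active"
        certifier = ident.manager if ident.manager and not orphaned else APP_OWNERS[fin[0][0]]
        inactive = ident.last_login is None or (start - ident.last_login).days > INACTIVITY_DAYS
        items.append({
            "user": ident.email, "certifier": certifier, "entitlements": fin,
            "orphaned": orphaned, "inactive": inactive,
            "sod_violations": sod_violations(ident.entitlements),
            "due": add_business_days(start, ESCALATION_BUSINESS_DAYS),
            "decision": None,
        })
    return items


def record_decision(item: dict, action: str, decided_at: datetime) -> dict:
    """Certify keeps access; revoke must be fulfilled within the 24-hour SLA."""
    if action not in ("certify", "revoke"):
        raise ValueError(f"unknown action {action!r}")
    item["decision"] = action
    if action == "revoke":
        item["deprovision_by"] = decided_at + REVOKE_SLA
    return item


def overdue_items(items: List[dict], today: date) -> List[dict]:
    return [i for i in items if i["decision"] is None and today > i["due"]]


# Constructed sample: a SoD violation, an orphaned account, an out-of-scope user.
CAMPAIGN_START = date(2025, 7, 1)                 # a Tuesday
DECIDED_AT = datetime(2025, 7, 3, 10, 0)          # constructed decision timestamp
IDENTITIES = [
    Identity("alice@example.com", "mgr@example.com", "active",
             {("SAP", "PO_CREATE"), ("SAP", "PO_APPROVE"), ("Slack", "member")}, date(2025, 6, 28)),
    Identity("bob@example.com", "mgr@example.com", "terminated",
             {("Oracle Financials", "AP_PAY")}, date(2025, 1, 15)),
    Identity("carol@example.com", "mgr@example.com", "active", {("Slack", "member")}, date(2025, 6, 30)),
]


def sample_campaign() -> List[dict]:
    return build_campaign(IDENTITIES, CAMPAIGN_START)
```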

🚩 Universal IAM Red Flags — Across All Roles

Vendor name only, no details: "I've worked with CyberArk" but can't describe the vault architecture, CPM, or PSM. Always ask: "What specifically did you configure?" Real experience has real details.
No compliance awareness: IAM professionals at any level should understand why IAM exists in the regulatory context — SOX, HIPAA, GDPR, PCI-DSS. No compliance knowledge suggests a pure tool operator, not an IAM professional.
Confused about SSO mechanics: Saying "SSO is just one password for everything" or confusing SAML with LDAP signals a lack of foundational identity protocol knowledge — fundamental for any access management role.
No joiner-mover-leaver process: A SailPoint or Okta engineer who has never implemented provisioning automation hasn't done the core job. "We created accounts manually" at scale is a red flag for a governance role.
No security mindset in IAM: IAM engineers who optimize only for convenience (removing MFA to reduce friction, giving admin access by default) rather than security principles show a dangerous mindset for a role protecting critical systems.
Only cloud OR only on-prem: For senior roles, pure cloud-only or pure on-prem experience limits the candidate's value in hybrid environments — where 80%+ of enterprises currently operate. At least hybrid awareness is needed above junior level.