Identity and access management (IAM) is one of the pillars of information systems security. With the proliferation of accounts and cloud environments, businesses need to tighten control over digital access. Their challenge? Ensuring that only the right people have access to the right resources, at the right time and for the right reasons.

IAM, an essential bulwark against threats
The rise of corporate digital identities
As a reminder, Identity and Access Management (IAM) is the set of processes, rules and technologies used to manage digital identities (human and machine) and control access to systems, applications and data. See the definition of IAM in our cybersecurity glossary.
Digital identities (user accounts, devices, digital services and tools, etc.) are undergoing unprecedented growth within companies, with a striking phenomenon: machine identities now far outnumber human identities.
On average, there are 82 machine identities for every human identity (CyberArk 2025 study).
[Figure: change in the average number of identities per company]
The graph illustrates a clear trend:
- By 2025, the majority of identities managed by companies are no longer human.
- This means that IAM governance must switch from an HR/customer focus towards a massive management of machine identities (certificates, tokens, secrets, workloads).
- French companies must therefore anticipate this change of scale by integrating identity management solutions capable of managing the volume, automation and security of non-human identities.
This phenomenon is fuelled by several factors: massive adoption of the cloud, teleworking and openness to external partners.
The rise of cyberthreats
This growth in IAM is also due to the increasing number of cyber threats which are forcing organisations to raise their level of protection.
Attacks targeting identities (password theft, phishing, account hijacking, etc.) are on the rise. According to a recent survey (One Identity), 7 out of 10 businesses have suffered an identity-related cyber attack over the past year.
What's more, these cyber attacks often focus on the most crucial identities of the targeted company. According to a Forbes report, 74 % of major data breaches involve the misuse of privileged credentials, such as administrator accounts.
IAM as the new security perimeter
The traditional perimeter security approach (where a user is trusted once inside the network) is no longer sufficient - today, identity itself has become the new perimeter to actively defend.
Companies must apply the principle of least privilege. This means ensuring that only the right people have access to the right resources, at the right time and for the right reasons.
This is a technical and organisational challenge. Each user (employee, supplier, customer, etc.) has a digital identity which must be authenticated and to which only the necessary authorisations are granted, and nothing more.
This is where IAM comes in. By centralising the management of identities and rights, identity and access management makes it possible to automate controls, reduce excessive access and react quickly in the event of a compromise.
Managing this access manually or in a dispersed way exposes the company to errors and critical flaws.
2. The modern IAM toolbox
To meet the challenge of identity security, IAM relies on a whole ecosystem of complementary tools and technologies.
Each IAM component covers a key aspect of verifying users' identity and controlling their access rights. Here are the main components of a modern IAM strategy, along with examples of related solutions.
2.1 Centralised directory and identity federation
IAM rests on a single repository of users and their rights.
Directories such as Active Directory (on premises) or Microsoft Entra ID (formerly Azure AD) are used to store and centralise identities. This centralisation is crucial for gaining a global view of access and avoiding dormant accounts in silos.
Identity federation (via standards such as SAML, OAuth or OIDC) complements the directory by enabling users to connect to multiple applications with the same credentials, while avoiding the proliferation of passwords.
2.2 Multi-factor authentication (MFA)
MFA requires users to prove their identity with at least two factors (password + mobile code, biometrics, physical key, etc.). This is one of the most effective security measures: according to Microsoft, 99.9 % of compromised accounts did not have MFA enabled.
By deploying MFA on sensitive applications (VPN, email, business tools), you can block the vast majority of intrusion attempts, even if a password is stolen.
In addition, adaptive authentication mechanisms are being introduced: for example, access from an unusual location or a new device could trigger an additional check.
IAM solutions often include these functions. Okta, for example, is recognised for its advanced capabilities in single sign-on (SSO) and adaptive MFA (via SMS, mobile push, biometrics, etc.).
Passwordless authentication (via FIDO2 security keys, certificates or biometrics) is also being developed to eliminate the vulnerability of passwords, while improving the user experience.
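The adaptive check described above (an unusual location or a new device triggering an extra factor, MFA always imposed on sensitive applications) can be expressed as a small policy engine. The following is an added example written for this article; it is not code from the page or from any IAM vendor named here. The signal weights, thresholds and the list of sensitive applications are hypothetical values to be tuned to your own environment.

```python
from dataclasses import dataclass


@dataclass
class LoginContext:
    user: str
    country: str      # country the request comes from
    device_id: str    # fingerprint of the device used
    hour: int         # local hour of the attempt, 0-23
    app: str          # application requested


@dataclass
class UserProfile:
    known_devices: set      # devices already seen for this identity
    usual_countries: set    # countries this identity normally connects from
    mfa_enrolled: bool      # can the user actually complete a second factor?


# Applications on which MFA is always imposed, whatever the context (hypothetical list)
SENSITIVE_APPS = {"vpn", "email", "erp"}

# Weight of each risk signal (hypothetical values)
WEIGHTS = {"new device": 2, "unusual location": 3, "off-hours": 1}


def risk_signals(ctx, profile):
    """List the contextual signals that make this attempt unusual for this identity."""
    signals = []
    if ctx.device_id not in profile.known_devices:
        signals.append("new device")
    if ctx.country not in profile.usual_countries:
        signals.append("unusual location")
    if not 7 <= ctx.hour <= 20:
        signals.append("off-hours")
    return signals


def decide(ctx, profile):
    """Return (decision, signals): 'allow', 'step_up' (extra MFA factor) or 'deny'."""
    signals = risk_signals(ctx, profile)
    score = sum(WEIGHTS[s] for s in signals)
    if score >= 5 and not profile.mfa_enrolled:
        # Too risky, and no strong factor is available to prove the identity
        return "deny", signals
    if score >= 2 or ctx.app in SENSITIVE_APPS:
        return "step_up", signals
    return "allow", signals


if __name__ == "__main__":
    profile = UserProfile({"laptop-42"}, {"FR"}, mfa_enrolled=True)
    for ctx in [LoginContext("alice", "FR", "laptop-42", 10, "wiki"),
                LoginContext("alice", "FR", "laptop-42", 10, "vpn"),
                LoginContext("alice", "BR", "phone-99", 3, "email")]:
        print(ctx.app, decide(ctx, profile))
```

The deny branch is the edge case worth noting: when a login is highly anomalous and the identity has no enrolled second factor, there is nothing left to step up to, so the only safe decision is to refuse and let the user go through a support-assisted re-enrolment.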
2.3 Single Sign-On (SSO)
SSO, or single sign-on, allows users to log in once and access all their authorised applications without having to re-enter their login details.
In addition to the convenience offered to employees (who no longer have to manage dozens of passwords), SSO strengthens security: as authentications are centralised, they are better controlled and traced.
Cloud SSO providers such as Okta and OneLogin offer thousands of ready-to-use integrations to federate SaaS and on-premise access.
These tools also offer contextual policies (also known as Zero Trust orchestration) to adapt access conditions according to context (location, type of device, time of day, etc.), and thus block any connection deemed abnormal or at risk.
2.4 Identity Governance (IGA)
Identity governance aims to manage the entire lifecycle of user accounts - from their creation to their deletion, including changes to rights when roles change.
Good governance ensures that each entry (recruitment) or exit (departure of an employee, end of a service provider's contract) is processed without delay. The necessary accounts are created on arrival, access is modified or withdrawn when there is a change of post, and above all, accounts are disabled immediately when a person leaves the organisation.
Without this rigorous management, orphan accounts proliferate and needlessly widen the attack surface. A company audit revealed that 30 % of user accounts were inactive but still present in the directory. This poses a serious risk of unauthorised access.
Dedicated solutions such as SailPoint automate these processes and offer governance functions (periodic review of rights, certification of access by managers, alignment with compliance rules). Onboarding/offboarding workflows and role management (RBAC) ensure that the 'right accesses' are allocated to the 'right people' and revoked as soon as they are no longer justified.
To provide a framework for your IAM approach, rely on tried and tested methods such as EBIOS or ISO 27001/27005 standards.
2.5 Privileged Access Management (PAM)
Accounts at high privileges (system administrators, domain accounts, root access, etc.) represent a critical risk if they are compromised, as they provide access to the most sensitive data and to IS controls. It is therefore essential to manage them with the utmost vigilance.
PAM solutions, such as CyberArk, are specifically designed to lock down administrator accounts by storing their passwords in an encrypted safe, monitoring and recording every privileged session, and applying just-in-time access (privileges granted only on request and for a limited time).
According to the IDSA alliance, 33 % of cyber attacks involve the exploitation of privileged credentials.
PAM can also detect any abnormal use of a privileged account (for example, an administrator accessing a system for no legitimate reason) and trigger alerts in real time.
Coupled with a Zero Trust policy, PAM ensures that no administrator access is granted by default: each elevation of privilege must be justified and approved on a case-by-case basis, drastically reducing the potential window of opportunity for an attacker.
2.6 Monitoring, auditing and behavioural analysis
In addition to the initial allocation of rights, good IAM security involves continuous monitoring access usage. This includes logging user connections and operations, regular audits to check that the rights in place still correspond to business needs, and the deployment of anomaly detection tools.
For example, solutions incorporating AI and Machine Learning can establish a profile of normal behaviour for each identity (usual times, applications commonly used, etc.) and spot any activity that is out of the ordinary (logging on at an unusual time, massive data extraction, etc.). In the event of suspicious behaviour, access can be automatically restricted or suspended pending verification. These User and Entity Behavior Analytics (UEBA) mechanisms are becoming more widespread and are a welcome addition to the IAM arsenal. They address the problem that confidence in an identity should no longer be static - it must be dynamically and continuously evaluated. As one expert points out, the future of IAM will consist of linking identity to real-time risk assessment at each access attempt, by cross-referencing multiple signals (context, device, behaviour) rather than relying on a simple initial login.
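To make the UEBA idea concrete, here is an added example (written for this article, not code from the page or from any product it mentions) that builds a per-identity baseline from a few constructed access-log lines and then scores new events against it. The signals (unusual hour, new application, volume far above the usual maximum), their weights and the allow/alert/restrict thresholds are hypothetical; a real deployment would use far longer histories and statistical models rather than a simple min/max envelope.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: user, timestamp, application, bytes transferred
HISTORY = [
    "alice 2025-03-03T09:12:00 crm 12000",
    "alice 2025-03-03T14:30:00 mail 5000",
    "alice 2025-03-04T10:05:00 crm 15000",
    "alice 2025-03-05T16:45:00 wiki 800",
    "alice 2025-03-06T11:20:00 crm 9000",
    "bob 2025-03-03T22:10:00 monitoring 300",     # bob works the night shift
    "bob 2025-03-04T23:40:00 monitoring 450",
]

# Hypothetical weight of each anomaly signal
WEIGHTS = {"unusual hour": 1, "new application": 1, "massive data extraction": 2, "no baseline": 1}


def parse(line):
    user, ts, app, nbytes = line.split()
    return {"user": user, "ts": datetime.fromisoformat(ts), "app": app, "bytes": int(nbytes)}


def build_baselines(lines):
    """Profile of normal behaviour per identity: hours seen, apps used, largest transfer."""
    base = defaultdict(lambda: {"hours": [], "apps": set(), "max_bytes": 0})
    for e in map(parse, lines):
        b = base[e["user"]]
        b["hours"].append(e["ts"].hour)
        b["apps"].add(e["app"])
        b["max_bytes"] = max(b["max_bytes"], e["bytes"])
    return dict(base)


def score_event(line, baselines, volume_factor=5):
    """Compare one new event with the identity's baseline and decide the automatic response."""
    e = parse(line)
    b = baselines.get(e["user"])
    signals = []
    if b is None:
        signals.append("no baseline")          # identity never seen before: worth a look
    else:
        lo, hi = min(b["hours"]) - 1, max(b["hours"]) + 1   # one hour of tolerance each side
        if not lo <= e["ts"].hour <= hi:
            signals.append("unusual hour")
        if e["app"] not in b["apps"]:
            signals.append("new application")
        if e["bytes"] > volume_factor * b["max_bytes"]:
            signals.append("massive data extraction")
    score = sum(WEIGHTS[s] for s in signals)
    action = "allow" if score == 0 else "alert" if score == 1 else "restrict"
    return {"user": e["user"], "score": score, "signals": signals, "action": action}


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for line in ["alice 2025-03-10T10:00:00 crm 11000",
                 "alice 2025-03-10T02:30:00 fileshare 900000",
                 "bob 2025-03-10T23:00:00 monitoring 400"]:
        print(score_event(line, baselines))
```

Note that the baseline is per identity, not global: bob's 23:00 connection is normal for bob, while the same hour would be flagged for alice. That is exactly the difference between a static rule ("no logins at night") and the dynamic, continuously evaluated confidence the article calls for.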
Finally, it is important to note that there is no one-size-fits-all IAM solution. The market offers a wide range of solutions with different scopes - some cover everything (authentication, SSO, IGA, PAM) in a unified platform, others are specialised in a specific area (e.g. MFA or governance). The choice will depend on the size of the company, its IS (cloud, hybrid, on-premise), its sector constraints and its budget.
3. Best practice for effective IAM
Implementing IAM in an information system is a complex, cross-disciplinary project. Many companies have learned this the hard way: more than 50 % of IAM projects are over budget or over schedule, and according to Gartner 40 % fail or are delayed due to lack of coordination between business and IT teams.
Poorly prepared IAM integration can even disrupt business: several studies (Forrester, Ping Identity) show that 2 out of 3 IAM projects cause service interruptions during system migration if it is poorly controlled.
To avoid these pitfalls, you need to adopt a methodical approach. Here are the recommended best practices for securing identity and access in an operational way, from planning the IAM project to day-to-day deployment:
3.1 Involve all stakeholders
IAM is not a purely technical issue - it touches on HR processes (hiring and leaving), compliance rules, the user experience, etc. So it's crucial to build the project with a global vision.
From the outset, create an interdisciplinary working group including IT, security, HR, business, compliance and management. This cross-functional governance ensures that security objectives are aligned with business needs.
For example, the HR department will be able to specify which onboarding workflows to automate, while business managers will be able to define which accesses are critical for their teams, and so on.
If this aspect is neglected, there is a risk of deploying a solution that is out of step with the situation on the ground: more than 40 % of IAM projects fail due to a lack of business/IT coordination, according to Gartner.
Constant communication, workshops to gather requirements and clear governance (IAM steering committee) will ensure collective support.
Indeed, end-user buy-in is decisive: nearly 60 % of digital transformation initiatives fail because of insufficient user adoption.
It is therefore necessary to support the change, provide information about the benefits (e.g. fewer passwords thanks to SSO, greater security and therefore fewer incidents), and train both administrators and users in the new IAM tools.
3.2 Audit the existing situation and set clear objectives
Before rushing into technical integration, take the time to map the existing situation. Identify where the identity data is located (multiple directories, application databases, etc.), what the current account management processes are, and identify any known vulnerabilities.
A preliminary audit often leads to some edifying discoveries - one customer was found to have 30 % dormant accounts in its AD, another that the same employee had unrevoked access to old systems.
Correcting these flaws upstream immediately enhances security, even before the IAM solution is deployed.
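The kind of preliminary audit described above (dormant accounts still present in AD, leavers whose access was never revoked) can be scripted against a directory export. The following is an added example written for this article, not the page's own code or a vendor tool; the directory export, the HR roster and the 90-day dormancy threshold are constructed sample data, and the CSV columns are an assumption about what your extraction would contain.

```python
import csv
from datetime import date
from io import StringIO

# Constructed directory export (the columns are an assumed extraction format, not an AD/Entra schema)
DIRECTORY_EXPORT = """account,enabled,last_logon,groups,type
jdupont,true,2025-05-28,Staff,user
mmartin,true,2025-01-10,Staff;Domain Admins,user
pleclerc,true,,Staff,user
old-consultant,true,2024-11-02,Staff,user
svc-backup,true,2025-05-30,Backup Operators,service
rdurand,false,2024-08-15,Staff,user
"""
# Constructed HR roster of people currently under contract
HR_ROSTER = {"jdupont", "mmartin", "pleclerc"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
AS_OF = date(2025, 6, 1)   # reference date of the audit (constructed)


def parse_export(text):
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["enabled"] = r["enabled"].lower() == "true"
        r["last_logon"] = date.fromisoformat(r["last_logon"]) if r["last_logon"] else None
        r["groups"] = set(r["groups"].split(";")) if r["groups"] else set()
        rows.append(r)
    return rows


def is_dormant(row, as_of, dormant_days):
    """Enabled account that never logged on, or not for more than dormant_days."""
    if not row["enabled"]:
        return False
    if row["last_logon"] is None:
        return True
    return (as_of - row["last_logon"]).days > dormant_days


def audit(text, hr_roster, as_of=AS_OF, dormant_days=90):
    """Return (account, finding, severity) tuples for the IAM team to act on."""
    findings = []
    for r in parse_export(text):
        privileged = bool(r["groups"] & PRIVILEGED_GROUPS)
        if not r["enabled"]:
            # Disabled but still in the directory: clean up before it gets re-enabled by mistake
            findings.append((r["account"], "disabled_not_deleted", "low"))
            continue
        if is_dormant(r, as_of, dormant_days):
            findings.append((r["account"], "dormant", "high" if privileged else "medium"))
        if r["type"] == "user" and r["account"] not in hr_roster:
            # Human account with nobody behind it in HR: an orphan, whatever its activity
            findings.append((r["account"], "orphan", "high"))
    return findings


def inactive_ratio(text, as_of=AS_OF, dormant_days=90):
    """Share of directory accounts that are enabled yet dormant (the '30 %' figure of the article)."""
    rows = parse_export(text)
    return sum(is_dormant(r, as_of, dormant_days) for r in rows) / len(rows)


if __name__ == "__main__":
    for f in audit(DIRECTORY_EXPORT, HR_ROSTER):
        print(f)
    print(f"inactive: {inactive_ratio(DIRECTORY_EXPORT):.0%}")
```

Two design choices matter here: service accounts are excluded from the orphan check (they have no HR record by nature, so they need a separate owner register), and a dormant account in a privileged group is rated high because it is precisely the kind of credential the article's breach statistics point to.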
On the basis of this inventory, then define the objectives of the project precisely. What is the priority to achieve? For example: "guarantee the removal of all access within 24 hours after a departure", "implement strong authentication on critical tools", "reduce the number of calls to support to reset passwords by 80 %", etc.
SMART (Specific, Measurable, Achievable, Realistic, Time-bound) objectives will serve as a compass throughout the project. They will prevent the solution from going astray or being oversized.
For example, if the number one issue is regulatory compliance, the focus will be on traceability and audit reports; if it is reducing the risk of phishing, priority will be given to MFA and passwordless authentication.
This framework also makes it possible to prioritise the projects: you may decide to deal first with IAM for internal employees, then extend it to customers/partners (CIAM), etc., depending on the resources available.
3.3 Apply the principle of least privilege and automate
In operational terms, the golden rule is "least privilege": each user must only have the access necessary for their function, no more and no less.
In practice, this means defining clear roles (for example: Mr X, a "Marketing department employee", has access to tools A, B and C; an "IT Manager" accesses D, E, F, etc.) and automating the allocation of rights according to these roles.
When an employee arrives, an onboarding workflow will create their account in the directory, assign them to the right groups/roles and grant them the appropriate access. Conversely, when an employee leaves, an automated offboarding process must deactivate or delete all their accounts (email, VPN, business applications, etc.) without delay.
Automation is essential to avoid human latency (a forgotten account that is active for a few days is enough to cause a compromise).
In addition, schedule regular reviews of rights: every 6 months, for example, managers review their subordinates' access rights and certify that they are still justified, otherwise they ask for them to be revoked.
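The role-based lifecycle described in this section (onboarding grants the role's entitlements, a change of post swaps them, offboarding revokes everything, and a periodic review surfaces anything not justified by a role) is shown below as an added example written for this article; it is not code from the page or from any IGA product such as SailPoint. The role catalogue mirrors the A/B/C and D/E/F example above and is constructed; a real implementation would push the same grant/revoke decisions to the directory and applications instead of keeping them in memory.

```python
from dataclasses import dataclass, field

# Role catalogue: which entitlements each business role justifies (constructed)
ROLE_ENTITLEMENTS = {
    "marketing_employee": {"tool-A", "tool-B", "tool-C"},
    "it_manager": {"tool-D", "tool-E", "tool-F"},
}


@dataclass
class Identity:
    roles: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)
    exceptions: dict = field(default_factory=dict)   # entitlement -> justification, granted outside any role


class AccessStore:
    def __init__(self):
        self.identities = {}
        self.journal = []   # every grant and revoke is traced for audit

    def _log(self, action, user, ents):
        for e in sorted(ents):
            self.journal.append((action, user, e))

    def _justified_by_roles(self, ident):
        return set().union(*(ROLE_ENTITLEMENTS[r] for r in ident.roles))

    def onboard(self, user, role):
        """Arrival: create the identity and grant exactly what the role justifies."""
        ident = self.identities.setdefault(user, Identity())
        ident.roles.add(role)
        granted = ROLE_ENTITLEMENTS[role] - ident.entitlements
        ident.entitlements |= granted
        self._log("grant", user, granted)
        return granted

    def change_role(self, user, old_role, new_role):
        """Change of post: revoke what only the old role justified, then grant the new role."""
        ident = self.identities[user]
        ident.roles.discard(old_role)
        still_justified = self._justified_by_roles(ident) | set(ident.exceptions)
        revoked = (ROLE_ENTITLEMENTS[old_role] - still_justified) & ident.entitlements
        ident.entitlements -= revoked
        self._log("revoke", user, revoked)
        granted = self.onboard(user, new_role)
        return granted, revoked

    def grant_exception(self, user, entitlement, justification):
        """Access outside the role model: allowed, but recorded with its justification."""
        ident = self.identities[user]
        ident.exceptions[entitlement] = justification
        ident.entitlements.add(entitlement)
        self._log("grant", user, {entitlement})

    def offboard(self, user):
        """Departure: revoke everything at once and remove the identity."""
        ident = self.identities.pop(user)
        self._log("revoke", user, ident.entitlements)
        return ident.entitlements

    def access_review(self, user):
        """What the manager must certify or revoke: entitlements not explained by any role."""
        ident = self.identities[user]
        outside_roles = ident.entitlements - self._justified_by_roles(ident)
        return {e: ident.exceptions.get(e, "NO JUSTIFICATION") for e in outside_roles}


if __name__ == "__main__":
    store = AccessStore()
    store.onboard("alice", "marketing_employee")
    print(store.change_role("alice", "marketing_employee", "it_manager"))
    store.grant_exception("alice", "tool-C", "campaign handover until 2025-07-01")
    print(store.access_review("alice"))
    print(store.offboard("alice"), store.journal)
```

The access review is the part most often missing from home-grown scripts: the question it answers is not "what does alice have?" but "what does alice have that her current role does not explain?", which is the list a manager can actually certify in a few minutes.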
3.4 Proactively securing privileged accounts
Administrators and other super-users should be given special attention. Their number should be kept to a minimum and powers should be separated (segregation of duties) to ensure that no one person has all the rights.
Set up a password safe for these sensitive accounts (provided by PAM solutions): in this way, privileged identifiers are no longer known to humans; they are generated randomly and changed frequently.
Access to an admin account is on request, with justification, and is granted on a temporary basis (just-in-time) and then automatically closed again once the task has been completed.
In addition, each privileged session must be supervised and traced: video recordings of actions, or at least detailed logging of commands executed. This traceability is used to detect any malicious actions or serious errors, and is often required during security audits. In the event of an incident, it will also facilitate forensic analysis.
You should also consider setting up real-time alerts on sensitive accounts: for example, if an administrator account disables logs or creates a new privileged user, the security team must be informed immediately.
The Zero Trust approach recommends never trusting a priori - even an internal admin could act under duress or have stolen credentials - hence the need to check and limit every action.
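Sections 2.5 and 3.4 together describe one mechanism: a password safe that generates and rotates privileged secrets, just-in-time elevation requested with a justification and approved by someone else, automatic closure when the time window ends, session logging, and an immediate alert when a privileged session does something sensitive. The broker below is an added example written for this article; it is not the page's code and not CyberArk's or any other PAM product's API. The sensitive command patterns and the sample session are constructed, and the times are passed in explicitly so that expiry is deterministic.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed markers of actions that must alert the security team immediately
SENSITIVE_PATTERNS = ("disable-audit", "add-privileged-user", "clear-eventlog")
T0 = datetime(2025, 6, 1, 10, 0)   # constructed reference time


def at(minutes):
    """Helper for the examples and tests: T0 plus a number of minutes."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class Ticket:
    requester: str
    account: str
    justification: str
    duration: timedelta
    approver: str = None
    expires_at: datetime = None
    status: str = "pending"
    commands: list = field(default_factory=list)


class PamBroker:
    def __init__(self):
        self.vault = {}      # privileged account -> current secret, never known to a human permanently
        self.tickets = {}
        self.alerts = []

    def enroll(self, account):
        self.vault[account] = secrets.token_urlsafe(24)   # random, not chosen by anyone

    def request(self, requester, account, justification, minutes):
        if not justification.strip():
            raise ValueError("a justification is mandatory")
        tid = f"T{len(self.tickets) + 1}"
        self.tickets[tid] = Ticket(requester, account, justification, timedelta(minutes=minutes))
        return tid

    def approve(self, tid, approver, now):
        t = self.tickets[tid]
        if approver == t.requester:
            raise PermissionError("segregation of duties: cannot approve your own request")
        t.approver, t.status, t.expires_at = approver, "active", now + t.duration
        return t.expires_at

    def checkout(self, tid, now):
        """Hand out the secret only while the ticket is active; expiry closes it and rotates the secret."""
        t = self.tickets[tid]
        if t.status == "active" and now >= t.expires_at:
            self.close(tid)
        if t.status != "active":
            raise PermissionError(f"ticket {tid} is {t.status}")
        return self.vault[t.account]

    def log_command(self, tid, command, now):
        """Trace every command of the session and raise a real-time alert on sensitive ones."""
        t = self.tickets[tid]
        t.commands.append((now, command))
        if any(p in command for p in SENSITIVE_PATTERNS):
            self.alerts.append((now, t.requester, t.account, command))

    def close(self, tid):
        t = self.tickets[tid]
        t.status = "closed"
        self.vault[t.account] = secrets.token_urlsafe(24)   # rotate after each use


if __name__ == "__main__":
    b = PamBroker()
    b.enroll("admin-db")
    tid = b.request("alice", "admin-db", "incident #1234: restore sales database", 30)
    b.approve(tid, "bob", at(0))
    b.checkout(tid, at(5))
    b.log_command(tid, "backup-restore --db sales", at(6))
    b.log_command(tid, "disable-audit --all", at(7))   # triggers an alert
    print(b.alerts)
```

Rotating the secret on closure is what makes the "just-in-time" promise hold: even if a credential leaked during the session, it stops working the moment the window ends, and the next elevation goes through a new request and a new approval.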
3.5 Facilitating the user experience to encourage adoption
An effective IAM must not be synonymous with excessive constraints for employees, at the risk of them seeking to circumvent it. It must strike the right balance between security and productivity.
For example, replacing 5 daily logins with a single SSO portal will significantly improve convenience for users - and at the same time enhance security (since a robust MFA can then be imposed on this single portal).
Similarly, the introduction of a password self-service (allowing users to reset their passwords themselves via a secure procedure) reduces frustration and cuts down on IT tickets.
It is also a good idea to make employees aware of the importance of these measures: explain to them that the MFA protects their account in the same way that a spare set of keys protects a house, and that the access review ensures that no-one has unjustified permissions, etc. Involving users and paying close attention to user-friendliness (for example, using solutions with a simple mobile application for the MFA, or password-less authentication that avoids repetitive data entry) will increase acceptance.
By following these best practices, you can maximise your chances of success in securing your identities and access.
Of course, the road to a mature IAM is iterative: we need to constantly adjust the rules, take account of feedback from the field, and remain agile in the face of technological change. So what are the major trends in the future of IAM?
4. Emerging trends and anticipated developments
IAM is a constantly evolving field, driven by both technological advances and the ingenuity of attackers. By 2025, several key trends will have emerged that redefine the way in which identities and access are secured:
- The era of Zero Trust: the "never trust, always verify" paradigm is taking hold. Identity becomes the central security perimeter. Each access attempt is continuously validated according to context and risk level, even if the user is already connected to the network.
- Passwordless authentication: to counter phishing, the industry is pushing ahead with robust alternatives such as FIDO2 security keys (passkeys) and biometrics. These methods are not only more secure, but also simpler for the user.
- Artificial intelligence in the service of defence: AI and machine learning are now used to detect anomalous behaviour in real time, suggest optimised rights and automate the response to threats, making IAM more intelligent and proactive.
- The convergence of security platforms: the silos between IAM, PAM and IGA are disappearing in favour of unified identity security platforms. This integration provides a 360° view, simplifies administration and guarantees consistent application of security policies across the entire IS.
Conclusion
Securing identities and access (IAM) is a strategic project for all digital businesses. This requires the implementation of robust tools (SSO, MFA, PAM, IGA, etc.), well-oiled processes (lifecycle management, certification, audits) and change management involving the entire organisation.
The benefits are many: a drastic reduction in the risk of a breach, better visibility on who has access to what, and productivity gains (fewer passwords to manage, fewer support requests). The figures speak for themselves: 57 % of companies believe that better IAM management would have prevented cyber attacks that they have suffered. IAM is therefore an essential investment in protecting your digital assets.
However, we must not lose sight of the fact that this is a continuous process. Threats are changing (AI phishing, theft of API tokens, etc.), as is your environment (new IS applications, new regulatory obligations). You will need to constantly adapt access policies, update tools and raise user awareness.
By making identity the core of the security strategy, we are building an IS where the right people have access to the right resources, at the right time... and for the right reasons, quite simply.

