A practitioner's guide

Your path to IAM success Nine essential steps for breaking into Identity & Access Management.

A field guide for people new to IAM — written for the way the work actually happens in 2026. Read it cover to cover, or jump in wherever you need to.

Right access· Right people· Right reasons· Right time
Step 01

IAM fundamentals

The basics that outlast every tool, vendor, and trend.

The fundamentals will take you further than any tool or certification. In every role I've held, knowing the basics helped me learn new platforms faster, communicate with stakeholders more effectively, and transition between very different IAM positions.

Authentication

Authentication is confirming that a user is who they claim to be. There are three factors: something you know (passwords), something you have (hardware tokens, YubiKeys, passkeys), and something you are (biometrics).

Passwords aren't going away, but they're the weakest option. If SMS is all you can add on top of a password, use it — it's still better than a password alone. RSA tokens and YubiKeys are stronger. Passkeys, which bind authentication to a device using cryptographic keys, are now becoming mainstream and worth understanding early.

Authorization

Authorization is what a user can do after they've been authenticated. Here are the main models you'll encounter:

MethodFlexibilitySecurityScalabilityBest for
RBACModerateHighHighStandard org access
ABACHighHighModerateMission-critical least privilege
PBACVery highVery highHighCompliance-heavy environments
MACLowHighLowClassified / military
DACHighModerateModeratePersonal documents
Authorization models compared.

RBAC is the easiest to stand up — you assign entitlements by job title and use role mining to identify what access a given role needs. The risk is over-provisioning. ABAC is more granular, using attributes like location, time of day, and department, which makes it better for least privilege. PBAC is highly flexible but requires disciplined policy management — stale policies will grant access they shouldn't.

Other terms to know

Protocol

SSO

Single sign-on lets users authenticate once and access all their applications through a dashboard without re-entering passwords. Uses SAML or OIDC protocols.

Protocol

OIDC

OpenID Connect is the modern protocol — apps verify identity using authorization tokens from an authorization server. Preferred over SAML for new integrations.

Lifecycle

Joiner / Mover / Leaver

The core of lifecycle management. Joiners get provisioned, movers get access adjusted, leavers get deprovisioned — immediately or on a schedule.

New · 2026

Passkeys

Device-bound credentials using public key cryptography. No password, no SMS code. Microsoft, Google, and Apple all now support passkeys natively.

New · 2026

ITDR

Identity Threat Detection and Response. Detects compromised identities, unusual access patterns, and lateral movement in real time. Now showing up on job descriptions regularly.

New · 2026

Non-human identities

Service accounts, API keys, machine-to-machine tokens, and AI agent identities. The fastest-growing IAM problem — most orgs have far more non-human identities than human ones.

Step 02

IAM tools & technologies

The platforms hiring managers actually ask about.

Microsoft Entra ID Access management · IGA

The dominant enterprise IAM platform. Provides SSO, MFA, Conditional Access policies, Privileged Identity Management (PIM), and lifecycle workflows. Used across commercial and federal environments. Learn this first.

microsoft.com
SailPoint ISC IGA

The leading IGA platform. Handles user lifecycle management, access certification, segregation of duties, and provisioning. Identity IQ (IIQ) is still deployed heavily in federal and legacy environments. The cloud platform (Identity Security Cloud) now includes AI-driven access recommendations.

sailpoint.com
Okta Access management · IDaaS

A widely deployed IDaaS platform with SSO, MFA, API access management, and PAM offerings. Still used across thousands of organizations. The 2023 breach changed enterprise buying behavior, so expect to see it more in mid-market than large enterprise.

okta.com
CyberArk Added Privileged Access Management

The dominant PAM platform. Controls access to admin accounts, service accounts, and shared credentials. PAM knowledge is now expected for most mid-to-senior IAM roles — it's no longer a specialty track.

cyberark.com
Ping / ForgeRock Added Access management · IGA

Ping Identity acquired ForgeRock in 2023. Together they appear in almost every large enterprise RFP. If you're targeting Fortune 500 or financial services roles, this platform will come up.

pingidentity.com
Keycloak Open source · IGA

Open source IAM with full IGA features. Great for hands-on labs because it's free to run locally. Also used in production at companies and government agencies that can't use SaaS-based tools.

keycloak.org

Also worth knowing: Saviynt (IGA + cloud security), BeyondTrust (PAM), and Delinea (PAM).

Step 03

Gain cybersecurity experience

IAM lives inside cybersecurity — know the frameworks it sits on.

Core frameworks

Framework

CIA triad

Confidentiality, Integrity, Availability. Every security decision maps back to one of these three. Know them well enough to explain them in an interview without notes.

Principle

Least privilege

Give users the minimum access required to do their job. Reduces the blast radius when an account is compromised. The principle underlies ABAC, PIM, and PAM.

Architecture

Zero trust

Not a product — a framework. Trust but verify, continuously. Uses attributes like IP, location, device health, and MFA strength rather than relying on a perimeter. This is now standard practice, not a trend.

New · 2026

ITDR

Identity Threat Detection and Response. Tools like Microsoft Defender for Identity, Silverfort, and CrowdStrike Falcon Identity detect anomalous identity behavior and respond in real time.

Compliance standards to know

StandardScopeIAM relevance
GDPREU personal dataAccess controls, data classification, access logging
HIPAAUS health dataMinimum necessary access, audit trails, emergency access
SOXUS financial entitiesSegregation of duties, financial data access controls, 90-day audit cycles
PCI-DSSCardholder dataStrong access controls, MFA, encryption, access reviews
NIST 800-63Federal agenciesDigital identity guidelines — the standard for government IAM work
NIST 800-207 AddedZero trust architectureThe federal blueprint for zero trust implementation
Compliance frameworks and what they require from IAM.
Step 04

Develop your technical skills

You don't need to be a developer. You do need to read code.

You don't need to be a developer to succeed in IAM. But you should understand what's being written and be able to read and modify scripts when needed. I didn't start technical — I picked these up over time.

Priority

PowerShell + Microsoft Graph SDK

The most practical scripting skill for IAM in 2026. The Graph SDK lets you query and manage Entra ID, automate lifecycle tasks, and build audit scripts. This is the skill gap I see most often in practitioners working in Microsoft environments.

Added · 2026

REST API literacy

You don't need to build APIs — you need to read documentation, call endpoints, and work with JSON responses. Almost every modern IAM integration runs over REST. Knowing how to use Postman or curl opens a lot of doors.

Language

Python

Popular, readable, and well-supported across IAM tools. Good for automation, data processing, and working with APIs. freeCodeCamp (freecodecamp.org) has solid free courses.

Language

Java / BeanShell

Still relevant if you're working with SailPoint IIQ. IIQ rules and workflows are written in Java BeanShell. You don't need to be a Java developer, but you need to be able to read and modify rule code.

Step 05

Practice with hands-on labs

Experience you build yourself is still experience.

Employers who see a candidate with documented projects and lab work take that seriously — more than a certification alone.

Free environments to start with

Projects worth building

Step 06

Get certified

Certs don't get you hired. But they sharpen what you know.

Certifications won't get you a job by themselves. What gets you a job is everything in the earlier steps. That said, studying for a cert will sharpen your knowledge — and having one gives a hiring manager a data point when they're choosing between two otherwise similar candidates.

CompTIA Security+ Entry

Solid cybersecurity foundation with a dedicated IAM section. A good first cert before moving to vendor-specific or IAM-specific options.

SC-900 Added Entry

Microsoft's entry-level security, compliance, and identity exam. Low cost, quick to study for, and a good on-ramp to SC-300. Recommended before you attempt SC-300.

SC-300 Priority Mid

Microsoft Identity and Access Administrator. Covers Entra ID administration, Conditional Access, PIM, and identity governance. Shows up on more IAM job descriptions than any other cert right now.

Okta Professional Entry

Okta's entry-level certification. Regularly on sale — sometimes under $100 with access to premium study guides. Verify current pricing and track structure before registering, as Okta has restructured their cert program.

CIDPRO Advanced

Developed by IDPro. Tests IAM knowledge through real-world scenarios and conceptual questions. Best suited for practitioners with 2–3+ years of experience.

CIAM (IMI) Advanced

The Certified Identity and Access Manager from the Identity Management Institute. One of the most frequently required certs on senior IAM job descriptions.

Step 07

Get industry experience

Close the experience gap with projects you can talk about.

Many entry-level IAM roles require experience, which is frustrating. The way through it is to arrive at the interview able to speak specifically about what you've built, what you've configured, and what broke and how you fixed it. Projects close that gap.

Entry points worth pursuing

Step 08

Network

Most IAM jobs are filled before they're posted.

The IAM community is genuinely small and tight-knit — people remember who showed up, who asked good questions, and who was generous with their knowledge.

Step 09

Continuous learning

IAM moves fast. Stay current — even thirty minutes a week.

The tools change, the threats change, and the compliance landscape shifts with them. Set aside time each week to stay current — even thirty minutes of reading makes a difference over a year.

Hot right now

Non-human identities

Service accounts, API keys, machine identities, and AI agent identities. NIST, Microsoft, and SailPoint all published guidance on this in 2024–2025. The attack surface here is massive and largely unmanaged.

Hot right now

ITDR

Identity Threat Detection and Response is now a job category, not just a feature. CrowdStrike, Silverfort, and Microsoft Defender for Identity are the main players.

Rising fast

Passkeys & passwordless

Major platforms now support passkeys natively. Enterprise adoption is accelerating. Know how they work and how they're provisioned at scale.

Rising fast

AI in IGA

SailPoint, Saviynt, and newer platforms like Klyro are using AI to automate access recommendations and detect outlier access patterns. Expect this to reshape how access reviews work.

Rising fast

Decentralized identity

W3C DID standards and verifiable credentials have moved from fringe to mainstream conversation. NIST and government frameworks are starting to reference them. Worth understanding conceptually.

Foundational

Self-sovereign identity (SSI)

Users controlling their own digital identity credentials without a central authority. Still emerging in enterprise, but foundational to where digital identity is heading.

Where to stay current

Continue with us

Ready to go deeper?

Personal coaching, interview prep, and structured courses — all through All Things Identity.