The five IAM domains

A detailed walk through the five domains that make up modern IAM — Access Management, IGA, PAM, CIAM, and ITDR — with their capabilities, audiences, use cases, and where they overlap with one another.

Why split IAM into five domains

In the previous articles you ran into AM, IGA, PAM, CIAM, and ITDR several times, almost always in passing. Now it’s time to open them one by one. The reason is practical: in the real market, platforms and teams are organized this way. When a company posts an “IAM engineer” job opening, the description most likely mentions one or two of these domains, not all five. When a consultant sells a project, the scope is defined in these terms. And when a tool claims to be a “Gartner Leader,” it always specifies in which quadrant.


If you don’t manage this partition, you’ll confuse conversations. You’ll talk about “MFA” when the problem is “certification,” or about “privileged accounts” when what’s needed is “fraud detection.” Each domain solves different questions with its own tools and vocabulary.


A useful analogy before getting into detail: think of a company as a building with several zones. AM are the guards at the main entrance — they verify credentials and grant access. IGA is the administrative department that maintains the list of who can come in and reviews that the list is correct. PAM are the specialized guards of restricted areas (servers, machine rooms) with their own protocols. CIAM is the reception team for visitors and external customers. ITDR are the cameras and sensors that watch everyone in real time and trigger alarms when they see something off.



Big picture: the map of the five domains

Before going into each one, look at the map. The five domains revolve around identity as the central concept we covered in previous articles. Each one tackles a different dimension of how that identity is managed.


flowchart TB
  accTitle: Map of the five IAM domains
  accDescr: Identity is the central hub with directed edges to five child domains: Access Management, Identity Governance, Privileged Access, Customer IAM, and Identity Threat Detection.
  ID([Identity])
  AM[Access Management<br/>The front door]
  IGA[Identity Governance<br/>The guardian]
  PAM[Privileged Access<br/>The safe]
  CIAM[Customer IAM<br/>The customer-facing layer]
  ITDR[Identity Threat<br/>The sentinel]
  ID --> AM
  ID --> IGA
  ID --> PAM
  ID --> CIAM
  ID --> ITDR
Identity is the axis. Each domain takes that identity and applies a different lens — authenticate, govern, elevate, serve, watch.

They aren’t five different products for the same problem; they’re five different questions about the same subject.


Comparative summary in one table

DomainDominant questionTypical audienceMain operation
AMAre you who you say you are, and can you come in?Any identity that authenticatesLogin + session
IGADo you have the right access, today and over time?Mostly workforceLifecycle + certification
PAMWho touched what with elevated privileges?Admins, sysadmins, DBAsVault + recorded session
CIAMHow do I give access to millions without losing UX?External customersSign-up + auth + profile
ITDRIs anyone behaving oddly on my identity plane?Every identity under monitoringDetection + response

With this map in mind, let’s go through each domain one by one.


1. Access Management (AM): the front door

What AM does

Access Management is the domain that answers the most basic question: can this identity come in?. When you open your banking app, type username and password, get prompted for a second factor, and you’re in — that’s AM in action. It’s the visible face of IAM, the one any user perceives daily.


The core capabilities are four:

  • Authentication: validate the identity with one or more factors (password, OTP, passkey, biometric).
  • Single Sign-On (SSO): a single authentication grants access to multiple related apps.
  • Federation: trust another organization’s IdP (typically via SAML or OIDC) to authenticate external users.
  • Sessions: manage how long the session lasts, when it expires, how it’s revoked.

Who uses it

AM applies to every human or machine identity that authenticates. Employees logging into the ERP, customers logging into the mobile app, microservices calling internal APIs. If there’s a login involved, AM is there.


Concrete example

David, an accountant at a mid-sized company, arrives Monday at 8 AM. He opens Microsoft 365 from his corporate laptop. The company’s IdP (Microsoft Entra ID) asks for his password, then asks him to approve a push notification on his phone. Once inside, over the next 90 minutes he opens Salesforce, SAP, and an internal BI dashboard without re-authenticating — all are connected to the same IdP via SSO. At 17:30 he logs out and the session cookie is invalidated across all apps at the same time.


That’s AM operating correctly: a single initial authentication, persistent session, coordinated logout.


Emblematic vendors

VendorProductNotes
MicrosoftEntra ID (formerly Azure AD)Dominant in organizations already on M365
OktaWorkforce Identity CloudHistorical leader in vendor-neutral IDaaS
Ping IdentityPingOne, PingFederateStrong in large companies with intense regulation
ForgeRockIdentity CloudAcquired by Ping in 2023
Auth0Auth0 PlatformAcquired by Okta in 2021, developer-focused

Sources for tracking the AM market: Gartner Peer Insights — Access Management (verified reviews and comparisons), KuppingerCole Leadership Compass: Access Management (search “Access Management” in their listing), Forrester Wave: Identity-As-A-Service.


Where it overlaps with other domains

AM produces the logs and events that ITDR consumes to detect anomalies. The IdP is also the source that IGA uses to reflect lifecycle changes (new employee → account created → can log in). And the boundary with CIAM is fuzzy: technically CIAM also does AM, just for a customer audience and at a different scale.



2. Identity Governance and Administration (IGA): the guardian

What IGA does

While AM cares about the authentication of the moment, IGA cares about access over time. Its central question is: does the right identity have the right access today, and do we take it away the day they no longer need it?.


The core capabilities are six:

  • Lifecycle management (JML): automate onboarding (Joiner), changes (Mover), and offboarding (Leaver) of identities.
  • Access request: a catalog where users can request access with an approval workflow.
  • Access certification (recertification): periodic review of granted access, where managers or app owners decide if it’s still valid.
  • Role management: group permissions into functional roles to manage at scale.
  • Separation of Duties (SoD): detect toxic combinations of permissions (e.g., “create vendor + approve payment” in SAP).
  • Audit & reporting: evidence exportable to auditors to comply with SOX, HIPAA, PCI-DSS, etc.

Who uses it

Historically IGA was built thinking about workforce (employees, contractors, partners). It’s optimized for environments where HR triggers lifecycle events and where managers are the ones who approve access. In recent years IGA has begun expanding to non-human identities, but its conceptual core remains workforce.


Concrete example

Sara joins as a new credit analyst at a regional bank. HR creates her record in Workday on Tuesday. That same night, the company’s IGA platform (SailPoint) detects the event and triggers the workflows: it creates an account in Active Directory, assigns her the “credit analyst” role that automatically grants her access to the scoring app, the CRM, and the internal portal. Sara arrives Wednesday morning and everything works from the first click — no tickets, no waits.


Three months later, Sara moves to “senior analyst.” The new role includes additional permissions (approving loans up to a certain amount). But it also fires an SoD alert: the senior role + a permission inherited from the previous role create a toxic combination (she can create and approve the same operation). The system blocks the change until her manager removes the inherited permission. Sara gets her new role clean, without accumulating privileges.


A year later, Sara resigns. HR closes her record in Workday. IGA detects the state change to “terminated” and triggers cascading deprovisioning: revokes her AD account, removes the roles, closes active sessions, and notifies IT. In less than 30 minutes, Sara can’t log into anything in the company.


That’s IGA at its best: invisible when it works, brutal when needed.


Emblematic vendors

VendorProductNotes
SailPointIdentityIQ, Identity Security CloudHistorical leader, on-prem and cloud
SaviyntEnterprise Identity CloudCloud-native, strong in SaaS-first companies
OmadaOmada Identity CloudStrong in Europe, recognized for simplicity
One IdentityIdentity ManagerIntegrated enterprise suite
MicrosoftEntra ID GovernanceIGA capabilities within the Microsoft stack

Sources for tracking the IGA market: Gartner Peer Insights — Identity Governance and Administration, Gartner Magic Quadrant for Identity Governance and Administration (annual, paywall), KuppingerCole Leadership Compass: Identity Governance and Administration, Forrester Wave: Identity Governance and Administration.


Where it overlaps with other domains

IGA is the source of truth on “who should have access to what,” and that’s why it connects with AM (which applies that access at login time) and with PAM (which takes elevated identities and manages them under stricter controls). With ITDR the boundary is interesting: IGA detects static toxic combinations (SoD), while ITDR detects anomalous behavior in real time.



3. Privileged Access Management (PAM): the safe

What PAM does

PAM focuses on a critical subset: accounts with elevated privileges. Linux root, Windows Domain Admin, AWS root, DBA accounts, service accounts with broad permissions. These accounts are different because their compromise means game over for an entire organization, so they deserve disproportionately strong controls.


Its central question: how do I control, monitor, and audit every use of privileged credentials?.


The core capabilities are five:

  • Credential vault: administrative passwords are stored encrypted, nobody knows them by heart, they’re checked out on demand with check-out/check-in flows.
  • Automatic rotation: after each use or on a schedule, privileged passwords get changed automatically.
  • Privileged Session Management (PSM): administrative sessions go through a proxy that records video/keystrokes for forensics.
  • Just-In-Time (JIT) access: privileges are granted only when needed, for the minimum time, and revoked automatically.
  • Endpoint Privilege Management (EPM): remove “local admin” from users and elevate specific commands instead of the whole session.

Who uses it

PAM covers every identity with privileges, whether human or non-human. System administrators are the obvious users. But also service accounts running batch processes, machine certificates signing releases, API tokens with admin permissions over cloud, AI agents with broad scopes.


Concrete example

Daniel is a platform engineer at a fintech. He needs access to the production Kubernetes cluster to investigate an incident. Instead of having a permanent kubectl-admin account, he does the following:

  1. He opens the PAM portal (CyberArk in this case) and requests JIT access to the cluster with justification: “investigating incident INC-4521.”
  2. The request requires manager approval. The manager approves in 4 minutes.
  3. PAM issues temporary credentials with a 60-minute TTL. Daniel receives them and connects. His entire session is recorded on video.
  4. Daniel debugs the problem, fixes it, and closes the session.
  5. The credentials expire after 60 minutes. PAM closes the ticket. The recording remains available for audit.

If instead of Daniel an attacker had entered with his personal credentials, they would have had to go through human approval, would not have been able to stay indefinitely, and everything they did would have been recorded. Those three controls dramatically reduce the possible damage.


Emblematic vendors

VendorProductNotes
CyberArkPrivileged Access Manager, Endpoint PMHistorical leader, considered “the Microsoft of PAM”
BeyondTrustPrivileged Remote Access, Password SafeStrong in endpoint privilege management
DelineaSecret Server, Privilege ManagerResult of the Thycotic + Centrify merger
HashiCorpVaultOpen-source, strong in DevOps and NHI secrets
One IdentitySafeguardIntegrated suite with their IGA

Sources for tracking the PAM market: Gartner Peer Insights — Privileged Access Management, Gartner Magic Quadrant for Privileged Access Management (annual), KuppingerCole Leadership Compass: Privileged Access Management, Forrester Wave: Privileged Identity Management.


Where it overlaps with other domains

PAM strongly overlaps with IGA in governance of privileged accounts (who should have admin access? who certifies it?). It overlaps with AM in reinforced authentication (specific MFA for admins). And it overlaps with ITDR in monitoring anomalous behavior on privileged sessions — an admin who suddenly exports an entire database at 3 AM should raise alarms.


4. Customer IAM (CIAM): the customer-facing layer

What CIAM does

CIAM is identity for an external audience: customers, prospects, subscribers. While workforce IAM measures its success in operational efficiency and compliance, CIAM measures it in conversion, retention, and experience. Each additional step in the signup flow loses a percentage of users; each failed login lowers satisfaction. The economics are brutal and very different from those of employees.


Its central question: how do I give secure access to millions of external users without sacrificing UX?.


The core capabilities are seven:

  • Self-registration and onboarding: the user creates their account, validates email/phone, completes profile progressively.
  • Authentication with optimized UX: passkeys, social login, magic links, mobile biometrics.
  • Identity proofing and KYC: verify the person is real (document + selfie + liveness), especially regulated in banking and online gaming.
  • Consent management: granular, revocable, auditable (GDPR, CCPA, LGPD).
  • Progressive profiling: ask for the minimum at signup, expand as engagement grows.
  • Fraud detection: ATO, credential stuffing, bots, SIM swapping, phishing.
  • Omnichannel: identity follows the customer across web, mobile, kiosk, IVR.

Who uses it

Any digital business with external customers: banking, retail, streaming, telco, government, healthcare, gaming. Scale matters: an app with 10,000 users can survive with a generic IdP; one with 10 million needs a dedicated CIAM.


Concrete example

A new e-commerce platform is about to launch. The signup flow designer has to make decisions that directly affect conversion:

  • Email + password, or just email with magic link? They choose magic link to reduce friction.
  • Verify email before purchase? No, they defer it to the first transaction over $50.
  • Ask for ID + photo from day one? No, only when attempting a P2P transfer.
  • Allow login with Apple/Google? Yes, so they don’t lose users who hate creating new accounts.
  • Mandatory MFA? Only for sensitive actions (password change, adding a card, transaction over $200).

Every decision is a negotiation between security and conversion. The team measures every cohort: “the magic link flow converts 14% better than the password one, but generates 2% more duplicate accounts.” That kind of measurement would never exist in a workforce IAM project, and is the essence of CIAM.


Emblematic vendors

VendorProductNotes
OktaCustomer Identity Cloud (Auth0)Leader in developer experience
MicrosoftEntra External IDSuccessor to Azure AD B2C
Ping IdentityPingOne for CustomersStrong in regulated companies
Transmit SecurityIdentity Security for ConsumersFocus on passwordless and fraud
ForgeRockIdentity CloudCIAM capabilities within the suite
CurityIdentity ServerOIDC and OAuth at pro level

Sources for tracking the CIAM market: Gartner Peer Insights — Customer Identity and Access Management, Gartner Magic Quadrant for Customer Identity and Access Management (annual), KuppingerCole Leadership Compass: Consumer Identity and Access Management, Forrester Wave: Customer Identity and Access Management.


Where it overlaps with other domains

CIAM technically does everything AM does (login, MFA, SSO) but with opposite priorities — UX over control. It overlaps with ITDR very strongly in fraud detection, but CIAM’s ITDR is different from workforce ITDR: here the threats are mass ATOs and bots, not privilege escalation.



5. Identity Threat Detection and Response (ITDR): the sentinel

What ITDR does

ITDR is the newest domain, formalized by Gartner around 2022. Its role is to watch all the previous domains in real time, detect threats, and respond automatically. It’s the identity equivalent of what EDR (Endpoint Detection and Response) is for endpoints.


Its central question: is anyone behaving suspiciously on my identity plane, right now?.


The core capabilities are four:

  • Exposure discovery: finds latent attack paths — golden tickets, Kerberoasting paths, shadow admins, accounts with inflated permissions.
  • Real-time detection: applies analytics and ML over identity events to catch anomalies that static rules don’t.
  • Orchestrated response: in the face of an alert, it can revoke sessions, disable accounts, force re-authentication, alert the SOC.
  • Forensic investigation: when the incident is over, allows reconstructing what identity did what and when, with timeline and traceability.

Who uses it

ITDR covers every identity under monitoring, especially those at higher risk: administrators, service accounts, federated identities. It’s transversal — it doesn’t protect a specific group of identities, but watches the entire plane.


Concrete example

At 2:14 AM, a fintech’s ITDR (Microsoft Defender for Identity) detects three correlated signals in less than 30 seconds:

  1. An admin user (admin_db_prod) starts a session from an IP in a country where they had never appeared before.
  2. The same user attempts a massive query on the customers table in the database.
  3. The account of that admin’s manager has an MFA bombing in progress (15 pushes in 60 seconds).

The ITDR engine correlates the three events into a single high-severity alert. Automatically:

  • Revokes the active admin_db_prod session.
  • Locks the account until manual intervention.
  • Cancels all the manager’s pending MFA pushes.
  • Generates a SOC ticket with detailed timeline.
  • Notifies the CISO via SMS.

At 2:18 AM (4 minutes later), the SOC has enough context to confirm this was a real breach attempt. Action is already taken; only forensic investigation and closing the original entry remain.


Without ITDR, those same events would have stayed in separate logs of the database, the IdP, and the MFA provider. A human would have had to correlate them the next day — too late.


Emblematic vendors

VendorProductNotes
MicrosoftDefender for IdentityStrong in AD/Entra environments
CrowdStrikeFalcon Identity ProtectionAggressive growth since 2022
SilverfortUnified Identity ProtectionAgentless approach, covers legacy
SemperisDirectory Services ProtectorSpecialized in AD
Quest (One Identity)Active Roles, Change AuditorVeteran in AD monitoring

Sources for tracking the ITDR market: Forrester Wave: Identity Threat Detection and Response (first published in 2024), Gartner research on ITDR (category formalized in 2022), KuppingerCole Leadership Compass — search “Identity Threat Detection” and Identity Security reports.


Where it overlaps with other domains

ITDR is by definition transversal. It consumes signals from AM (auth events), from PAM (privileged sessions), from IGA (suspicious changes in access), and from CIAM (fraud attempts). In SIEM/SOC terms, ITDR can be thought of as a specialized layer that lives between the IAM plane and the general detection plane.


How the five domains relate to each other

So far we’ve seen them individually. Now let’s see how they interact in reality.


Common confusions and how to resolve them

Typical confusionHow to resolve it
”AM and IGA are the same”AM authenticates in the moment; IGA governs over time. AM says “you may come in”; IGA says “you should be able to come in."
"PAM is a subset of IGA”Conceptually yes, but PAM has operational capabilities (vault, PSM, JIT) that IGA doesn’t. In practice they’re different products.
”CIAM is just Workforce with another label”They share protocols but priorities are opposite: Workforce optimizes control, CIAM optimizes UX. Confusing them leads to bad designs.
”ITDR is just SIEM with another label”SIEM consumes all logs; ITDR is specialized in the identity plane and knows the context (AD, Kerberos, OIDC, golden tickets).

Which domain to invest in first by maturity

A common question in consulting: if an organization has limited budget, which domain should they invest in first? A practical guide:

Maturity levelTypical symptomDomain to prioritize
0 — ChaosPasswords in spreadsheets, no SSOAM: deploy a centralized IdP
1 — BasicAM exists but no automated lifecycleIGA: implement basic JML
2 — IntermediateIGA works but admins lack controlPAM: vault + privileged rotation
3 — AdvancedPAM and MFA everywhere, no detectionITDR: watch the identity plane
ParallelBusiness depends on external customersCIAM: separate from workforce from day one


Integrated case: five domains on a regular Friday

To close, let’s follow a typical Friday at a regional fintech with 800 employees and 1.2 million customers. Over the next two hours, all five domains act.


sequenceDiagram
  accTitle: Five IAM domains interacting on a regular Friday
  accDescr: A manager and five domain participants exchange eleven messages between 14:00 and 15:42, showing how IGA, AM, PAM, CIAM, and ITDR collaborate during access approval, a Black Friday login surge, a JIT request, and an anomalous geo-login.
  actor M as Manager
  participant IGA as IGA
  participant AM as AM
  participant PAM as PAM
  participant CIAM as CIAM
  participant ITDR as ITDR
  M->>IGA: 14:00 — Approves senior access for Sara
  IGA->>AM: 14:01 — Syncs new role
  Note over CIAM: 14:32 — 200k customers attempt login (Black Friday)
  CIAM->>ITDR: 14:33 — Detects 3k credential stuffing attempts
  ITDR->>CIAM: 14:33 — Activates CAPTCHA + rate limit
  Note over PAM: 15:10 — Daniel requests JIT to K8s cluster
  PAM->>M: 15:10 — Requests approval
  M->>PAM: 15:14 — Approves
  PAM->>AM: 15:14 — Issues temporary credentials
  Note over ITDR: 15:42 — Anomaly: admin logs in from new geo
  ITDR->>AM: 15:42 — Revokes session
  ITDR->>M: 15:42 — Notifies the SOC
Five domains, five different events, all within the same identity plane in less than two hours.

Reading the journey:

  • 14:00: A manager approves Sara’s promotion. IGA executes the change and propagates the new role to AM, which now lets Sara into systems she couldn’t before.
  • 14:32: A Black Friday campaign starts. 200,000 customers try to log in simultaneously — that’s CIAM operating at scale.
  • 14:33: Of those attempts, 3,000 come from credential stuffing (attackers trying leaked credentials). ITDR detects the pattern and asks CIAM to activate mitigations (CAPTCHA, rate limit). Legitimate customers see 200 ms of extra friction; bots stay out.
  • 15:10: Daniel requests JIT access to the Kubernetes cluster. PAM orchestrates approval and issuance of temporary credentials. AM accepts them as valid for 60 minutes.
  • 15:42: ITDR detects that a database admin logs in from an unusual country. Without waiting for a human, it revokes the session via AM and notifies the SOC.

Five domains, five different events, all happening within the same identity plane in less than two hours. Each one with its own logic, priority, response time. A single platform would never cover all of that well — that’s why five domains exist.


Recap

The five domains of IAM are the five questions a serious organization about identity needs to answer simultaneously:

  • AM: who’s logging in right now?
  • IGA: who should have access to what over time?
  • PAM: who’s using elevated privileges and under what controls?
  • CIAM: how do I give access to millions of customers without sacrificing conversion?
  • ITDR: is anyone misbehaving on my identity plane?

An organization that only asks one or two of these questions has huge gaps. But trying to solve all five at the same time is also a common mistake: there isn’t budget, team, or executive attention for everything at once. Maturity is order — and knowing that order makes you useful in any IAM program conversation.


How to follow the pulse of the IAM market

If you want to keep up with who’s leading each domain, these are the four sources the industry routinely consults:

SourceTypeAccess
Gartner Magic QuadrantAnnual report per domain with vendor positioning (Leaders, Visionaries, Challengers, Niche)Paid, but most leading vendors distribute it free upon request
Gartner Peer InsightsVerified reviews from real users by product categoryFree with registration
KuppingerCole Leadership CompassIndependent European analysis, also with quadrantsMix of free and paid, abstracts available
Forrester WaveAlternative to Gartner, IT industry perspectivePaid; often distributed free by leading vendors



Three questions to test yourself

  1. A retail company with a physical store and a mobile app hires you to “modernize IAM.” They have 600 internal employees and 2 million customers. In what order would you tackle the five domains and why?
  2. They tell you “we already have IGA, we don’t need PAM because IGA governs our privileged accounts.” What’s your counterargument in less than a minute?
  3. Your CISO asks: “what concrete problem does ITDR solve that our SIEM doesn’t?”. What three examples do you give?

Frequently asked questions

What are the five domains of IAM?

Access Management (AM) handles authentication and login; Identity Governance and Administration (IGA) governs who should have access over time; Privileged Access Management (PAM) controls elevated and admin accounts; Customer IAM (CIAM) serves external customers at scale; and Identity Threat Detection and Response (ITDR) watches the whole identity plane for threats.

What is the difference between Access Management and IGA?

AM authenticates in the moment — it decides whether you may log in right now. IGA governs access over time — it decides whether you should have that access at all and removes it when you no longer need it. AM says 'you may come in'; IGA says 'you should be able to come in.'

Is PAM just a part of IGA?

Conceptually PAM overlaps with IGA, but PAM has operational capabilities IGA doesn't — a credential vault, automatic rotation, recorded privileged sessions, and just-in-time access. In practice they are separate products solving different problems for privileged accounts.

How is CIAM different from workforce IAM?

They share protocols but optimize for opposite goals. Workforce IAM optimizes control and compliance for employees; CIAM optimizes user experience and conversion for millions of external customers. Using a workforce tool for a customer app usually destroys conversion.

What does ITDR do that a SIEM doesn't?

A SIEM consumes all logs generically. ITDR specializes in the identity plane and understands its context — Active Directory, Kerberos, OIDC, golden tickets, shadow admins — so it detects and responds to identity-specific attacks a general SIEM would miss or fail to correlate.