The five IAM domains
A detailed walk through the five domains that make up modern IAM — Access Management, IGA, PAM, CIAM, and ITDR — with their capabilities, audiences, use cases, and where they overlap with one another.
Why split IAM into five domains
In the previous articles you ran into AM, IGA, PAM, CIAM, and ITDR several times, almost always in passing. Now it’s time to open them one by one. The reason is practical: in the real market, platforms and teams are organized this way. When a company posts an “IAM engineer” job opening, the description most likely mentions one or two of these domains, not all five. When a consultant sells a project, the scope is defined in these terms. And when a tool claims to be a “Gartner Leader,” it always specifies in which quadrant.
If you don’t manage this partition, you’ll confuse conversations. You’ll talk about “MFA” when the problem is “certification,” or about “privileged accounts” when what’s needed is “fraud detection.” Each domain solves different questions with its own tools and vocabulary.
A useful analogy before getting into detail: think of a company as a building with several zones. AM are the guards at the main entrance — they verify credentials and grant access. IGA is the administrative department that maintains the list of who can come in and reviews that the list is correct. PAM are the specialized guards of restricted areas (servers, machine rooms) with their own protocols. CIAM is the reception team for visitors and external customers. ITDR are the cameras and sensors that watch everyone in real time and trigger alarms when they see something off.
Big picture: the map of the five domains
Before going into each one, look at the map. The five domains revolve around identity as the central concept we covered in previous articles. Each one tackles a different dimension of how that identity is managed.
flowchart TB accTitle: Map of the five IAM domains accDescr: Identity is the central hub with directed edges to five child domains: Access Management, Identity Governance, Privileged Access, Customer IAM, and Identity Threat Detection. ID([Identity]) AM[Access Management<br/>The front door] IGA[Identity Governance<br/>The guardian] PAM[Privileged Access<br/>The safe] CIAM[Customer IAM<br/>The customer-facing layer] ITDR[Identity Threat<br/>The sentinel] ID --> AM ID --> IGA ID --> PAM ID --> CIAM ID --> ITDR
They aren’t five different products for the same problem; they’re five different questions about the same subject.
Comparative summary in one table
| Domain | Dominant question | Typical audience | Main operation |
|---|---|---|---|
| AM | Are you who you say you are, and can you come in? | Any identity that authenticates | Login + session |
| IGA | Do you have the right access, today and over time? | Mostly workforce | Lifecycle + certification |
| PAM | Who touched what with elevated privileges? | Admins, sysadmins, DBAs | Vault + recorded session |
| CIAM | How do I give access to millions without losing UX? | External customers | Sign-up + auth + profile |
| ITDR | Is anyone behaving oddly on my identity plane? | Every identity under monitoring | Detection + response |
With this map in mind, let’s go through each domain one by one.
1. Access Management (AM): the front door
What AM does
Access Management is the domain that answers the most basic question: can this identity come in?. When you open your banking app, type username and password, get prompted for a second factor, and you’re in — that’s AM in action. It’s the visible face of IAM, the one any user perceives daily.
The core capabilities are four:
- Authentication: validate the identity with one or more factors (password, OTP, passkey, biometric).
- Single Sign-On (SSO): a single authentication grants access to multiple related apps.
- Federation: trust another organization’s IdP (typically via SAML or OIDC) to authenticate external users.
- Sessions: manage how long the session lasts, when it expires, how it’s revoked.
Who uses it
AM applies to every human or machine identity that authenticates. Employees logging into the ERP, customers logging into the mobile app, microservices calling internal APIs. If there’s a login involved, AM is there.
Concrete example
David, an accountant at a mid-sized company, arrives Monday at 8 AM. He opens Microsoft 365 from his corporate laptop. The company’s IdP (Microsoft Entra ID) asks for his password, then asks him to approve a push notification on his phone. Once inside, over the next 90 minutes he opens Salesforce, SAP, and an internal BI dashboard without re-authenticating — all are connected to the same IdP via SSO. At 17:30 he logs out and the session cookie is invalidated across all apps at the same time.
That’s AM operating correctly: a single initial authentication, persistent session, coordinated logout.
Emblematic vendors
| Vendor | Product | Notes |
|---|---|---|
| Microsoft | Entra ID (formerly Azure AD) | Dominant in organizations already on M365 |
| Okta | Workforce Identity Cloud | Historical leader in vendor-neutral IDaaS |
| Ping Identity | PingOne, PingFederate | Strong in large companies with intense regulation |
| ForgeRock | Identity Cloud | Acquired by Ping in 2023 |
| Auth0 | Auth0 Platform | Acquired by Okta in 2021, developer-focused |
Sources for tracking the AM market: Gartner Peer Insights — Access Management (verified reviews and comparisons), KuppingerCole Leadership Compass: Access Management (search “Access Management” in their listing), Forrester Wave: Identity-As-A-Service.
Where it overlaps with other domains
AM produces the logs and events that ITDR consumes to detect anomalies. The IdP is also the source that IGA uses to reflect lifecycle changes (new employee → account created → can log in). And the boundary with CIAM is fuzzy: technically CIAM also does AM, just for a customer audience and at a different scale.
2. Identity Governance and Administration (IGA): the guardian
What IGA does
While AM cares about the authentication of the moment, IGA cares about access over time. Its central question is: does the right identity have the right access today, and do we take it away the day they no longer need it?.
The core capabilities are six:
- Lifecycle management (JML): automate onboarding (Joiner), changes (Mover), and offboarding (Leaver) of identities.
- Access request: a catalog where users can request access with an approval workflow.
- Access certification (recertification): periodic review of granted access, where managers or app owners decide if it’s still valid.
- Role management: group permissions into functional roles to manage at scale.
- Separation of Duties (SoD): detect toxic combinations of permissions (e.g., “create vendor + approve payment” in SAP).
- Audit & reporting: evidence exportable to auditors to comply with SOX, HIPAA, PCI-DSS, etc.
Who uses it
Historically IGA was built thinking about workforce (employees, contractors, partners). It’s optimized for environments where HR triggers lifecycle events and where managers are the ones who approve access. In recent years IGA has begun expanding to non-human identities, but its conceptual core remains workforce.
Concrete example
Sara joins as a new credit analyst at a regional bank. HR creates her record in Workday on Tuesday. That same night, the company’s IGA platform (SailPoint) detects the event and triggers the workflows: it creates an account in Active Directory, assigns her the “credit analyst” role that automatically grants her access to the scoring app, the CRM, and the internal portal. Sara arrives Wednesday morning and everything works from the first click — no tickets, no waits.
Three months later, Sara moves to “senior analyst.” The new role includes additional permissions (approving loans up to a certain amount). But it also fires an SoD alert: the senior role + a permission inherited from the previous role create a toxic combination (she can create and approve the same operation). The system blocks the change until her manager removes the inherited permission. Sara gets her new role clean, without accumulating privileges.
A year later, Sara resigns. HR closes her record in Workday. IGA detects the state change to “terminated” and triggers cascading deprovisioning: revokes her AD account, removes the roles, closes active sessions, and notifies IT. In less than 30 minutes, Sara can’t log into anything in the company.
That’s IGA at its best: invisible when it works, brutal when needed.
Emblematic vendors
| Vendor | Product | Notes |
|---|---|---|
| SailPoint | IdentityIQ, Identity Security Cloud | Historical leader, on-prem and cloud |
| Saviynt | Enterprise Identity Cloud | Cloud-native, strong in SaaS-first companies |
| Omada | Omada Identity Cloud | Strong in Europe, recognized for simplicity |
| One Identity | Identity Manager | Integrated enterprise suite |
| Microsoft | Entra ID Governance | IGA capabilities within the Microsoft stack |
Sources for tracking the IGA market: Gartner Peer Insights — Identity Governance and Administration, Gartner Magic Quadrant for Identity Governance and Administration (annual, paywall), KuppingerCole Leadership Compass: Identity Governance and Administration, Forrester Wave: Identity Governance and Administration.
Where it overlaps with other domains
IGA is the source of truth on “who should have access to what,” and that’s why it connects with AM (which applies that access at login time) and with PAM (which takes elevated identities and manages them under stricter controls). With ITDR the boundary is interesting: IGA detects static toxic combinations (SoD), while ITDR detects anomalous behavior in real time.
3. Privileged Access Management (PAM): the safe
What PAM does
PAM focuses on a critical subset: accounts with elevated privileges. Linux root, Windows Domain Admin, AWS root, DBA accounts, service accounts with broad permissions. These accounts are different because their compromise means game over for an entire organization, so they deserve disproportionately strong controls.
Its central question: how do I control, monitor, and audit every use of privileged credentials?.
The core capabilities are five:
- Credential vault: administrative passwords are stored encrypted, nobody knows them by heart, they’re checked out on demand with check-out/check-in flows.
- Automatic rotation: after each use or on a schedule, privileged passwords get changed automatically.
- Privileged Session Management (PSM): administrative sessions go through a proxy that records video/keystrokes for forensics.
- Just-In-Time (JIT) access: privileges are granted only when needed, for the minimum time, and revoked automatically.
- Endpoint Privilege Management (EPM): remove “local admin” from users and elevate specific commands instead of the whole session.
Who uses it
PAM covers every identity with privileges, whether human or non-human. System administrators are the obvious users. But also service accounts running batch processes, machine certificates signing releases, API tokens with admin permissions over cloud, AI agents with broad scopes.
Concrete example
Daniel is a platform engineer at a fintech. He needs access to the production Kubernetes cluster to investigate an incident. Instead of having a permanent kubectl-admin account, he does the following:
- He opens the PAM portal (CyberArk in this case) and requests JIT access to the cluster with justification: “investigating incident INC-4521.”
- The request requires manager approval. The manager approves in 4 minutes.
- PAM issues temporary credentials with a 60-minute TTL. Daniel receives them and connects. His entire session is recorded on video.
- Daniel debugs the problem, fixes it, and closes the session.
- The credentials expire after 60 minutes. PAM closes the ticket. The recording remains available for audit.
If instead of Daniel an attacker had entered with his personal credentials, they would have had to go through human approval, would not have been able to stay indefinitely, and everything they did would have been recorded. Those three controls dramatically reduce the possible damage.
Emblematic vendors
| Vendor | Product | Notes |
|---|---|---|
| CyberArk | Privileged Access Manager, Endpoint PM | Historical leader, considered “the Microsoft of PAM” |
| BeyondTrust | Privileged Remote Access, Password Safe | Strong in endpoint privilege management |
| Delinea | Secret Server, Privilege Manager | Result of the Thycotic + Centrify merger |
| HashiCorp | Vault | Open-source, strong in DevOps and NHI secrets |
| One Identity | Safeguard | Integrated suite with their IGA |
Sources for tracking the PAM market: Gartner Peer Insights — Privileged Access Management, Gartner Magic Quadrant for Privileged Access Management (annual), KuppingerCole Leadership Compass: Privileged Access Management, Forrester Wave: Privileged Identity Management.
Where it overlaps with other domains
PAM strongly overlaps with IGA in governance of privileged accounts (who should have admin access? who certifies it?). It overlaps with AM in reinforced authentication (specific MFA for admins). And it overlaps with ITDR in monitoring anomalous behavior on privileged sessions — an admin who suddenly exports an entire database at 3 AM should raise alarms.
4. Customer IAM (CIAM): the customer-facing layer
What CIAM does
CIAM is identity for an external audience: customers, prospects, subscribers. While workforce IAM measures its success in operational efficiency and compliance, CIAM measures it in conversion, retention, and experience. Each additional step in the signup flow loses a percentage of users; each failed login lowers satisfaction. The economics are brutal and very different from those of employees.
Its central question: how do I give secure access to millions of external users without sacrificing UX?.
The core capabilities are seven:
- Self-registration and onboarding: the user creates their account, validates email/phone, completes profile progressively.
- Authentication with optimized UX: passkeys, social login, magic links, mobile biometrics.
- Identity proofing and KYC: verify the person is real (document + selfie + liveness), especially regulated in banking and online gaming.
- Consent management: granular, revocable, auditable (GDPR, CCPA, LGPD).
- Progressive profiling: ask for the minimum at signup, expand as engagement grows.
- Fraud detection: ATO, credential stuffing, bots, SIM swapping, phishing.
- Omnichannel: identity follows the customer across web, mobile, kiosk, IVR.
Who uses it
Any digital business with external customers: banking, retail, streaming, telco, government, healthcare, gaming. Scale matters: an app with 10,000 users can survive with a generic IdP; one with 10 million needs a dedicated CIAM.
Concrete example
A new e-commerce platform is about to launch. The signup flow designer has to make decisions that directly affect conversion:
- Email + password, or just email with magic link? They choose magic link to reduce friction.
- Verify email before purchase? No, they defer it to the first transaction over $50.
- Ask for ID + photo from day one? No, only when attempting a P2P transfer.
- Allow login with Apple/Google? Yes, so they don’t lose users who hate creating new accounts.
- Mandatory MFA? Only for sensitive actions (password change, adding a card, transaction over $200).
Every decision is a negotiation between security and conversion. The team measures every cohort: “the magic link flow converts 14% better than the password one, but generates 2% more duplicate accounts.” That kind of measurement would never exist in a workforce IAM project, and is the essence of CIAM.
Emblematic vendors
| Vendor | Product | Notes |
|---|---|---|
| Okta | Customer Identity Cloud (Auth0) | Leader in developer experience |
| Microsoft | Entra External ID | Successor to Azure AD B2C |
| Ping Identity | PingOne for Customers | Strong in regulated companies |
| Transmit Security | Identity Security for Consumers | Focus on passwordless and fraud |
| ForgeRock | Identity Cloud | CIAM capabilities within the suite |
| Curity | Identity Server | OIDC and OAuth at pro level |
Sources for tracking the CIAM market: Gartner Peer Insights — Customer Identity and Access Management, Gartner Magic Quadrant for Customer Identity and Access Management (annual), KuppingerCole Leadership Compass: Consumer Identity and Access Management, Forrester Wave: Customer Identity and Access Management.
Where it overlaps with other domains
CIAM technically does everything AM does (login, MFA, SSO) but with opposite priorities — UX over control. It overlaps with ITDR very strongly in fraud detection, but CIAM’s ITDR is different from workforce ITDR: here the threats are mass ATOs and bots, not privilege escalation.
5. Identity Threat Detection and Response (ITDR): the sentinel
What ITDR does
ITDR is the newest domain, formalized by Gartner around 2022. Its role is to watch all the previous domains in real time, detect threats, and respond automatically. It’s the identity equivalent of what EDR (Endpoint Detection and Response) is for endpoints.
Its central question: is anyone behaving suspiciously on my identity plane, right now?.
The core capabilities are four:
- Exposure discovery: finds latent attack paths — golden tickets, Kerberoasting paths, shadow admins, accounts with inflated permissions.
- Real-time detection: applies analytics and ML over identity events to catch anomalies that static rules don’t.
- Orchestrated response: in the face of an alert, it can revoke sessions, disable accounts, force re-authentication, alert the SOC.
- Forensic investigation: when the incident is over, allows reconstructing what identity did what and when, with timeline and traceability.
Who uses it
ITDR covers every identity under monitoring, especially those at higher risk: administrators, service accounts, federated identities. It’s transversal — it doesn’t protect a specific group of identities, but watches the entire plane.
Concrete example
At 2:14 AM, a fintech’s ITDR (Microsoft Defender for Identity) detects three correlated signals in less than 30 seconds:
- An admin user (
admin_db_prod) starts a session from an IP in a country where they had never appeared before. - The same user attempts a massive query on the
customerstable in the database. - The account of that admin’s manager has an MFA bombing in progress (15 pushes in 60 seconds).
The ITDR engine correlates the three events into a single high-severity alert. Automatically:
- Revokes the active
admin_db_prodsession. - Locks the account until manual intervention.
- Cancels all the manager’s pending MFA pushes.
- Generates a SOC ticket with detailed timeline.
- Notifies the CISO via SMS.
At 2:18 AM (4 minutes later), the SOC has enough context to confirm this was a real breach attempt. Action is already taken; only forensic investigation and closing the original entry remain.
Without ITDR, those same events would have stayed in separate logs of the database, the IdP, and the MFA provider. A human would have had to correlate them the next day — too late.
Emblematic vendors
| Vendor | Product | Notes |
|---|---|---|
| Microsoft | Defender for Identity | Strong in AD/Entra environments |
| CrowdStrike | Falcon Identity Protection | Aggressive growth since 2022 |
| Silverfort | Unified Identity Protection | Agentless approach, covers legacy |
| Semperis | Directory Services Protector | Specialized in AD |
| Quest (One Identity) | Active Roles, Change Auditor | Veteran in AD monitoring |
Sources for tracking the ITDR market: Forrester Wave: Identity Threat Detection and Response (first published in 2024), Gartner research on ITDR (category formalized in 2022), KuppingerCole Leadership Compass — search “Identity Threat Detection” and Identity Security reports.
Where it overlaps with other domains
ITDR is by definition transversal. It consumes signals from AM (auth events), from PAM (privileged sessions), from IGA (suspicious changes in access), and from CIAM (fraud attempts). In SIEM/SOC terms, ITDR can be thought of as a specialized layer that lives between the IAM plane and the general detection plane.
How the five domains relate to each other
So far we’ve seen them individually. Now let’s see how they interact in reality.
Common confusions and how to resolve them
| Typical confusion | How to resolve it |
|---|---|
| ”AM and IGA are the same” | AM authenticates in the moment; IGA governs over time. AM says “you may come in”; IGA says “you should be able to come in." |
| "PAM is a subset of IGA” | Conceptually yes, but PAM has operational capabilities (vault, PSM, JIT) that IGA doesn’t. In practice they’re different products. |
| ”CIAM is just Workforce with another label” | They share protocols but priorities are opposite: Workforce optimizes control, CIAM optimizes UX. Confusing them leads to bad designs. |
| ”ITDR is just SIEM with another label” | SIEM consumes all logs; ITDR is specialized in the identity plane and knows the context (AD, Kerberos, OIDC, golden tickets). |
Which domain to invest in first by maturity
A common question in consulting: if an organization has limited budget, which domain should they invest in first? A practical guide:
| Maturity level | Typical symptom | Domain to prioritize |
|---|---|---|
| 0 — Chaos | Passwords in spreadsheets, no SSO | AM: deploy a centralized IdP |
| 1 — Basic | AM exists but no automated lifecycle | IGA: implement basic JML |
| 2 — Intermediate | IGA works but admins lack control | PAM: vault + privileged rotation |
| 3 — Advanced | PAM and MFA everywhere, no detection | ITDR: watch the identity plane |
| Parallel | Business depends on external customers | CIAM: separate from workforce from day one |
Integrated case: five domains on a regular Friday
To close, let’s follow a typical Friday at a regional fintech with 800 employees and 1.2 million customers. Over the next two hours, all five domains act.
sequenceDiagram accTitle: Five IAM domains interacting on a regular Friday accDescr: A manager and five domain participants exchange eleven messages between 14:00 and 15:42, showing how IGA, AM, PAM, CIAM, and ITDR collaborate during access approval, a Black Friday login surge, a JIT request, and an anomalous geo-login. actor M as Manager participant IGA as IGA participant AM as AM participant PAM as PAM participant CIAM as CIAM participant ITDR as ITDR M->>IGA: 14:00 — Approves senior access for Sara IGA->>AM: 14:01 — Syncs new role Note over CIAM: 14:32 — 200k customers attempt login (Black Friday) CIAM->>ITDR: 14:33 — Detects 3k credential stuffing attempts ITDR->>CIAM: 14:33 — Activates CAPTCHA + rate limit Note over PAM: 15:10 — Daniel requests JIT to K8s cluster PAM->>M: 15:10 — Requests approval M->>PAM: 15:14 — Approves PAM->>AM: 15:14 — Issues temporary credentials Note over ITDR: 15:42 — Anomaly: admin logs in from new geo ITDR->>AM: 15:42 — Revokes session ITDR->>M: 15:42 — Notifies the SOC
Reading the journey:
- 14:00: A manager approves Sara’s promotion. IGA executes the change and propagates the new role to AM, which now lets Sara into systems she couldn’t before.
- 14:32: A Black Friday campaign starts. 200,000 customers try to log in simultaneously — that’s CIAM operating at scale.
- 14:33: Of those attempts, 3,000 come from credential stuffing (attackers trying leaked credentials). ITDR detects the pattern and asks CIAM to activate mitigations (CAPTCHA, rate limit). Legitimate customers see 200 ms of extra friction; bots stay out.
- 15:10: Daniel requests JIT access to the Kubernetes cluster. PAM orchestrates approval and issuance of temporary credentials. AM accepts them as valid for 60 minutes.
- 15:42: ITDR detects that a database admin logs in from an unusual country. Without waiting for a human, it revokes the session via AM and notifies the SOC.
Five domains, five different events, all happening within the same identity plane in less than two hours. Each one with its own logic, priority, response time. A single platform would never cover all of that well — that’s why five domains exist.
Recap
The five domains of IAM are the five questions a serious organization about identity needs to answer simultaneously:
- AM: who’s logging in right now?
- IGA: who should have access to what over time?
- PAM: who’s using elevated privileges and under what controls?
- CIAM: how do I give access to millions of customers without sacrificing conversion?
- ITDR: is anyone misbehaving on my identity plane?
An organization that only asks one or two of these questions has huge gaps. But trying to solve all five at the same time is also a common mistake: there isn’t budget, team, or executive attention for everything at once. Maturity is order — and knowing that order makes you useful in any IAM program conversation.
How to follow the pulse of the IAM market
If you want to keep up with who’s leading each domain, these are the four sources the industry routinely consults:
| Source | Type | Access |
|---|---|---|
| Gartner Magic Quadrant | Annual report per domain with vendor positioning (Leaders, Visionaries, Challengers, Niche) | Paid, but most leading vendors distribute it free upon request |
| Gartner Peer Insights | Verified reviews from real users by product category | Free with registration |
| KuppingerCole Leadership Compass | Independent European analysis, also with quadrants | Mix of free and paid, abstracts available |
| Forrester Wave | Alternative to Gartner, IT industry perspective | Paid; often distributed free by leading vendors |
Three questions to test yourself
- A retail company with a physical store and a mobile app hires you to “modernize IAM.” They have 600 internal employees and 2 million customers. In what order would you tackle the five domains and why?
- They tell you “we already have IGA, we don’t need PAM because IGA governs our privileged accounts.” What’s your counterargument in less than a minute?
- Your CISO asks: “what concrete problem does ITDR solve that our SIEM doesn’t?”. What three examples do you give?
Frequently asked questions
What are the five domains of IAM?
Access Management (AM) handles authentication and login; Identity Governance and Administration (IGA) governs who should have access over time; Privileged Access Management (PAM) controls elevated and admin accounts; Customer IAM (CIAM) serves external customers at scale; and Identity Threat Detection and Response (ITDR) watches the whole identity plane for threats.
What is the difference between Access Management and IGA?
AM authenticates in the moment — it decides whether you may log in right now. IGA governs access over time — it decides whether you should have that access at all and removes it when you no longer need it. AM says 'you may come in'; IGA says 'you should be able to come in.'
Is PAM just a part of IGA?
Conceptually PAM overlaps with IGA, but PAM has operational capabilities IGA doesn't — a credential vault, automatic rotation, recorded privileged sessions, and just-in-time access. In practice they are separate products solving different problems for privileged accounts.
How is CIAM different from workforce IAM?
They share protocols but optimize for opposite goals. Workforce IAM optimizes control and compliance for employees; CIAM optimizes user experience and conversion for millions of external customers. Using a workforce tool for a customer app usually destroys conversion.
What does ITDR do that a SIEM doesn't?
A SIEM consumes all logs generically. ITDR specializes in the identity plane and understands its context — Active Directory, Kerberos, OIDC, golden tickets, shadow admins — so it detects and responds to identity-specific attacks a general SIEM would miss or fail to correlate.