Identity Security Glossary
Plain-language definitions for identity security terms.
A
- Access Review
  Periodic campaign in which account owners certify whether users still need their access. Required by frameworks such as SOC 2 and ISO 27001.
- AD (Active Directory)
  Microsoft's on-premises directory service; the foundation of most enterprise identity estates.
B
- Blast Radius
  The potential scope of impact if an identity or credential is compromised. Used to prioritise containment.
C
- Canonical Identity
  A single authoritative representation of an identity, consolidated from multiple source systems.
- Conditional Access
  Microsoft Entra ID policies that enforce sign-in conditions (MFA, compliant device, location).
D
- Drift
  Deviation between the current identity state and an expected baseline. Stale accounts, privilege creep, and policy violations are forms of drift.
- DPA (Data Processing Agreement)
  A contract between a data controller and a data processor defining how personal data is handled.
G
- Ghost Account
  An account belonging to a departed employee that was never disabled.
I
- IAM (Identity and Access Management)
  Policies and technologies that ensure the right people have access to the right resources.
- ICR (Identity Coverage Ratio)
  IdentityFirst™ composite score: Discovery (30%) + Monitoring (25%) + Governance (25%) + Protection (15%) + Confidence (5%).
- IGA (Identity Governance and Administration)
  Processes for managing the identity lifecycle: joiner, mover, leaver.
J
- JIT (Just-in-Time) Access
  Providing access only when needed, for a defined period, rather than as persistent standing privilege.
L
- Lateral Movement
  An attacker technique for moving progressively through a network using compromised credentials.
M
- MFA (Multi-Factor Authentication)
  Requiring more than one form of verification to authenticate.
N
- NHI (Non-Human Identity)
  Service accounts, API keys, managed identities, OAuth apps — accounts not belonging to a human user.
P
- PAM (Privileged Access Management)
  Controls and monitoring for accounts with elevated access (admins, service accounts).
- Privilege Creep
  The gradual accumulation of access rights beyond what a user needs for their role.
S
- Shadow Admin
  An account that can reach Domain Admin or equivalent privilege through indirect group membership paths.
- SoD (Segregation of Duties)
  Ensuring that no single individual can complete a sensitive process alone, reducing fraud risk.
- Stale Account
  An account that has not been used within a defined period (typically 90 days).
T
- Tiering (Identity)
  Separating admin accounts by privilege level (Tier 0 = DC/domain, Tier 1 = server, Tier 2 = workstation).
Z
- ZSP (Zero Standing Privilege)
  A model in which no account holds persistent elevated access; privilege is granted just-in-time.