IAM Control Mapping
Status
Complete
Maturity
12 controls mapped to risks and governance themes
Evidence
Full mapping documented · Mobile-friendly control summary added
Next
Add control testing evidence
Introduction
This control mapping document connects 12 core IAM controls to the risks they address, the governance frameworks that require or recommend them, and the implementation patterns that make them operational. IAM engineering decisions are not made in isolation — they exist within a risk management and compliance context.
Frameworks referenced: NIST SP 800-53, CIS Controls v8, ISO/IEC 27001:2022, SOC 2 (AICPA Trust Services Criteria), and SOX IT General Controls.
Control Mapping
| ID | Control | Risk Addressed | Governance | Implementation |
|---|---|---|---|---|
| 1 | Privileged Access Management | Privileged account compromise | NIST AC-6, CIS Control 5, SOX | PAM tooling, credential vaulting, session recording, JIT elevation |
| 2 | Multi-Factor Authentication | Credential stuffing, phishing | NIST IA-2, ISO 27001 A.9.4.2, SOC 2 CC6.1 | TOTP, FIDO2/WebAuthn, push notifications; risk-based step-up |
| 3 | Least Privilege Access | Excessive blast radius on compromise | NIST AC-6, CIS Control 6 | Role mining, access reviews, entitlement management tooling |
| 4 | Role-Based Access Control | Inconsistent access model across systems | NIST AC-2, SOC 2 CC6.1, SOX | Role hierarchy design, SCIM group sync, SoD constraints enforced |
| 5 | Identity Lifecycle Management | Orphaned accounts, stale access | NIST AC-2, GDPR Art.17, SOC 2 CC6.2 | Joiner/Mover/Leaver process, SCIM provisioning and deprovisioning |
| 6 | Automated Provisioning (SCIM) | Manual provisioning errors, orphaned accounts | NIST AC-2, SOC 2 CC6.1 | SCIM v2 connector platform, automated sync with IdP on user events |
| 7 | Just-in-Time Access Elevation | Standing privileged access | NIST AC-2(5), CIS Control 5 | Time-boxed elevation requests, approval workflows, auto-expiry |
| 8 | Periodic Access Certification | Access creep, SoD violations | SOX 404, SOC 2 CC6.2, ISO 27001 A.9.2.5 | periodic review campaigns for access certification, certifier routing, automated revocation on non-response |
| 9 | Separation of Duties | Fraud, unauthorised transactions | SOX, COBIT, SOC 2 CC6.3 | SoD matrix definition, conflict detection at provisioning, compensating controls |
| 10 | Non-Human Identity Governance | Over-privileged service accounts, credential exposure | NIST IA-2, CIS Control 4, SOC 2 CC6.1 | OAuth2 client credentials, scope governance, rotation automation, NHI inventory |
| 11 | SSO and Federated Authentication | Authentication inconsistency, shadow IT | NIST IA-8, SOC 2 CC6.1, ISO 27001 A.9.4.4 | SAML/OIDC federation, IdP-initiated and SP-initiated flows, MFA enforcement at IdP |
| 12 | Audit Logging and Monitoring | Undetected access events, compliance gaps | NIST AU-2, SOC 2 CC7.2, ISO 27001 A.12.4 | Structured JSON audit events, SIEM integration, alert thresholds, retention policy |
Risk Themes
Credential and Authentication Risk
Controls: #1, #2, #10, #11
Controls that reduce the likelihood of credential compromise and authentication bypass
Access Creep and Excessive Privilege
Controls: #3, #4, #7, #8, #9
Controls that prevent and detect accumulation of unneeded access over time
Identity Lifecycle and Orphan Risk
Controls: #5, #6
Controls that ensure access is provisioned and deprovisioned in line with employment and role changes
Audit and Governance
Controls: #12
Controls that ensure access decisions and events are logged, attributable, and reviewable
Control Summary Cards
mobile-friendly summary of the 12 controls grouped by theme for quick reference. Full detail is in the mapping table above.
Authentication & Access Enforcement
Privileged Access Management
Risk Privileged account compromise
Pattern PAM tooling, credential vaulting, session recording, JIT elevation
Governance NIST AC-6, CIS Control 5, SOX
Multi-Factor Authentication
Risk Credential stuffing, phishing
Pattern TOTP, FIDO2/WebAuthn, push notifications; risk-based step-up
Governance NIST IA-2, ISO 27001 A.9.4.2, SOC 2 CC6.1
Least Privilege Access
Risk Excessive blast radius on compromise
Pattern Role mining, access reviews, entitlement management tooling
Governance NIST AC-6, CIS Control 6
Role-Based Access Control
Risk Inconsistent access model across systems
Pattern Role hierarchy design, SCIM group sync, SoD constraints enforced
Governance NIST AC-2, SOC 2 CC6.1, SOX
Identity Lifecycle & Governance
Identity Lifecycle Management
Risk Orphaned accounts, stale access
Pattern Joiner/Mover/Leaver process, SCIM provisioning and deprovisioning
Governance NIST AC-2, GDPR Art.17, SOC 2 CC6.2
Automated Provisioning (SCIM)
Risk Manual provisioning errors, orphaned accounts
Pattern SCIM v2 connector platform, automated sync with IdP on user events
Governance NIST AC-2, SOC 2 CC6.1
Periodic Access Certification
Risk Access creep, SoD violations
Pattern periodic review campaigns for access certification, certifier routing, automated revocation on non-response
Governance SOX 404, SOC 2 CC6.2, ISO 27001 A.9.2.5
Separation of Duties
Risk Fraud, unauthorised transactions
Pattern SoD matrix definition, conflict detection at provisioning, compensating controls
Governance SOX, COBIT, SOC 2 CC6.3
Machine Identity & Federation
Non-Human Identity Governance
Risk Over-privileged service accounts, credential exposure
Pattern OAuth2 client credentials, scope governance, rotation automation, NHI inventory
Governance NIST IA-2, CIS Control 4, SOC 2 CC6.1
SSO and Federated Authentication
Risk Authentication inconsistency, shadow IT
Pattern SAML/OIDC federation, IdP-initiated and SP-initiated flows, MFA enforcement at IdP
Governance NIST IA-8, SOC 2 CC6.1, ISO 27001 A.9.4.4
Just-in-Time Access Elevation
Risk Standing privileged access
Pattern Time-boxed elevation requests, approval workflows, auto-expiry
Governance NIST AC-2(5), CIS Control 5
Audit Logging and Monitoring
Risk Undetected access events, compliance gaps
Pattern Structured JSON audit events, SIEM integration, alert thresholds, retention policy
Governance NIST AU-2, SOC 2 CC7.2, ISO 27001 A.12.4
Governance Framework Coverage
NIST SP 800-53
AC-2, AC-6, AU-2, IA-2, IA-8
Federal information system baseline; widely adopted in commercial enterprise
CIS Controls v8
Controls 4, 5, 6
Prescriptive implementation guidance for access management and account hygiene
ISO/IEC 27001:2022
A.9.2.5, A.9.4.2, A.9.4.4, A.12.4
International ISMS standard; required for ISO certification audits
SOC 2 (TSC)
CC6.1, CC6.2, CC6.3, CC7.2
Trust Services Criteria; required for service organisation reporting
SOX ITGC
Access controls, change management
IT General Controls for financial system integrity; mandatory for public companies
GDPR
Art. 17 (right to erasure)
Identity lifecycle: deprovisioning must include data deletion or anonymisation
Employer Value
Risk reduced
Uncontrolled access, credential exposure, audit blind spots
Operational value
Connects technical controls to governance requirements
IAM domain
Access governance, risk management, control frameworks
Seniority signal
Security thinking applied systematically — not ad hoc
Evidence Roadmap
The following evidence items are planned or in progress. Documentation and architecture content is complete; screenshots, repos, and demos will be added as the project matures.
Mobile-friendly control summary added
Control mapping table
[ Documented above — 12 controls ]
Risk theme analysis
[ Documented above ]
Control Summary Cards
[ Mobile-friendly summary added ]
Framework crosswalk
[ Documented above ]
Control testing evidence
[ Pending — next milestone ]