identity and access management

Designing and operating authentication, authorization and provisioning systems that control who can access which resources using methods like OAuth/OIDC, SAML, RBAC, ACLs and MFA; implementing IAM involves defining roles/policies, integrating SSO/LDAP, issuing/verifying tokens, and auditing access logs for compliance.

identityandaccessmanagement

12-Month Skill Trend

Momentum and market value over time
Trending
Score
+20 in 12 mo
96
12 mo agoNow
Career
Value
+$12K in 12 mo
$42K/year
12 mo agoNow

Recommended Survey Paper

Quick overview of the field
View more

Must-Read Papers

Most classic and influential ideas
View more

Enterprise open-source software (OSS) frequently lacks native support for standard authentication protocols such as SAML and OIDC, hindering seamless single sign-on (SSO) integration and creating security governance gaps. To address this, we propose and formally define the “Auth Shim” architectural pattern—a lightweight, external proxy service that transparently bridges enterprise identity providers (e.g., Okta) with standalone OSS without modifying application source code. The Auth Shim programmatically translates authentication protocols via management APIs and automatically maps Identity and Access Management (IAM) groups to fine-grained Role-Based Access Control (RBAC) policies. Evaluated in a production Adobe environment, the pattern successfully integrated an open-source business intelligence tool with corporate SSO, enabling fully automated user provisioning and permission management. This eliminated manual configuration, strengthened compliance with security policies, and significantly improved operational efficiency.

Enabling secure authentication without modifying original application codeIntegrating enterprise SSO with standalone open-source applications lacking native protocol supportProviding a lightweight architectural pattern to bridge security integration gaps

Identity Control Plane: The Unifying Layer for Zero Trust Infrastructure

Apr 24, 2025
ST
Surya Teja Avirneni
🏛️ IEEE | ACM | ISC2

In zero-trust architectures, fragmented identities across human users, workloads, and automated systems hinder unified access control. Method: This paper introduces the Identity Control Plane (ICP)—the first cross-domain identity governance framework integrating SPIFFE identity primitives, OIDC/SAML-based federated authentication, and scoped transactional tokens. It designs a composable, standards-compliant ABAC enforcement layer aligned with IETF WIMSE and OAuth specifications; integrates OPA/Cedar policy engines; and establishes FedRAMP/SLSA compliance mapping mechanisms. Contributions: (1) Unified multi-source identity modeling with fine-grained, dynamic authorization; (2) Transaction-token-driven real-time credential lifecycle management; and (3) A complete theoretical architecture, component specifications, performance modeling, comparative analysis against mainstream zero-trust models, and a production-ready, compliance-validated deployment pathway.

Enforcing identity-aware Zero Trust access across diverse systemsProposing composable ABAC policy engines for access controlUnifying SPIFFE, OIDC/SAML, and automation credentials via tokens

Existing Web data storage platforms struggle to meet the demands of decentralized, semantically rich, and legally compliant data usage control. This work proposes a novel approach that integrates the User-Managed Access (UMA) authorization framework with the W3C Open Digital Rights Language (ODRL) policy language to replace Solid’s native access control mechanism, thereby decoupling authorization from storage. For the first time within the Solid ecosystem, this integration advances access control from mere permission management toward legally aware usage control. The authors also design a policy evaluation mechanism tailored for non-standardized semantic environments. A prototype implementation demonstrates that the proposed method maintains compatibility with Solid while enabling flexible, interoperable, and legally aligned data governance.

access controldata governancedecentralized data ecosystems

Authenticated Delegation and Authorized AI Agents

Jan 16, 2025
TS
Tobin South
🏛️ MIT | University of Oxford | Harvard Law School | University of California, Berkeley | Centre for the Governance of AI | Stanford University

To address the challenge of simultaneously ensuring security, accountability, and cross-modal access control in AI assistant permission management, this paper proposes a trustworthy authorization and auditable delegation framework for AI agents. Methodologically, it introduces the first agent-centric identity authentication architecture that integrates natural-language permission translation with extended OAuth 2.0 and OpenID Connect protocols, establishing agent-specific credential issuance and a semantic parsing model to enable end-to-end traceable mapping from human intent to machine-executable policies. It further incorporates an auditable access control engine supporting fine-grained, compliance-aware permission enforcement. The key contribution is the first automated translation of natural-language policies into standardized, enforceable access control rules—significantly enhancing AI agent controllability, interpretability, and accountability. The framework has been validated across multiple Web service prototypes, demonstrating plug-and-play secure integration.

AI AuthorizationCybersecurityTrustworthy AI

SkyEye: When Your Vision Reaches Beyond IAM Boundary Scope in AWS Cloud

Jul 01, 2025
MH
Minh Hoang Nguyen
🏛️ Université Libre de Bruxelles | Technische Universität Darmstadt | KrisShop | Singapore Airlines

In AWS cloud environments, IAM permission boundaries enforce isolation across principals, rendering global permissions invisible and hindering comprehensive privilege analysis. Method: This paper introduces the first collaborative, multi-principal IAM enumeration framework, overcoming the limitations of single-principal analysis. It integrates multi-principal cooperative enumeration, policy dependency modeling, and access-path inference with deep API call analysis and fine-grained permission semantics to construct cross-account and cross-role global permission mappings with contextual awareness. Contribution/Results: Compared to conventional tools, our approach significantly enhances detection capability for privilege escalation and unauthorized access vulnerabilities. Evaluated in real-world deployments, it achieves a 3.2× average improvement in detection coverage. The framework natively supports compliance auditing (e.g., GDPR, SOC 2) and enables proactive security defense through precise, actionable privilege insights.

Addressing security challenges in AWS cloud migration and IAM configurationsIdentifying misconfigurations to prevent unauthorized privilege escalation risksSystematically enumerating IAM identities, permissions, and resource authorizations

Latest Papers

What's happening recently
View more

Existing identity and access control models struggle to meet the requirements of autonomous agents operating across organizational boundaries for authorization that is explicit, constrained, auditable, revocable, and semantically consistent. This work proposes a portable authorization model tailored for autonomous agents, which decouples credential containers, authorization semantics, and enforcement engines. By integrating typed constraint algebras with a fail-closed evaluation mechanism, the model ensures unified authorization semantics across trust boundaries. It supports multi-protocol interoperability and incorporates delegation decay, governance-aware semantic resolution, and pre-flight discovery mechanisms. The design leverages established technologies such as JWT/JWS, verifiable credentials, and OAuth-rich authorization requests. Empirical validation in enterprise scenarios—including insurance claims processing and supply chain integrity—demonstrates the model’s consistency, security, and controllability in cross-system authorization.

Access ControlAutonomous AgentsDigital Identity

This work addresses the persistent account compromise risk in agent-based systems arising from the reuse of user credentials by formally introducing, for the first time, the Agent Secret Usage (ASU) problem and establishing a corresponding security property taxonomy. To mitigate this threat, the authors design a three-party delegation protocol wherein a requester initiates an operation, the user grants authorization via a single-use credential, and a custodian executes the operation within a constrained environment, ensuring that reusable privileges never cross into untrusted agent boundaries. By integrating one-time authorization tokens, authenticator-backed delegation, sealed storage, and key isolation techniques—and assuming environment-level key rotation—the protocol achieves operation binding, single-use semantics, and verifiable authorization while guaranteeing storage confidentiality, encapsulated epoch-wise key isolation, and forward secrecy.

Agent Secret Useagentic systemsauthorization without exposure

Current AI agent authorization mechanisms rely on static credentials, which struggle to ensure that tool invocations align with the user’s current intent and may lead to privilege escalation. This work proposes Intent-Governed Access Control (IGAC), the first framework to treat user intent as a monotonic and auditable authorization dimension. IGAC dynamically constrains agent behavior without expanding baseline permissions by introducing intent certificates, session-level permission narrowing, and consistency checks across intent, tool, and payload. Integrated into the OpenPort framework—which supports attribute-based access control (ABAC), pre-flight binding, and auditability—IGAC enables intent-driven, fine-grained authorization. This approach significantly enhances the controllability and compliance of AI agent actions while preserving existing security mechanisms.

Access ControlAI AgentsPolicy Enforcement

Existing authorization mechanisms struggle to meet the governance demands of autonomous agents, particularly regarding permission inheritance, dynamic scoping, and recursive delegation. This work proposes a composable governance framework that, for the first time, formalizes recursive delegation, contextual boundaries, and dynamic scoping as composable governance primitives. It introduces a resource scoping decay mechanism to model delegation relationships through contractual constructs. Built upon a relational authorization model, the framework defines stackable composition operators that formally express delegation types and permission decay rules while remaining compatible with mainstream identity and access management (IAM) systems. Theoretical analysis and empirical evaluation demonstrate that the framework effectively supports dynamic authorization governance in complex agent systems without compromising accountability.

Agentic AIAuthorizationDelegation

This study addresses the challenge of maintaining authorization invariance when non-human agents in multi-agent AI systems operate across trust boundaries—a problem inadequately handled by existing access control models. The work formally defines this issue for the first time, modeling it as a workflow-level property and identifying three core challenges: transitive delegation, aggregate inference, and temporal validity. It articulates seven architectural requirements, emphasizing that identity governance must serve as foundational infrastructure, enforced at every interaction boundary and prioritized over orchestration logic. The authors propose a novel authorization architecture incorporating capability-bound tokens, task-scoped authorization envelopes, dependency-graph-driven policy enforcement, and revocation based on execution counts. An initial implementation on an enterprise AI platform demonstrates that routine operations can readily trigger authorization violations, thereby validating the necessity and forward-looking nature of the proposed model.

access controlauthorization propagationidentity governance

Hot Scholars

MC

Mauro Conti

IEEE Fellow - Prof.@University of Padua - Wallenberg WASP Guest.Prof.@Örebro U.- Affiliate Prof.@UW
SecurityPrivacy
QW

Qin Wang

ETH Zurich
Domain AdaptationComputer Vision
AK

Ashish Kundu

Head of Cybersecurity Research, Cisco Research
SecurityPrivacy & Compliance
AC

Abel C. H. Chen

Information & Communications Security Laboratory, Chunghwa Telecom Laboratories
Cellular NetworksIntelligent Transportation SystemPost-Quantum CryptographyHealthcare System
DS

Dawn Song

Professor of Computer Science, UC Berkeley
Computer Security and Privacy