TTechclick ⚡ XP 0% All lessons
ISC2 · CISSP Domain 5 · IAMInteractive · L1 / L2 / L3

CISSP Domain 5: Identity and Access Management (IAM) — Master IAM, SSO and PAM

Make CISSP Domain 5 (Identity and Access Management) your strongest scoring zone — turn AAA, federation, and access-control models from memorized terms into decisions you can defend on exam day and at work.

📅 2026-06-03 · ⏱ 14 min · 1 interactive demo · 5 infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master CISSP Domain 5: Identity and Access Management (IAM). AAA, MFA factors, SAML/OIDC/SCIM federation, RBAC/ABAC and PAM — exam-ready, with NIST 800-63B and DPDP context.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

AAA & identity lifecycle

Identify, authenticate, authorize, then hold accountable; review and revoke access on time.

 2

Authentication factors

Real MFA mixes factor categories; FAR is the dangerous biometric error; protect KRBTGT.

 3

Federation & SSO

OAuth authorizes API access; OIDC and SAML authenticate users — never confuse the two.

 4

Access control models & PAM

Identify the decision-maker to name the model; PAM = least privilege for admin accounts.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. In the AAA model, which step answers the question "what is this verified subject allowed to do?"

Answered in AAA & identity lifecycle.

2. Which protocol is designed for automated user provisioning and deprovisioning across systems — not for authentication?

Answered in Federation & SSO.

3. An access model that grants permissions based on attributes like department, device, location, and data sensitivity is best described as:

Answered in Authentication factors.

Most engineers think…

"IAM is just login screens and passwords — once a user authenticates, the access part is basically done."

Authentication only proves who you are; CISSP Domain 5 is mostly about what happens after — authorization, accountability, lifecycle, and privileged access. The 2024 outline now even spans AI agents and non-human identities. Treating IAM as "just login" is exactly how over-provisioned accounts and orphaned admin credentials become the breach.

Identity and Access Management is the heart of practical security: deciding which people, services, devices, and now AI agents get to touch which resources, and proving it afterward. CISSP Domain 5 carries 13% of the exam and shows up constantly on the job — every breach post-mortem eventually points back to a credential that should not have worked. This deep-dive walks the four pillars: AAA and the identity lifecycle (provision → manage → deprovision), authentication factors and when MFA must be phishing-resistant, federation and SSO (SAML, OIDC/OAuth 2.0, SCIM), and access-control models plus PAM (RBAC/ABAC enforcing least privilege, privileged access vaulting and just-in-time elevation). An AI-angle section closes the loop on adaptive, behavior-aware identity.

Figure 1 — Domain 5 in the CBK
Where Domain 5 sits inside the eight-domain CISSP Common Body of Knowledge.The eight CISSP domains as tiles with their exam weights; Domain 5 (IAM) is highlighted to show its place in the wider certification.Domain 5 in the bigger picture1Security & Risk Mgmt16% of the exam2Asset Security10% of the exam3Architecture & Eng13% of the exam4Network Security13% of the exam5IAM13% of the exam · YOU ARE HERE6Assessment & Testing12% of the exam7Security Operations13% of the exam8Software Dev Security10% of the exam
Domain 5 is undefined of the CISSP exam. This deep dive is one of eight — the others are linked at the bottom.
Colour key:active / key steppass / allowedcautionfail / attacker
Figure 2 — The four areas of Domain 5
The four areas that make up CISSP Domain 5: Identity and Access Management.Domain 5 broken into its four study areas — AAA & identity lifecycle, Authentication factors, Federation & SSO, Access control models & PAM — each with its single most important takeaway.The four areas of Domain 51AAA & identity lifecycleIdentify, authenticate, authorize, then holdaccountable; review and revoke access o2Authentication factorsReal MFA mixes factor categories; FAR is thedangerous biometric error; protect KRBT3Federation & SSOOAuth authorizes API access; OIDC and SAMLauthenticate users — never confuse the tw4Access control models & PAMIdentify the decision-maker to name themodel; PAM = least privilege for admin accou
This blog walks all four areas in order. Tap the path cards above to jump to any one.

Domain 5 at a glance

Flip each card for the one-line essence of each area before you dive in.

🧩
AAA & identity lifecycle
tap to flip

Identify, authenticate, authorize, then hold accountable; review and revoke access on time.

🔎
Authentication factors
tap to flip

Real MFA mixes factor categories; FAR is the dangerous biometric error; protect KRBTGT.

🛠
Federation & SSO
tap to flip

OAuth authorizes API access; OIDC and SAML authenticate users — never confuse the two.

🧠
Access control models & PAM
tap to flip

Identify the decision-maker to name the model; PAM = least privilege for admin accounts.

AAA & identity lifecycle

Think of a corporate office: the gate guard checks your face against an ID, the badge reader unlocks only your floor, and the CCTV logs every door you open. That is AAA in the physical world, and CISSP Domain 5 tests the digital version constantly.

The four pillars must never be blurred. Identification is the claim of identity, like entering a username or employee ID. Authentication proves that claim using something you know, have, or are. Authorization then decides what that proven identity may actually do. Accountability records the actions so you can trace them to one individual later. Accountability only works when identities are unique and logs are tamper-resistant, which is why shared accounts destroy it.

The identity lifecycle is the journey of an account from birth to death. Provisioning creates the account and grants least-privilege access, ideally driven by HR data. During employment, periodic access reviews (recertification) catch privilege creep, where people keep old rights after changing roles. De-provisioning promptly disables access when someone leaves or transfers. The 2024 outline also stresses identities for non-human entities like AI agents and service accounts, which need lifecycles too.

Exam tip

If a question describes orphaned accounts or a fired employee still logging in, the failed control is de-provisioning, not authentication.

SSO versus federation trips up many candidates. SSO lets a user log in once and reach many apps inside one organization. Federation extends that trust across organizational boundaries using standards like SAML assertions or OpenID Connect tokens, so a partner's identity provider vouches for your users.

Priya at Infosys faces this

A contractor who left three months ago still appears in the SaaS admin login report at 10.20.4.55.

Likely cause

De-provisioning fired in Active Directory but the federated SaaS app kept a stale local account.

CISSP move

Run an access recertification, enforce SCIM-based de-provisioning, and centralize identity through the federated IdP.

Quick check · Q1 of 10

In the AAA model, which step decides what a successfully logged-in user is permitted to do?

Correct: a. Authorization happens after authentication and determines the permitted actions or resources. Identification is the claim, authentication proves it, and accountability logs the actions afterward.

Pause & Predict

In one line, what is the single most important idea in "AAA & identity lifecycle"? Type your guess.

Answer: Re-read the recap box above — if you can say it in one sentence, you own it.

Authentication factors

Think of authentication factors like checks at an airport gate: your boarding pass (something you have), your face on the ID (something you are), and your booking PIN (something you know). The more independent checks, the harder it is to fake your way through.

CISSP groups identity proof into three classic categories. Something you know is a password, passphrase, or PIN. Something you have is a token, smart card, or phone running an authenticator app. Something you are is a biometric like a fingerprint or iris. The 2024 outline also recognises somewhere you are (location) and something you do (behaviour like gait or typing rhythm) as supporting factors.

Multi-factor authentication (MFA) must combine two or more different categories. A password plus a PIN is still single-factor, because both are "something you know." A password plus a phone push is true MFA. The strongest, phishing-resistant MFA today is FIDO2/WebAuthn, the standard behind passkeys. A public-private key pair lives on your device; the private key signs a server challenge and never travels, so attackers cannot replay or phish it.

Biometrics carry measurable error. FRR (False Rejection Rate, Type I) wrongly blocks a valid user. FAR (False Acceptance Rate, Type II) wrongly admits an impostor, which is the security-critical error. The CER (Crossover Error Rate) is where FAR equals FRR, and a lower CER means a more accurate sensor.

Kerberos is the ticket-based protocol behind Active Directory logins. The KDC issues a Ticket-Granting Ticket (TGT), which you later exchange for service tickets, so your password is never resent. The grave risk is the golden ticket: if an attacker steals the KRBTGT account hash, they forge valid TGTs for any user, even after password resets, and logs will not flag them.

Exam tip

FAR (Type II, lets the impostor in) is the dangerous error. If a question asks which to minimise for high security, choose FAR, not FRR.

Priya at HDFC Bank faces this

Fraud spikes after attackers phish OTP codes from customers using fake bank pages.

Likely cause

SMS OTP is a shared secret that phishing proxies relay in real time, so it is not phishing-resistant.

CISSP move

Priya migrates high-value logins to FIDO2 passkeys, where the private key never leaves the device and cannot be relayed.

Quick check · Q2 of 10

Aditya at Infosys must enable MFA on an admin portal. He proposes requiring a password plus a 6-digit PIN at login. Why does this fail to provide true multi-factor authentication?

Correct: c. MFA requires two different factor categories. A password and a PIN are both 'something you know', so combining them stays single-factor; adding a token or push (something you have) or a biometric (something you are) would make it true MFA.
Figure 3 — A SAML single sign-on login
A SAML single sign-on login — the ordered steps, where step 2 is the decisive one.A SAML single sign-on login: User opens the app (SP) → SP redirects to the IdP → IdP authenticates the user → IdP returns a signed assertion → SP grants access.A SAML single sign-on login1User opens theapp (SP)2SP redirects tothe IdP3IdP authenticatesthe user4IdP returns asigned assertion5SP grants access
A SAML single sign-on login — examiners test the ORDER, so learn it as a sequence, not a list.

▶ A SAML single sign-on login

Press Play to step through it, then Break it to see how it fails.

① Step 1User opens the app (SP)
② Step 2SP redirects to the IdP
③ Step 3IdP authenticates the user
④ Step 4IdP returns a signed assertion
Press Play to walk the healthy path. Then press Break it.

Federation & SSO

Think of federation like an airport visa-on-arrival deal: your home country vouches for you, so the foreign airport lets you in without re-verifying your whole life. Federation extends trust across organisational boundaries so one login works everywhere. The two starring roles are the Identity Provider (IdP) and the Service Provider (SP). The IdP proves who you are; the SP consumes that proof and grants access.

SAML 2.0 is the veteran. It is an XML-based standard that carries signed assertions between IdP and SP, and it powers most enterprise browser SSO to SaaS apps like Salesforce and Workday. SAML handles both authentication and some authorization attributes in one document.

OAuth 2.0 is where students get trapped. OAuth is an authorization framework, not authentication. It lets an app obtain a limited access token to call an API on your behalf (e.g. read your Google Drive) without sharing your password. It answers "what can this app do," never "who is this user."

OpenID Connect (OIDC) fixes that gap. OIDC is a thin identity layer on top of OAuth 2.0 that adds an ID token (a signed JWT) proving the user's identity. It is the modern choice for mobile, API-first, and cloud-native apps. SAML for legacy enterprise; OIDC for new builds.

Just-in-time (JIT) provisioning creates the SP-side account automatically on first successful login, using attributes from the assertion (email, name, group). No pre-loading thousands of users; the account appears when needed.

Common trap

The exam loves "use OAuth to authenticate users." Wrong. OAuth authorizes API access; if the question is about proving identity, the answer is OIDC (or SAML for browser SSO).

Priya at Infosys faces this

A new contractor logs into the partner portal once and an account silently appears, but with no department or roles attached.

Likely cause

JIT provisioning fired correctly, but the IdP assertion omitted the group and department attributes the SP maps to roles.

CISSP move

Fix the IdP attribute release (claims mapping) so the SAML assertion carries authorization attributes, enforcing least privilege at provisioning time.

Quick check · Q3 of 10

Aditya at HDFC must let a third-party budgeting app pull a customer's transaction history via API, without the app ever seeing the customer's banking password or login identity. Which protocol fits this need exactly?

Correct: b. The requirement is delegated, limited API access without sharing credentials or asserting identity — that is exactly OAuth 2.0's authorization role. SAML and OIDC focus on authentication (proving who the user is), which the scenario explicitly does not need, and Kerberos is an intra-domain authentication protocol, not a cross-org API delegation framework.
Figure 4 — RBAC vs ABAC
RBAC vs ABAC — side by side so the trade-off is obvious.A comparison of RBAC versus ABAC across Decides by, Granularity, Scales, Example.RBAC vs ABACRBACABACDecides byRoleAttributes + policyGranularityCoarseFineScalesSimplyPowerfully but complexExample"Manager" roledept=finance AND hours=work
RBAC vs ABAC — most domain questions hinge on telling these apart.

Pause & Predict

Without scrolling up: name the biggest difference in "RBAC vs ABAC". Type your guess.

Answer: If it didn't come instantly, that comparison is your highest-value revision target.

Access control models & PAM

Think of access control models as different doormen guarding the same building. Each doorman uses a different rulebook to decide who walks in. CISSP Domain 5 expects you to know five rulebooks cold, because the exam loves asking "who actually decides access here?"

Discretionary Access Control (DAC) lets the resource owner decide. When you share a Google Drive file and pick who can edit, that is DAC. It is flexible but risky, because owners make mistakes. Mandatory Access Control (MAC) removes that human discretion. The system enforces labels, and even a file's owner cannot loosen access. Military and defence systems use MAC. Role-Based Access Control (RBAC) grants permissions to a role (like "Accounts-Payable Clerk"), then assigns people to roles. Onboarding becomes one role assignment, not fifty individual grants. Attribute-Based Access Control (ABAC) evaluates many conditions together: user department, device health, data sensitivity, even time of day. Rule-Based (RuBAC) applies blanket "if-then" rules to everyone, like a firewall blocking all traffic after 9 PM regardless of role.

The principle of least privilege threads through all five models. Privileged Access Management (PAM) applies least privilege to the riskiest accounts: domain admins, root, service accounts. PAM vaults these credentials, rotates them, brokers each login through a gateway, and uses session recording to capture full video plus keystrokes as a forensic trail. The modern direction is just-in-time (JIT) access: no account holds standing admin rights; the system grants elevation only for a task, then revokes it automatically. The endgame is zero standing privilege.

Exam tip

Spot the decision-maker. Owner decides → DAC. System-enforced labels → MAC. Job role → RBAC. Many attributes evaluated together → ABAC. Same rule for everyone → Rule-Based.

Priya at HDFC faces this

A departed contractor's domain-admin password still works three weeks after offboarding, and nobody can say who used it last.

Likely cause

Admin credentials were standing and shared, never vaulted, never rotated, with no session trail.

CISSP move

Onboard those accounts into PAM: vault and rotate passwords, broker logins through a recorded gateway, and move to JIT elevation so no standing admin rights remain.

Quick check · Q4 of 10

Karthik, a security architect at Infosys, must let access depend on the user's department, the data's classification, the device's patch status, AND the time of day, all evaluated in one decision. Which model fits best?

Correct: d. ABAC evaluates multiple attributes of the user, resource, and environment together in a single policy decision. DAC relies on owner discretion, MAC on fixed labels only, and RBAC on a single role assignment, so none can combine department, classification, device health, and time the way ABAC does.

Domain 5 in the AI era (2026)

The identity you must now defend most often isn't human. In CISSP Domain 5 you learn to manage the identity lifecycle — provisioning, authentication, authorisation, de-provisioning. In 2026 that lifecycle is dominated by non-human identities (NHIs): service accounts, workload identities, API keys, and the fastest-growing class of all, autonomous AI agents. CyberArk's 2026 landscape report found machine identities outnumber humans by roughly 82-to-1, and ManageEngine's 2026 outlook saw some firms hit 500:1. Yet 88% of organisations still classify only humans as "privileged," and two-thirds have already suffered a breach through a compromised NHI.

AI agents are a subclass of NHI that needs stricter controls. Unlike a static API key, an agent decides at runtime, chains tool calls, and can be hijacked by prompt injection — making it a genuine 2026 insider-threat vector. The CSA-OASIS State of NHI and AI Security 2026 found 78% of organisations have no policy for creating or removing AI identities, and 51% cite over-permissioning as their top pain.

The emerging fix maps cleanly onto Domain 5 vocabulary. Give every agent a cryptographically verifiable identity — a SPIFFE/SPIRE SVID or OIDC-federated token, not a shared secret. For "act on behalf of a user" calls, use OAuth 2.0 Token Exchange (RFC 8693) with the act claim so the delegation chain stays auditable (delegation, not impersonation). NIST launched its AI Agent Standards Initiative in February 2026, and CSA's Agentic Identity Governance Framework is converging the field.

At Bengaluru fintech Greenboard Pay, IAM lead Sneha Iyer discovered a reconciliation AI agent reused one admin token across 40 jobs. She re-issued it a scoped SPIRE SVID with just-in-time, per-task credentials — turning an over-privileged ghost into a least-privilege, fully-logged actor.

The AI-era angle, in four cards

What 2026 adds to this domain — flip to see why each matters.

🤖
Agent ≠ Service Account
tap to flip

Agents decide at runtime, chain tool calls, and can be prompt-injected. So what: they need per-task credentials and behavioural monitoring, not a static API key.

📈
82-to-1 Ratio
tap to flip

Machine identities outnumber humans ~82:1 (some firms 500:1), yet 88% treat only humans as privileged. So what: your biggest attack surface is ungoverned.

🪪
SPIFFE SVID
tap to flip

A short-lived, attested identity document (X.509/JWT) per workload from SPIRE. So what: kills the shared-secret leaks that cause two-thirds of NHI breaches.

🔗
act Claim (RFC 8693)
tap to flip

Token Exchange records 'agent X acted for user Y' in the act claim. So what: turns risky impersonation into auditable, accountable delegation.

Pause & Predict

Name one thing AI changes about Domain 5 — and one fundamental it does NOT change. Type your guess.

Answer: AI shifts the tooling and widens the attack surface, but the four areas above still decide the right answer. Tools change; principles don't.

🎯 Prove it — your Domain 5 practice exam

You have read the theory. Now do the reps. This is the free, timed Techclick assessment built for exactly this domain, with full reasoning on every question — plus the full-length mock for when you are close to your exam date.

📝 Domain 5 assessment → Full CISSP mock → 8-week roadmap →

Part of the 8-part series · start from the CISSP overview → · all assessments live on exam.techclick.in (sign in with your Techclick account).

Figure 5 — Domain 5 on one card
Domain 5 on one card: the four areas plus the two things examiners love to test.A one-glance revision card for CISSP Domain 5 with each area's key takeaway and the core comparison and process to memorize.📌 Domain 5: IAM — one-card recapArea 1 · AAA & identity lifecycleIdentify, authenticate, authorize, then holdaccountable; review and revoke access on time.Area 2 · Authentication factorsReal MFA mixes factor categories; FAR is thedangerous biometric error; protect KRBTGT.Area 3 · Federation & SSOOAuth authorizes API access; OIDC and SAMLauthenticate users — never confuse the two.Area 4 · Access control models & PAMIdentify the decision-maker to name the model;PAM = least privilege for admin accounts.RememberRBAC vs ABAC: know the trade-off cold.RememberA SAML single sign-on login — memorize the order.
Print this for the night before. Everything in Domain 5 on a single page.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from ISC2 docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Analyze

An auditor finds three accounts of resigned staff still active in a cloud HR app, though their Active Directory accounts were disabled on their last day. Which control most directly failed?

Correct: c. AD was de-provisioned, but the federated cloud app retained active local accounts, so the lifecycle de-provisioning step failed to propagate. MFA, password policy, and proofing do not remove access for users who have left.
Q6 · Analyze

After a breach at a Bengaluru startup, Meera finds attackers still authenticate as domain admin even though every user password was reset and the intrusion was contained. Which root cause best explains this persistence?

Correct: b. A golden ticket is a forged TGT signed with the KRBTGT key. Because the KDC trusts anything encrypted with that key, the forged tickets stay valid through user password resets; only rotating the KRBTGT account twice invalidates them.
Q7 · Evaluate

Sneha, an architect at a Bengaluru startup, is choosing a federation approach for a new mobile-first app that needs both verified user identity and API access, integrating with modern cloud IdPs. A teammate proposes plain OAuth 2.0 for login. How should she evaluate this proposal?

Correct: a. Plain OAuth 2.0 only authorizes API access and cannot prove user identity, so using it for login is a classic misconception. OIDC layers an ID token on OAuth, delivering both authentication and authorization and suiting mobile/API-first apps. SAML is not mobile-only, and JIT provisioning creates accounts from assertions but does not turn OAuth into an authentication protocol.
Q8 · Apply

Sneha at TCS needs to remove all standing domain-admin rights so attackers cannot reuse a compromised admin account at any time. Which PAM capability should she implement first?

Correct: d. JIT access grants elevation only for a task and revokes it automatically, achieving zero standing privilege so there is no permanent admin right to steal. Longer passwords and permanent roles still leave standing privilege, and DAC does not address privileged-account exposure.
Q9 · Analyze

A reconciliation AI agent at a fintech holds one long-lived admin token shared across 40 jobs and can be steered by data it reads. Analysing this against 2026 NHI guidance, which factor makes it MORE dangerous than a traditional scripted service account?

Correct: b. The defining 2026 risk is that an agent decides at runtime and can be steered by prompt injection — turning its valid, in-boundary credentials into an insider-threat vector. A scripted service account only ever does what it was coded to do. Frequency, token format, and department don't change the threat class.
Q10 · Evaluate

Two teams propose fixes for over-permissioned agents. Team A keeps the shared admin API key but adds more logging. Team B issues each agent a short-lived SPIFFE/SPIRE SVID with just-in-time scoped permissions and uses RFC 8693 Token Exchange with the act claim for on-behalf-of calls. Evaluate which better satisfies CISSP Domain 5 principles and why.

Correct: a. Team B operationalises Domain 5's core tenets: cryptographically verifiable identity (SVID), least privilege via just-in-time scoped tokens, and accountable delegation (act claim) instead of impersonation. Team A's shared, long-lived key violates least privilege and accountability — logging a shared secret can't attribute actions to a specific actor.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: Your company federates 40 SaaS apps. A contractor's project ends but their accounts stay live for weeks, and they retained admin rights to a billing tool. Using Domain 5 concepts, explain which IAM controls failed and how AAA, the identity lifecycle, SCIM, RBAC, and PAM each would have prevented or limited this. Then compare to the expert version.

Expert version: This is a deprovisioning and least-privilege failure. The identity lifecycle broke at offboarding: timely deprovisioning should revoke access the moment the project ends. SCIM should have automated account deactivation across the 40 federated apps from the authoritative HR/IdP source, so no app retained a live account. Authorization and RBAC failed because a contractor held admin (not least-privilege) entitlements — access creep that periodic access reviews/recertification should have caught. PAM should have governed the billing-tool admin rights with vaulting, just-in-time elevation, and session monitoring rather than standing admin access; zero standing privilege would have left nothing to abuse. Finally, accountability (the second A in AAA) — logging and review — is what surfaces such orphaned accounts before they are exploited.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Provisioning
Creating an identity and granting it least-privilege access, ideally automated from an HR system.
De-provisioning
Promptly disabling or removing access when a user leaves or changes roles, preventing orphaned accounts.
Federation
A trust relationship that lets one organization's identity provider authenticate users for another's applications via SAML or OIDC.
FIDO2/WebAuthn
Open standard for passwordless, phishing-resistant login using a device-bound private key that signs a server challenge; the basis for passkeys.
Crossover Error Rate (CER)
The point where a biometric system's false-accept rate equals its false-reject rate; lower CER means a more accurate system.
Golden ticket
A forged Kerberos TGT created from a stolen KRBTGT hash that grants long-term, undetectable access to any account in the domain.
SAML assertion
A signed XML statement from the IdP telling the SP who the user is and, optionally, what they may access.
ID token
A signed JWT issued by OIDC that proves the user's identity — the piece OAuth alone never provides.
JIT provisioning
Auto-creating the service-provider account on first login using attributes carried in the federation assertion.
Just-in-Time (JIT) access
Granting privileged access only for the duration of a specific task, then auto-revoking it, so no account holds permanent admin rights.
Credential vaulting
Storing privileged passwords and keys in an encrypted central vault that rotates them and hides them from end users.
Least privilege
Giving every user, process, or account the minimum access required to do its job, and nothing more.
Non-Human Identity (NHI)
Any credentialed actor that isn't a person — service account, API key, workload, or AI agent. In 2026 these outnumber human identities by roughly 82:1 and are a top breach vector.
SPIFFE / SPIRE
An open standard (SPIFFE) and its runtime engine (SPIRE) that issue each workload a short-lived, cryptographically verifiable identity (an SVID) instead of a shared API key.
OAuth 2.0 Token Exchange (RFC 8693)
A standard letting a service swap one token for another to act on behalf of a user; its 'act' claim records the delegation chain, enabling auditable delegation rather than untraceable impersonation.

📚 Sources

  1. ISC2 — CISSP Certification Exam Outline (effective 2024, Domain 5 = 13%). isc2.org
  2. NIST — SP 800-63B-4 Digital Identity Guidelines: Authentication and Lifecycle Management (Rev. 4, 2025; AAL1–AAL3, phishing-resistant MFA, passkeys, SMS/email-OTP deprecation). nvlpubs.nist.gov
  3. NIST — SP 800-63-4 Digital Identity Guidelines (identity, authenticator, and federation assurance levels). pages.nist.gov/800-63-4
  4. NIST — SP 800-162 Guide to Attribute Based Access Control (ABAC) Definition and Considerations. csrc.nist.gov
  5. NIST — SP 800-207 Zero Trust Architecture (continuous verification, least privilege, policy decision/enforcement points). csrc.nist.gov
  6. IETF — RFC 6749 OAuth 2.0 Authorization Framework and RFC 7644 SCIM 2.0 Protocol (provisioning). ietf.org
  7. OASIS / OpenID Foundation — SAML 2.0 standard and OpenID Connect Core 1.0 specification (federation and token-based SSO). openid.net
  8. Ministry of Electronics and IT (India) — Digital Personal Data Protection Act 2023 + DPDP Rules 2025 (RBAC, least privilege, MFA, access logging, verifiable consent). meity.gov.in

What's next?

Domain 5 done. Keep the momentum — next is Domain 6: Assessment & Testing.

Next · Domain 6: Assessment & Testing → Practice on exam.techclick.in →