The identity security landscape has fragmented into a sprawl of acronyms (ISPM, ITDR, IGA, CIEM, PAM, NHI) that overlap, contradict, and confuse. A CISO evaluating tools in 2026 needs a clear map, not a glossary that reads like a vendor brochure.
This reference is written by the team at 8Layers, who built an integrated identity security platform from scratch. It covers established industry terms.
Foundations
IAM - Identity and Access Management
IAM answers two questions: who are you? (authentication) and what can you do? (authorization). It is the umbrella under which every other term in this glossary lives. The practice has evolved dramatically, from a single on-premises Active Directory to sprawling multi-cloud, multi-IdP environments where an identity may exist simultaneously in Okta, Microsoft Entra ID, Google Workspace, and AWS IAM, with federation gluing them together. Every concept below - ISPM, ITDR, IGA, CIEM - is a specialized discipline within this larger field.
ISPM - Identity Security Posture Management
ISPM is proactive: it finds misconfigurations before attackers do. That distinguishes it from IGA (governance workflows) and PAM (privileged account vaulting). A well-implemented ISPM engine tracks dormant accounts, excessive privileges, missing MFA, and over-permissioned service accounts in real time. Octagon goes beyond traditional ISPM by calculating the risk of an identity across all IdPs simultaneously, including SAML and OIDC federation trust chains. An identity that looks low-risk in Okta may be high-risk when you factor in that it accesses production via federation with Entra ID, and Octagon surfaces that as a single, unified risk score per identity.
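The cross-IdP scoring idea above, as an added example (not 8Layers or Octagon code): a small posture engine runs the usual checks (missing MFA, dormant accounts, privileged roles) over an identity's accounts in several IdPs, then walks a federation trust map so that a privileged role reachable only through a SAML/OIDC trust chain still counts toward one unified score. The identities, roles, weights and the Okta-to-Entra-to-AWS topology are constructed for the example.

```python
"""Added example (not 8Layers code): a minimal ISPM-style posture engine that
scores an identity across several IdPs and follows federation trust chains,
so access reached through a SAML/OIDC trust counts toward one unified score.
All identities, roles, weights and the federation topology are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)  # constructed "current time"


@dataclass
class Account:
    idp: str                   # "okta", "entra", "aws"
    mfa_enrolled: bool
    last_login: datetime
    roles: tuple = ()          # roles held directly in this IdP


@dataclass
class Identity:
    name: str
    accounts: list = field(default_factory=list)


# Federation trust: source IdP -> [(target IdP, roles a federated user lands in)].
# Constructed topology: Entra ID trusts Okta (SAML), AWS trusts Entra ID (OIDC).
FEDERATION = {
    "okta": [("entra", ("EntraUser",))],
    "entra": [("aws", ("ProdReadOnly",))],
}
PRIVILEGED_ROLES = {"GlobalAdmin", "ProdAdmin", "ProdReadOnly"}  # constructed
DORMANT_AFTER = timedelta(days=90)


def effective_reach(identity, follow_federation=True):
    """Map every (idp, role) the identity can reach to the IdP of the account
    the chain started from. Direct roles come first; then a depth-first walk
    over FEDERATION adds the roles granted at each trusted target."""
    reach = {}
    for acct in identity.accounts:
        for role in acct.roles:
            reach.setdefault((acct.idp, role), acct.idp)
        if not follow_federation:
            continue
        stack, seen = [acct.idp], set()
        while stack:
            idp = stack.pop()
            if idp in seen:
                continue
            seen.add(idp)
            for target, roles in FEDERATION.get(idp, []):
                for role in roles:
                    reach.setdefault((target, role), acct.idp)
                stack.append(target)
    return reach


def posture_findings(identity, now=NOW, follow_federation=True):
    """Return (check, detail, weight) tuples. Weights are illustrative."""
    findings = []
    mfa_by_idp = {a.idp: a.mfa_enrolled for a in identity.accounts}
    for a in identity.accounts:
        if not a.mfa_enrolled:
            findings.append(("missing_mfa", a.idp, 30))
        if now - a.last_login > DORMANT_AFTER:
            findings.append(("dormant", a.idp, 20))
    direct = {(a.idp, r) for a in identity.accounts for r in a.roles}
    for (idp, role), origin in sorted(effective_reach(identity, follow_federation).items()):
        if role not in PRIVILEGED_ROLES:
            continue
        if (idp, role) in direct:
            findings.append((f"privileged:{role}", f"{idp} (direct)", 25))
        else:
            findings.append((f"privileged:{role}", f"{idp} via federation from {origin}", 25))
            # Amplification: a privileged target unlocked by a login that has no MFA.
            if not mfa_by_idp[origin]:
                findings.append(("privileged_reach_without_mfa", origin, 15))
    return findings


def unified_score(identity, now=NOW, follow_federation=True):
    """Single 0-100 risk score per identity, summed across all IdPs."""
    return min(100, sum(w for _, _, w in posture_findings(identity, now, follow_federation)))


# Constructed identities: alice looks clean in Okta alone; bob is the messy case.
ALICE = Identity("alice", [Account("okta", True, NOW - timedelta(days=3))])
BOB = Identity("bob", [
    Account("okta", False, NOW - timedelta(days=200)),
    Account("entra", True, NOW - timedelta(days=10), roles=("GlobalAdmin",)),
])

if __name__ == "__main__":
    for who in (ALICE, BOB):
        print(who.name, "direct only:", unified_score(who, follow_federation=False),
              "unified:", unified_score(who))
        for f in posture_findings(who):
            print("   ", f)
```

Run stand-alone it prints alice at 0 when only her direct Okta roles are considered and 25 once the trust chain to AWS `ProdReadOnly` is followed; bob's Okta account without MFA is the origin of his federated production reach, which is why the amplification finding attaches to Okta rather than to AWS.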
[Figure: Dashboard Octagon - 8layers ISPM]
ITDR - Identity Threat Detection and Response
The discipline of detecting and responding, in real time, to active attacks on identities such as credential theft, privilege escalation, and lateral movement. Where traditional security tools monitor networks or endpoints, ITDR focuses specifically on identity: who authenticated, from where, with what permissions, and whether that behavior is consistent with their normal pattern. The goal is to catch an attack while it is still in progress, not after the damage is done. Thor goes beyond traditional ITDR with two capabilities: an unbounded detection window that can correlate current activity against events from months ago, and the ability to identify full attack campaigns, not just isolated alerts. Every detection maps to a MITRE ATT&CK technique and carries full identity context: behavioral history, entitlements, session data, and group memberships.
[Figure: Dashboard Thor - 8layers ITDR]
Related Disciplines
IGA - Identity Governance and Administration
IGA is predominantly a workflow and governance discipline: access certifications, role mining, joiner/mover/leaver processes. While ISPM is a security discipline (risk scoring and misconfiguration detection), IGA tools manage the intent of access policies. The two are complementary: IGA defines who should have access to what; ISPM monitors whether that intent is actually enforced in the live environment. If IGA says a user should have read-only access and ISPM finds they have admin rights, that gap is exactly what posture management exists to surface.
CIEM - Cloud Infrastructure Entitlement Management
Cloud environments grant far more permissions than are ever used. CIEM tools surface entitlement sprawl and recommend least-privilege remediation. The distinction from ISPM is scope: CIEM is cloud infrastructure-centric (focusing on what roles and policies exist in AWS/Azure/GCP), while ISPM is identity-centric (focusing on all identities - human and non-human - regardless of where they authenticate from). Octagon, the 8Layers ISPM, covers CIEM use cases as part of its IASM layer, including AWS IAM roles, Entra ID service principals, and entitlement analysis across cloud providers.
PAM - Privileged Access Management
PAM is a mature, well-understood category focused primarily on vault-and-rotate workflows for human privileged accounts. The gap: PAM does not cover the full identity attack surface. It misses non-human identities, OAuth applications, and federated access paths where a low-privilege identity can effectively reach privileged resources through SAML (Security Assertion Markup Language) trust chains. The 8Layers platform sees all privileged identities, human and non-human, as part of a unified risk surface, with risk waivers that allow security teams to formally accept and document exceptions.
Identity Types
Human Identity
A Human Identity is a digital identity associated with a specific person (an employee, contractor, partner, or administrator) who authenticates interactively to access systems and resources. Human identities are the most visible layer of the identity surface: they have owners, they appear in org charts, and they are subject to the governance processes most organizations have invested in for decades. That visibility, however, creates a false sense of coverage. Human identities remain the primary target of social engineering, credential phishing, and session hijacking, the entry point from which most identity-based attacks begin.
NHI - Non-Human Identity
Any digital identity that is not associated with a human user: service accounts, API keys, OAuth applications, machine certificates, bots, and CI/CD pipeline credentials. Most organizations have 10–50× more NHIs than human identities, yet NHIs are rarely reviewed, frequently over-privileged, and rarely rotated on schedule. They are the silent attack surface. Octagon inventories and risk scores all NHIs alongside human accounts. Thor's automated response is tailored by NHI subtype: service accounts, API keys, and OAuth apps each receive context-appropriate containment - not the same "suspend user" action designed for human accounts, which would break critical integrations rather than contain the threat.
AI Agent Identity
A distinct identity type for autonomous systems that act, reason, and execute tasks across enterprise environments without direct human oversight. AI agent identities differ from traditional service accounts in two fundamental ways: they operate dynamically, adapting their actions based on context and task complexity rather than following predictable, linear sequences; and they can delegate authority to other agents, creating inter-agent chains where accountability must be preserved end-to-end. At 8Layers, AI agent identities are treated as first-class identities, governed with the same rigor as human accounts, inventoried alongside them, and subject to the same risk scoring, posture checks, and behavioral monitoring that apply across the full identity surface.
Hybrid Identity
A human identity that also has programmatic credentials (PATs, API keys, etc.) associated with it. The security challenge is asymmetric: the human side of a hybrid identity is typically governed, while the programmatic side operates in a parallel track with none of those controls. A developer authenticated via Okta with MFA may have three PATs and two API keys that authenticate silently, carry the same or broader permissions, and have never been reviewed. Octagon surfaces hybrid identities by correlating human account profiles with their associated programmatic credentials, scoring the combined risk surface rather than treating each credential in isolation.
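The two points made in the NHI and Hybrid Identity entries, subtype-specific containment and correlating a human with the programmatic credentials they own, as one added example (not 8Layers or Thor code). It builds a constructed credential inventory, classifies each identity as human, hybrid or an NHI kind, and compares a blanket "suspend user" response with a plan that acts on every credential the identity holds. The action names and inventory are assumptions made for the example.

```python
"""Added example (not 8Layers code): choosing containment by identity subtype
instead of applying one "suspend user" action to everything, and correlating a
human account with the programmatic credentials it owns so a hybrid identity is
contained as a single surface. The inventory, credential kinds and action names
are constructed for this example."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Credential:
    cred_id: str
    kind: str                     # password | pat | api_key | service_account | oauth_app
    owner: Optional[str] = None   # human who owns it; None for a stand-alone NHI
    scopes: tuple = ()


# Constructed inventory: carol is a human (Okta password) who also holds a PAT
# and an API key; the last two records are non-human identities with no owner.
INVENTORY = [
    Credential("okta:carol", "password", owner="carol"),
    Credential("github:pat-7f3", "pat", owner="carol", scopes=("repo", "workflow")),
    Credential("aws:key-carol-ci", "api_key", owner="carol", scopes=("s3:*",)),
    Credential("aws:svc-billing-export", "service_account", scopes=("s3:GetObject",)),
    Credential("entra:app-crm-sync", "oauth_app", scopes=("Mail.Read", "Files.ReadWrite.All")),
]

# Containment actions per credential kind. Service accounts and OAuth apps are
# rotated or de-scoped, not suspended, because suspension breaks the integration
# without invalidating tokens that were already issued.
ACTIONS_BY_KIND = {
    "password": ("revoke_sessions", "suspend_user", "require_mfa_reenrollment"),
    "pat": ("revoke_token",),
    "api_key": ("revoke_key", "issue_replacement_to_owner"),
    "service_account": ("rotate_secret", "restrict_to_known_sources"),
    "oauth_app": ("revoke_refresh_tokens", "revoke_consent_grants"),
}


def linked_credentials(identity, inventory=INVENTORY):
    """A human's credentials are every record that names them as owner;
    an NHI is identified by its own cred_id and links to nothing else."""
    return [c for c in inventory if c.owner == identity or c.cred_id == identity]


def classify(identity, inventory=INVENTORY):
    """human | hybrid (human plus programmatic credentials) | <NHI kind>."""
    creds = linked_credentials(identity, inventory)
    if not creds:
        raise KeyError(f"unknown identity {identity}")
    kinds = {c.kind for c in creds}
    if "password" in kinds:
        return "hybrid" if kinds - {"password"} else "human"
    return creds[0].kind


def naive_suspend(identity, inventory=INVENTORY):
    """The one-size-fits-all response: suspend the interactive account only."""
    return [(c.cred_id, "suspend_user")
            for c in linked_credentials(identity, inventory) if c.kind == "password"]


def containment_plan(identity, inventory=INVENTORY):
    """Subtype-aware plan: one or more actions for every credential the identity holds."""
    return [(c.cred_id, action)
            for c in linked_credentials(identity, inventory)
            for action in ACTIONS_BY_KIND[c.kind]]


def uncontained(identity, plan, inventory=INVENTORY):
    """Credentials of the identity that no action in the plan touches; these keep
    authenticating silently after the response has been declared complete."""
    touched = {target for target, _ in plan}
    return [c.cred_id for c in linked_credentials(identity, inventory)
            if c.cred_id not in touched]


if __name__ == "__main__":
    for ident in ("carol", "aws:svc-billing-export", "entra:app-crm-sync"):
        print(ident, "->", classify(ident))
        for step in containment_plan(ident):
            print("   ", step)
    print("left valid after naive suspend of carol:",
          uncontained("carol", naive_suspend("carol")))
```

The instructive output is the last line: suspending carol's Okta account leaves her PAT and API key valid, which is the silent parallel track the Hybrid Identity entry describes, while the subtype-aware plan touches all three and never issues a suspend against the service account or the OAuth app.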
Detection and Attack Context
UEBA - User and Entity Behavior Analytics
UEBA is the use of machine learning and statistical baselines to detect anomalous user behavior, such as unusual login times, impossible travel, and atypical data access patterns. It is a powerful signal, but it generates significant false positives when operating in isolation, without a rich identity context. Knowing that a user logged in from an unusual location is less useful than knowing who they are, what they normally access, what their entitlements look like, and whether they were involved in a correlated event three weeks ago. Thor incorporates behavioral signals as inputs into its detection engine alongside identity context, treating behavior as one dimension of a multi-dimensional detection, rather than the whole signal.
Identity Attack Kill Chain
The sequence of stages an attacker follows to achieve their objective (initial access, persistence, privilege escalation, lateral movement, and exfiltration), mapped specifically to identity-based attack techniques. MITRE ATT&CK is the standard taxonomy for this mapping. Thor tags every detection, out-of-the-box and custom, to the ATT&CK techniques it covers, giving security teams a live view of their detection coverage across the identity attack surface. The kill chain framing is important because it reinforces why single-event detection fails: identity attacks are not events; they are campaigns, a sequence of stages where each step builds on the last. Detecting only the final stage (data exfiltration) is far less effective than detecting the chain from initial compromise forward.
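The UEBA and kill-chain entries above together describe one pipeline: a behavioral signal feeds a correlator that assembles an identity's detections into a staged campaign over an unbounded look-back. This added example (not 8Layers or Thor code) implements that pipeline on constructed data: an impossible-travel check over a login log produces the first detection, other constructed detections carry real ATT&CK technique IDs, and the correlator is run once with a 30-day window and once unbounded to show what the bounded window forgets. The one-stage-per-technique table is this example's simplification (ATT&CK assigns several techniques to more than one tactic), and the 900 km/h speed threshold is an assumption.

```python
"""Added example (not 8Layers code): correlating identity detections into a
campaign ordered by kill-chain stage with an unbounded look-back, using a
UEBA-style impossible-travel signal as one input among others. Events, the
technique-to-stage mapping and thresholds are constructed; the ATT&CK IDs are
real but mapping each to a single stage is a simplification."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

STAGES = ["initial_access", "persistence", "privilege_escalation",
          "lateral_movement", "exfiltration"]
STAGE_OF = {"T1078": "initial_access",        # Valid Accounts
            "T1098": "persistence",           # Account Manipulation
            "T1548": "privilege_escalation",  # Abuse Elevation Control Mechanism
            "T1021": "lateral_movement",      # Remote Services
            "T1567": "exfiltration"}          # Exfiltration Over Web Service


def ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def km_between(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points in km."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def impossible_travel(logins, max_kmh=900):
    """UEBA-style signal: consecutive logins of one identity whose implied speed
    exceeds an airliner's. Emits a detection tagged T1078 at the second login."""
    by_user = defaultdict(list)
    for t, user, loc in sorted(logins):
        by_user[user].append((t, loc))
    for user, seq in by_user.items():
        for (t0, l0), (t1, l1) in zip(seq, seq[1:]):
            hours = (t1 - t0).total_seconds() / 3600
            if hours > 0 and km_between(l0, l1) / hours > max_kmh:
                yield (t1, user, "T1078", "impossible travel")


# Constructed login log: Madrid, Madrid, then Singapore two hours later.
LOGINS = [(ts("2025-11-02T09:00"), "dana", (40.4168, -3.7038)),
          (ts("2025-11-03T08:00"), "dana", (40.4168, -3.7038)),
          (ts("2025-11-03T10:00"), "dana", (1.3521, 103.8198))]

# Constructed detections from other rules, spread over three months.
DETECTIONS = [
    (ts("2025-11-05T14:10"), "dana", "T1098", "new MFA device registered"),
    (ts("2026-01-20T09:30"), "dana", "T1548", "granted Global Administrator"),
    (ts("2026-02-14T22:05"), "dana", "T1021", "interactive session to prod-db-01"),
    (ts("2026-02-15T01:40"), "dana", "T1567", "12 GB upload to personal storage"),
]


def all_detections():
    return list(impossible_travel(LOGINS)) + DETECTIONS


def correlate(detections, window_days=None):
    """Group detections per identity and order the stages they cover.
    window_days=None keeps every historical event (unbounded window); a bounded
    window discards anything older than the newest event minus the window."""
    campaigns = {}
    by_user = defaultdict(list)
    for d in detections:
        by_user[d[1]].append(d)
    for user, evs in by_user.items():
        evs.sort()
        if window_days is not None:
            cutoff = evs[-1][0] - timedelta(days=window_days)
            evs = [e for e in evs if e[0] >= cutoff]
        campaigns[user] = {
            "stages": sorted({STAGE_OF[e[2]] for e in evs}, key=STAGES.index),
            "span_days": (evs[-1][0].date() - evs[0][0].date()).days,
            "timeline": [(e[0].date().isoformat(), e[2], STAGE_OF[e[2]], e[3]) for e in evs],
        }
    return campaigns


if __name__ == "__main__":
    for label, w in (("30-day window", 30), ("unbounded", None)):
        c = correlate(all_detections(), w)["dana"]
        print(label, "stages:", c["stages"], "span:", c["span_days"], "days")
        for row in c["timeline"]:
            print("   ", row)
```

With the 30-day window the correlator sees only privilege escalation, lateral movement and exfiltration, an incident that appears to start in late January; unbounded, the same identity's campaign begins with the November impossible-travel login and MFA-device registration, 104 days earlier, which is the context a responder needs to scope the compromise.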
Agent Attack Surface
The expanded attack surface that emerges when AI agents operate autonomously inside an organization's environment. An agent with access to APIs, data stores, and internal tools can read, write, and execute across systems at machine speed, under credentials that are rarely reviewed and permissions that are rarely scoped to the minimum required. The risk is not only that an agent can be compromised, but that a compromised or misbehaving agent can move laterally, exfiltrate data, and chain actions across systems before any human notices. There are few established detection patterns for agent-specific threats, and existing ITDR rules were built around human and service account behavior, not autonomous reasoning chains. As agent deployments grow, this layer represents one of the least monitored and fastest-expanding areas of the identity attack surface.
European and International regulatory frameworks
NIS2
The EU's updated Network and Information Security Directive, effective October 2024, requires organizations in critical sectors to implement robust identity and access management controls and report significant incidents within 24–72 hours. NIS2 expanded the scope of the original directive significantly: more sectors, more organizations, and personal liability for executive management. For identity security teams, the critical articles cover MFA requirements, privileged account management, access control policies, and incident reporting obligations. Compass automates evidence collection for NIS2 access control articles, provides continuous gap analysis against NIS2 IAM domains, and generates executive reports ready for regulator submission.
ISO 27001
The international standard for information security management systems (ISMS), with identity and access management controls concentrated in Annex A domains A.5 (organizational controls) and A.8 (technological controls). ISO 27001 remains the foundational certification for enterprises demonstrating security maturity to customers, partners, and regulators. Compass maps technical checks simultaneously to ISO 27001, NIS2, and ENS - "test once, comply many" - so a single automated health check satisfies requirements across all frameworks at once.
SOC 2
A compliance framework developed by the AICPA, widely required by US-based customers and partners as proof that a service organization manages data securely. SOC 2 audits evaluate controls across five Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy. While not an EU regulation, SOC 2 is increasingly relevant for European organizations operating globally or selling into North American markets. Compass supports SOC 2 alongside ENS, NIS2, and ISO 27001 within the same unified control framework.
ENS - Esquema Nacional de Seguridad
Spain's National Security Framework - mandatory for public administrations and any organization providing digital services to the Spanish public sector. ENS defines specific identity and access control requirements that overlap with, but differ structurally from, NIS2 and ISO 27001. A team preparing for an ENS audit cannot assume that NIS2 controls transfer directly - ENS has its own article structure and its own evidence requirements. Compass is the only IAM compliance module on the market with native ENS mapping, linking every technical check to the precise ENS article it satisfies.
[Figure: Dashboard Compass - 8layers Compliance]
Operational Concepts
Drift Detection
Automated monitoring that identifies when a previously compliant configuration changes to a non-compliant state, triggering an alert before an auditor or attacker discovers the gap. A configuration that passes an audit in January can drift by February (an admin enables a legacy authentication protocol, a new integration is provisioned with excessive permissions, MFA is disabled on a service account during an emergency, and never re-enabled). Compass continuously monitors all technical controls and alerts immediately when a compliant environment becomes non-compliant. The gap between drift and detection is where attackers operate, and where regulators focus their scrutiny.
Risk Waiver
A formal, documented decision to accept a known security risk rather than remediate it immediately, with an assigned owner, written justification, and an automatic expiry date that re-triggers review. Not every risk can be fixed immediately. Octagon's waiver system lets CISOs acknowledge a risk deliberately, with a full audit trail, rather than letting it disappear into an unreviewed backlog. Waivers in Octagon carry a granular scope (org-wide or per-identity), an automatic expiry so the risk does not become a permanent exception, and a full audit log that regulators in European banking explicitly expect to see during reviews. The distinction between "we accepted this risk knowingly" and "we forgot about it" can determine the outcome of a supervisory examination.
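The Drift Detection and Risk Waiver entries describe two halves of one loop: detect when a compliant control goes non-compliant, then decide whether that finding is a live alert, a knowingly accepted exception, or an exception whose waiver has lapsed. This added example (not 8Layers, Compass or Octagon code) implements that loop over two constructed posture snapshots and two constructed waivers; the control names, scopes, owners and dates are assumptions made for the example.

```python
"""Added example (not 8Layers code): finding configuration drift between two
posture snapshots and running the drifted controls through risk waivers that
carry an owner, justification, scope (org-wide or per-identity) and expiry, so
an accepted risk is suppressed while the waiver is valid and comes back for
review once it expires. Control names, snapshots and waivers are constructed."""
from dataclasses import dataclass
from datetime import date

# Snapshot: (control, scope) -> compliant?  Scope is "org" or an identity name.
JANUARY = {
    ("legacy_auth_disabled", "org"): True,
    ("mfa_enforced", "svc-backup"): True,
    ("mfa_enforced", "admin-eva"): True,
    ("least_privilege", "app-crm-sync"): True,
}
FEBRUARY = {
    ("legacy_auth_disabled", "org"): False,       # an admin re-enabled a legacy protocol
    ("mfa_enforced", "svc-backup"): False,        # disabled during an incident, never restored
    ("mfa_enforced", "admin-eva"): True,
    ("least_privilege", "app-crm-sync"): False,   # new integration provisioned with broad rights
}


@dataclass
class Waiver:
    control: str
    scope: str            # "org" or a single identity
    owner: str
    justification: str
    expires: date


WAIVERS = [  # constructed
    Waiver("mfa_enforced", "svc-backup", "ciso@example.invalid",
           "backup agent cannot do MFA; compensating network ACL in place", date(2026, 2, 28)),
    Waiver("least_privilege", "org", "it-ops@example.invalid",
           "integration scopes under review this quarter", date(2026, 6, 30)),
]


def drift(before, after):
    """Controls that were compliant in the earlier snapshot and are not now."""
    return sorted(key for key, ok in before.items() if ok and not after.get(key, False))


def covering_waivers(control, scope, waivers):
    """Waivers that apply to a finding: exact identity scope or an org-wide one."""
    return [w for w in waivers if w.control == control and w.scope in (scope, "org")]


def triage(findings, today, waivers=WAIVERS):
    """Sort drift findings into live alerts, waived findings (with the audit
    record a regulator would ask for) and expired waivers that need re-review.
    `today` is an ISO date string."""
    today = date.fromisoformat(today)
    out = {"alerts": [], "waived": [], "expired_waivers": []}
    for control, scope in findings:
        active = [w for w in covering_waivers(control, scope, waivers) if w.expires >= today]
        lapsed = [w for w in covering_waivers(control, scope, waivers) if w.expires < today]
        if active:
            w = active[0]
            out["waived"].append((control, scope, w.owner, w.justification, w.expires.isoformat()))
        elif lapsed:
            # Neither drop the finding nor re-alert silently: route it back to the owner.
            out["expired_waivers"].append((control, scope, lapsed[0].owner))
        else:
            out["alerts"].append((control, scope))
    return out


if __name__ == "__main__":
    drifted = drift(JANUARY, FEBRUARY)
    for day in ("2026-02-20", "2026-03-05"):
        print(day, triage(drifted, day))
```

Run on 20 February, the re-enabled legacy protocol is the only live alert, while the service-account MFA gap and the over-scoped integration are recorded as waived together with owner, justification and expiry. Run again on 5 March the service-account waiver has lapsed, and the finding is returned to its owner as an expired waiver rather than vanishing or reappearing as an anonymous alert, which is the "accepted knowingly" versus "forgot about it" distinction the entry describes.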
How these pieces fit together
Every term in this glossary maps to a real capability, and together they form a complete picture of what identity security looks like in 2026. Most vendors offer one piece of this map.
8Layers offers all three in a single platform:
- Octagon covers the posture layer: continuous risk assessment across all identities, human and non-human, with cross-IdP scoring that includes federation trust chains and formal risk waivers.
- Thor covers the detection and response layer: identifying active attacks as full campaigns rather than isolated events, with an unbounded detection window that sees what other tools have already forgotten.
- Compass covers the compliance layer: automating evidence collection and gap analysis across NIS2, ISO 27001, SOC 2, and ENS simultaneously.
