Programming code displayed on a screen

Home / IT Security / IAM

Identity is the control plane. Everything else is downstream.

Who can reach what, proven and enforced — designed to the assurance levels of NIST SP 800-63-4.

What IAM is

The perimeter moved. It is now an identity, and it is being phished.

Credential abuse is not an edge case. It is the front door.

Once network location stopped meaning anything, identity became the thing an attacker actually needs. Which is why identity is where the engineering effort belongs: strong authentication, minimal standing privilege, and access that disappears the day someone leaves.

We design to NIST SP 800-63-4, the current revision of the Digital Identity Guidelines, which superseded Revision 3 on 1 August 2025. It separates assurance into three axes, and being explicit about them is what turns "we have MFA" into a defensible design.


Assurance levels

SP 800-63-4 splits identity into three independent questions.

IAL — Identity
How confident are you that the person is who they claim to be? Governs proofing and enrolment: evidence, validation, verification.
AAL — Authentication
How strong is the login itself? Under SP 800-63-4, SMS one-time passcodes no longer satisfy AAL2 — which retires a control a great many organizations still rely on.
FAL — Federation
How much do you trust an assertion arriving from another party? Governs SSO, federation, and the handling of assertions.
Scope of work

What we build.

Authentication
Phishing-resistant MFA using FIDO2/WebAuthn and platform authenticators; passwordless where the estate allows it. Deliberate retirement of SMS OTP.
Single sign-on
SAML 2.0 and OAuth 2.0 / OpenID Connect. One identity, one revocation point.
Authorization
RBAC where roles are stable, ABAC where they are not. Least privilege and segregation of duties enforced, not documented.
Lifecycle (JML)
Joiner-mover-leaver automated through SCIM provisioning. Access granted on day one and removed on the last day — the leaver step is the one that is usually broken.
Privileged access
PAM with just-in-time elevation, session recording, and credential vaulting. No permanent administrators.
Directory services
Active Directory, Microsoft Entra ID, LDAP. Hygiene, group sprawl, and stale-account cleanup.
Governance
Periodic access reviews and certification, with evidence an auditor accepts.
Zero trust
Continuous verification: device posture and context evaluated per request, not once at the VPN.
Standards

What this maps to.

NIST SP 800-63-4FIDO2 / WebAuthnSAML 2.0OAuth 2.0OpenID ConnectSCIMISO/IEC 27001NIST CSF 2.0

Can you revoke every access a leaver had, today, from one place?

If not, that is the engagement. Tell us what your identity estate looks like now.

Contact us
Response
Within one business day
Engagement
Project, managed retainer, or advisory