
Glossary

Identity security used to mean protecting employee accounts. That's no longer the whole picture.

AI agents, non-human identities, and automated pipelines now authenticate, pull data, and make decisions around the clock, often with the same privileges as a senior employee. The security models built for human users weren't designed for this.


This glossary covers the key terms shaping that shift, from agentic AI to identity observability, written for security teams who need more than definitions. As identity becomes the primary control plane for modern infrastructure, a shared vocabulary isn't a nice-to-have. It's how you start seeing risk before it becomes a problem.

Access Certification
Periodic review of identity access rights by designated owners, used to confirm that access is still appropriate and to revoke anything that isn't. Often required for compliance; often treated as a checkbox.

Category: Governance

Access Governance
The policies and processes that define, enforce, and regularly review access rights across an organization. Access governance means identities have what they need for their role and nothing extra that quietly accumulates.

Category: Governance

Access Review
A systematic look at the access rights identities hold, used to find and fix over-privilege, orphaned access, and policy violations. The difference between this and access certification is mostly timing and scope.

Category: Governance

Access Token Security
Protecting access tokens from theft, replay, and session hijacking, including detecting when tokens are used outside the context they were issued for.

Category: Credential Security

Account Takeover Detection
Detecting unauthorized access to user or service accounts, typically through credential theft, MFA bypass, session hijacking, or social engineering. Behavioral anomalies and access pattern analysis are the main detection mechanisms.

Category: ITDR

Active Directory Security
Protecting Active Directory infrastructure from attacks that commonly target it: privilege escalation, lateral movement, credential abuse, and directory service compromise. AD is a frequent attacker objective for good reason.

Category: Identity Infrastructure

Adaptive Authentication
Authentication that adjusts the verification required based on real-time risk signals: location, device, behavior, access patterns. Low-risk logins get less friction; high-risk ones get stepped up.

Category: Authentication

Agentic AI Identity Security
Securing the identity layer of agentic AI systems: how agents authenticate, which credentials they use, what roles they assume, how their activity is governed across cloud, SaaS, and on-prem environments, and how each AI agent identity is tied back to its human creator and maintainer.

Category: AI Identity Security

Agentic AI Security
Discovering, monitoring, and protecting AI agents as high-privilege identities that authenticate, assume roles, retrieve secrets, and act autonomously without per-step human approval. Policy controls at provisioning aren't enough here; you need continuous observability of every agent's access paths and access activity.

Category: AI Security

Agentic AI Security Posture Management (AI-SPM)
Agentic AI Security Posture Management (AI-SPM) is the method of continuously discovering, mapping, monitoring and governing AI agents as active, non-human identities within an environment. It focuses on visibility into what agents exist, what they access, how they behave, and whether their actions align with intended use, enabling organizations to detect risk, misuse, or behavioral drift in real time.

Category: AI Security

AI Agent Access Analytics
Analyzing AI agent access data over time to find trends, flag anomalies, and surface over-privilege before it becomes a breach. The output should be actionable intelligence, not just dashboards.

Category: Analytics

AI Agent Access Control
What limits an AI agent to only the systems, data, and services it's supposed to reach. This includes role assignments, permission scopes, and enforcement that happens at runtime, not just at setup.

Category: Access Control

AI Agent Access Governance
The policies and controls that define, enforce, and continuously validate what AI agents are allowed to access. Access governance for agents isn't a one-time setup; it needs to adapt as environments and agent behavior evolve.

Category: Governance

AI Agent Access Monitoring
Tracking in real time which systems, APIs, and data stores an AI agent touches during execution, so you can tell whether its access patterns match what it's actually supposed to be doing.

Category: Monitoring

AI Agent Access Path Analysis
Mapping the full chain of steps an AI agent takes during execution, from initial authentication through role assumption, secret retrieval, and system interaction. This analysis is how you find risk and spot access patterns that don't belong.

Category: Risk Analysis

AI Agent Activity Monitoring
Observing AI agent access events and actions across identity systems, network flows, and cloud environments as they happen, so anomalies and policy violations surface in real time rather than in a post-breach log review.

Category: Monitoring

AI Agent Authorization
Deciding and enforcing what an AI agent is allowed to do inside a system, based on its assigned roles, policies, and the context of the access request. Authorization is distinct from authentication and often where controls are weakest.

Category: Authorization

AI Agent Credential Lifecycle
Managing the credentials used by AI agents from issuance through rotation, expiration, and revocation. No credential should be reused, shared, or left active after it's no longer needed.

Category: Credential Security

AI Agent Credential Security
Protecting the credentials, tokens, secrets, and API keys that AI agents rely on to authenticate and access systems. Detection of credential misuse, unexpected retrieval, and exposure is the core of this practice.

Category: Credential Security

AI Agent Discovery
Continuously discovering every AI agent in your environment, including the ones nobody officially sanctioned and the integrations that slipped in outside normal governance. If you can't see it, you can't govern it.

Category: Discovery

AI Agent Execution Monitoring
Watching what an AI agent actually does during execution, including the sequence of actions it takes, the systems it reaches, and the decisions it makes. The goal is to verify it's doing what it's supposed to and catch any misuse.

Category: Monitoring

AI Agent Governance
The policies and controls that define how AI agents get approved, provisioned, monitored, and eventually decommissioned. The goal is simple: agents should only operate within sanctioned boundaries and always have a human owner on the hook.

Category: AI Security

AI Agent Identity Governance
The policies and controls that ensure AI agents are provisioned, monitored, and decommissioned in line with organizational security and compliance requirements. It's governance applied specifically to agent identities.

Category: Governance

AI Agent Identity Management
Managing AI agent identities across their full lifecycle: provisioning, role assignment, access review, and decommissioning. Every agent should have a human owner and move through the same governance processes as other identities.

Category: Identity Management

AI Agent Identity Risk
The security exposure created by AI agents through misconfigured access, over-privilege, unmanaged credentials, or behavioral drift. Any of these can become a path for unauthorized access or data exposure.

Category: Risk

AI Agent Identity Security
Treating every AI agent as a governed identity that gets inventoried, continuously observed, and held to defined access boundaries. It's a subset of identity security, but one that most organizations and current identity tools aren't ready for yet.

Category: AI Identity Security

AI Agent Identity Visibility
Seeing every AI agent identity in your environment clearly: who owns it, what it can access, how it's behaving, and how it relates to other identities and systems. You can't govern what you can't see.

Category: Visibility

AI Agent Observability
Real-time visibility into how AI agents authenticate, which roles they take on, what secrets they pull, and which systems they touch. Security teams need this level of detail to actually understand agent behavior, not just assume it.

Category: Observability

AI Agent Privilege Management
Keeping AI agents under least privilege means their access rights are scoped to what's actually needed for their function, then continuously checked against what they're actually using. Anything beyond that increases risk exposure.

Category: Privilege Management

AI Agent Risk Management
Finding, measuring, and proactively mitigating the security risks that AI agents introduce if they aren't properly managed: over-privilege, shadow agents, credential misuse, and access that has drifted from what was originally intended.

Category: Risk

AI Agent Runtime Security
Security monitoring applied to AI agents while they're actually running: real-time detection of unexpected behavior, unauthorized access attempts, and policy violations as they occur during execution.

Category: AI Security

AI Agent Security
The controls and practices used to discover, monitor, and protect AI agents present inside an enterprise environment, including catching unauthorized access, unusual behavior, and credential misuse before they cause damage.

Category: AI Security

AI Agent Shadow Access
AI Agent Shadow Access refers to AI agents operating within an environment without clear organizational awareness, ownership, or oversight. These agents may have active permissions and access to systems, but exist outside formal governance processes, creating hidden identity risk that is difficult to monitor, manage, or control.

Category: AI Security

API Token Security
Protecting API tokens from unauthorized access, theft, and misuse, with monitoring for anomalous usage patterns and enforcement of rotation and expiration policies.

Category: Credential Security

Attribute-Based Access Control (ABAC)
An access control model that evaluates multiple attributes of the identity, the resource, and the environment to make access decisions dynamically based on defined policy. More flexible than RBAC, but harder to audit.

Category: Access Control

Authentication
Verifying that an identity is who or what it claims to be before granting access to a resource. Credentials, tokens, certificates, and biometric factors are all authentication mechanisms.

Category: Authentication

Authorization
Determining what an authenticated identity is allowed to do in a system, based on its assigned roles, policies, and context. Authentication confirms who you are; authorization decides what you can do.

Category: Authorization

Autonomous AI Security
Security practices applied to AI systems that make independent decisions and act on them autonomously. The focus is governing that autonomous behavior, preventing unauthorized access, and detecting misuse that happens at machine speed.

Category: AI Security

Credential Abuse Detection
Catching unauthorized or anomalous use of credentials, whether stolen tokens, reused passwords, or shared secrets, across the identity and access activity in an environment.

Category: ITDR

Credential Leakage
Credentials, tokens, or secrets ending up where they shouldn't: exposed through misconfiguration, insecure storage, logging, or transmission. Each instance is a potential path to unauthorized access.

Category: Threat

Credential Rotation
Regularly replacing credentials, tokens, and secrets with new values to shorten the exposure window if a credential is ever compromised. How often you rotate and how you automate it matters a lot in practice.

Category: Credential Security

Federated Identity
An identity model where a single identity can be used across multiple systems or organizations through established trust relationships between identity providers.

Category: Identity Infrastructure

Identity Access Analytics
Analyzing identity access data to find trends, flag anomalies, surface risk, and produce intelligence that's actually useful for improving security posture and governance decisions.

Category: Analytics

Identity Activity Monitoring
Continuously recording and observing identity actions, authentication events, and access activity so you can detect threats in real time and reconstruct what happened after an incident.

Category: Monitoring

Identity and Access Management (IAM)
The framework of policies, processes, and technologies that manages digital identities and controls access to systems and resources. The goal is giving the right identities the right access at the right time, nothing more.

Category: Identity Management

Identity Attack Path Analysis
Mapping the sequence of identity-based steps an attacker could take to move through an environment, from initial access through lateral movement to whatever they're actually after.

Category: ITDR

Identity Attack Surface Management
Continuously assessing and shrinking the attack surface exposed by your identity infrastructure: shadow identities, over-privileged accounts, unmanaged credentials, and access paths that nobody has mapped.

Category: Attack Surface

Identity Behavior Analytics
Analyzing how identities behave over time to build baselines and spot anomalies that might indicate compromise, misuse, or policy violations. The value is in detecting what shouldn't be there, not just what is.

Category: Analytics

Identity Blast Radius
How far a compromised identity can reach. Blast radius is determined by what the identity can access, which systems it connects to, and what data it can get to. Minimizing it is why least privilege matters.

Category: Risk

Identity Compromise Detection
Identifying identities that have been compromised through credential theft, token replay, or similar attack vectors, using behavioral analysis and access monitoring to surface suspicious activity before damage is done.

Category: ITDR

Identity Control Plane
The identity control plane is the centralized decision-making layer that governs how all identities, including agentic AI, NHI, and human users, authenticate, access resources, and interact across an enterprise environment. Originating from network engineering, where the control plane governs routing decisions rather than carrying traffic, the identity control plane sits above individual authentication systems and enforces access policies in real time across distributed environments. As traditional network perimeters have dissolved, identity has emerged as the primary control plane through which every access decision in the enterprise flows.

Category: IAM

Identity Federation
The technology and standards that enable identity providers to build trust relationships and share authentication across organizational or system boundaries. SAML and OAuth are the most common underlying standards.

Category: Identity Infrastructure

Identity Governance and Administration (IGA)
The tools and processes used to manage identity lifecycles and access rights: provisioning, access reviews, role management, and compliance reporting. IGA is how you know who has access to what and whether they should.

Category: Identity Management

Identity Graph
An Identity Graph is a structured representation of relationships between identities, resources, and access paths within an environment. It maps how human, NHI, and agentic AI identities connect to systems, data, and permissions, enabling organizations to visualize access patterns, detect risk, and understand the full context of identity activity.

Category: Observability

Identity Lifecycle Management
Managing an identity from creation through every change to its access rights, right through to deprovisioning. The goal is making sure access stays appropriate throughout, not just at day one.

Category: IAM

Identity Observability
Real-time visibility into what identities exist (AI agents, NHIs, humans, managed and unmanaged) and what they are actually accessing and doing across an environment, which is often quite different from what their policies say they're allowed to do.

Category: Observability

Identity Provider (IdP)
A system or service that creates, manages, and authenticates digital identities, providing authentication to applications through standards like SAML, OAuth, and OpenID Connect.

Category: Identity Infrastructure

Identity Risk Exposure
The aggregate identity-related risk an organization is carrying: over-privileged accounts, unmanaged credentials, shadow identities, and governance gaps across human, NHI, and AI agent identities.

Category: Risk

Identity Security
Protecting identities of all types, human users, NHIs, and AI agents, from unauthorized access, compromise, and misuse across an organization's full technology environment.

Category: Identity Security

Identity Security Control Plane
The identity security control plane is the layer of security controls, policies, and real-time monitoring that governs and validates identity access decisions across an enterprise environment, treating identity as the primary security enforcement point in architectures where network perimeters no longer provide meaningful protection. Unlike the broader identity control plane which focuses on access orchestration, the identity security control plane emphasizes continuous behavioral validation, threat detection, and automated response to ensure that authorized identities are operating within intended boundaries.

Category: IAM

Identity Security Posture Management (ISPM)
Continuously assessing and improving your organization's identity security posture, which means finding misconfigurations, policy gaps, over-privilege, and shadow access across all identity types and environments.

Category: Identity Security

Identity Telemetry
The collection of identity-related data signals from across an environment: authentication events, access logs, network flows, cloud activity. The goal is a complete picture of identity behavior, not just what the IdP sees.

Category: Observability

Identity Threat Detection
Identifying active threats against identity systems and access infrastructure: credential theft, account takeover, privilege escalation, and authentication activity that doesn't fit normal patterns.

Category: ITDR

Identity Threat Detection and Response (ITDR)
A security discipline focused on detecting, investigating, and responding to threats that target identity infrastructure. Compromised credentials, privilege abuse, MFA bypass, and lateral movement through identity access paths are the core threat scenarios.

Category: Identity Security

Identity Visibility
Seeing all identities in your environment clearly: their access rights, behavioral patterns, and relationships to systems and data. Without this, security and governance decisions are made on incomplete information.

Category: Visibility

Identity Visibility and Intelligence Platforms (IVIP)
Identity Visibility and Intelligence Platforms (IVIP) is a security category introduced by Gartner in July 2025 to describe platforms that gather, categorize, and visualize identity data across directories, tools, and multiple IAM domains, providing a single view of identity activity, relationships, configuration, and posture to enable rapid improvement of all integrated IAM controls. IVIPs act as an intelligence layer that complements existing IAM, PAM, IGA, and CIEM tools without replacing them, addressing the fragmented visibility gap that prevents organizations from answering basic questions about who has access to what across their full technology environment.

Category: Visibility

Identity-Centric Security
A security model where identity is the primary security perimeter. Every human, non-human, and AI agent identity is at the center of access control and threat detection decisions.

Category: Security Framework

Least Privilege Access
Identities should get the minimum access required to do their job. That's the principle. It's harder to enforce than it sounds, especially across non-human identities and AI agents that accumulate permissions over time.

Category: Privilege Management

Machine Identity
A digital identity assigned to a non-human entity, such as a server, container, application, or AI agent, that lets it authenticate and interact with other systems in a network or cloud environment.

Category: Identity Type

Machine Identity Security
Protecting machine identities through continuous discovery, credential management, access governance, and behavioral monitoring so they can't be misused, compromised, or leveraged for unauthorized access.

Category: Identity Security

MFA Bypass
Techniques attackers use to get around MFA: push fatigue attacks, adversary-in-the-middle proxies, SIM swapping, helpdesk social engineering. MFA is better than a password alone, but it's not the end of the conversation.

Category: Threat

MFA Fatigue Attack
An attack where the adversary sends repeated MFA push notifications, counting on the target approving one out of frustration or confusion. It works more often than it should.

Category: Threat

MFA Governance
The policies and monitoring that define and enforce MFA requirements across an organization. Good MFA governance means you know where MFA is missing or bypassable, not just where it's theoretically in place.

Category: Governance

MFA Security
Ensuring MFA is actually enforced across the environment, which means detecting gaps, catching bypass attempts, and finding authentication flows that are misconfigured or missing MFA entirely.

Category: Authentication

Multi-Factor Authentication (MFA)
An authentication method that requires two or more independent verification factors, such as a password and a one-time code or biometric. The goal is making credential theft alone insufficient to gain access.

Category: Authentication

NHI Access Monitoring
Watching how NHIs access systems, retrieve secrets, and interact with infrastructure in real time. The goal is to proactively catch anomalous behavior and unauthorized access as it happens.

Category: Monitoring

NHI Discovery
Continuously identifying and inventorying every non-human identity in your environment, including the managed ones and the ones that slipped in unmanaged, across cloud, SaaS, and on-prem systems.

Category: Discovery

NHI Governance
The policies and processes that govern how NHIs are created, managed, reviewed, and retired. Accountability and least-privilege access are the two things these processes need to deliver.

Category: Governance

NHI Inventory
A continuously maintained record of all non-human identities in an environment: their type, owner, access rights, associated workloads, and current activity status.

Category: Discovery

NHI Posture Management
Ongoing assessment of how well your NHIs are secured, including finding misconfigurations, over-privilege, orphaned accounts, and hygiene gaps across every NHI type.

Category: Posture

NHI Privilege Management
Applying least-privilege to NHIs means service accounts, tokens, and AI agents get only what they need for their specific function, and those permissions get reviewed regularly.

Category: Privilege Management

NHI Risk Management
Finding and fixing the security risks tied to non-human identities: over-privilege, orphaned accounts, exposed credentials, and access patterns that don't match intended use.

Category: Risk

NHI Security
Discovering, governing, and protecting non-human identities, including service accounts, API keys, tokens, and AI agents, so they operate within intended boundaries and don't get misused or compromised.

Category: Identity Security

NHI Threat Detection
Identifying threats that originate from or target NHIs: credential theft, account compromise, privilege abuse, and lateral movement through machine identity access paths.

Category: Threat Detection

NHI Visibility
Real-time insight into every NHI in your environment, including what it can access, how it's behaving, who owns it, and how it connects to workloads and systems.

Category: Visibility

Non-Human Identity (NHI)
Any identity that isn't a human user: service accounts, workloads, API keys, tokens, certificates, AI agents. These identities authenticate and access systems programmatically, and most organizations have far more of them than they realize.

Category: Identity Type

OAuth Security
The security practices around OAuth-based authorization flows, including protecting authorization codes, tokens, and client credentials from theft and misuse.

Category: Authentication

OAuth Token Security
Protecting OAuth access tokens and refresh tokens from theft, replay, and unauthorized use. Anomalous token usage patterns are often the first indicator that something has gone wrong.

Category: Credential Security

Privilege Escalation Detection
Detecting when an identity tries to gain more access than it was assigned, whether through misconfigured roles, token manipulation, or moving laterally through identity trust relationships.

Category: ITDR

Privileged Access Management (PAM)
The controls, monitoring, and auditing applied to privileged accounts, including administrators, service accounts, and other high-risk identities. PAM exists because privileged access is what attackers are usually after.

Category: Access Control

Privileged Session Management
Monitoring and controlling sessions started by privileged identities, with session recording, real-time oversight, and audit trails for high-risk access. If a privileged session goes wrong, you want the full story.

Category: PAM

Role-Based Access Control (RBAC)
An access control model where permissions are attached to roles rather than individual identities. Users and systems get access by being assigned to a role, which makes permission management more consistent and scalable.

Category: Access Control

SAML Authentication
An XML-based standard for passing authentication and authorization data between an IdP and a service provider. Widely used for enterprise SSO, though it's showing its age in cloud-native environments.

Category: Authentication

Secret Exposure Detection
Finding secrets, credentials, or tokens that have left their intended security boundary: hardcoded secrets in code, leaked tokens, unauthorized secret access. Early detection limits the damage.

Category: Threat Detection

Secrets Management
The tools and practices used to securely store, distribute, rotate, and audit the credentials, API keys, tokens, and other sensitive values that applications and automated systems depend on.

Category: Credential Security

Service Account Security
Governing and protecting the service accounts that applications and automated processes use to access systems. The main risks are credential misuse, over-privilege, and access activity that nobody is watching.

Category: Identity Security

Unified Identity Security
A single integrated approach to identity security that provides consistent visibility, governance, and threat detection across human users, non-human identities, and AI agents, without separate tools and blind spots between them.

Category: Identity Security

Workload Identity
The identity assigned to a workload, whether a container, serverless function, or microservice, that lets it authenticate and access other services and resources in cloud or hybrid environments.

Category: Identity Type

Workload Identity Security
Discovering and protecting workload identities: how they authenticate, which credentials they use, what resources they reach, and whether their behavior stays within expected boundaries.

Category: Identity Security

Zero Trust Identity
An identity security approach built on never implicitly trusting any identity. Every access request requires continuous verification of identity, device, and context before anything is granted.

Category: Security Framework
