Implement secure, compliant and resilient Identity and Access Management (IAM) capabilities that enforce least privilege across human users, devices, service accounts and other Non-Person Entities (NPEs).
Organizations enforce least privilege by limiting access to Technology Assets, Applications, Services and Data (TAASD) to authorized users, services and entities with Need to Know (NTK) / Need to Access (NTA) based on approved identities, authentication strength, attributes and access rights.
Identity is the control plane for access. The IAC domain governs the full Identity and Access Management (IAM) discipline: how identities are established, how authentication strength is set, how access rights are defined and enforced and how the principle of least privilege is applied to both human users and Non-Person Entities (NPEs). NPEs include service accounts, APIs, automated processes and devices, all of which can carry significant privilege and are frequently under-governed compared to human accounts.
The SCF's intent for IAC centers around Need to Know (NTK) and Need to Access (NTA). Those two concepts are distinct. NTK applies to information access based on role and purpose. NTA applies to system access based on function. An account should have only the access required for its specific function, verified by approved identity and authentication. That sounds simple; in practice most organizations have significant privilege sprawl that accumulated over years of provisioning without corresponding deprovisioning.
IAC is the control domain most directly exploited by attackers. Credential-based attacks, including phishing, password spray and credential stuffing, succeed when authentication controls are weak. Lateral movement succeeds when privileges are excessive. IAC controls are not optional security improvements; they are the primary defense against the techniques most commonly used in actual breaches.