Access Should Know What the Data Is

Most access control protects systems: this database, that app, this bucket. It says nothing about the sensitivity of what is inside, so the same permission guards a marketing list and a table of social security numbers. Data-centric access ties the control to the data's classification, so protection follows the data across the systems that hold it. Here's how classification, labeling, and policy fit together, and why it's the hardest pillar to finish.

Standardize the Gates, Not the Steps

PDLC, SDLC, and the AI development lifecycle overlap more than their acronyms suggest, and forcing teams onto one rigid process to satisfy auditors kills the autonomy that makes them work. Standardize the control gates where evidence gets collected, let teams own the steps in between, and give AI-DLC its own branch only where it adds gates the others never had.

The Gateway Can't See the Object

An API gateway can check whether you may call an endpoint. It cannot see whether this row, this document, this tenant is yours, because the object lives inside the application. Fine-grained authorization, policy engines like OPA and Cedar and relationship models like Google's Zanzibar, moves the decision next to the data. Here's when you need it and what it costs to run.

Per-App Access Ends the Flat Network

A VPN authenticates you to a network and then trusts you on all of it, which is how one phished laptop reaches the whole subnet. The network pillar of zero trust replaces that with identity-aware, per-application access: you reach the one app you are entitled to and never see the rest. Here's what replaces the VPN, and what the migration actually costs.

Zero Trust Is a Sequence, Not a Posture

Zero trust gets sold as a posture you either have or don't, and as a product you can buy. It's neither. It's a set of controls that pay off in an order, and most organizations can't reach the end state at once. Here's the sequence and when each piece earns its place.

Trust the User, Then Trust the Machine

User authentication answers who is making a request and says nothing about the machine it comes from. Device-based authentication, a hardware-bound certificate plus live posture, makes the machine part of the decision: is this one of ours, and is it healthy right now. Here's how to build it, and where the friction stops being worth it.

The Only MFA That Survives Phishing

Passwords and one-time codes both fall to a convincing fake login page. FIDO2 security keys and passkeys don't, because the browser checks the site's identity before it releases the credential. Here's how the pieces fit, what each one costs to roll out, and why account recovery is the part that decides whether it sticks.

Roles Don't Scale the Way You Think

Role-based access ends the per-hire negotiation over who gets what, and then it collapses under its own weight: a role for every exception, thousands of roles nobody can audit. The model that survives is a few coarse birthright roles plus requested access for the rest, with attributes doing the work roles can't. Here's how to design for the hybrid you'll actually run.

Logging Out Is Harder Than Logging In

Single sign-on made logging in a solved problem. Logging out never got the same treatment: disabling an account leaves live sessions running, and the single-logout standards meant to fix it are fragile or unevenly adopted. What works is a newer approach, near-real-time session-revocation signals. Here's why logout is the hard half and what actually ends a session now.

Automate the Leaver Before the Joiner

Automated provisioning is the Scale-stage IAM investment, and the joiner-mover-leaver lifecycle is where it lives. The grant is the easy, visible half. The access that should have been removed and was not is the half that becomes a breach, which is why deprovisioning is the part to automate first, ahead of provisioning.