This markdown document provides a comprehensive list of IAM controls applicable to SaaS, PaaS, and IaaS platforms, covering authentication, access control, identity lifecycle, privileged access, and governance.

Each control includes:

• Control Name
• Description (NIST-aligned)
• Expected Implementation Evidence
• Platform Applicability

Due to length, only the summary description is presented here. Full detail is provided in the exported document.

Control Name	Description	Expected Implementation Evidence	Platform Applicability
IAM Governance Policy & Procedures	Establish documented IAM policy defining responsibilities and processes.	Policy document, governance role assignments, periodic reviews.	All
Identity Lifecycle Management	Manage full user and service identity lifecycle with defined owners.	Provisioning/deprovisioning records, inactive account reports.	All
Multi-Factor Authentication (MFA)	Enforce MFA for all users, especially privileged roles.	Config settings, enforcement policies, logs.	All
Federated Single Sign-On (SSO)	Use SAML/OIDC with centralized IdP to unify identity policies.	SSO configs, IdP metadata, authentication flow evidence.	All
Authenticator Management & Password Policy	Securely manage passwords, keys, certificates, API secrets.	Password policies, secrets vault logs, rotation evidence.	All
Role-Based Access Control (RBAC)	Access decisions based on job-role-aligned permissions.	Role definitions, mappings, assignment logs.	All
Attribute-Based Access Control (ABAC)	Dynamic access decisions based on attributes/tags.	Attribute policies, enforcement tests.	PaaS, IaaS
Least Privilege Enforcement	Enforce minimum necessary access to perform duties.	Role reviews, scope validation.	All
Separation of Duties (SoD)	Prevent conflicting role assignments and ensure oversight.	SoD matrix, review logs, conflict resolution process.	All
Privileged Access Management	Strict control of privileged identities and vaulting.	Inventory of privileged accounts, session logs, MFA proofs.	All
Non-Human Identities & Service Accounts	Govern service and app identities with least privilege.	Inventory, credential rotation records, ownership mappings.	All
IAM Activity Logging & Monitoring	Monitor all identity events, logins, role changes.	SIEM rules, log samples, alerts on abnormal behavior.	All
Periodic Access Reviews & Recertification	Regular access certification by managers.	Review logs, attestation reports, revocation actions.	All
Exception and Emergency Access Handling	Manage break-glass accounts and policy exceptions.	Usage logs, exception approvals, expiration monitoring.	All

For complete descriptions and validations, refer to the full report or request a formatted PDF/Excel export.