KSI-IAM-AAM—Automating Account Management
Formerly KSI-IAM-07
Trust Center Components
Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.
From the field: Mature implementations express access governance through automated IAM pipelines — RBAC/ABAC models enforced by identity platforms, access reviews triggered automatically on schedule, orphaned accounts detected and flagged by identity governance tools, and access review completion tracked as a dashboard metric. The access management policy becomes documentation of the automated enforcement model.
- RBAC/ABAC Model Documentation: how the access control model is implemented and enforced — role-based or attribute-based controls as a product feature
- Access Policy Enforcement: automated enforcement of access policies — provisioning, deprovisioning, and access review workflows driven by identity governance platforms
- Identity Provider Integration: supported identity providers and SSO integration options — federated identity as a product feature
- Access Review Cadence: how access reviews are conducted — cadence, scope, and escalation for quarterly privileged access reviews
- Access Management Policy: human-readable access management policy covering provisioning, review, and deprovisioning — documents the intent behind automated IAM enforcement
Programmatic Queries
CLI Commands

```shell
# Logins of every user known to the IdP
okta-aws-cli list-users --output json | jq '.[].profile.login'

# Users the IdP has already deprovisioned (query the Okta Users API directly)
curl -s -H "Authorization: SSWS ${OKTA_API_TOKEN}" "https://${OKTA_DOMAIN}/api/v1/users?filter=status+eq+%22DEPROVISIONED%22" | jq '.[].profile.email'
```

20x Assessment Focus Areas
Aligned with FedRAMP 20x Phase Two assessment methodology
Completeness & Coverage:
- Does automated account lifecycle management cover all account types — user accounts, service accounts, machine identities, shared accounts, and break-glass accounts?
- Are there any accounts, roles, or groups managed manually outside the automated lifecycle system, and how are those exceptions tracked?
- How do you ensure account deprovisioning covers all systems — not just the primary IdP but also local accounts, API keys, SSH keys, and third-party SaaS tools?
- When a new system or application is added to the CSO, what process ensures it is integrated into automated account management before accounts are created?
Automation & Validation:
- What is the maximum time between an employee termination event in HR and automatic account disablement across all systems, and how is this SLA measured?
- What happens if the automated provisioning or deprovisioning system fails — how is the failure detected and what manual fallback applies?
- How do you validate that automated role assignments match the principle of least privilege rather than granting overly broad access by default?
- What automated access reviews detect orphaned accounts, stale group memberships, or privilege accumulation that the lifecycle system missed?
Inventory & Integration:
- What identity governance platform manages the account lifecycle, and how does it integrate with your authoritative HR source for joiner/mover/leaver events?
- How many systems and applications are integrated with automated provisioning and deprovisioning, and what percentage of total accounts does that represent?
- What tools discover accounts that exist outside the lifecycle management system (shadow IT, local accounts, direct API key creation)?
- How do role and group definitions integrate with your RBAC/ABAC model to ensure lifecycle automation enforces the correct privileges?
Continuous Evidence & Schedules:
- How do you demonstrate that account lifecycle automation has operated continuously and correctly over the past 90 days?
- Is account lifecycle data (provisioning events, deprovisioning timing, access reviews) available via API or structured logs?
- What evidence shows that accounts for all departing employees were disabled within the required timeframe?
- How frequently are automated access reviews conducted, and what evidence shows findings are remediated within defined SLAs?
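The focus areas above ask for evidence that the IdP tracks HR terminations within an SLA, that orphaned accounts are flagged, and that deprovisioning reaches downstream systems. The following reconciliation check is an added example, not code from this KSI page or from any identity platform: it assumes a hypothetical HR roster export, user objects shaped like those returned by the Okta users query in the Programmatic Queries section (profile.login, status, statusChanged), and a hypothetical downstream account list, all constructed inline.

```python
from datetime import datetime

# Constructed sample data, not real HR or IdP output. Timestamps are ISO-8601 UTC.
# Hypothetical HR export: login -> termination time (None while still employed).
HR_ROSTER = {
    "alice@example.com": None,
    "bob@example.com": "2024-03-01T09:00:00",
    "carol@example.com": "2024-03-02T17:30:00",
    "dave@example.com": "2024-03-01T09:00:00",
}
# Shaped like the Okta user objects the query above returns (constructed values).
IDP_USERS = [
    {"profile": {"login": "alice@example.com"}, "status": "ACTIVE", "statusChanged": "2023-01-01T00:00:00"},
    {"profile": {"login": "bob@example.com"}, "status": "DEPROVISIONED", "statusChanged": "2024-03-01T09:40:00"},
    {"profile": {"login": "carol@example.com"}, "status": "ACTIVE", "statusChanged": "2023-06-01T00:00:00"},
    {"profile": {"login": "dave@example.com"}, "status": "DEPROVISIONED", "statusChanged": "2024-03-01T12:00:00"},
    {"profile": {"login": "svc-backup@example.com"}, "status": "ACTIVE", "statusChanged": "2023-06-01T00:00:00"},
]
# Local accounts on a hypothetical downstream SaaS tool without SCIM; they should mirror the IdP.
DOWNSTREAM_ACCOUNTS = ["alice@example.com", "bob@example.com"]


def reconcile(hr, idp, downstream, sla_minutes=60):
    """Return (finding, login, lag_minutes) tuples; lag_minutes is None unless the finding is an SLA miss."""
    findings = []
    idp_by_login = {u["profile"]["login"]: u for u in idp}
    for login, user in idp_by_login.items():
        active = user["status"] == "ACTIVE"
        terminated = hr.get(login)  # None while employed, or absent from HR entirely
        if login not in hr and active:
            # Active in the IdP with no HR owner: orphaned, or a service account needing a tracked exception.
            findings.append(("no_hr_owner", login, None))
        elif terminated and active:
            # HR recorded a termination but the IdP account is still enabled: the lifecycle automation missed it.
            findings.append(("active_after_termination", login, None))
        elif terminated:
            # Disabled, but measure how long after the HR termination event the IdP acted.
            lag = datetime.fromisoformat(user["statusChanged"]) - datetime.fromisoformat(terminated)
            lag_minutes = int(lag.total_seconds() // 60)
            if lag_minutes > sla_minutes:
                findings.append(("sla_missed", login, lag_minutes))
    for login in downstream:
        user = idp_by_login.get(login)
        if user is None or user["status"] != "ACTIVE":
            # Downstream account outlived its IdP identity: deprovisioning did not reach every system.
            findings.append(("downstream_not_deprovisioned", login, None))
    return findings


for kind, login, lag in reconcile(HR_ROSTER, IDP_USERS, DOWNSTREAM_ACCOUNTS):
    print(f"{kind:30} {login}" + (f"  lag={lag} min" if lag is not None else ""))
```

Run on a schedule, the findings list (or its emptiness) is the kind of structured, API-sourced evidence the Continuous Evidence questions ask for.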