IAM-002 Identity Inventory and Unique Identifiers
Description
An inventory of all identities — human users, service accounts, and non-human identities — is maintained. Every identity is assigned a unique identifier. Shared or generic accounts are prohibited except where documented and justified.
Rationale
Non-unique identifiers make it impossible to attribute actions to individuals and undermine audit trail integrity. An up-to-date identity inventory is the prerequisite for access reviews and offboarding.
Framework Mappings (5)
| Control ID | Control Name | Coverage |
| --- | --- | --- |
| IAM-03 | Identity Inventory | full |
| IAM-12 | Unique Identities | full |
| 5.16 | Identity management | full |
| IA-2 | Identification and Authentication (Organizational Users) | partial |
| IA-4 | Identifier Management | full |
Evidence (2)
Identity inventory export from the IdP or privileged access management tool listing all human, service, and non-human accounts with their unique identifiers.
Example: Okta, Azure AD, or AWS IAM user/service-account export (CSV or API JSON) showing every identity with a distinct username or principal identifier, account type, and status.
Test: Query the IdP API (e.g. Okta GET /api/v1/users, Azure AD GET /users, AWS IAM list-users and list-roles). Verify: (1) no two entries share the same identifier, (2) any shared/generic accounts have a documented justification record, (3) the total count matches HR or HRIS records for human accounts.
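The three verifications in the test above, run over a constructed identity export, as an added example (not part of the control text). It assumes the export has already been pulled from the IdP with the listing calls named above and flattened into the record shape shown; the field names, the sample identities, the exception register and the HRIS headcount are all constructed here.

```python
"""Added example: checks (1) identifier uniqueness, (2) justification for
shared/generic accounts and (3) human headcount against HRIS, over a
normalised identity export. Field names and data are assumptions."""
from collections import Counter

# Constructed sample export, i.e. what a flattened IdP dump might look like.
# "type" is one of human / service / non-human / shared (assumed vocabulary).
INVENTORY = [
    {"id": "alice@example.com", "type": "human", "status": "active"},
    {"id": "bob@example.com", "type": "human", "status": "active"},
    {"id": "bob@example.com", "type": "human", "status": "active"},   # duplicate row
    {"id": "svc-backup", "type": "service", "status": "active"},
    {"id": "ops-shared", "type": "shared", "status": "active"},        # justified below
    {"id": "noc-console", "type": "shared", "status": "active"},       # no exception record
    {"id": "arn:aws:iam::123456789012:role/deploy", "type": "non-human", "status": "active"},
]

# Constructed exception register: each permitted shared account needs an
# approval record naming a business justification and an accountable owner.
EXCEPTIONS = {
    "ops-shared": {
        "justification": "break-glass console for the on-call rotation",
        "approved_by": "head of platform",
        "owner": "carol@example.com",
    },
}

HR_ACTIVE_HEADCOUNT = 2  # constructed HRIS figure for active employees


def duplicate_identifiers(inventory):
    """Check 1: identifiers that appear more than once in the export."""
    counts = Counter(entry["id"] for entry in inventory)
    return sorted(ident for ident, n in counts.items() if n > 1)


def unjustified_shared_accounts(inventory, exceptions):
    """Check 2: active shared accounts with no complete approval record.
    A record counts as complete only if it names a justification and an owner."""
    findings = []
    for entry in inventory:
        if entry["type"] != "shared" or entry["status"] != "active":
            continue
        record = exceptions.get(entry["id"])
        if not record or not record.get("justification") or not record.get("owner"):
            findings.append(entry["id"])
    return sorted(findings)


def human_count_matches_hr(inventory, hr_headcount):
    """Check 3: distinct active human identities versus the HRIS headcount.
    Deduplicating by identifier stops a duplicate row from inflating the count."""
    humans = {
        entry["id"]
        for entry in inventory
        if entry["type"] == "human" and entry["status"] == "active"
    }
    return len(humans), len(humans) == hr_headcount


def run_checks(inventory=INVENTORY, exceptions=EXCEPTIONS, hr_headcount=HR_ACTIVE_HEADCOUNT):
    """Collect all findings; an empty 'duplicates' and 'unjustified_shared'
    plus a True 'headcount_ok' means the control passes for this export."""
    count, ok = human_count_matches_hr(inventory, hr_headcount)
    return {
        "duplicates": duplicate_identifiers(inventory),
        "unjustified_shared": unjustified_shared_accounts(inventory, exceptions),
        "human_count": count,
        "headcount_ok": ok,
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

On the sample data the run reports `bob@example.com` as a duplicate identifier and `noc-console` as a shared account with no approval record, while the deduplicated human count (2) reconciles with the HRIS figure. Against a real export the duplicate check is the one most worth keeping strict: a case-only or whitespace difference between two identifiers should be normalised before counting, otherwise two rows for the same person slip through as distinct.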
Policy or standard prohibiting shared and generic accounts, with defined exceptions and a documented approval process for any permitted exceptions.
Example: Identity Management Policy or Access Control Standard document containing a clause explicitly prohibiting shared credentials, specifying that any exception requires documented approval with a named business justification.
Test: Request the identity management policy or equivalent standard. Verify: (1) the document explicitly prohibits shared or generic accounts, (2) an exception process is defined with approval requirements, (3) any in-scope exceptions are backed by a completed approval record.
Questions (2)
Is a centralised inventory of all identities — including human users, service accounts, and other non-human identities — maintained?
The inventory should be sourced from the IdP or IAM platform (e.g. Okta, Azure AD, AWS IAM), not maintained only in a spreadsheet. It must include both human and non-human identities.
Are shared or generic accounts in use in any of your production systems?
Shared accounts undermine audit trail integrity. Any active shared accounts must have a documented justification and a named individual accountable for activity on that account.