CIAM Cheat Sheet 2026

The 30 highest-yield CIAM facts, distilled from real exam questions. Print it, save it as a PDF, or study it here β€” free, no sign-up.

100 questions
90 min time limit
70% to pass
  1. A cloud administrator is granted temporary elevated access via an automated workflow that expires after 4 hours. This is an example of: β†’ Just-in-time (JIT) privileged access
  2. Which component of a PAM architecture acts as a proxy to enforce session control and policy without exposing target system credentials to end users? β†’ Privileged access gateway
  3. What is the primary purpose of IAM audit logs? β†’ Providing a record of who accessed what resources and when for security and compliance
  4. Which best practice addresses the risk of an administrator using a single account for both privileged and non-privileged tasks? β†’ Requiring separate admin and standard user accounts
  5. Which of the following is a security advantage of using OAuth 2.0 Authorization Code flow with PKCE over the Implicit flow for single-page applications? β†’ PKCE prevents authorization code interception attacks without requiring a client secret
  6. According to GDPR and privacy-by-design principles, which IAM practice directly supports the 'data minimization' principle? β†’ Provisioning only the attributes required for a specific transaction
  7. A 'ghost account' in IAM governance terminology refers to: β†’ An active account belonging to a user who no longer exists in the HR system
  8. Which authorization model assigns permissions based on a user's job function within an organization? β†’ Role-Based Access Control (RBAC)
  9. Which process ensures that users only retain access rights that are still required for their current job function? β†’ Access certification
  10. Which IAM governance activity should an organization perform quarterly to ensure privileged access remains appropriate? β†’ Access certification (recertification) campaign
  11. Which token format is most commonly used in modern OAuth 2.0 and OpenID Connect implementations? β†’ JSON Web Token (JWT)
  12. Which regulation most directly mandates timely access revocation as part of identity lifecycle controls for US healthcare organizations? β†’ HIPAA Security Rule
  13. Which OWASP category directly addresses broken or misconfigured access control mechanisms in web-based CIAM applications? β†’ Broken Access Control
  14. In identity lifecycle management, what is a 'role explosion' risk? β†’ An unmanageable proliferation of fine-grained roles that increases complexity
  15. What is PKCE (Proof Key for Code Exchange) designed to prevent in OAuth 2.0 public clients? β†’ Authorization code interception attacks
  16. A service account has been granted local administrator rights on 500 servers with the same password. Which PAM risk does this represent? β†’ Lateral movement risk
  17. What is the CIA triad in information security? β†’ Confidentiality, Integrity, Availability
  18. Which of the following best describes a 'possession factor' in multi-factor authentication? β†’ Something the user has, like a hardware token
  19. What is the purpose of the 'entryTTL' operational attribute in an LDAP directory? β†’ Specifies the remaining time-to-live for a dynamically created directory entry
  20. What is the CIA triad in information security? β†’ Confidentiality, Integrity, Availability
  21. Which standard protocol is commonly used for automated provisioning and deprovisioning of identities across cloud services? β†’ SCIM 2.0
  22. What LDAP control (OID 1.2.840.113556.1.4.319) enables a client to page through large search result sets? β†’ Simple Paged Results control
  23. Which standard protocol enables a client to obtain user identity information from an authorization server using a RESTful API after obtaining an access token? β†’ OpenID Connect (OIDC)
  24. Which access control model is considered the most flexible but also the most administratively complex due to policy rule management? β†’ ABAC
  25. What is 'role mining' used for in identity lifecycle management? β†’ Analyzing existing access patterns to discover and define roles
  26. What is the PRIMARY risk of allowing users to self-register without any verification in a CIAM system? β†’ Account enumeration and fake account creation enabling fraud
  27. Knowledge-Based Authentication (KBA) used during identity proofing is primarily intended to: β†’ Verify that a claimant has knowledge of information associated with their identity
  28. Which control provides assurance that access granted to a user matches what was formally approved in the provisioning request? β†’ Provisioning reconciliation
  29. Which regulation requires US federal agencies to use FIPS 201-compliant credentials for logical access to IT systems? β†’ FISMA
  30. Which control helps prevent 'ghost accounts'β€”active accounts belonging to users who have left the organization? β†’ Periodic access reconciliation against the HR system