CIAM Study Guide 2026

Everything you need to pass the CIAM exam in one place: the exam format, every topic to study, real practice questions with explanations, flashcards, and full-length practice tests. Free, no sign-up needed.

📋 CIAM Exam Format at a Glance

100
Questions
90 min
Time Limit
70%
Passing Score

📚 CIAM Topics to Study (69)

✍️ Sample CIAM Questions & Answers

1. What is the purpose of access certification campaigns?
Periodically verifying that users retain only appropriate access rights by having managers review and approve

Access certification campaigns periodically require managers or system owners to review and confirm that each user's access rights remain appropriate for their current role.

2. Which NIST 800-63B authenticator assurance level (AAL) requires the use of a phishing-resistant, hardware-bound authenticator?
AAL3

NIST AAL3 requires a hardware-based authenticator with verifier impersonation resistance (phishing-resistant), providing the highest level of authentication assurance.

3. What is the main purpose of Role-Based Access Control (RBAC) in an IAM framework?
To control the access of individual users based on their role within the organization

Role-Based Access Control (RBAC) is a method of restricting system access based on the roles of individual users within an organization. It ensures that users are granted only the necessary permissions to perform their job functions, simplifying access management and enhancing security.

4. Which standard defines a common schema for representing user and group objects across identity systems?
SCIM 2.0

SCIM 2.0 defines a standardized schema and REST API for user and group provisioning across cloud-based systems.

5. What is 'orphan account' detection in IAM?
Identifying active accounts that remain after the associated employee has left or changed roles

Orphan account detection identifies accounts that remain enabled after the associated user has been terminated or transferred, reducing the attack surface from stale credentials.

6. A CIAM platform uses JSON Web Tokens (JWTs) for session management. Which vulnerability arises when JWT signature verification is bypassed by setting the algorithm to 'none'?
Algorithm confusion attack

The 'alg:none' algorithm confusion attack allows attackers to forge tokens by stripping signature validation entirely.

🎯 Free CIAM Practice Tests

📖 CIAM Guides & Articles

Your CIAM Study Path
1. Learn with Flashcards → 2. Drill Practice Tests → 3. Take the Full Exam Simulation