Own the identity lifecycle from joiner to leaver, cleanly.
IAM Analysts run the identity plane: SSO, MFA, conditional access, PAM, and the joiner/mover/leaver process. Done well, you're invisible. Done poorly, you're the reason a leaver still has prod access three months later.
Tools in scope
Enterprise
Heavy on JML processes, SoD, audit evidence.
SaaS platform
More SCIM, OIDC, and customer-facing IAM (CIAM) questions.
// Sample question
A leaver was off-boarded but their refresh token kept their Slack and Google sessions alive for days. What broke and how do you fix it?
Off-boarding only revoked the upstream IdP session, not downstream OIDC refresh tokens. Fix: enforce SSO-backed session revocation via SCIM deprovisioning, set short refresh-token lifetimes, and require re-auth for any session older than the leaver event. Add a check to the leaver runbook for every SaaS in scope.
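The runbook check described in the answer, sketched as an added example (not part of the original page). The users, apps, timestamps, the 12-hour lifetime policy and the `audit_leavers` helper are all constructed assumptions; in practice the session and deprovisioning data would come from each SaaS provider's admin export.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
MAX_REFRESH_TTL = timedelta(hours=12)  # assumed policy value, not from the page

# Constructed sample data (hypothetical users, apps and timestamps).
LEAVERS = {"jdoe": datetime(2024, 5, 1, 17, 0, tzinfo=UTC)}  # user -> leaver event
APPS_IN_SCOPE = ["slack", "google", "github"]
DEPROVISIONED = {("jdoe", "github")}  # apps that confirmed SCIM deprovisioning
SESSIONS = [
    {"user": "jdoe", "app": "slack", "issued": datetime(2024, 4, 28, 9, 0, tzinfo=UTC),
     "refresh_ttl": timedelta(days=30), "revoked": False},
    {"user": "jdoe", "app": "google", "issued": datetime(2024, 5, 1, 8, 0, tzinfo=UTC),
     "refresh_ttl": timedelta(hours=8), "revoked": False},
    {"user": "jdoe", "app": "github", "issued": datetime(2024, 4, 30, 9, 0, tzinfo=UTC),
     "refresh_ttl": timedelta(hours=8), "revoked": True},
    {"user": "asmith", "app": "slack", "issued": datetime(2024, 4, 20, 9, 0, tzinfo=UTC),
     "refresh_ttl": timedelta(hours=8), "revoked": False},
]

def audit_leavers(leavers, sessions, apps, deprovisioned, max_ttl=MAX_REFRESH_TTL):
    """Return sorted (user, app, finding) tuples for gaps in leaver off-boarding."""
    findings = set()
    # Runbook coverage: every in-scope SaaS must confirm deprovisioning per leaver.
    for user in leavers:
        for app in apps:
            if (user, app) not in deprovisioned:
                findings.add((user, app, "no_scim_deprovision"))
    for s in sessions:
        if s["revoked"]:
            continue
        # Long-lived refresh tokens keep a session alive after the IdP session ends.
        if s["refresh_ttl"] > max_ttl:
            findings.add((s["user"], s["app"], "refresh_ttl_over_policy"))
        # Any live session issued at or before the leaver event must be killed.
        left_at = leavers.get(s["user"])
        if left_at is not None and s["issued"] <= left_at:
            findings.add((s["user"], s["app"], "session_predates_leaver_event"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_leavers(LEAVERS, SESSIONS, APPS_IN_SCOPE, DEPROVISIONED):
        print(*finding)
```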
AI-graded, role-specific, feedback on every answer. Free to start.