Control Library
The AXIS Control Library
The AXIS assessment scores 37 IAM controls across 9 identity domains, from privileged access to customer identity. Each entry below shows what the control asks and what failure looks like at low maturity, plus the compliance frameworks that cite it. 9 of them are domino controls: foundational capabilities that cap an organization's overall maturity score when they are weak, because everything downstream depends on them.
IGA
Identity Governance & Administration (IGA)
- IGA-01Lifecycle Management (Joiner / Mover / Leaver)Domino
Zombie accounts and access creep. Terminated users retain access far beyond employment end dates.
- IGA-02Access Requests & Approvals
No audit trail. Access decisions cannot be justified after the fact, creating systemic compliance exposure.
- IGA-03Access Reviews & Recertification
Rubber-stamping. Reviews confirm existing access rather than challenge it, allowing access creep to persist indefinitely.
- IGA-04Role-Based Access Control (RBAC) & Access Modeling
Access entropy. Every new hire increases complexity, and toxic access combinations proliferate unnoticed.
- IGA-05Entitlement Discovery and Classification
Invisible risk from accumulated permissions. Over-provisioned access proliferates because no one knows what entitlements exist.
- IGA-06Segregation of Duties (SoD)
Fraud risk from uncontrolled transaction combinations. Audit failures become recurring cost and reputational burden.
PAM
Privileged Access Management (PAM)
- PAM-01Admin Credential ProtectionDomino
A single compromised admin workstation or credential leak becomes full environment compromise with limited ability to investigate.
- PAM-02Secrets Management (Non-Human & Application Credentials)Domino
Credential leakage through source code exposure or insider error. Secrets cannot be rotated quickly during an incident, leading to prolonged compromise.
- PAM-03Endpoint Privilege & Local Admin Control
Any malware executed by a user immediately gains system-level persistence, credential access, and lateral movement capability.
- PAM-04Just-In-Time (JIT) Cloud & Infrastructure Access
Any stolen credential immediately grants unrestricted production access.
- PAM-05Session Management and Recording
No accountability for privileged actions. Incidents cannot be investigated, and insider threats are undetectable.
Auth/SSO
Workforce Authentication & Access
- AUTH-01Adaptive MFADomino
Attackers choose the weakest entry point. MFA becomes irrelevant due to gaps and inconsistent enforcement.
- AUTH-02Single Sign-On (SSO) Coverage & Enforcement
Credential reuse and phishing attacks spread laterally across applications. Compromise of one low-value app enables access escalation.
- AUTH-03Device Trust & Zero Trust Enforcement
Malware on personal or compromised devices hijacks authenticated sessions. Data exfiltration occurs without triggering identity controls.
- AUTH-04Phishing-Resistant MFA & Session Integrity
Single-factor credential compromise leads directly to account takeover and lateral movement.
- AUTH-05Account Recovery & Identity Verification Resistance
Helpdesk social engineering. An attacker with LinkedIn-level knowledge of an employee gets credentials reset and MFA re-enrolled onto their own device, bypassing every downstream control.
Cloud
Cloud & SaaS IAM
- CLOUD-01Multi-Cloud Permission Management (CIEM)Domino
Over-privilege + leaked keys leads to full cloud compromise. You won’t know what’s exposed until after the incident.
- CLOUD-02Non-Human Identity (NHI) Governance
Credential leakage leads to silent, persistent access. Breaches go undetected because activity appears 'legitimate.'
- CLOUD-03SaaS Application Discovery & Shadow IT Control
Sensitive data enters unmanaged SaaS with no identity controls, logging, or contractual safeguards.
- CLOUD-04Infrastructure-as-Code (IaC) IAM Guardrails & Drift Control
Over-privileged roles proliferate. Risky wildcard permissions enter production unnoticed and persist indefinitely.
- CLOUD-05AI Agent Identity Governance
Invisible autonomous access. AI agents operate with inherited permissions that are never reviewed, creating a growing shadow attack surface that traditional IAM tools cannot see.
Security
Identity Security & Posture
- SEC-01Identity Threat Detection & Response (ITDR)Domino
MTTD measured in weeks. Attackers establish persistence and move laterally before detection.
- SEC-02Identity Resilience & Disaster Recovery
Total business paralysis during IdP outage. Users cannot authenticate, admins cannot respond, and recovery actions are blocked.
- SEC-03User Behavioral Analytics (UBA)
Attackers operate undetected using valid credentials. Lateral movement and data access continue until damage is discovered externally.
- SEC-04Data Security Posture & Identity-to-Data Risk Mapping (DSPM)
Breach impact is unknowable. Incident response defaults to worst-case disclosure and over-reporting.
- SEC-05Identity Posture & Attack-Surface Management (ISPM)
Attackers enumerate what defenders never look at: stale accounts, legacy auth endpoints, and misconfigured trust relationships persist for years.
Governance
Operating Model & Governance
- GOV-01Identity Data OwnershipDomino
No accountability. Access is granted because someone asked, not because it is justified. Audits fail by default.
- GOV-02IAM Metrics, Risk & Executive Visibility
Leadership has no visibility into identity risk accumulation. Budget decisions are made blindly until a breach or audit failure forces action.
- GOV-03IAM Policy Definition, Enforcement & Drift Control
Inconsistent enforcement and total audit fragility. Every exception becomes a precedent that expands risk.
- GOV-04IAM Operating Model and Skills
Fragmentation and inconsistent decisions. IAM priorities are overridden by operational urgency, and no one owns the outcome.
CIAM
Customer Identity (CIAM)
- CIAM-01Registration & OnboardingDomino
Unknown abandonment. Security controls are irrelevant because users drop before identity is established.
- CIAM-02Consent & Privacy ManagementDomino
You cannot prove lawful basis for processing. Any complaint becomes a high-cost legal scramble.
- CIAM-03Performance, Reliability & Scale
Authentication outages during promotions or traffic spikes. Login queues and timeouts cause silent revenue loss.
- CIAM-04B2B Delegated Administration & Partner Identity
High operational cost, slow onboarding, and frequent access errors. Support becomes a bottleneck for revenue.
- CIAM-05Customer Onboarding, Identity Proofing & KYC
Bot-driven account creation, synthetic identities, and polluted customer data. Marketing, analytics, and risk teams operate on fiction.
CIAM × PAM
Customer Identity × Privileged Access Management
The Domino Concept
Why Some Controls Cap Your Score
A program with excellent access reviews but unmanaged admin credentials has a mature audit trail around an open door. The AXIS model encodes this: the weakest domino control caps the overall score, and the cap only lifts once that control reaches solid ground. The exact cap schedule is part of the scoring model. Averages hide weak foundations. The cap does not.
Score Your Program Against All 37 Controls
These pages show the teaser layer. The assessment itself walks you through the full rubric behind every control, applies the domino cap, and benchmarks the result against your industry. No signup required to start.