IAM Governance
PAM
IAM Basics
LCM
100

An employee argues, “I once had access to this folder in 2019, so legally, I should still have it.” 

Question:
What’s the governance response?
A) Revoke access and cite policy
B) Hire a cybersecurity lawyer
C) Create a folder called “Access History”
D) Let them debate with the firewall 

A) Revoke access and cite policy

100

The “Weekend Warrior” 

Scenario:
An admin logs in every Saturday night, runs scripts, and logs out before anyone notices. No one knows what the scripts do. 

Question:
What’s the PAM concern?
A) No session recording
B) Admin is moonlighting as a hacker
C) Scripts are secretly ordering pizza
D) Admin is training AI to take over 

A) No session recording

100

What does IAM stand for?
A) I Am Marvelous
B) Identity and Access Management
C) Instant Access Machine
D) I Ate Maggi

B) Identity and Access Management

100

Onboarding Scenario

Jack joins the company as Manager - IAM. What is the first step in his identity lifecycle?

A) Assigning access to applications

B) Creating his digital identity in the IAM system

C) Granting admin privileges

D) Auditing his activities

B) Creating his digital identity in the IAM system

200
The “I Forgot My Role” Request

Scenario:
A user says, “I don’t remember what my role is, but I need access to everything I had last year.” 

Question:
How do you respond?
A) “Let’s go back in time!”
B) Ask for current role and responsibilities
C) Reassign last year’s access blindly
D) Give them access to the time machine 

B) Ask for current role and responsibilities

200
The Magical Admin Account

Scenario:
An admin account named “Gandalf_TheRoot” has access to everything, including HR, Finance, and even the cafeteria menu system. 

Question:
What’s the best way to manage this account?
A) Let Gandalf keep the power—he’s wise
B) Rotate its password every 5 years
C) Implement PAM and session monitoring
D) Rename it to “Sauron” for better intimidation 

C) Implement PAM and session monitoring

200

What does IAM primarily manage? 

A) Who can access what
B) Who can access when
C) Who can access where
D) Who can access why 

A) Who can access what

200

 Role Change Scenario

X is promoted to Manager. What should happen in the IAM system?

A) Her old access should remain unchanged

B) Her identity should be deleted

C) Her access should be updated based on the new role

D) She should manually request all new access

C) Her access should be updated based on the new role

300

IAM Governance – The “Creative Access Justification” 

Scenario:
An employee writes a poem to justify access:
"Roses are red, access is due,
Give me the rights, or I’ll feel blue." 

Question:
What’s the governance response?
A) Appreciate the poem, deny the access
B) Approve if it rhymes well
C) Send it to HR for emotional review
D) Publish it in the access policy 

A) Appreciate the poem, deny the access

300
The Vampire Account That Never Dies

Scenario:
An ex-employee’s account is still active and has access to sensitive systems. It’s been 6 months since they left, but the account is still lurking. 

Question:
What is this an example of?
A) Zombie access
B) Ghost in the machine
C) Poor offboarding process
D) All of the above 

D) All of the above

300

What is the principle of Least Privilege? 

A) Giving users the least amount of work
B) Giving users the least amount of access
C) Giving users the least amount of coffee
D) Giving users the least amount of attention 

B) Giving users the least amount of access

300

 Offboarding Scenario

❌🧑‍💻

An employee resigns. What is the most critical IAM action?

A) Send a farewell email

B) Revoke all access immediately

C) Archive their emails

D) Change their password

 B) Revoke all access immediately

400
The “Birthday Access Request”

Scenario:
An employee sends a ticket: “It’s my birthday today. Can I get access to the VIP folder as a gift?” 

Question:
What’s the IAM response?
A) Deny and send cake instead
B) Approve with a birthday discount
C) Grant access for 24 hours only
D) Ask them to blow out the access request 

A) Deny and send cake instead

400
The Juice Shop Login

Scenario:
Your colleague uses the same password for the company portal and his favorite juice shop website: “MangoLover@123”. 

Question:
What’s the risk here?
A) He might get hacked through the juice shop
B) His mango obsession is unhealthy
C) Password reuse across platforms is dangerous
D) All of the above 

D) All of the above

400

What’s good IAM practice? 

A) Role-based access control
B) Roll-based access control
C) Ruler-based access control
D) Rock-based access control 

A) Role-based access control

400

 Access Review Scenario

👀📊

During a quarterly audit, it’s found that a user has access to an app they no longer use. What should be done?

A) Ignore it

B) Reassign the access to someone else

C) Remove the unnecessary access

D) Notify the user to use the app

C) Remove the unnecessary access

500
The Bob Case of Raj from Finance

Bob from Finance keeps requesting access to HR systems “just to check salary trends.” What should you do?
A) Approve it because Bob is curious
B) Deny and report the request
C) Ask Bob to mind his own business
D) Give access but only on weekends 

B) Deny and report the request

500
The Genie Access Request

Scenario:
A user raises a ticket: “I want access to everything. Just in case I need it someday.” 

Question:
What should you do?
A) Grant access and call them “The Chosen One”
B) Ask them to submit a business justification
C) Deny and educate them on least privilege
D) Send them a meme about access greed 

C) Deny and educate them on least privilege

500

What’s an Access Review? 

A) A movie review about access
B) A periodic check of who has access
C) A periodic check of who wants access
D) A periodic check of who dreams of access 

B) A periodic check of who has access

500

Provisioning Scenario

⚙️📲

A new intern joins for a 3-month project. What is the best practice for provisioning?

A) Give full access to all systems

B) Provision access manually

C) Use automated provisioning with time-bound access

D) Skip provisioning since it’s temporary

 C) Use automated provisioning with time-bound access
