Identity compliance requirements: reference guide (last updated August 2025)


Auditing and logging

Identity-related audit requirements ensure that organizations record access activity and can detect unauthorized access. This includes maintaining logs of events, monitoring and alerting on unusual activity, and regularly reporting on access usage and conformance with the organization's access management processes.

Types and content of logs

Authentication logs

Authentication logs record user authentication events, that is, the verification of a user's identity, covering both successful and failed login attempts. These logs typically include:

  • Username or identifier
  • Timestamp
  • Source IP address/location
  • Target system or application
  • Authentication method used
  • Success/failure
  • Session identifier

Access usage logs

Access usage logs record user activities within a system after authentication, that is, what a user actually accesses within a system. These logs typically include:

  • Username or identifier
  • Timestamp
  • Target resource
  • Action performed or permission used
  • Success/failure
  • Session identifier

Access change logs

Access change logs document modifications to permissions or access rights: an audit record of who changed access, to what, where and when. These logs typically include:

  • Username or identifier for the person or system taking the action
  • Timestamp
  • Target user, group, system, application, or resource
  • Action performed
  • Roles or permissions changed
  • Business justification
  • Username or identifier for the approver of the action, if required
  • Previous and new values

Privileged activity logs

Privileged activity logs record actions performed as part of a privileged or elevated access session. These logs typically include:

  • Username or identifier for the privileged account
  • Timestamp
  • Target resource
  • Action performed, permission used, or command executed
  • Success/failure
  • Authorization or justification used
  • Changes made
  • Session identifier

Log management

Identity-related audit logs should be stored in case they need to be referenced as part of an investigation. These logs should be handled in line with how an organization handles its other security logs.

Common compliance requirements

  • Minimum retention periods
  • Log format
  • Log aggregation, i.e. capturing, normalizing, and consolidating logs from multiple systems
  • Consistent timestamp formatting so that events can be joined across systems
  • Restrictions on access to logs
  • Log backup and recovery procedures
  • Log integrity verification
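One way to meet the log integrity requirement is to chain an HMAC tag through each record so that editing, deleting or reordering any entry is detectable. This is an added illustration, not code from the guide; the records, field names and key are constructed sample values.

```python
import hmac, hashlib, json

# Constructed sample authentication log records (not real data), using the
# fields listed above: user, timestamp, source IP, target, method, outcome, session.
RECORDS = [
    {"user": "alice", "ts": "2025-08-01T08:00:00Z", "src_ip": "203.0.113.10",
     "target": "sso", "method": "password+otp", "result": "success", "session": "s-1001"},
    {"user": "bob", "ts": "2025-08-01T08:00:05Z", "src_ip": "198.51.100.7",
     "target": "vpn", "method": "password", "result": "failure", "session": "s-1002"},
    {"user": "alice", "ts": "2025-08-01T08:01:00Z", "src_ip": "203.0.113.10",
     "target": "hr-app", "method": "sso", "result": "success", "session": "s-1001"},
]

KEY = b"constructed-demo-key-not-a-real-secret"  # placeholder; a real key lives in a KMS/HSM
GENESIS = b"\x00" * 32  # fixed starting link for the first record

def canonical(record):
    # Stable serialization so the same record always produces the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def chain(records, key):
    """Attach an HMAC tag to each record covering the record AND the previous tag.
    Because every tag depends on its predecessor, altering, dropping or reordering
    an earlier entry invalidates every entry after it."""
    prev, out = GENESIS, []
    for rec in records:
        tag = hmac.new(key, prev + canonical(rec), hashlib.sha256).hexdigest()
        out.append({"record": dict(rec), "tag": tag})
        prev = bytes.fromhex(tag)
    return out

def verify(entries, key):
    """Return (True, None) if the chain is intact, otherwise (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        expected = hmac.new(key, prev + canonical(entry["record"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev = bytes.fromhex(entry["tag"])
    return True, None

if __name__ == "__main__":
    signed = chain(RECORDS, KEY)
    print(verify(signed, KEY))                 # (True, None)
    signed[1]["record"]["result"] = "success"  # simulate an after-the-fact edit
    print(verify(signed, KEY))                 # (False, 1)
```

Periodically re-running `verify` over stored entries (ideally from a host that only has read access to the logs) turns the integrity requirement into a checkable control rather than a policy statement.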

Real-time monitoring

Continuously monitoring identity-related logs helps detect suspicious activities in an environment in real time. Logs from multiple systems are often centralized in a Security Information and Event Management (SIEM) system for monitoring.

Common compliance requirements

  • Monitoring identity infrastructure, including single sign-on and identity directory
  • Monitoring of privileged access sessions
  • Log format
  • Log aggregation, i.e. capturing, normalizing, and consolidating logs from multiple systems
  • Consistent timestamp formatting so that events can be joined across systems
  • Restrictions on access to logs
  • Detection of suspicious patterns, e.g., "impossible travel" scenarios in which a user authenticates or performs actions minutes apart from different parts of the world
  • Detection of unusual activity, i.e. behavioral analysis
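The "impossible travel" pattern above can be expressed as a simple rule over the authentication log fields listed earlier: for consecutive successful logins by the same user from different source addresses, compute the great-circle distance and the implied speed, and alert when the speed is physically implausible. This is an added example, not code from the guide; the events, coordinates and the 900 km/h threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

@dataclass
class AuthEvent:
    user: str
    ts: datetime
    src_ip: str
    lat: float      # geolocation of the source IP (constructed values)
    lon: float
    target: str
    result: str     # "success" or "failure"
    session: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=900.0):
    """Flag consecutive successful logins by one user whose implied speed exceeds
    max_kmh (hypothetical threshold, roughly airliner speed). Returns alert dicts."""
    alerts, last_success = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.result != "success":
            continue  # failed attempts feed a separate alert (failed-authentication bursts)
        prev = last_success.get(ev.user)
        if prev is not None and prev.src_ip != ev.src_ip:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_kmh:
                alerts.append({"user": ev.user, "from": prev.src_ip, "to": ev.src_ip,
                               "km": round(km), "minutes": round(hours * 60, 1),
                               "sessions": (prev.session, ev.session)})
        last_success[ev.user] = ev
    return alerts

def T(s):  # parse the ISO-8601 timestamps used in the sample records
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

# Constructed sample events: alice appears in London and then Sydney 12 minutes later;
# bob moves New York -> Boston over 90 minutes; carol's event is a failure and is ignored.
EVENTS = [
    AuthEvent("alice", T("2025-08-01T08:00:00Z"), "203.0.113.10", 51.5, -0.1, "sso", "success", "s-1"),
    AuthEvent("alice", T("2025-08-01T08:12:00Z"), "198.51.100.7", -33.9, 151.2, "sso", "success", "s-2"),
    AuthEvent("bob", T("2025-08-01T08:00:00Z"), "192.0.2.5", 40.7, -74.0, "vpn", "success", "s-3"),
    AuthEvent("bob", T("2025-08-01T09:30:00Z"), "192.0.2.99", 42.4, -71.1, "vpn", "success", "s-4"),
    AuthEvent("carol", T("2025-08-01T08:00:00Z"), "192.0.2.5", 40.7, -74.0, "vpn", "failure", "s-5"),
]
```

Calling `impossible_travel(EVENTS)` yields a single alert for alice; bob's 300 km in 90 minutes stays under the threshold, which is the kind of tuning the alerting section describes.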

Alerting

When unusual actions are detected through monitoring, alerting is used to notify administrators to review the issue and take action. Typical alerts include:

  • Failed authentication attempts
  • Locked out accounts
  • Unauthorized access attempts
  • Privileged access usage
  • Just-in-time access usage
  • Emergency access usage
  • Out-of-hours access
  • Anomalous access
  • Access changes, including changes to permissions or groups

Identity-related security alerts should be triaged and actioned promptly. As an organization matures, it tunes alert criteria to reduce false positives, so that over time it receives fewer, higher-signal alerts.

Common compliance requirements

  • Process for alert classification, investigation, escalation, and resolution
  • Alert classification based on severity or criticality
  • Maximum response time
  • Post-incident reviews of alert criteria

Compliance reporting

Organizations use logging and monitoring to demonstrate compliance with identity controls. This includes auditing access controls to verify they meet regulatory requirements, and confirming the organization follows its established policies. This might be done as part of an audit for a specific compliance framework.

Common compliance requirements

  • Reports of access changes
  • Reports of access usage, including privileged and/or emergency access usage
  • Reports of access review processes
  • Metrics on the effectiveness of security controls
  • Minimum retention periods
  • Minimum frequency of reports
  • Requirements for the distribution or publication of reports