Access control is a fundamental cybersecurity mechanism that regulates who or what can view, use, or interact with resources within an information system. It serves as a critical security control designed to enforce an organization's security policies by ensuring that only authorized entities—whether users, applications, or devices—are granted appropriate levels of access to sensitive data, network services, and other digital assets. This systematic management of permissions is essential for effective risk management, helping to mitigate unauthorized access, data breaches, and system misuse by minimizing the attack surface.

The access control process typically involves three key steps: identification (claiming an identity), authentication (verifying that identity through credentials), and authorization (determining what actions or resources the authenticated entity may access based on predefined rules). Common security models include role-based access control (RBAC) and attribute-based access control (ABAC). Implementing robust access control is paramount for safeguarding the confidentiality, integrity, and availability of information while supporting compliance with regulatory requirements across an organization's digital infrastructure.