Access control model
An access control model is a structured framework within Identity & Access Management (IAM) that governs how subjects—such as users, applications, or processes—are authorized or denied interaction with objects like data, systems, or network resources. This foundational security control establishes policies and mechanisms for enforcing permissions, ensuring that only authenticated and authorized entities can perform specific actions based on factors such as organizational roles, assigned attributes, or clearance levels.
By systematically defining who can access what and under what conditions, access control models are essential for implementing core security principles including least privilege and separation of duties. Common implementations include Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Mandatory Access Control (MAC). An effective model minimizes vulnerabilities, enhances data confidentiality, integrity, and availability, streamlines compliance efforts, and maintains a consistent security posture across an organization's digital infrastructure.
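The three models named above can return different verdicts for the same request, which the following sketch makes concrete. It is an added example, not part of the original page: the roles, attributes, labels and the ABAC rule are hypothetical, and the MAC check assumes a Bell-LaPadula-style policy (no read up, no write down), which the page does not specify.

```python
from dataclasses import dataclass

# Constructed sample data: every role, attribute and label is hypothetical.
LEVELS = {"public": 0, "confidential": 1, "secret": 2}
ROLE_PERMS = {  # RBAC: permissions attach to roles, never directly to users
    "hr_analyst": {("payroll", "read")},
    "hr_manager": {("payroll", "read"), ("payroll", "write")},
}

@dataclass
class Subject:
    roles: set
    attrs: dict
    clearance: str

@dataclass
class Resource:
    attrs: dict
    label: str

def rbac_allows(s, action, r):
    """Allow if any role held by the subject grants (object type, action)."""
    return any((r.attrs["type"], action) in ROLE_PERMS.get(role, set())
               for role in s.roles)

def abac_allows(s, action, r, env):
    """Allow if subject, object and environment attributes satisfy one rule."""
    return (action in {"read", "write"}
            and s.attrs.get("department") == r.attrs.get("owner_department")
            and env.get("managed_device") is True)

def mac_allows(s, action, r):
    """Label check set by the system, not the owner: no read up, no write down."""
    s_lvl, r_lvl = LEVELS[s.clearance], LEVELS[r.label]
    if action == "read":
        return s_lvl >= r_lvl
    if action == "write":
        return s_lvl <= r_lvl
    return False  # unknown actions are denied by default

def decide(s, action, r, env):
    """Return each model's verdict for the same request."""
    return {"rbac": rbac_allows(s, action, r),
            "abac": abac_allows(s, action, r, env),
            "mac": mac_allows(s, action, r)}

alice = Subject({"hr_analyst"}, {"department": "HR"}, "confidential")
payroll = Resource({"type": "payroll", "owner_department": "HR"}, "secret")

if __name__ == "__main__":
    for action in ("read", "write"):
        print(action, decide(alice, action, payroll, {"managed_device": True}))
```

The analyst's read passes the role and attribute checks but fails the label check, while the write fails only the role check. Layering the models and requiring every verdict to be true gives a deny-by-default decision.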