Identity & Access Management for AI MCQ 60 Tests With Answers (2026)
PerfectNotes TeamUpdated: May 2026~15 min practice 60 Questions · 3 Levels 60 Questions · 3 Levels
Identity and Access Management (IAM) for AI MCQ practice questions are critical for mastering cloud security certifications, AI governance roles, and enterprise IAM implementation. This platform provides 60 carefully curated IAM practice questions covering service accounts, OAuth 2.0, OIDC, JWTs, ephemeral credentials, Zero Trust architecture, and agentic AI authorization patterns.
These questions are organized into three progressive difficulty levels of 20 questions each: Basics (covering core IAM definitions, RBAC, SSO, MFA fundamentals), Concepts (covering OAuth 2.0, OIDC, ABAC, JWTs, ephemeral credentials, agentic AI patterns), and Advanced (covering token exchange, mTLS, SPIFFE, OPA, CARTA, and architectural patterns). Each question includes a verified, in-depth explanation.
Practice in Study Mode to reveal answers and explanations instantly, or switch to Exam Mode for timed testing that simulates real security certification conditions. The engine tracks your progress and identifies knowledge gaps across IAM fundamentals, token-based security, and Zero Trust.
Contents
- 1.Basics (20 Questions)Auth/Authz · Service accounts · MFA · RBAC · SSO · Zero Trust fundamentals
- 2.Concepts (20 Questions)OAuth 2.0 · OIDC · ABAC · JWTs · Ephemeral tokens · Agentic patterns
- 3.Advanced (20 Questions)Token exchange · mTLS · SPIFFE · OPA · CARTA · Policy engines
- 4.Conclusionsummary · next steps · study tips
- 5.Key Takeawaysquick-fire bullet recap of essential facts
- 6.Quick Review Summaryconcept · definition · key fact table
- 7.FAQcommon questions answered
Identity & Access Management for AI — Basics
1What is the fundamental difference between Authentication and Authorization in IAM?
CorrectB: Authentication verifies *who* the entity is, while Authorization determines *what* they are allowed to do
Authentication is the process of verifying identity (proving who you are), while Authorization determines the permissions and resources an authenticated entity can access (what they can do). Both are essential: authentication proves you are Alice, authorization says Alice can read file X but not delete file Y.
IncorrectB: Authentication verifies *who* the entity is, while Authorization determines *what* they are allowed to do
Authentication is the process of verifying identity (proving who you are), while Authorization determines the permissions and resources an authenticated entity can access (what they can do). Both are essential: authentication proves you are Alice, authorization says Alice can read file X but not delete file Y.
2Which principle dictates that an AI service account should only possess the minimum permissions necessary to perform its assigned task?
CorrectC: The Principle of Least Privilege
The Principle of Least Privilege is a core security tenet requiring entities to have only the minimum permissions necessary. For example, an AI data pipeline service should have read-only access to specific tables, not root access to the entire database.
IncorrectC: The Principle of Least Privilege
The Principle of Least Privilege is a core security tenet requiring entities to have only the minimum permissions necessary. For example, an AI data pipeline service should have read-only access to specific tables, not root access to the entire database.
3In the context of AI development, what is a "Service Account"?
CorrectD: A specialized, non-human identity used by an application or AI agent to interact securely with other APIs and databases
A service account is a non-human identity—essentially a digital "user" for applications. AI systems, microservices, and automated processes auth with service accounts (via tokens or keys) to access APIs and resources programmatically.
IncorrectD: A specialized, non-human identity used by an application or AI agent to interact securely with other APIs and databases
A service account is a non-human identity—essentially a digital "user" for applications. AI systems, microservices, and automated processes auth with service accounts (via tokens or keys) to access APIs and resources programmatically.
4Why is implementing Multi-Factor Authentication (MFA) critical for human data scientists accessing AI training environments?
CorrectA: It provides an additional layer of security beyond just a password, mitigating the risk of compromised credentials
MFA (e.g., password + phone-based code) requires multiple factors to prove identity. Even if a password is stolen, an attacker cannot access the system without the second factor, reducing breach risk substantially.
IncorrectA: It provides an additional layer of security beyond just a password, mitigating the risk of compromised credentials
MFA (e.g., password + phone-based code) requires multiple factors to prove identity. Even if a password is stolen, an attacker cannot access the system without the second factor, reducing breach risk substantially.
5What does "RBAC" stand for in enterprise IAM systems?
CorrectA: Role-Based Access Control
RBAC (Role-Based Access Control) assigns permissions to pre-defined roles (e.g., "Data Scientist", "QA Engineer"). Users are assigned roles, and roles carry bundles of permissions.
IncorrectA: Role-Based Access Control
RBAC (Role-Based Access Control) assigns permissions to pre-defined roles (e.g., "Data Scientist", "QA Engineer"). Users are assigned roles, and roles carry bundles of permissions.
6Under the RBAC model, how are permissions typically assigned to an AI developer?
CorrectC: The developer is assigned a specific Role (e.g., "Data Scientist"), and that Role has predefined permissions attached to it
In RBAC, permissions are bundled into roles. A developer is assigned a role, inheriting all permissions associated with that role. This simplifies management: changing the role definition automatically updates all users with that role.
IncorrectC: The developer is assigned a specific Role (e.g., "Data Scientist"), and that Role has predefined permissions attached to it
In RBAC, permissions are bundled into roles. A developer is assigned a role, inheriting all permissions associated with that role. This simplifies management: changing the role definition automatically updates all users with that role.
7What is a "Token" in modern API-based AI interactions?
CorrectB: A digital string of characters passed in an API header that cryptographically proves the identity and authorization of the caller
A token is a short-lived credential (e.g., JWT, OAuth token) that an authenticated entity presents to prove its identity to an API. Tokens typically expire, requiring refresh or re-authentication.
IncorrectB: A digital string of characters passed in an API header that cryptographically proves the identity and authorization of the caller
A token is a short-lived credential (e.g., JWT, OAuth token) that an authenticated entity presents to prove its identity to an API. Tokens typically expire, requiring refresh or re-authentication.
8Which IAM risk is created when an AI developer hardcodes an API key directly into their Python script?
CorrectD: If the script is uploaded to a public repository (like GitHub), anyone can steal the key and impersonate the developer's AI service
Hardcoding secrets into code is a critical vulnerability. If the code is committed to a public repo, attackers can scrape the key and use it to access the AI API maliciously. Secrets should be stored in secure vaults.
IncorrectD: If the script is uploaded to a public repository (like GitHub), anyone can steal the key and impersonate the developer's AI service
Hardcoding secrets into code is a critical vulnerability. If the code is committed to a public repo, attackers can scrape the key and use it to access the AI API maliciously. Secrets should be stored in secure vaults.
9What is the primary purpose of an Identity Provider (IdP) in an enterprise AI environment?
CorrectA: To manage, authenticate, and assert the digital identities of users and AI services across various applications
An Identity Provider (e.g., Okta, Azure AD) is a centralized service that verifies user and service identities, issues tokens, and coordinates identity information across multiple applications.
IncorrectA: To manage, authenticate, and assert the digital identities of users and AI services across various applications
An Identity Provider (e.g., Okta, Azure AD) is a centralized service that verifies user and service identities, issues tokens, and coordinates identity information across multiple applications.
10What does "SSO" stand for, and why is it beneficial?
CorrectB: Single Sign-On; it allows a user to log in once and access multiple independent AI applications without re-entering credentials
SSO (Single Sign-On) enables a user to authenticate once with a central IdP and gain access to many applications without re-entering credentials. This improves usability and security by centralizing authentication.
IncorrectB: Single Sign-On; it allows a user to log in once and access multiple independent AI applications without re-entering credentials
SSO (Single Sign-On) enables a user to authenticate once with a central IdP and gain access to many applications without re-entering credentials. This improves usability and security by centralizing authentication.
11Why should AI API keys be rotated regularly?
CorrectC: To limit the window of opportunity an attacker has if a key is accidentally leaked or compromised
Key rotation limits the lifespan of any leaked key. Even if an attacker steals an old key, short rotation intervals mean the key will soon expire and become useless.
IncorrectC: To limit the window of opportunity an attacker has if a key is accidentally leaked or compromised
Key rotation limits the lifespan of any leaked key. Even if an attacker steals an old key, short rotation intervals mean the key will soon expire and become useless.
12In an IAM policy, what does an "Allow" statement specifically do?
CorrectD: It explicitly grants an identity permission to perform a specific action on a specific resource
An Allow statement grants permission. For example: "Allow user DataScientist to describe S3 buckets" explicitly permits that action. Default is Deny (deny by default, allow by exception).
IncorrectD: It explicitly grants an identity permission to perform a specific action on a specific resource
An Allow statement grants permission. For example: "Allow user DataScientist to describe S3 buckets" explicitly permits that action. Default is Deny (deny by default, allow by exception).
13What is a "Directory Service" (like Microsoft Active Directory) used for?
CorrectA: Storing and organizing information about network resources, users, groups, and devices to facilitate IAM decisions
A directory service (e.g., Active Directory, LDAP) is a centralized database of users, groups, devices, and their attributes. IAM systems query it to determine access rights.
IncorrectA: Storing and organizing information about network resources, users, groups, and devices to facilitate IAM decisions
A directory service (e.g., Active Directory, LDAP) is a centralized database of users, groups, devices, and their attributes. IAM systems query it to determine access rights.
14What is the main danger of "Privilege Creep" regarding AI developers?
CorrectB: Developers accumulating excess permissions over time as they change roles, violating the principle of least privilege
Privilege creep occurs when developers accumulate permissions over time—they get "dev" rights, then "QA" rights, then "ops" rights, but old permissions are never removed. Regular audits prevent this.
IncorrectB: Developers accumulating excess permissions over time as they change roles, violating the principle of least privilege
Privilege creep occurs when developers accumulate permissions over time—they get "dev" rights, then "QA" rights, then "ops" rights, but old permissions are never removed. Regular audits prevent this.
15How does IAM intersect with data privacy when training an AI model?
CorrectC: IAM ensures that only authorized data scientists or specific service accounts can access datasets containing sensitive Personally Identifiable Information (PII)
IAM controls *who* can access sensitive data. By restricting access to PII to authorized users/services, IAM reduces privacy breach risk. Complementary techniques like encryption and anonymization add deeper protection.
IncorrectC: IAM ensures that only authorized data scientists or specific service accounts can access datasets containing sensitive Personally Identifiable Information (PII)
IAM controls *who* can access sensitive data. By restricting access to PII to authorized users/services, IAM reduces privacy breach risk. Complementary techniques like encryption and anonymization add deeper protection.
16What is "Federated Identity"?
CorrectD: An agreement between multiple organizations that allows a user from one enterprise to use their home credentials to access an AI system in another enterprise
Federated identity allows a user's identity and credentials from one organization (the IdP) to be trusted by another organization (the service provider). Example: using your Google account to log into a SaaS tool.
IncorrectD: An agreement between multiple organizations that allows a user from one enterprise to use their home credentials to access an AI system in another enterprise
Federated identity allows a user's identity and credentials from one organization (the IdP) to be trusted by another organization (the service provider). Example: using your Google account to log into a SaaS tool.
17If an AI system needs to read data from an Amazon S3 bucket, which IAM entity should be assigned to the system?
CorrectB: A dedicated IAM Role or Service Account specifically configured for that AI system
The AI system should use a dedicated IAM Role or service account with only read access to that specific S3 bucket. This follows least privilege and creates an audit trail specific to that service.
IncorrectB: A dedicated IAM Role or Service Account specifically configured for that AI system
The AI system should use a dedicated IAM Role or service account with only read access to that specific S3 bucket. This follows least privilege and creates an audit trail specific to that service.
18What is the purpose of an "Audit Log" in an IAM system managing AI resources?
CorrectA: To record exactly which identity accessed which AI resource, what action they took, and when, for security and compliance reviews
Audit logs provide an immutable record of who did what and when. Essential for forensics, compliance audits, and detecting unauthorized access.
IncorrectA: To record exactly which identity accessed which AI resource, what action they took, and when, for security and compliance reviews
Audit logs provide an immutable record of who did what and when. Essential for forensics, compliance audits, and detecting unauthorized access.
19Which of the following is a biometric authentication factor?
CorrectC: A user scanning their fingerprint or facial structure
Biometric factors authenticate based on unique physical or behavioral characteristics (fingerprint, face recognition, iris scan). YubiKey is "something you have", SMS is "something you receive", password is "something you know".
IncorrectC: A user scanning their fingerprint or facial structure
Biometric factors authenticate based on unique physical or behavioral characteristics (fingerprint, face recognition, iris scan). YubiKey is "something you have", SMS is "something you receive", password is "something you know".
20What does the concept of "Zero Trust" architecture fundamentally assume?
CorrectD: That no entity (user, device, or AI service) should be automatically trusted, regardless of whether they are inside or outside the network perimeter
Zero Trust assumes no trust by default. Every access request—whether from inside or outside—must be verified. Requires continuous authentication, authorization, and device validation.
IncorrectD: That no entity (user, device, or AI service) should be automatically trusted, regardless of whether they are inside or outside the network perimeter
Zero Trust assumes no trust by default. Every access request—whether from inside or outside—must be verified. Requires continuous authentication, authorization, and device validation.
Identity & Access Management for AI — Concepts
1In the OAuth 2.0 authorization framework, what is the role of the "Resource Server"?
CorrectA: It is the API or service hosting the protected data that the AI application wants to access
The Resource Server hosts protected resources (e.g., APIs, data). The Authorization Server issues tokens. The Client (AI app) exchanges an auth code for a token from the Auth Server, then uses that token to call the Resource Server.
IncorrectA: It is the API or service hosting the protected data that the AI application wants to access
The Resource Server hosts protected resources (e.g., APIs, data). The Authorization Server issues tokens. The Client (AI app) exchanges an auth code for a token from the Auth Server, then uses that token to call the Resource Server.
2How does OpenID Connect (OIDC) differ from standard OAuth 2.0?
CorrectB: OAuth 2.0 is an authorization framework, whereas OIDC adds an identity layer on top of OAuth to provide authentication (verifying who the user is) via an ID Token
OAuth 2.0 is authorization-only (granting access). OIDC adds authentication (verifying identity) via an additional ID Token containing claims like email, name, etc. OIDC = OAuth 2.0 + identity layer.
IncorrectB: OAuth 2.0 is an authorization framework, whereas OIDC adds an identity layer on top of OAuth to provide authentication (verifying who the user is) via an ID Token
OAuth 2.0 is authorization-only (granting access). OIDC adds authentication (verifying identity) via an additional ID Token containing claims like email, name, etc. OIDC = OAuth 2.0 + identity layer.
3What represents the payload structure of a standard JSON Web Token (JWT) used frequently in AI API authentication?
CorrectC: Three Base64-URL encoded strings separated by dots: Header, Payload, and Signature
JWT format: Header.Payload.Signature (all Base64-URL encoded). The payload contains claims (e.g., sub, aud, exp). The signature verifies the token hasn't been tampered with.
IncorrectC: Three Base64-URL encoded strings separated by dots: Header, Payload, and Signature
JWT format: Header.Payload.Signature (all Base64-URL encoded). The payload contains claims (e.g., sub, aud, exp). The signature verifies the token hasn't been tampered with.
4In Attribute-Based Access Control (ABAC), how are access decisions calculated?
CorrectD: By evaluating a complex set of attributes (e.g., user department, time of day, resource sensitivity level) against dynamic policies
ABAC evaluates multiple attributes dynamically. Example: "Allow Data Scientist from Finance department to access Prod DB between 9 AM–5 PM on weekdays from corp IP only." Far more granular than static RBAC.
IncorrectD: By evaluating a complex set of attributes (e.g., user department, time of day, resource sensitivity level) against dynamic policies
ABAC evaluates multiple attributes dynamically. Example: "Allow Data Scientist from Finance department to access Prod DB between 9 AM–5 PM on weekdays from corp IP only." Far more granular than static RBAC.
5Why is ABAC often preferred over RBAC for complex, dynamic AI environments?
CorrectA: ABAC allows for fine-grained, context-aware decisions (like denying access to an AI model outside of business hours), which static RBAC roles struggle to implement
RBAC is static (e.g., "Developer role has these permissions"). ABAC is dynamic (e.g., "Only if time is business hours AND device is managed AND location is company IP"). Ideal for complex AI governance.
IncorrectA: ABAC allows for fine-grained, context-aware decisions (like denying access to an AI model outside of business hours), which static RBAC roles struggle to implement
RBAC is static (e.g., "Developer role has these permissions"). ABAC is dynamic (e.g., "Only if time is business hours AND device is managed AND location is company IP"). Ideal for complex AI governance.
6What is the primary security advantage of using "Ephemeral" (short-lived) credentials for an AI service account rather than static, long-lived API keys?
CorrectB: If an attacker intercepts an ephemeral token, its brief lifespan (e.g., 15 minutes) severely limits the window of opportunity to exploit it
Ephemeral credentials expire quickly (15 min–1 hour). Even if stolen, they become useless fast. Contrast with static API keys that remain valid indefinitely unless manually rotated.
IncorrectB: If an attacker intercepts an ephemeral token, its brief lifespan (e.g., 15 minutes) severely limits the window of opportunity to exploit it
Ephemeral credentials expire quickly (15 min–1 hour). Even if stolen, they become useless fast. Contrast with static API keys that remain valid indefinitely unless manually rotated.
7In the context of Agentic AI, what is the "Confused Deputy" problem?
CorrectC: A privileged AI agent is tricked by a malicious user's input into executing a highly authorized action (like querying a secure database) on behalf of that unauthorized user
The confused deputy problem: an attacker tricks a privileged service into performing an action the attacker couldn't do directly. Example: An AI agent with database access is tricked into deleting rows an unauthorized user can't delete themselves.
IncorrectC: A privileged AI agent is tricked by a malicious user's input into executing a highly authorized action (like querying a secure database) on behalf of that unauthorized user
The confused deputy problem: an attacker tricks a privileged service into performing an action the attacker couldn't do directly. Example: An AI agent with database access is tricked into deleting rows an unauthorized user can't delete themselves.
8How does the AWS "AssumeRole" function (or similar cloud STS services) enhance security for AI workloads?
CorrectD: It allows an AI application to temporarily trade its baseline credentials for a set of short-lived, highly specific permissions to perform a critical task, then relinquish them
AssumeRole provides temporary, scoped credentials via STS. An AI app auth as a low-privilege identity, assumes a restricted role for 1 hour to perform a specific task, then credentials expire. Limits blast radius.
IncorrectD: It allows an AI application to temporarily trade its baseline credentials for a set of short-lived, highly specific permissions to perform a critical task, then relinquish them
AssumeRole provides temporary, scoped credentials via STS. An AI app auth as a low-privilege identity, assumes a restricted role for 1 hour to perform a specific task, then credentials expire. Limits blast radius.
9When an AI agent needs to act on behalf of a human user (e.g., reading their specific calendar), which OAuth 2.0 grant type is most appropriate to obtain authorization?
CorrectA: Authorization Code Grant (often with PKCE)
Authorization Code Grant requires the human user to explicitly consent via a login/approval screen. The app receives an auth code, exchanges it for a token. Ensures user consent, unlike Client Credentials (M2M only).
IncorrectA: Authorization Code Grant (often with PKCE)
Authorization Code Grant requires the human user to explicitly consent via a login/approval screen. The app receives an auth code, exchanges it for a token. Ensures user consent, unlike Client Credentials (M2M only).
10Why is the "Client Credentials" grant type in OAuth 2.0 typically used for machine-to-machine (M2M) communication, such as a backend AI microservice syncing with a database?
CorrectB: Because there is no human user involved to provide consent via a web browser; the application authenticates itself using its own pre-registered ID and secret
Client Credentials grant: application authenticates directly (client_id + client_secret) without a human in the loop. Perfect for service-to-service auth where no user consent is needed.
IncorrectB: Because there is no human user involved to provide consent via a web browser; the application authenticates itself using its own pre-registered ID and secret
Client Credentials grant: application authenticates directly (client_id + client_secret) without a human in the loop. Perfect for service-to-service auth where no user consent is needed.
11What is the purpose of a "Refresh Token" in the OAuth 2.0 lifecycle?
CorrectC: To obtain a new, short-lived Access Token when the current one expires, without forcing the human user to re-authenticate manually
Access tokens are short-lived (e.g., 15 min). When they expire, the app presents a long-lived refresh token to the auth server to get a new access token silently, without bugging the user to log in again.
IncorrectC: To obtain a new, short-lived Access Token when the current one expires, without forcing the human user to re-authenticate manually
Access tokens are short-lived (e.g., 15 min). When they expire, the app presents a long-lived refresh token to the auth server to get a new access token silently, without bugging the user to log in again.
12In a Zero Trust architecture, what is "Micro-segmentation"?
CorrectD: Creating highly granular, secure zones within a network to isolate workloads (like a specific AI model) and restrict lateral movement if a breach occurs
Micro-segmentation: divide the network into tiny, heavily controlled zones. Each zone has strict firewall rules. Even if an attacker breaches zone A, they can't freely move to zone B without additional auth/authorization.
IncorrectD: Creating highly granular, secure zones within a network to isolate workloads (like a specific AI model) and restrict lateral movement if a breach occurs
Micro-segmentation: divide the network into tiny, heavily controlled zones. Each zone has strict firewall rules. Even if an attacker breaches zone A, they can't freely move to zone B without additional auth/authorization.
13How does "Just-In-Time" (JIT) access provisioning minimize risk for AI administrators?
CorrectA: By dynamically granting elevated privileges to an administrator for a strictly limited duration only when they actively need it, rather than leaving standing privileges open 24/7
JIT provisioning grants admin rights temporarily (e.g., 2 hours) only when requested. After expiry, rights disappear automatically. Dramatically reduces the window of exposure if the admin account is compromised.
IncorrectA: By dynamically granting elevated privileges to an administrator for a strictly limited duration only when they actively need it, rather than leaving standing privileges open 24/7
JIT provisioning grants admin rights temporarily (e.g., 2 hours) only when requested. After expiry, rights disappear automatically. Dramatically reduces the window of exposure if the admin account is compromised.
14If an AI system uses a JWT for authentication, how does the receiving API verify that the token has not been tampered with in transit?
CorrectB: By cryptographically verifying the Signature section of the JWT using a shared secret or a public key
JWT Signature: the issuer signs the header.payload using a secret (HS256) or private key (RS256). The API verifies the signature using the shared secret or public key. If the payload is modified, the signature becomes invalid.
IncorrectB: By cryptographically verifying the Signature section of the JWT using a shared secret or a public key
JWT Signature: the issuer signs the header.payload using a secret (HS256) or private key (RS256). The API verifies the signature using the shared secret or public key. If the payload is modified, the signature becomes invalid.
15What is "Identity Federation" via SAML (Security Assertion Markup Language) typically used for?
CorrectC: Exchanging authentication and authorization data between an Identity Provider and a Service Provider to enable cross-domain Single Sign-On (SSO)
SAML: an XML-based federation standard. User authenticates at their company's IdP, which issues a SAML assertion. The assertion is presented to a third-party app (service provider) for SSO.
IncorrectC: Exchanging authentication and authorization data between an Identity Provider and a Service Provider to enable cross-domain Single Sign-On (SSO)
SAML: an XML-based federation standard. User authenticates at their company's IdP, which issues a SAML assertion. The assertion is presented to a third-party app (service provider) for SSO.
16Why is managing IAM for Retrieval-Augmented Generation (RAG) systems particularly challenging?
CorrectD: The vector database must perfectly map the original source document's access control lists (ACLs) to the semantic chunks, ensuring the AI agent only retrieves context the end-user is actually authorized to see
RAG IAM challenge: documents are chunked and vectorized. If a user shouldn't see document X, the AI must not retrieve *any* chunk from X. Requires careful ACL mapping from original docs to embeddings.
IncorrectD: The vector database must perfectly map the original source document's access control lists (ACLs) to the semantic chunks, ensuring the AI agent only retrieves context the end-user is actually authorized to see
RAG IAM challenge: documents are chunked and vectorized. If a user shouldn't see document X, the AI must not retrieve *any* chunk from X. Requires careful ACL mapping from original docs to embeddings.
17What does the "Audience" (`aud`) claim in a JSON Web Token (JWT) specify?
CorrectA: The intended recipient or target API that the token is meant for, preventing a token issued for one AI service from being maliciously used on another
JWT claim `aud` specifies the intended audience (e.g., "api.example.com"). If a token is stolen and misused on a different API, that API should reject it because the `aud` claim doesn't match.
IncorrectA: The intended recipient or target API that the token is meant for, preventing a token issued for one AI service from being maliciously used on another
JWT claim `aud` specifies the intended audience (e.g., "api.example.com"). If a token is stolen and misused on a different API, that API should reject it because the `aud` claim doesn't match.
18What is a "Managed Identity" (in cloud platforms like Azure)?
CorrectB: An automatically managed identity that an application (like an AI service) can use to connect to resources, eliminating the need for developers to manage credentials
Managed Identity: Azure/cloud automatically creates and rotates credentials for an app. The app doesn't manage keys; the cloud provider does. Reduces credential sprawl and the risk of hardcoded secrets.
IncorrectB: An automatically managed identity that an application (like an AI service) can use to connect to resources, eliminating the need for developers to manage credentials
Managed Identity: Azure/cloud automatically creates and rotates credentials for an app. The app doesn't manage keys; the cloud provider does. Reduces credential sprawl and the risk of hardcoded secrets.
19In IAM terminology, what is a "Principal"?
CorrectC: An entity (such as a user, group, or service account) that can request to perform an action on a resource
Principal: any entity that can be granted permissions. Users, groups, services, roles—all are principals. IAM policies grant principals permissions (Allow/Deny statements).
IncorrectC: An entity (such as a user, group, or service account) that can request to perform an action on a resource
Principal: any entity that can be granted permissions. Users, groups, services, roles—all are principals. IAM policies grant principals permissions (Allow/Deny statements).
20How does a "Pass-the-Role" (or `iam:PassRole` in AWS) permission function?
CorrectD: It permits a user or service to grant an existing IAM Role to an AI service (like SageMaker or EC2), effectively defining what permissions that service will assume when it executes
PassRole allows a service to assume a role. Example: developer has PassRole permission for "DataScientistRole". They launch an EC2 instance with that role, and the instance inherits all of DataScientistRole's permissions.
IncorrectD: It permits a user or service to grant an existing IAM Role to an AI service (like SageMaker or EC2), effectively defining what permissions that service will assume when it executes
PassRole allows a service to assume a role. Example: developer has PassRole permission for "DataScientistRole". They launch an EC2 instance with that role, and the instance inherits all of DataScientistRole's permissions.
Identity & Access Management for AI — Advanced
1In a complex microservices architecture where an AI agent calls Service A, which must then call Service B on behalf of the user, what is the OAuth 2.0 "Token Exchange" (RFC 8693) designed to facilitate?
CorrectD: It allows Service A to trade the original user's token for a new, scoped token explicitly minted for calling Service B, maintaining an auditable chain of delegation
Token Exchange: Service A receives a user token, calls an STS (Security Token Service) to exchange it for a token that Service B trusts and that carries the original user's identity. Maintains delegation chain.
IncorrectD: It allows Service A to trade the original user's token for a new, scoped token explicitly minted for calling Service B, maintaining an auditable chain of delegation
Token Exchange: Service A receives a user token, calls an STS (Security Token Service) to exchange it for a token that Service B trusts and that carries the original user's identity. Maintains delegation chain.
2How does Mutual TLS (mTLS) provide an extreme level of authentication for highly secure, backend AI microservices?
CorrectA: It requires both the client (the AI service) and the server to present valid X.509 certificates to cryptographically prove their identities to each other during the TLS handshake
mTLS (mutual TLS): standard TLS authenticates server only (server cert). mTLS authenticates both: client presents cert, server presents cert. Both verify each other's X.509 cert. Gold standard for backend security.
IncorrectA: It requires both the client (the AI service) and the server to present valid X.509 certificates to cryptographically prove their identities to each other during the TLS handshake
mTLS (mutual TLS): standard TLS authenticates server only (server cert). mTLS authenticates both: client presents cert, server presents cert. Both verify each other's X.509 cert. Gold standard for backend security.
3What is the fundamental security challenge when implementing "Impersonation" (Delegation) in autonomous Agentic AI systems?
CorrectB: If the agent acts exactly as the user, it bypasses the "Confused Deputy" problem but makes it impossible via standard audit logs to distinguish between actions taken directly by the human and autonomous actions taken by the agent on their behalf
Delegation challenge: if agent truly impersonates the user, audit logs show the user performed the action (non-repudiation lost). Best practice: agent acts as agent (own identity) but with delegated permissions, maintaining audit trail.
IncorrectB: If the agent acts exactly as the user, it bypasses the "Confused Deputy" problem but makes it impossible via standard audit logs to distinguish between actions taken directly by the human and autonomous actions taken by the agent on their behalf
Delegation challenge: if agent truly impersonates the user, audit logs show the user performed the action (non-repudiation lost). Best practice: agent acts as agent (own identity) but with delegated permissions, maintaining audit trail.
4In a Zero Trust architecture utilizing Continuous Adaptive Risk and Trust Assessment (CARTA), how is an active AI session managed?
CorrectC: The system continuously evaluates contextual risk factors (e.g., sudden behavioral changes, rapid data extraction) and can dynamically revoke or step-up authentication requirements mid-session
CARTA: continuous assessment, not one-time login. If risk increases (e.g., unusual API calls, giga-byte extraction), session is challenged or revoked. Adapts dynamically to threats.
IncorrectC: The system continuously evaluates contextual risk factors (e.g., sudden behavioral changes, rapid data extraction) and can dynamically revoke or step-up authentication requirements mid-session
CARTA: continuous assessment, not one-time login. If risk increases (e.g., unusual API calls, giga-byte extraction), session is challenged or revoked. Adapts dynamically to threats.
5What is the primary purpose of OPA (Open Policy Agent) in a cloud-native AI environment?
CorrectD: To act as a unified, decoupled policy engine that evaluates policies written in Rego to make fine-grained authorization decisions across the entire microservice stack
OPA: a policy-as-code engine. Define authorization rules in Rego, OPA evaluates them across Kubernetes, APIs, databases. Single source of truth for all access decisions.
IncorrectD: To act as a unified, decoupled policy engine that evaluates policies written in Rego to make fine-grained authorization decisions across the entire microservice stack
OPA: a policy-as-code engine. Define authorization rules in Rego, OPA evaluates them across Kubernetes, APIs, databases. Single source of truth for all access decisions.
6When configuring an IAM policy for a highly sensitive AI training bucket, what does an "Explicit Deny" achieve in a standard policy evaluation logic?
CorrectA: An Explicit Deny universally overrides any and all Allow statements, guaranteeing that the action is blocked regardless of other assigned permissions
AWS IAM evaluation: default Deny. If ANY policy has Explicit Deny, access is Denied (Deny always wins). Use Explicit Deny to permanently block sensitive actions, e.g., preventing developers from deleting backups.
IncorrectA: An Explicit Deny universally overrides any and all Allow statements, guaranteeing that the action is blocked regardless of other assigned permissions
AWS IAM evaluation: default Deny. If ANY policy has Explicit Deny, access is Denied (Deny always wins). Use Explicit Deny to permanently block sensitive actions, e.g., preventing developers from deleting backups.
7In the context of JSON Web Keys (JWKS), how does an API validate a JWT signed with an asymmetric algorithm (like RS256)?
CorrectB: It fetches the Identity Provider's public keys from the JWKS endpoint and uses the corresponding public key to verify the cryptographic signature generated by the IdP's private key
JWKS (JSON Web Key Set): IdP publishes public keys at a JWKS endpoint. API fetches the correct public key (matching the JWT's `kid` header), uses it to verify the signature. Enables rotation without app redeployment.
IncorrectB: It fetches the Identity Provider's public keys from the JWKS endpoint and uses the corresponding public key to verify the cryptographic signature generated by the IdP's private key
JWKS (JSON Web Key Set): IdP publishes public keys at a JWKS endpoint. API fetches the correct public key (matching the JWT's `kid` header), uses it to verify the signature. Enables rotation without app redeployment.
8How do "Claims-Based" authorization models specifically benefit multi-tenant AI SaaS platforms?
CorrectC: They embed specific tenant IDs, roles, and context directly into the token's claims, allowing the application to enforce strict data isolation without constantly querying a centralized database
Claims-based: tenant ID embedded in JWT claim. API checks claim to determine which tenant's data the user can access. Scales better than constant DB lookups; no shared state.
IncorrectC: They embed specific tenant IDs, roles, and context directly into the token's claims, allowing the application to enforce strict data isolation without constantly querying a centralized database
Claims-based: tenant ID embedded in JWT claim. API checks claim to determine which tenant's data the user can access. Scales better than constant DB lookups; no shared state.
9What is the critical vulnerability associated with the "None" algorithm in older or misconfigured JWT implementations?
CorrectD: An attacker can modify the token payload, set the algorithm header to 'none', and strip the signature, potentially tricking a vulnerable API into accepting the forged token as valid
JWT algorithm: "none" means no signature. Vulnerable APIs that don't validate the algorithm field accept unsigned tokens. Attacker sets alg="none", modifies payload. Always validate: alg is expected AND signature is valid.
IncorrectD: An attacker can modify the token payload, set the algorithm header to 'none', and strip the signature, potentially tricking a vulnerable API into accepting the forged token as valid
JWT algorithm: "none" means no signature. Vulnerable APIs that don't validate the algorithm field accept unsigned tokens. Attacker sets alg="none", modifies payload. Always validate: alg is expected AND signature is valid.
10In a highly secure Agentic AI workflow using OAuth 2.0, what does Proof Key for Code Exchange (PKCE) protect against?
CorrectA: It prevents Authorization Code interception attacks (especially in public or mobile clients) by tying the authorization request to a cryptographically hashed challenge/verifier generated dynamically by the client
PKCE (RFC 7636): client generates a random code_verifier, hashes it (code_challenge), includes in auth request. Auth server validates the hash when client exchanges auth code. Prevents auth code theft.
IncorrectA: It prevents Authorization Code interception attacks (especially in public or mobile clients) by tying the authorization request to a cryptographically hashed challenge/verifier generated dynamically by the client
PKCE (RFC 7636): client generates a random code_verifier, hashes it (code_challenge), includes in auth request. Auth server validates the hash when client exchanges auth code. Prevents auth code theft.
11What is "SPIFFE" (Secure Production Identity Framework for Everyone) used for in Kubernetes-based AI deployments?
CorrectB: Providing a standardized way to issue short-lived, cryptographically verifiable identities (SVIDs) to workloads/microservices to facilitate secure mTLS communication
SPIFFE: standard for workload identity in Kubernetes. SPIRE (SPIFFE Runtime Environment) issues SVIDs (certificates) to pods. Enables automatic mTLS between microservices without manual cert management.
IncorrectB: Providing a standardized way to issue short-lived, cryptographically verifiable identities (SVIDs) to workloads/microservices to facilitate secure mTLS communication
SPIFFE: standard for workload identity in Kubernetes. SPIRE (SPIFFE Runtime Environment) issues SVIDs (certificates) to pods. Enables automatic mTLS between microservices without manual cert management.
12How does "Macaroons" (a decentralized authorization token architecture) differ fundamentally from standard JWTs?
CorrectC: Macaroons support delegation with attenuation; a bearer can append specific, restrictive caveats to the token before passing it to a third party, securely narrowing its permissions without contacting the central issuer
Macaroons: bearer can add restrictive caveats (e.g., "valid only until 5 PM", "only for this IP"). Caveats are cryptographically signed. Enables decentralized delegation without issuer involvement.
IncorrectC: Macaroons support delegation with attenuation; a bearer can append specific, restrictive caveats to the token before passing it to a third party, securely narrowing its permissions without contacting the central issuer
Macaroons: bearer can add restrictive caveats (e.g., "valid only until 5 PM", "only for this IP"). Caveats are cryptographically signed. Enables decentralized delegation without issuer involvement.
13When designing IAM for an AI data pipeline, what is "Data Masking" at the database driver/proxy level designed to complement?
CorrectD: It complements IAM by dynamically obfuscating or redacting sensitive columns (like SSNs) in the query result set based on the specific authorization role of the requesting identity
Data masking (e.g., showing "***-**-1234" instead of full SSN) is a defense-in-depth layer. Even if IAM grants access to a column, masking redacts sensitive bits based on role. Complements, doesn't replace, IAM.
IncorrectD: It complements IAM by dynamically obfuscating or redacting sensitive columns (like SSNs) in the query result set based on the specific authorization role of the requesting identity
Data masking (e.g., showing "***-**-1234" instead of full SSN) is a defense-in-depth layer. Even if IAM grants access to a column, masking redacts sensitive bits based on role. Complements, doesn't replace, IAM.
14What is the precise function of the `sub` (Subject) claim in a standard OIDC ID Token?
CorrectA: It represents a unique, immutable identifier for the authenticated user within the issuer's system, acting as the primary key for identity federation
JWT/OIDC claim `sub` (subject): unique user ID. `sub` + `iss` (issuer) together uniquely identify a user across security domains. Primary key for federation.
IncorrectA: It represents a unique, immutable identifier for the authenticated user within the issuer's system, acting as the primary key for identity federation
JWT/OIDC claim `sub` (subject): unique user ID. `sub` + `iss` (issuer) together uniquely identify a user across security domains. Primary key for federation.
15How do "Context-Aware" access policies restrict an AI developer's ability to exfiltrate proprietary training data?
CorrectB: By evaluating dynamic signals—such as requiring the developer to originate from a corporate IP, use a managed device, and connect during business hours—before allowing access to the data bucket
Context-aware policies: grant access only if multiple conditions are met (corp IP, managed device, business hours, etc.). Prevents attackers/insiders from exfiltrating data from unusual contexts.
IncorrectB: By evaluating dynamic signals—such as requiring the developer to originate from a corporate IP, use a managed device, and connect during business hours—before allowing access to the data bucket
Context-aware policies: grant access only if multiple conditions are met (corp IP, managed device, business hours, etc.). Prevents attackers/insiders from exfiltrating data from unusual contexts.
16In the context of IAM for AI infrastructure, what does "IAM Privilege Escalation" imply?
CorrectC: An attacker exploiting a misconfigured IAM policy (e.g., the ability to create a new policy version) to grant themselves higher permissions, effectively gaining administrator access
IAM privilege escalation: attacker finds a misconfiguration (e.g., can create policies, can assume high-privilege roles) and exploits it to escalate from user → admin. Regular IAM audits catch these.
IncorrectC: An attacker exploiting a misconfigured IAM policy (e.g., the ability to create a new policy version) to grant themselves higher permissions, effectively gaining administrator access
IAM privilege escalation: attacker finds a misconfiguration (e.g., can create policies, can assume high-privilege roles) and exploits it to escalate from user → admin. Regular IAM audits catch these.
17What is the architectural goal of a "Policy Decision Point" (PDP) versus a "Policy Enforcement Point" (PEP) in Zero Trust?
CorrectD: The PDP evaluates the rules and makes the "Allow/Deny" decision, whereas the PEP sits in the traffic path to intercept the request and enforce the PDP's decision
PDP/PEP separation: PDP is centralized policy engine (OPA, etc.), makes decisions. PEP is distributed enforcer (proxy, firewall, sidecar), intercepts traffic and enforces PDP decisions.
IncorrectD: The PDP evaluates the rules and makes the "Allow/Deny" decision, whereas the PEP sits in the traffic path to intercept the request and enforce the PDP's decision
PDP/PEP separation: PDP is centralized policy engine (OPA, etc.), makes decisions. PEP is distributed enforcer (proxy, firewall, sidecar), intercepts traffic and enforces PDP decisions.
18How does an "Identity-Aware Proxy" (IAP) secure internal AI tools without requiring a VPN?
CorrectA: By verifying user identity, device context, and access policies at the application layer before proxying the web request to the internal AI application
IAP (e.g., Google BeyondCorp): proxy sits in front of internal app, verifies identity and context, then proxies auth'd requests to the app. No VPN needed; zero trust access.
IncorrectA: By verifying user identity, device context, and access policies at the application layer before proxying the web request to the internal AI application
IAP (e.g., Google BeyondCorp): proxy sits in front of internal app, verifies identity and context, then proxies auth'd requests to the app. No VPN needed; zero trust access.
19When an autonomous AI agent utilizes a "Service Mesh" (like Istio), how is authorization typically handled between the agent's sidecar proxy and the target service?
CorrectB: The sidecar proxy extracts the JWT, cryptographically validates the signature via the mesh's control plane, and evaluates embedded claims or local OPA policies before allowing the request through
Service mesh (Istio): sidecars validate JWTs, enforce mTLS cert validation, check OPA policies. All request-level auth happens in the mesh, decoupling from app code.
IncorrectB: The sidecar proxy extracts the JWT, cryptographically validates the signature via the mesh's control plane, and evaluates embedded claims or local OPA policies before allowing the request through
Service mesh (Istio): sidecars validate JWTs, enforce mTLS cert validation, check OPA policies. All request-level auth happens in the mesh, decoupling from app code.
20What is the primary security flaw of relying on "IP Allowlisting" as the sole method of authorization for a backend AI service?
CorrectC: In modern cloud environments, IPs are highly dynamic and easily spoofed or shared among multiple tenants, completely failing to establish the true *identity* or *context* of the caller
IP allowlisting alone is weak: IPs are shared (VPN, cloud, NAT), spoofable, and dynamic. Modern security requires identity-based authorization (certs, tokens, etc.), not just IP.
IncorrectC: In modern cloud environments, IPs are highly dynamic and easily spoofed or shared among multiple tenants, completely failing to establish the true *identity* or *context* of the caller
IP allowlisting alone is weak: IPs are shared (VPN, cloud, NAT), spoofable, and dynamic. Modern security requires identity-based authorization (certs, tokens, etc.), not just IP.
Conclusion: Master IAM for AI MCQs
These 60 MCQs cover the full spectrum of IAM knowledge for AI systems — from understanding the difference between authentication and authorization, to implementing OAuth 2.0 flows, to designing Zero Trust governance frameworks for autonomous agents.
The key to mastering IAM is recognizing that authentication proves identity, authorization grants permissions, and both must work together. Understanding modern token-based systems (JWTs, OAuth, OIDC) is critical in cloud-native AI deployments where services must communicate securely without human involvement.
After completing this MCQ set, deepen your knowledge with the full Identity & Access Management for AI theory notes and practice with AI & Cloud Security interview questions to see these concepts applied in real-world scenarios and design interviews.
📌 Key Takeaways — IAM for AI
- Authentication ≠ Authorization: Auth verifies WHO you are (login). Authz determines WHAT you can do (permissions).
- Principle of Least Privilege: Every user/service should have only minimum permissions for their role.
- Service Account: Non-human identity for apps/AI to auth with APIs/databases. Examples: AWS IAM roles, Kubernetes service accounts.
- OAuth 2.0 = Authorization framework. OIDC = OAuth 2.0 + Identity (authentication).
- JWT = Header.Payload.Signature. Stateless, self-contained token. Signature proves it hasn't been tampered with.
- RBAC (Role-Based): Static roles with predefined permissions. Simple but inflexible.
- ABAC (Attribute-Based): Dynamic decisions based on multiple attributes (time, location, device status, etc.). More powerful but complex.
- Ephemeral Credentials: Short-lived tokens (15 min – 1 hour). Limits exposure if stolen. Better than static API keys.
- Zero Trust: No automatic trust. Every request must be verified, regardless of where it originates.
- Confused Deputy Problem: Privileged agent tricked into performing unauthorized actions. Prevent via identity auditing and scoped credentials.
Quick Review & Summary
Use this table to consolidate IAM for AI knowledge mappings before or after attempting the questions above.
| IAM Concept | Category | Key Fact / Best Practice |
|---|---|---|
| Authentication | Identity Verification | Proves WHO you are. Uses passwords, biometrics, certificates. |
| Authorization | Access Control | Proves WHAT you can access. Uses roles, policies, tokens. |
| Service Account | Non-Human Identity | Machine identity for AI agents. Use ephemeral credentials + least privilege. |
| OAuth 2.0 | Authorization Framework | Grants delegated access without sharing passwords. Uses access tokens. |
| OIDC (OpenID Connect) | Authentication Layer | Adds identity (ID tokens) on top of OAuth 2.0. Verifies WHO is logged in. |
| JWT | Token Format | Header.Payload.Signature. Stateless. Signature validates integrity. |
| RBAC | Access Model | Static role-based permissions. Simple, predictable, less flexible. |
| ABAC | Access Model | Dynamic attribute-based decisions. More granular, handles complex AI access patterns. |
| mTLS | Mutual Authentication | Both client and server present certs. Ideal for service-to-service AI calls. |
| Zero Trust | Security Architecture | No implicit trust. Verify every request regardless of network location. |
Frequently Asked Questions
Q. What is the difference between Authentication and Authorization?
Q. Why should AI service accounts use ephemeral credentials instead of static API keys?
Q. What is OAuth 2.0 versus OIDC?
Q. How do I prevent hardcoded credentials in my AI code?
Q. What is the "Confused Deputy" problem in Agentic AI?
Q. What is Zero Trust architecture?
Q. How do JWTs work?
Q. What is RBAC vs ABAC?
Struggling with some questions? Re-read the full Theory Guide: Identity & Access Management for AI