PR.AA-01 focuses on the management of identities and credentials for all authorized entities—users, services, and hardware—within the organization’s control. This involves issuing, tracking, and revoking access credentials, such as cryptographic certificates or device identifiers, to ensure only legitimate entities can interact with systems and assets. Proper management reduces the risk of unauthorized access stemming from lost or compromised credentials.

This subcategory establishes a foundation for secure access by integrating identity management into daily operations, with processes for requesting and approving access aligned with system owner permissions. It enhances security by maintaining a clear inventory of authorized entities, supporting audits and rapid response to incidents. PR.AA-01 is a critical step in safeguarding logical and physical assets.