1. Intro
2. STILL RELEVANT
3. LET'S TALK ATTACK SURFACE
4. PEN TESTING TEN EIGHT STEP PROCESS
5. USER LIFECYCLE
6. WHO (TRADITIONALLY) DOES WHAT
7. OSINT GATHERING
8. DOCUMENT METADATA
9. WHAT ARE WE LOOKING FOR AGAIN
10. PASSWORD SPRAYING
11. ONCE YOU'RE IN...
12. PASSWORD SELF-SERVICE
13. ANALYZE YOUR EXTERNAL ATTACK SURFACE
14. REDUCE SAID ATTACK SURFACE
15. TIGHTEN UP ADMIN PRIVILEGES
16. DETECTION IS KING
17. LOGGING AND MONITORING - WINDOWS
18. FUNDAMENTALS FTW
Description:
Explore the intricacies of Identity and Access Management (IAM) security through a penetration tester's perspective in this conference talk from Converge 2018. Delve into the still-relevant attack surface of IAM systems, learning a comprehensive eight-step pen testing process. Examine the user lifecycle, traditional roles in IAM, and essential OSINT gathering techniques. Uncover strategies for extracting valuable information from document metadata, executing password spraying attacks, and exploiting password self-service features. Gain insights on analyzing and reducing external attack surfaces, tightening administrative privileges, and implementing robust detection mechanisms. Emphasize the importance of logging and monitoring in Windows environments, and reinforce fundamental security principles to enhance overall IAM defenses.

Hacking Identity - A Pen Tester's Guide to IAM - Jerod Brennen
