Access to information, data, services and systems, as well as access to physical locations, is governed by security policies. These security policies are formalized and need to be enforced by the owner of the resource. In doing so, the owner tries to manage the risk involved in access, such as the risk of abuse of information, data leakage, theft, fraud and any other security threats. To be in control, the owner needs assurance of the level of security realized by the security controls that have been put in place.
Some of the controls are related to the access requester, the subject, or person who seeks access. Can the subject be trusted enough to be granted access to the resource?