RBAC, ABAC, conditional access policies, least privilege, and just-in-time access.
Risk-based policies, device compliance, location-based rules
Just-in-time access, just-enough-administration, time-boxed elevation
Role-based and attribute-based access control design
Session duration, reauthentication, continuous access evaluation