AWS IAM policies follow a four-element structure defining authorization: WHO (Principal) can perform WHAT (Action) on WHICH (Resource) under WHAT CONDITIONS (Condition). This maps to the plain language question: "Who can do what to which resources, and when do we care?"

**Cross-domain applications:**

- **Physical security**: Keycard systems (who: employee ID, what: door unlock, which: specific doors, when: business hours)
- **Document management**: SharePoint permissions (who: team member, what: edit, which: folder, when: project active)
- **Healthcare**: HIPAA access logs (who: provider, what: view records, which: patient, when: treatment relationship exists)
- **Finance**: Trading limits (who: trader, what: execute, which: instruments, when: within risk thresholds)

Each element has a "Not" version (NotPrincipal, NotAction, NotResource, NotCondition) for explicit denial. Policies default to deny unless explicitly allowed, and an explicit deny always overrides an allow.
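As an added example (not part of the original notes, and not AWS's real evaluation engine), here is a simplified Python model of how the four elements combine at evaluation time: Principal/Action/Resource matching with their Not-forms, a `StringEquals` condition, implicit deny by default, and an explicit deny overriding any allow. The sample policy, the role ARN and the `aws:PrincipalTag/team` tag value are constructed for illustration.

```python
import fnmatch

# Constructed sample policy (not from the page). Principal is given as a plain
# ARN string here; real resource-based policies nest it under a key such as "AWS".
SAMPLE_POLICY = {"Statement": [
    {"Effect": "Allow",
     "Principal": "arn:aws:iam::123456789012:role/finance-analyst",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::reports/*",
     "Condition": {"StringEquals": {"aws:PrincipalTag/team": "finance"}}},
    {"Effect": "Deny",
     "Principal": "*",
     "NotAction": ["s3:Get*", "s3:List*"],   # anything that is not a read
     "Resource": "arn:aws:s3:::reports/*"},
]}

def _matches(pattern, value):
    """IAM-style wildcard match ('*' and '?'); pattern may be a string or a list."""
    pats = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _element_matches(stmt, key, value):
    """Match Principal/Action/Resource, or the inverted NotPrincipal/NotAction/NotResource."""
    if key in stmt:
        return _matches(stmt[key], value)
    if "Not" + key in stmt:
        return not _matches(stmt["Not" + key], value)
    return False

def _condition_holds(stmt, context):
    """Only StringEquals is modelled; a statement without Condition always applies."""
    checks = stmt.get("Condition", {}).get("StringEquals", {})
    return all(context.get(k) == v for k, v in checks.items())

def evaluate(policy, principal, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request under simplified IAM logic:
    implicit deny by default, and any matching explicit Deny overrides Allow."""
    context = context or {}
    decision = "Deny"  # nothing matched yet: implicit deny
    for stmt in policy["Statement"]:
        if not (_element_matches(stmt, "Principal", principal)
                and _element_matches(stmt, "Action", action)
                and _element_matches(stmt, "Resource", resource)
                and _condition_holds(stmt, context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny wins regardless of other statements
        decision = "Allow"
    return decision
```

Running `evaluate` with a read that satisfies the condition returns `"Allow"`; the same read without the tag, a write on the same bucket, or a read on a bucket the policy never mentions all return `"Deny"` for three different reasons (failed condition, explicit NotAction deny, implicit deny).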