diff --git a/iam/index.mdx b/iam/index.mdx
index 10000708a5..d5aeb150b3 100644
--- a/iam/index.mdx
+++ b/iam/index.mdx
@@ -1,14 +1,12 @@
 ---
-title: Identity and Access Management
-sidebarTitle: IAM
+title: Identity and Access Management Overview
+sidebarTitle: Overview
+description: Learn about ngrok's identity and access management system for managing credentials, enforcing access controls, and federating identity.
 ---
 
-## Overview
+ngrok includes a robust identity and access management (IAM) system that enables you to:
 
-ngrok includes a robust identity and access management (IAM) system. ngrok's
-IAM functionality enables you to:
-
-- Issue, rotate and revoke unique credentials for each principal in your account (either a human user or an automated process).
+- Issue, rotate and revoke unique credentials for each principal in your account (either a human user or an automated process)
 - Enforce least-privilege access for each principal acting within your ngrok account
 - Attribute all mutations to distinct principals in your ngrok account recorded in audit logs
 - Configure single sign-on (SSO) to federate identity and SCIM to enable provisioning from your own IdP
@@ -16,29 +14,57 @@ IAM functionality enables you to:
 
 ## Concepts
 
-Before diving into ngrok's IAM system, it's helpful to be acquainted with the
-terminology and concepts ngrok uses to describe its IAM primitives.
-
-- **Accounts**: ngrok Accounts are the containers in which you create and consume ngrok services.
-- [**Users**](/iam/users/): An Account contains one or more **Users**. Users are members of
-  the Account who can take actions within it, like creating objects, start agents
-  or making API requests. Users may be members of multiple accounts and are not owned by any single account.
-- [**Service Users**](/iam/service-users): Accounts also contain **Service Users** which are like Users but
-  meant to be used for automated processes. Other systems may call these 'Service
-  Accounts'.
-- [**Principals**](/obs/events/#principal-object): A principal is either a User or Service User. Principals are
-  members of an Account that may take actions inside of it.
-- [**Credentials**](/iam/users/#credentials): These are the keys and tokens that Principals use to
-  authenticate with the ngrok service. Types of Credential include Authtokens,
-  API Keys, and SSH Public Keys.
-- [**Authtokens**](/agent/#authtokens): Principals begin Agent sessions and create Endpoints by
-  authenticating with Authtoken.
-- [**API Keys**](/api/#authentication): Principals make API Requests by authenticating with an API Key.
-- [**SSH Public Keys**](/agent/ssh-reverse-tunnel-agent/#authentication): Principals create Endpoints via the SSH Reverse Tunnel
-  Agent with an SSH Public Key.
-- [**Invitations**](/iam/users/#invitations): Invitations are a mechanism to add a new User with a given
-  email address to an Account.
-- [**RBAC**](/iam/rbac/): Role Base Access Control is used to limit the permissions of what
-  actions a User may take within your account.
-- [**Account Domain Controls**](/iam/domain-controls/): Account Domain Controls are used to create
-  policy on Users who log in or sign up with a given email domain.
+Here are the core elements you should familiarize yourself with to make the most of ngrok's IAM system:
+
+<Columns cols={1}>
+	<Card title="Users" href="/iam/users/" horizontal>
+		Manage human users who can log into the dashboard, start agents, create endpoints, and access the API.
+	</Card>
+	<Card title="Service Users" href="/iam/service-users/" horizontal>
+		Create dedicated credentials for automated processes that interact with your ngrok account programmatically.
+	</Card>
+	<Card title="Role-based Access Control" href="/iam/rbac/" horizontal>
+		Enforce least-privilege access by restricting what actions each user can take within your account.
+	</Card>
+	<Card title="Single Sign-On" href="/iam/sso/" horizontal>
+		Federate identity with your IdP and enable SSO authentication for dashboard access.
+	</Card>
+	<Card title="Account Domain Controls" href="/iam/domain-controls/" horizontal>
+		Enforce organization-wide account usage by requiring users with your email domain to use your account.
+	</Card>
+</Columns>
+
+## Use cases
+
+Here are some of the most common use cases for ngrok's IAM system:
+
+<Columns cols={2}>
+	<Card
+		title="Use Service Users for automated processes"
+		icon="robot"
+		href="/guides/site-to-site-connectivity/"
+	>
+		Create Service Users for isolated agent management with authtokens and ACL restrictions.
+	</Card>
+	<Card
+		title="Enforce least-privilege access with RBAC"
+		icon="shield"
+		href="/guides/security-dev-productivity/"
+	>
+		Restrict developer permissions with RBAC and create user-specific authtokens with ACL rules.
+	</Card>
+	<Card
+		title="Secure SSH and RDP access"
+		icon="key"
+		href="/guides/ssh-rdp/"
+	>
+		Create Service Users and authtokens with ACL restrictions for secure remote access to edge gateways and servers.
+	</Card>
+	<Card
+		title="Secure remote device access"
+		icon="building"
+		href="/guides/device-gateway/agent/"
+	>
+		Create Service Users and authtokens with ACL restrictions for secure remote access to IoT devices and services.
+	</Card>
+</Columns>