An IAM role is an identity an AWS resource (EC2 instance, Lambda function, ECS task) assumes to gain a defined set of permissions, instead of carrying long-lived access keys. Equivalent constructs exist on every cloud: GCP service accounts, Azure managed identities, OCI dynamic groups.
The disciplined pattern is: every workload runs under its own role; each role holds only the permissions its job requires (least privilege); cross-account access goes through role assumption governed by a trust policy; and human users get short-lived credentials through AWS SSO / IAM Identity Center rather than standing access keys.
The common failure modes are (a) several workloads sharing one role whose permissions have expanded over time, (b) long-lived access keys checked into Git, and (c) roles whose policies use the wildcard * for Action or Resource. A quarterly IAM Access Analyzer review plus automatic key rotation is the operational baseline.
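As an added illustration of the pattern above and of failure mode (c), the following Python is example code written for this note, not taken from AWS or any real account. It embeds a constructed trust policy and permission policy for one workload role, a small linter that flags wildcard Action or Resource entries (generalised slightly to also flag service-wide patterns such as s3:* and an open Principal in a trust policy), and a check that picks out active access keys past a rotation age. The account ID, bucket name and access key IDs are placeholders; the key records are shaped like the AccessKeyMetadata entries boto3's iam.list_access_keys returns, but are constructed here so the script runs offline.

```python
"""Lint IAM policy documents for wildcard grants and flag stale access keys.
Added example; all policies and key records below are constructed sample data."""
from datetime import datetime, timedelta, timezone

# Constructed example of the disciplined pattern for one workload role.
# Trust policy: only the named account (placeholder id) may assume the role.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
}
# Permission policy: two actions on one bucket prefix (placeholder bucket), nothing else.
GOOD_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-app-data/uploads/*",
    }],
}
# Constructed example of failure mode (c): wildcard Action and Resource.
BAD_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows Action/Resource/Principal fields to be a string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(doc):
    """Return findings for Allow statements with a wildcard Action, a wildcard
    Resource, or an open Principal (the latter matters for trust policies)."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a '*' inside a Deny statement is not an over-grant
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard Action {action!r}")
        for res in _as_list(stmt.get("Resource")):
            if res == "*":
                findings.append(f"statement {i}: wildcard Resource '*'")
        principal = stmt.get("Principal")
        if principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))
        ):
            findings.append(f"statement {i}: open Principal '*'")
    return findings


# Constructed records in the shape of boto3 iam.list_access_keys() AccessKeyMetadata;
# the key ids are placeholders, not real credentials.
SAMPLE_KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": datetime(2024, 1, 10, tzinfo=timezone.utc)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Active", "CreateDate": datetime(2024, 6, 1, tzinfo=timezone.utc)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000003",
     "Status": "Inactive", "CreateDate": datetime(2023, 1, 1, tzinfo=timezone.utc)},
]


def stale_keys(keys, now, max_age_days=90):
    """Active keys older than max_age_days: candidates for forced rotation."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in keys
            if k["Status"] == "Active" and k["CreateDate"] < cutoff]


if __name__ == "__main__":
    for name, doc in [("trust", GOOD_TRUST_POLICY), ("good", GOOD_PERMISSIONS),
                      ("bad", BAD_PERMISSIONS)]:
        print(name, lint_policy(doc) or "clean")
    print("stale:", stale_keys(SAMPLE_KEYS, datetime(2024, 7, 1, tzinfo=timezone.utc)))
```

In a real review the linter would be fed the documents returned by the IAM API for each role, and the stale-key check the output of list_access_keys for each user; the logic stays the same. Deny statements are skipped deliberately, since a wildcard in a Deny narrows rather than widens access.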