TL;DR: IAM is shifting toward ICAM, passwordless credentials, and end-to-end credential lifecycle control across human and machine identities, according to Axiad. Axiad says Conductor was named a finalist in SC Media’s 28th SC Awards in the Best Authentication Technology category, and uses the announcement to argue that the practical lesson is that authentication programmes now rise or fall on credential governance, not password hardening alone.
At a glance
What this is: Axiad’s finalist announcement argues that enterprise authentication is moving from password-centric IAM toward ICAM, where credential issuance, update, and revocation become the control plane.
Why it matters: That shift matters because IAM, PAM, and NHI teams now have to govern strong credentials consistently across humans and machines, not just improve login experience.
Context
Identity and access management is no longer just about proving a user knows a secret. In environments that depend on phishing-resistant authentication, the governance problem moves to how credentials are issued, updated, distributed, and revoked across many systems.
The article positions credential management as the bridge between IAM and ICAM. That matters to NHI, autonomous, and human identity programmes because the same lifecycle failures show up in service accounts, device-bound credentials, passkeys, and other possession factors when control is fragmented.
Key questions
Q: How should security teams govern passwordless authentication at scale?
A: They should govern passwordless as a lifecycle problem, not only an authentication upgrade. That means controlling enrolment, recovery, device replacement, renewal, and revocation with the same discipline used for privileged access. If those flows are weak, attackers often target the recovery path instead of the primary login path.
Q: Why does ICAM matter more than traditional IAM for modern enterprises?
A: ICAM matters because identity risk now sits in the credential lifecycle, not just in the sign-in event. Traditional IAM can authenticate a user while still leaving poor control over issuance, updates, resets, and revocation. Strong credentials only reduce risk when the whole lifecycle is governed.
Q: How do organisations know if credential management is actually working?
A: They should look for complete ownership of issuance, recovery, and revocation, plus low exception volume across identity systems. If teams still rely on manual resets, inconsistent device replacement steps, or disconnected policy enforcement, the programme is not controlling credentials consistently.
Q: What is the difference between passwordless authentication and credential governance?
A: Passwordless authentication is the method of proving identity without passwords. Credential governance is the operational control over how those credentials are created, updated, recovered, and retired. Organisations need both, because a strong authentication method can still be undermined by weak lifecycle management.
Technical breakdown
ICAM credential lifecycle management
ICAM treats credentials as managed assets with a full lifecycle, not as static login artifacts. That includes issuance, binding, renewal, recovery, update, and revocation across multiple devices and platforms. In practice, this becomes a coordination layer for authenticators such as FIDO2 passkeys and X.509 certificates, where trust depends on reliable distribution and consistent policy enforcement. The architectural challenge is scale: credentials must remain usable while the organisation preserves central control and auditability. When lifecycle orchestration fails, authentication strength does not translate into governance strength.
Practical implication: Practitioners should map credential lifecycle ownership before expanding passwordless or certificate-based authentication.
Passwordless authentication and possession factors
Passwordless authentication shifts security away from knowledge factors and toward possession factors such as hardware-backed authenticators and device-bound credentials. The security gain is reduced phishing exposure, but the governance burden increases because teams must manage enrolment, replacement, reset, and recovery without falling back to weak temporary access patterns. This is especially relevant where users move between devices or where organisations support mixed environments across Windows, macOS, Linux, mobile, and cloud identity providers. Strong authentication only works when the recovery path is as controlled as the primary path.
Practical implication: Security teams should review recovery and reset flows before broad passwordless rollout.
Interoperability across identity and access stacks
Credential management becomes harder when it must work across IDPs, IGA, PAM, operating systems, and multiple authenticator vendors. Interoperability is not just an integration convenience. It determines whether policy can be enforced consistently when credentials are updated, rotated, or replaced at scale. Without that consistency, organisations end up with disconnected exceptions, manual resets, and weak control over who can reissue or recover credentials. For identity programmes, the key issue is whether the management layer can preserve policy intent across heterogeneous environments rather than creating new islands of control.
Practical implication: Teams should test whether credential policy survives across every identity system that can issue or recover access.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- iOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials, endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Credential management is becoming the real control plane for modern authentication. The article is less about an awards finalist and more about the architectural shift from password handling to credential lifecycle governance. That shift matters because issuance, renewal, recovery, and revocation now carry the same risk weight once reserved for authentication alone. Practitioners should treat credential management as core identity infrastructure, not an add-on.
ICAM exposes the limits of IAM programmes that stop at sign-in. When strong credentials span humans, devices, and machine access paths, the programme must govern enrolment and offboarding as tightly as it governs login. Lifecycle gaps become security gaps because unmanaged credentials can outlive the conditions they were issued for. The implication is that IAM maturity now depends on operational control over credentials, not just on stronger authentication factors.
Passwordless adoption does not remove identity risk; it relocates it. Phishing-resistant authentication reduces one class of compromise, but it raises the importance of reset, recovery, and device change workflows. If those flows are weak, the attack surface moves from password theft to recovery abuse and credential misbinding. Practitioners should evaluate passwordless by its recovery governance, not by its marketing story.
Interoperability is an identity governance problem, not just an integration task. Credential policy loses value when it cannot be enforced consistently across heterogeneous platforms and identity stacks. That is why ICAM programmes need governance for the systems that issue and recover credentials, not only for the users who hold them. The practical conclusion is simple: treat cross-platform credential orchestration as part of the control framework.
Named concept: credential lifecycle control plane. This article illustrates the idea that modern authentication succeeds or fails based on a unified layer for issuance, update, recovery, and revocation. Once credentials span multiple authenticator types and identity systems, fragmented lifecycle ownership becomes the main source of risk. Practitioners should think in terms of one governed control plane rather than isolated login technologies.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to NHI Mgmt Group research.
- The 52 NHI Breaches Analysis shows how privilege and lifecycle failures turn credential issues into repeatable breach patterns.
What this signals
Credential lifecycle control will become a board-level question as passwordless adoption grows. Identity teams will be judged less on whether they removed passwords and more on whether they can explain who owns recovery, revocation, and re-enrolment across every credential type. The programme signal to watch is whether those actions are measurable end to end, not just documented in policy.
Credential lifecycle control plane: organisations will need a single governance model for issuing, updating, recovering, and retiring credentials across human, machine, and device identities. That model should connect IGA, PAM, and authentication operations rather than leaving each team to manage a separate slice of the problem.
With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, per the Ultimate Guide to NHIs, the same lifecycle discipline that protects human authentication now has to extend to machine-held credentials and embedded secrets.
For practitioners
- Map credential lifecycle ownership: Document who owns issuance, renewal, recovery, and revocation for each credential type across human and machine use cases. Assign explicit responsibility for every recovery path and every offboarding path so exceptions do not accumulate in shadow processes.
- Test passwordless recovery flows: Review how users replace lost devices, reset credentials, and rebind authenticators without bypassing policy. Make sure temporary access does not become a standing workaround and that recovery requires the same level of assurance as initial enrolment.
- Validate interoperability before scaling: Run policy enforcement checks across identity providers, PAM, IGA, OS platforms, and authenticators. Confirm that credential updates and revocations propagate consistently rather than leaving orphaned access in one of the connected systems.
- Treat machine credentials as governed identities: Apply the same lifecycle discipline to certificates, tokens, and other machine-held credentials that you would use for human credentials. Review how these assets are issued and retired so they do not persist beyond their intended operational window.
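The four steps above turned into a repeatable audit, as an added example that is not Axiad's or NHIMG's code: it flags lifecycle steps with no owner, revocations that never reached a connected system (orphaned access), and machine credentials still active past their window. The owner map, credential register, system names and field layout are constructed assumptions, not any product's data model.

```python
"""Credential lifecycle audit: added example, not Axiad's or NHIMG's code.
Checks, on constructed data, that every lifecycle step has an owner, that
revocations reach every connected system, and that credentials are retired."""
from datetime import datetime

LIFECYCLE_STEPS = ("issuance", "renewal", "recovery", "revocation")
# Constructed: accountable owner per lifecycle step and credential type.
OWNERS = {
    "passkey": {"issuance": "iam-ops", "renewal": "iam-ops", "recovery": "helpdesk", "revocation": "iam-ops"},
    "x509-device": {"issuance": "pki", "renewal": "pki", "revocation": "pki"},  # nobody owns recovery
    "service-token": {"issuance": "platform", "revocation": "platform"},  # nobody owns renewal/recovery
}
# Constructed: the authoritative credential register.
REGISTER = [
    {"id": "cred-001", "type": "passkey", "status": "active", "expires": "2026-01-01T00:00:00Z"},
    {"id": "cred-002", "type": "x509-device", "status": "revoked", "expires": "2026-06-01T00:00:00Z"},
    {"id": "cred-003", "type": "service-token", "status": "active", "expires": "2025-03-01T00:00:00Z"},
]
# Constructed: what each connected system currently believes about each credential.
SYSTEM_STATE = {
    "idp": {"cred-001": "active", "cred-002": "revoked", "cred-003": "active"},
    "pam": {"cred-001": "active", "cred-002": "active"},  # revocation never propagated here
    "mdm": {"cred-002": "revoked"},
}

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))  # ISO-8601 UTC with trailing Z

def missing_owners(owners):
    """Lifecycle steps with no accountable owner: these become shadow processes."""
    return [(ctype, step) for ctype, steps in owners.items()
            for step in LIFECYCLE_STEPS if not steps.get(step)]

def orphaned_access(register, system_state):
    """Credentials revoked in the register but still active in a connected system."""
    revoked = {c["id"] for c in register if c["status"] == "revoked"}
    return sorted((name, cid) for name, state in system_state.items()
                  for cid, st in state.items() if cid in revoked and st == "active")

def expired_but_active(register, now_iso):
    """Active credentials whose operational window ended before now_iso."""
    now = _parse(now_iso)
    return sorted(c["id"] for c in register
                  if c["status"] == "active" and _parse(c["expires"]) < now)

def audit(now_iso):
    return {"missing_owners": missing_owners(OWNERS),
            "orphaned_access": orphaned_access(REGISTER, SYSTEM_STATE),
            "expired_but_active": expired_but_active(REGISTER, now_iso)}
```

Run `audit("2025-09-16T00:00:00Z")` to see all three finding categories; in a real programme the register and per-system state would be pulled from the IdP, PAM and device-management exports rather than embedded.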
Key takeaways
- The article shows that authentication maturity is shifting toward lifecycle governance, not just stronger login factors.
- Credential issuance, recovery, update, and revocation are now the controls that determine whether passwordless and certificate-based models stay secure.
- Teams that cannot govern credentials consistently across identity stacks will struggle to scale ICAM safely.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential lifecycle control is central to preventing stale or unmanaged non-human identities. |
| NIST CSF 2.0 | PR.AC-4 | Access and credential governance map directly to identity and privilege management outcomes. |
| NIST Zero Trust (SP 800-207) | PR.AC | Phishing-resistant authentication supports Zero Trust when credentials are managed continuously. |
Track issuance, renewal, and revocation for every credential and remove exceptions that bypass lifecycle control.
Key terms
- ICAM: Identity Credential and Access Management extends traditional IAM by treating credentials as governed assets across their full lifecycle. It covers issuance, binding, renewal, recovery, and revocation, which becomes essential when organisations use passkeys, certificates, and other possession factors at scale.
- Credential lifecycle: Credential lifecycle is the end-to-end management of a credential from creation through replacement and retirement. In practice, it includes issuance, update, recovery, and revocation, plus the controls that ensure each step is owned, auditable, and consistent across identity systems.
- Passwordless authentication: Passwordless authentication proves identity without relying on a memorised secret. It usually depends on possession factors such as hardware-backed authenticators or device-bound credentials, which reduces phishing exposure but increases the importance of secure enrolment and recovery processes.
- Possession factor: A possession factor is something the user or system physically or cryptographically holds, such as a hardware key, passkey, or certificate. These factors can strengthen authentication, but they also create governance obligations for enrolment, replacement, and revocation when the item changes hands or devices.
Deepen your knowledge
Credential lifecycle governance and passwordless authentication are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a governed authentication model across humans and machines, it is worth exploring.
This post draws on content published by Axiad: Axiad Conductor named a finalist in the SC Awards. Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org