By NHI Mgmt Group Editorial Team
Published 2025-09-16
Domain: Announcements
Source: Axiad

TL;DR: Axiad frames credential management, phishing-resistant authentication, and end-to-end credential lifecycle control as the core ICAM response to password failure; the announcement cites the SC Awards judging process (33 specialty categories) and the 10 billion compromised records in RockYou2024 as context. The practical issue is not the award but whether identity teams can govern credentials across humans and machines at scale.


At a glance

What this is: Axiad’s finalist announcement argues that modern identity security now depends on ICAM-grade credential management, phishing-resistant authentication, and lifecycle control across humans and machines.

Why it matters: It matters because IAM teams that still treat credentials as a point solution will struggle to manage issuance, renewal, revocation, and interoperability across increasingly mixed identity estates.

By the numbers:

  • 33 specialty categories in the SC Awards judging process in which Axiad Conductor was named a finalist.
  • 10 billion compromised records in RockYou2024, cited by the announcement as context for password failure.
👉 Read Axiad’s analysis of ICAM credential management and phishing-resistant authentication


Context

ICAM, or Identity, Credential, and Access Management, is the discipline of issuing, updating, and revoking strong credentials across heterogeneous environments. The article argues that traditional IAM centred on passwords is no longer enough, because authentication now has to work for both people and machines, with phishing-resistant credentials becoming the baseline rather than the exception.

That matters for IAM, PAM, and identity governance teams because credential lifecycle is now an operational control plane, not a back-office task. When an organisation cannot manage passkeys, certificates, and device-bound authenticators consistently, it loses control over authentication assurance, revocation speed, and cross-platform interoperability.


Key questions

Q: How should security teams roll out phishing-resistant authentication without breaking operations?

A: Start with the highest-risk user groups and the clearest recovery paths, then expand only after enrollment, device loss, reset, and help desk flows are proven. Strong authentication fails when the recovery path is weaker than the authenticator it restores, because attackers then target the help desk instead of the credential, so operational design must come before scale.

Q: Why do passwords create persistent identity risk even in mature IAM programmes?

A: Passwords remain exposed to reuse, phishing, guessing, and credential stuffing from large-scale leaks. Even mature IAM programmes struggle when knowledge factors are still the fallback for privileged or high-value access, because the attack surface sits in the secret itself, not only in authentication policy.

Q: What do organisations get wrong about passkey and certificate adoption?

A: They often focus on enrollment success and ignore governance depth. If rotation, recovery, device replacement, and revocation are not handled cleanly, the programme can look modern while still leaving identity assurance and supportability gaps in place.

Q: How do IAM, IGA, and PAM teams coordinate around credential lifecycle?

A: IAM should own issuance and authentication policy, IGA should govern eligibility and review, and PAM should control elevated access and recovery paths. The key is shared lifecycle visibility, because strong credentials lose value when each team manages a different part of the flow in isolation.


Technical breakdown

Why ICAM changes the credential control model

ICAM moves identity security from managing login methods to managing credential lifecycles. In practice, that means the system must handle issuance, renewal, update, and revocation for credentials such as FIDO2 passkeys and X.509 certificates across many platforms and devices. The core shift is from user-chosen secrets to centrally governed possession factors, which are harder to phish but more complex to administer. That complexity is why orchestration matters: if control planes cannot keep pace with population scale, strong authentication becomes fragmented rather than trustworthy.

Practical implication: treat credential lifecycle as a governed service, not a collection of one-off authenticator rollouts.

Phishing-resistant authentication and possession factors

Phishing-resistant authentication relies on credentials that are bound to a device or cryptographic key rather than a memorised secret. FIDO2 passkeys and hardware-backed authenticators remove the reusable secret entirely: the private key never leaves the authenticator, and each signed response is bound to the relying party's origin, so a lookalike site cannot collect anything it can replay against the real service. The article also points to certificate-based authentication as a strong option for enterprises that need more control and interoperability. The technical challenge is not whether these methods are stronger, but whether they can be deployed, reset, and recovered without breaking usability or supportability.

Practical implication: prioritise authentication methods that resist replay and phishing, then validate operational recovery paths before broad rollout.
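The origin binding described above is what a relying party actually checks when it verifies a WebAuthn assertion. The following Go program is an added illustration, not code from Axiad or from the original post. It simulates both sides with standard-library ECDSA: the authenticator signs authenticatorData || SHA-256(clientDataJSON), and the relying party rejects any assertion whose origin, RP ID hash, one-time challenge, or signature does not match. The RP ID example.com, the origins https://example.com and https://login-example.com, and the fact that the simulated authenticator takes origin as a parameter (a real browser fills it in and would never hand example.com's key to a different origin at all) are assumptions made for the demonstration. It goes one step beyond the paragraph by also showing the challenge check that defeats replay of a captured assertion.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors WebAuthn's CollectedClientData; the browser, not the page, fills in origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct {
	AuthData   []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientData []byte // clientData as JSON
	Signature  []byte // ECDSA P-256 over AuthData || SHA-256(ClientData)
}

// signedDigest is the WebAuthn signature input: authenticatorData || SHA-256(clientDataJSON).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// SignAssertion simulates the authenticator (assumption: origin is a parameter here only so
// the relying-party check can be exercised; a real browser derives rpID from the page origin,
// so a page at login-example.com is never handed example.com's key in the first place).
func SignAssertion(key *ecdsa.PrivateKey, rpID, origin, challenge string) (*Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	ad := append(rpHash[:], 0x01, 0, 0, 0, 0) // flags: user present; signCount left at 0
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(ad, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: ad, ClientData: cd, Signature: sig}, nil
}

// RelyingParty knows its RP ID, origin, the registered key and its outstanding one-time challenges.
type RelyingParty struct {
	ID, Origin string
	Pub        *ecdsa.PublicKey
	pending    map[string]bool
}

// NewChallenge mints a fresh random challenge and remembers it until it is consumed.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand; a failure here is not recoverable in a real RP either
	c := fmt.Sprintf("%x", b)
	rp.pending[c] = true
	return c
}

// Verify runs the checks that make the credential unphishable and unreplayable.
func (rp *RelyingParty) Verify(as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || !rp.pending[cd.Challenge] {
		return errors.New("wrong ceremony type, or unknown/already-used challenge (replay)")
	}
	delete(rp.pending, cd.Challenge) // one-time use, whatever happens next
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q (phishing page or reverse proxy)", cd.Origin, rp.Origin)
	}
	if want := sha256.Sum256([]byte(rp.ID)); len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch: credential is scoped to a different RP")
	}
	if !ecdsa.VerifyASN1(rp.Pub, signedDigest(as.AuthData, as.ClientData), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Scenario runs a legitimate login, a phishing-origin attempt and a replay; only the first verifies.
func Scenario() (legit, phish, replay error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rp := &RelyingParty{ID: "example.com", Origin: "https://example.com", Pub: &key.PublicKey, pending: map[string]bool{}}
	a1, _ := SignAssertion(key, "example.com", "https://example.com", rp.NewChallenge())
	legit = rp.Verify(a1)
	a2, _ := SignAssertion(key, "example.com", "https://login-example.com", rp.NewChallenge())
	phish = rp.Verify(a2)
	replay = rp.Verify(a1)
	return
}

func main() { fmt.Println(Scenario()) }
```

Running it prints nil for the legitimate assertion and an error for the other two. The design point for a rollout team is that none of these checks depend on the user noticing anything: the origin comes from the browser, the challenge is consumed server-side, and the private key stays on the device, which is why the operational risk moves to enrollment and recovery flows rather than to the login itself.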

Credential interoperability across IAM, IGA, and PAM systems

Credential management only works when it integrates with the wider identity stack. The article references interoperability with identity providers, hardware authenticators, IGA, and PAM tooling, which reflects a real architectural constraint: strong credentials are only useful if they can be provisioned and governed consistently across systems. Without that integration, organisations create pockets of strong authentication that still rely on manual exceptions, temporary passwords, or inconsistent enrollment flows. That leaves governance fragmented even when the underlying credential technology is modern.

Practical implication: map credential workflows across IAM, IGA, and PAM before expanding strong authentication into production.



NHI Mgmt Group analysis

Credential management has become the real control plane of modern identity security. The article correctly shifts the centre of gravity away from passwords and toward lifecycle-governed possession factors. That matters because issuing a stronger credential is not enough if renewal, recovery, and revocation remain inconsistent across platforms. Practitioners should read this as a governance problem disguised as an authentication upgrade.

Password-centric IAM assumptions are now structurally weak. The article’s own framing around RockYou2024 shows why knowledge factors no longer provide durable assurance. Once password reuse and credential exposure become industrialised, identity programmes need controls that reduce the value of stolen secrets rather than merely hardening the login screen. The implication is that authentication strategy now has to be built around cryptographic possession, not shared knowledge.

Interoperability is the hidden failure mode in strong-authentication programmes. Many teams can pilot passkeys or certificates, but fewer can operationalise them across Microsoft Entra ID, Okta, PAM, IGA, and diverse device estates without breaking support workflows. That gap is where strong authentication becomes a local success and an enterprise failure. Practitioners should judge rollout readiness by integration depth, not by pilot completion.

ICAM maturity is now the benchmark for governing human and machine credentials together. The article’s emphasis on thousands of credentials across heterogeneous platforms reflects the broader reality that credential sprawl is no longer just a machine identity problem. Human authentication, device credentials, and workload access increasingly share the same control dependencies. Identity leaders need one lifecycle model that can govern all three without creating exceptions for the hardest cases.

From our research:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • For a deeper view of how privilege, rotation, and offboarding interact across machine identities, see Ultimate Guide to NHIs.

What this signals

Strong authentication programmes now succeed or fail on lifecycle governance, not on the brand name of the credential technology. For teams extending passkeys and certificate-based authentication, the question is whether recovery, revocation, and support workflows are as mature as enrollment.

Credential lifecycle debt: this is the gap between deploying stronger authentication and operating it cleanly at scale. The organisations that close it will treat credential governance as shared infrastructure across IAM, PAM, and IGA rather than as a point deployment.

That shift also matters for machine identities, because the same programme discipline that governs user credentials will increasingly be expected to govern service accounts and workload access. Teams that align to NIST Cybersecurity Framework 2.0 will be better positioned to connect identity assurance to response and recovery.


For practitioners

  • Inventory every credential class in use: Map passwords, passkeys, certificates, temporary passwords, and device-bound authenticators to the systems and teams that own them. You cannot govern what you cannot classify, and mixed estates usually hide the weakest recovery and revocation paths.
  • Design for renewal and revocation before broad deployment: Build the update, reset, and revocation workflow first, then scale issuance. Strong authentication fails operationally when users can enroll quickly but cannot recover cleanly after device loss, role change, or credential compromise.
  • Test interoperability across your identity stack: Validate how credentials behave across the IdP, PAM, IGA, and endpoint layers, including service desk recovery and device enrollment. A pilot that works in isolation may still fail when it meets real governance and support processes.
  • Use strong authentication to reduce password dependency: Prioritise phishing-resistant credentials where the business can support them, then phase out long-term reliance on memorised secrets for high-risk access. The objective is not novelty, but lower exposure to replay, reuse, and social engineering.

Key takeaways

  • The article’s central point is that modern identity security depends on governed credential lifecycles, not passwords alone.
  • The scale problem is real: the post cites 10 billion compromised records in RockYou2024, and the SC Awards field it was judged in spans 33 specialty categories.
  • Practitioners should evaluate strong authentication by recovery, revocation, and interoperability before they treat deployment as complete.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) describe the assurance, governance and architecture expectations practitioners need to meet.

Framework | Control / Reference | Relevance
NIST SP 800-63 | SP 800-63B (authenticator assurance levels, authenticator lifecycle and account recovery) | Credential assurance and authentication recovery are central to the article's ICAM framing.
NIST CSF 2.0 | PR.AA-01 (identities and credentials are managed by the organization) | Authentication strength and credential governance map directly to access control outcomes.
NIST Zero Trust Architecture (SP 800-207) | Tenets of zero trust (Section 2.1): authentication and authorization are dynamic and strictly enforced before access | Phishing-resistant authentication supports continuous verification in zero trust.

Use NIST SP 800-63B to set authenticator assurance levels and account recovery rules for strong authentication methods.


Key terms

  • ICAM: Identity, Credential, and Access Management is the discipline of governing how credentials are issued, updated, used, and revoked. It focuses on the lifecycle of authenticators and the systems that manage them across users, devices, and platforms, rather than only on login policy or directory records.
  • Phishing-resistant authentication: Phishing-resistant authentication uses cryptographic possession factors such as passkeys or hardware-backed certificates instead of reusable secrets that can be copied or replayed. It reduces credential theft risk, but only works well when recovery, revocation, and enrollment are operationally controlled.
  • Credential lifecycle: Credential lifecycle is the full path from issuance through update, renewal, recovery, and revocation. In mature identity programmes, lifecycle is a governed process, not an afterthought, because weak handoff points are often where strong authentication fails in practice.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.

This post draws on content published by Axiad: Axiad Conductor named a finalist in the SC Awards. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org