By NHI Mgmt Group Editorial Team
Published 2025-09-16
Domain: Governance & Risk
Source: Axiad

TL;DR: A tighter focus on identity lifecycle management, infrastructure simplification, and measured growth highlights how enterprise identity complexity is pushing companies toward comprehensive credential management, according to Axiad’s interview with new CFO Brian Szeto. The signal for practitioners is that identity programmes are being judged less by feature breadth and more by governance clarity, operational control, and the ability to reduce sprawl.


At a glance

What this is: Axiad’s CFO interview centers on identity lifecycle management, infrastructure simplification, and the company’s view that credential management still has an unresolved market gap.

Why it matters: It matters because IAM teams are being pushed to prove they can govern users, machines, assets, and interactions with less complexity and better lifecycle control.

👉 Read Axiad's interview with new CFO Brian Szeto on identity lifecycle strategy


Context

Identity lifecycle management is the discipline of provisioning, reviewing, rotating, and offboarding access across human users, service accounts, workloads, and other non-human identities. In this interview, Axiad frames that discipline as a market gap because credential sprawl and infrastructure complexity still leave enterprises with poor control over who or what can authenticate and act.

The practical issue for IAM leaders is not whether identities are multiplying, but whether governance keeps pace with that growth. When a vendor positions simplification as a strategy, it is usually a sign that organisations are struggling to connect lifecycle processes, risk management, and operational ownership across mixed identity estates.


Key questions

Q: How should teams govern identity lifecycle across humans and machines?

A: Treat lifecycle governance as a shared discipline, but apply it differently by actor type. Humans need joiner-mover-leaver controls and access reviews, while machines need ownership, credential rotation, and offboarding tied to business services. The critical step is to maintain one inventory of identities and one revocation model so access does not survive the role or system it was created for.

Q: Why does credential sprawl make identity risk harder to control?

A: Credential sprawl makes risk harder to control because ownership, expiry, and usage context become distributed across too many systems. When secrets and tokens exist in multiple places, security teams lose confidence that revocation happened everywhere it should have. That turns routine lifecycle work into a blind spot that attackers and internal failures can both exploit.

Q: What is the difference between identity lifecycle management and secrets rotation?

A: Secrets rotation is one control inside lifecycle management, but lifecycle management is broader. It includes who owns the identity, when access should end, how revocation is verified, and whether the credential is still tied to a live business need. Rotation without ownership and offboarding still leaves stale access risk behind.

Q: How can IAM teams tell if their identity programme is actually simplifying risk?

A: Look for fewer duplicate identity stores, fewer manual exceptions, and faster revocation when roles, vendors, or projects change. If teams still need to search across multiple systems to answer who can act, the programme is adding administration without reducing exposure. Simplification should shorten the path from business change to access removal.


Technical breakdown

Identity lifecycle management for users, machines, and assets

Identity lifecycle management covers the full path from provisioning to revocation, but the mechanics differ by actor type. Humans are joined through onboarding and access review, while machines and assets rely on service account creation, credential issuance, rotation, and offboarding. In practice, the hard part is not creating identities but keeping inventory, ownership, and expiry aligned as systems change. When lifecycle tooling is fragmented, identities outlive their business purpose and privilege becomes harder to explain or remove.

Practical implication: map every identity class to a lifecycle owner and a revocation event, not just to an authentication method.

Why credential management becomes a governance problem

Credential management is often treated as a technical hygiene task, but it becomes a governance issue when secrets, certificates, and keys are issued faster than they are reviewed. The failure mode is simple: access is created in one system, consumed in another, and forgotten by the time the business context changes. That is why comprehensive credential management matters across users, machines, assets, and interactions. Without an authoritative lifecycle view, security teams cannot confidently answer who can still act, where, or for how long.

Practical implication: tie secret and certificate ownership to the same review and offboarding process used for other privileged access.

Infrastructure simplification as an identity control objective

Infrastructure simplification is not just a finance or architecture goal. In identity programmes, complexity increases blind spots, duplicates policy logic, and makes it harder to enforce consistent controls across cloud, SaaS, and internal platforms. The more systems that hold identity state, the more likely it is that entitlement drift and stale credentials persist. Simplification therefore improves both governance and assurance because fewer exceptions need to be tracked and fewer handoffs can fail.

Practical implication: remove duplicate identity control paths before adding new governance layers on top of them.


Threat narrative

Attacker objective: turn unmanaged or stale identity state into durable access that can be reused without detection.

  1. Entry begins when a new or dormant credential is created without a clear lifecycle owner, allowing access to persist beyond the original business need.
  2. Escalation occurs when that credential is reused across systems, giving the actor broader reach than the original provisioning intent implied.
  3. Impact follows when stale or over-privileged access is used to move laterally, access sensitive data, or make unauthorised system changes.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity lifecycle has become the control plane for modern IAM. Axiad’s comments reinforce a broader market reality: identity programmes are no longer judged only on authentication strength, but on whether lifecycle state is accurate across users, machines, and assets. That matters because an identity that cannot be confidently retired, rotated, or reassigned is already a governance failure. Practitioners should treat lifecycle integrity as the real measure of programme maturity.

Comprehensive credential management is now a governance requirement, not a feature category. When credentials span human users, workloads, service accounts, and interacting systems, the security question shifts from how to issue access to how to prove it no longer exists when business context changes. This is where identity, PAM, and secrets management converge. The implication is that teams need one ownership model for creation, review, and revocation across all identity classes.

Infrastructure simplification is a security control because complexity creates identity drift. The more tools, repositories, and exception paths a programme accumulates, the more likely it is that stale credentials, duplicate privileges, and orphaned identities survive. Axiad’s emphasis on simplifying existing infrastructure reflects a truth many teams miss: adding controls on top of sprawl does not fix sprawl. Practitioners should reduce control fragmentation before expecting better governance outcomes.

Lifecycle visibility is the named concept this market keeps circling. The common failure is not the absence of a policy, but the absence of a durable record tying each identity to an owner, an expiry, and a revocation path. That failure affects human accounts, service accounts, and emerging machine identities in the same way. Practitioners need to ask whether their programme can prove who owns access after the original requester has moved on.

Measured growth in the identity market usually signals pressure to prove operational value. Finance leaders are asking whether identity investments reduce risk, simplify operations, and support sustainable execution. That changes procurement conversations because buyers must now justify tools that add another control layer unless those tools remove actual lifecycle friction. The practical conclusion is to buy for governance outcomes, not for feature accumulation.

What this signals

Lifecycle visibility will become a harder procurement test. As buyers ask whether identity tools reduce operational drag rather than add another layer, programmes will need evidence that they can map ownership, expiry, and revocation across every identity class. The teams that can do that will be able to justify consolidation instead of accumulating more exceptions.

Credential governance is moving closer to board-level risk language. When secrets, certificates, and service accounts are unmanaged, the issue is no longer technical hygiene but durability of access after business change. That is where frameworks like the NIST Cybersecurity Framework 2.0 and the Ultimate Guide to NHIs become operational, not theoretical.

Identity simplification should now be treated as a security outcome. If a programme cannot reduce duplicate stores or shorten the revocation path, it is unlikely to control sprawl at scale. The practical signal is whether lifecycle change can be translated into access change without manual hunting across systems.


For practitioners

  • Inventory identity classes by lifecycle owner: Create a single inventory that separates human users, service accounts, workloads, and other machine identities, then assign an owner for provisioning, review, rotation, and offboarding for each class.
  • Unify credential revocation workflows: Make secret, token, and certificate revocation part of the same offboarding process used for access removal so that no credential type can outlive the business relationship that justified it.
  • Reduce duplicate identity control paths: Identify overlapping identity stores, manual exception flows, and parallel approval paths, then remove the ones that prevent a single answer to who owns access and where it is still valid.
  • Measure stale access as a governance signal: Track how many credentials remain valid after role change, project end, or vendor offboarding, and use that lag as a board-level indicator of lifecycle control health.
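The four steps above, the "one inventory and one revocation model" answer under Key questions, and the practical implications in the Technical breakdown all describe the same small data model: every identity class in one inventory, each identity tied to an owner and to the business event that must end its access, one revocation path for all classes, and stale-access lag as the metric. The following Python is an added example written for this page; it is not Axiad's product logic or NHI Mgmt Group tooling. All identity names, stores, credential ids, dates and log rows are constructed, and the convention of matching a business event string such as "leaver:alice" against each identity's revoke_on field is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Identity:
    """One row of the unified inventory: every identity class gets the same fields."""
    name: str
    cls: str                 # "human", "service_account" or "workload"
    owner: str               # person or team accountable for review and offboarding
    store: str               # system that holds this identity's state (constructed names)
    revoke_on: str           # business event that must end access, e.g. "leaver:alice" (assumed convention)
    expires: date            # hard expiry, independent of the business event
    credentials: tuple       # credential ids issued to this identity
    revoked_on: Optional[date] = None

    def is_valid(self, today: date) -> bool:
        return self.revoked_on is None and today <= self.expires


# Constructed sample inventory: humans, a service account and a workload side by side.
INVENTORY = [
    Identity("alice", "human", "hr", "idp", "leaver:alice", date(2026, 12, 31), ("alice-pw",)),
    Identity("svc-billing", "service_account", "team-payments", "vault",
             "project_end:billing-v1", date(2026, 6, 30), ("svc-billing-key-1", "svc-billing-key-2")),
    Identity("ci-runner-7", "workload", "team-platform", "cloud-iam",
             "vendor_offboard:buildco", date(2025, 12, 31), ("ci-runner-7-token",)),
    Identity("bob", "human", "hr", "idp", "leaver:bob", date(2026, 12, 31), ("bob-pw",)),
]

# Constructed business-change events: (event, date it happened).
EVENTS = [
    ("leaver:alice", date(2025, 9, 1)),
    ("project_end:billing-v1", date(2025, 8, 15)),
]

# Constructed authentication log rows: (date of use, credential id).
AUTH_LOG = [
    (date(2025, 9, 3), "alice-pw"),
    (date(2025, 8, 10), "svc-billing-key-1"),
    (date(2025, 9, 5), "svc-billing-key-2"),
    (date(2025, 9, 5), "orphan-token"),
]


def revoke(inventory, event, on):
    """Single revocation path: the same event handling applies to every identity class."""
    revoked = []
    for ident in inventory:
        if ident.revoke_on == event and ident.revoked_on is None:
            ident.revoked_on = on
            revoked.append(ident.name)
    return revoked


def stale_access(inventory, events, today):
    """Identities still valid although their revocation event has already happened.
    Returns {name: lag_days}; the lag is the governance signal the article recommends tracking."""
    fired = dict(events)
    return {
        i.name: (today - fired[i.revoke_on]).days
        for i in inventory
        if i.revoke_on in fired and i.is_valid(today)
    }


def flag_use_after_business_end(inventory, events, auth_log):
    """Detection: a credential used after its identity's revocation event fired,
    or a credential that is not in the inventory at all (no owner, no lifecycle)."""
    fired = dict(events)
    by_cred = {cred: i for i in inventory for cred in i.credentials}
    hits = []
    for when, cred in auth_log:
        ident = by_cred.get(cred)
        if ident is None:
            hits.append((when, cred, "unknown credential: not in inventory"))
            continue
        ended = fired.get(ident.revoke_on)
        if ended is not None and when > ended:
            hits.append((when, cred, f"used {(when - ended).days}d after {ident.revoke_on}"))
    return hits


def stores_by_class(inventory):
    """Simplification signal: how many distinct stores hold state for each identity class."""
    out = {}
    for i in inventory:
        out.setdefault(i.cls, set()).add(i.store)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    today = date(2025, 9, 16)
    print("stale access (name -> days past revocation event):", stale_access(INVENTORY, EVENTS, today))
    print("flagged credential use:", flag_use_after_business_end(INVENTORY, EVENTS, AUTH_LOG))
    print("identity stores per class:", stores_by_class(INVENTORY))
    print("revoked by leaver event:", revoke(INVENTORY, "leaver:alice", today))
    print("stale access after revocation:", stale_access(INVENTORY, EVENTS, today))
```

Run as a script it reports two identities whose business end has passed but whose access is still valid (alice 15 days, svc-billing 32 days), flags the two credentials used after those events plus one credential that no inventory row owns, and shows that each class currently lives in a single store. Applying the leaver event through the shared revoke path removes alice from the stale list; the service account stays on it until its own project-end event is applied, which is exactly the lag the "Measure stale access" step asks teams to track.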

Key takeaways

  • The article signals that identity lifecycle management is now central to how security teams prove control over users, machines, and assets.
  • The underlying risk is not abstract complexity but durable credentials and excessive privilege that survive normal business change.
  • Practitioners should measure whether revocation, ownership, and simplification are real outcomes, because those are the controls that reduce identity drift.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Credential rotation and revocation are central to this identity lifecycle discussion.
NIST CSF 2.0 | PR.AC-1 | Identity lifecycle state depends on managing access and credentials throughout their useful life.
NIST Zero Trust (SP 800-207) | | The post centres on reducing standing trust and simplifying identity state for continuous verification.

Tie access provisioning and revocation to asset and role changes so stale credentials do not persist.


Key terms

  • Identity lifecycle management: The process of creating, maintaining, reviewing, and removing identities as business needs change. In security practice, it covers provisioning, access review, rotation, and offboarding across humans and non-human identities so access does not outlive the reason it was granted.
  • Credential management: The discipline of controlling secrets, tokens, certificates, and keys across their full life. It is not just storage or rotation. It includes ownership, expiry, revocation, and proof that a credential is no longer valid when the related identity or workload changes.
  • Standing privilege: Persistent access that remains available without a fresh, task-scoped justification. For non-human identities, standing privilege increases blast radius because credentials can be reused long after the original business context has ended or the system owner has changed.
  • Lifecycle visibility: The ability to see which identity exists, who owns it, what it can access, and when it should be removed. Without lifecycle visibility, teams cannot reliably detect orphaned accounts, stale credentials, or privileges that have outlived their business purpose.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Axiad: Q&A With Axiad’s New CFO, Brian Szeto. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org