By NHI Mgmt Group Editorial TeamPublished 2026-06-17Domain: AnnouncementsSource: Bitwarden

TL;DR: Password, secrets, and passkey governance are converging into one identity control plane that IAM and security teams can no longer treat separately, according to Bitwarden. Bitwarden says it has surpassed 15 million users and 80,000 businesses globally while expanding into secrets management, passkeys, and AI-driven workflows, and it is increasing R&D investment by 50% as it adds a new CTO.


At a glance

What this is: Bitwarden is expanding its leadership and product investment while positioning password, secrets, passkeys, and AI-driven workflows as one connected identity security problem.

Why it matters: That matters because IAM teams increasingly have to govern human authentication, NHI secrets, and emerging AI-assisted workflows with the same lifecycle and trust assumptions.

By the numbers:

👉 Read Bitwarden's leadership update on identity security and product expansion


Context

Bitwarden's leadership change is a signal about where identity security is heading, not just a staffing update. The article ties passwords, passkeys, secrets management, and AI-driven workflows into one operational problem: how trust, access, and governance hold up as the identity surface expands across people and machines.

For IAM and security leaders, the important shift is that credential management is no longer a single-product conversation. Passwords, passkeys, secrets, and workflow identities all sit on the same governance path, which means lifecycle controls, access review, and secure-by-default design have to work across human identity and non-human identity programmes.


Key questions

Q: How should organisations govern passwords, passkeys, and secrets together?

A: They should manage them as one identity trust chain, not as separate security projects. That means common ownership, shared lifecycle rules, and unified exception handling for enrolment, recovery, rotation, and revocation. The goal is to keep the same identity policy consistent whether the credential is a password, a passkey, or a runtime secret.

Q: When does passkey adoption create new governance risk?

A: Risk increases when organisations treat passkeys as a pure authentication upgrade and ignore recovery, device loss, and enrolment governance. If the fallback path is weaker than the primary path, attackers will target the exception process instead of the authenticator itself. Strong adoption depends on managing the full identity lifecycle, not just sign-in.

Q: Why do secrets management and IAM need to be aligned?

A: Because a secret is a form of delegated identity, not just a stored value. If IAM approves access but secrets governance does not track ownership, purpose, and expiry, the organisation can lose control of who can use the credential after the original access decision has changed. Alignment closes that gap.

Q: How can security teams govern AI-driven workflows without losing accountability?

A: They should define the workflow as a controlled access path with named identities, approved tools, and auditable completion conditions. That lets teams trace which identity initiated the action, which secret or token was used, and which policy allowed the path. Without that mapping, accountability blurs across the workflow.


Technical breakdown

How passwordless authentication and passkeys change identity assurance

Passkeys replace shared secrets with cryptographic authenticators bound to a device or platform, which changes the failure mode from password theft to device, recovery, and enrolment risk. In identity terms, assurance moves away from what a user remembers toward what a credential can prove in a specific authenticator context. That improves phishing resistance, but it also makes recovery flows and account lifecycle handling more important because the fallback path often becomes the weakest link. Passwordless is not a standalone control. It only holds if registration, recovery, and re-authentication are governed with the same rigor as primary sign-in.

Practical implication: review recovery, reset, and enrolment paths before widening passkey adoption.

Why secrets management and human IAM now share the same trust boundary

Secrets management and human IAM increasingly overlap because the same access pathways now support administrators, workloads, automation, and AI-assisted processes. A secret is not just a credential store item. It is a grant of runtime authority that can outlive the session, the user, or even the application that created it. That makes lifecycle discipline central. Rotation, offboarding, and scope control matter because credentials often persist outside the system that issued them. The governance question is no longer whether the secret is encrypted. It is whether the secret still represents the intended identity at the moment it is used.

Practical implication: map every secret to an owner, purpose, and expiry condition.

AI-driven workflows create new identity governance pressure points

AI-driven workflows matter because they can initiate actions, assemble context, and interact with tools at runtime, which pushes identity control beyond traditional human session management. Even when the workflow is not autonomous in the strict sense, it still introduces a stronger need to govern which identities can call which services, under what policy, and with what evidence trail. That changes the job of IAM from authenticating a user to constraining a workflow path. The key risk is delegated access that becomes difficult to attribute once an AI-assisted process is operating across multiple tools and secrets.

Practical implication: treat AI-assisted workflows as governed execution paths, not just user convenience features.


NHI Mgmt Group analysis

Bitwarden's expansion reflects the convergence of human identity and machine identity governance. Passwords, passkeys, and secrets management are no longer separate operational silos when the same platform must support people, services, and workflow automation. That convergence matters because lifecycle, revocation, and assurance requirements now apply across all three identity types. Practitioners should stop treating credential security as a point solution problem and start treating it as a shared governance plane.

Passkeys improve authentication resilience, but they do not remove lifecycle risk. The article rightly frames passwordless as part of the future of identity security, yet the hard part shifts to enrolment, recovery, and device-bound trust. Those are governance processes, not just technical features. The implication is that IAM teams must evaluate passkey programmes in the same way they evaluate any other high-assurance identity path: by how well they handle account recovery, revocation, and exception management.

Secrets management is becoming an identity discipline, not a vaulting discipline. Once secrets power automation, services, and AI-driven workflows, the real control question becomes who can use them, when, and for what purpose. That is a lifecycle and privilege problem, not merely a storage problem. The operational conclusion is that teams need ownership, rotation, and offboarding tied to identity events rather than storage events.

AI-driven workflows will expose weak delegation models long before they expose weak encryption. If an organisation cannot explain which identity is acting, which secret it is using, and which policy constrains the action path, the control failure is architectural. The market is moving toward identity platforms that unify human access, workload access, and workflow governance. Practitioners should expect more convergence, but they should also demand clearer accountability boundaries.

Named concept: identity control plane convergence. This is the point where password, passkey, secret, and workflow governance begin to operate as one system rather than separate tools. Bitwarden's direction shows why that matters: the enterprise attack surface is now defined by the relationship between identities, not by any single authentication method. The practical conclusion is to design governance around the full trust chain, not the credential type alone.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
  • That is why lifecycle control matters as much as authentication design, as explored in NHI Lifecycle Management Guide.

What this signals

Identity control plane convergence: the programme risk is no longer credential type, but governance fragmentation across passwords, passkeys, secrets, and workflow identities. Teams that keep those controls in separate operating models will struggle to prove ownership or revoke access cleanly when systems change.

With 97% of NHIs carrying excessive privileges, the same governance patterns that weaken machine identity also show up in workflow automation and delegated access paths. The practical response is to unify entitlement review, revocation triggers, and audit evidence across the full identity surface.

NIST SP 800-207 remains the right reference point for constraining trust, but the operational challenge is broader than zero trust architecture alone. IAM teams should pair policy enforcement with lifecycle discipline so human and non-human credentials lose access at the same pace the business changes.


For practitioners

  • Map shared governance across credential types Inventory where passwords, passkeys, and secrets are managed in separate processes, then align ownership, lifecycle, and exception handling so the same identity has one accountable control path across tools.
  • Harden recovery and enrolment paths Test account recovery, device replacement, and re-enrolment flows for the same assurance you expect from primary authentication, especially where passkeys or stronger authenticators are being introduced.
  • Tie secrets to explicit owners and expiry events Require every secret to carry an owner, a business purpose, and a revocation condition, then review those links during offboarding, application change, and workload retirement.
  • Treat AI-assisted workflows as governed access paths Define which identities can trigger workflow actions, which secrets they may touch, and what audit evidence must exist before those actions are allowed to complete.

Key takeaways

  • Bitwarden's strategy reflects a wider shift in identity security, where passwords, passkeys, secrets, and workflow access are converging into one governance problem.
  • Authentication improvements do not eliminate lifecycle risk, because recovery, enrolment, ownership, and revocation still determine whether access remains trustworthy.
  • IAM teams should evaluate identity programmes by how well they govern the full trust chain across people, workloads, and AI-assisted workflows.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Secrets rotation and lifecycle control are central to the article's governance theme.
NIST CSF 2.0PR.AC-1Identity proofing and access governance apply across passwords, passkeys, and workflow access.
NIST Zero Trust (SP 800-207)PR.AC-4The article's trust boundary discussion aligns with least-privilege access design.

Map credential flows to PR.AC-1 and verify each access path has defined approval and revocation logic.


Key terms

  • Passkey: A passkey is a phishing-resistant authenticator that replaces passwords with cryptographic keys bound to a device or platform. In practice, it improves sign-in assurance, but it also shifts governance to enrolment, recovery, and device lifecycle controls because the fallback path can become the easiest path to abuse.
  • Secrets Management: Secrets management is the discipline of storing, distributing, rotating, and revoking credentials such as API keys, tokens, and certificates. It is an identity control function because the secret represents runtime authority, and that authority must be traceable to an owner, a purpose, and an expiry condition.
  • Identity Control Plane: An identity control plane is the set of policies, processes, and systems that govern authentication, authorisation, and lifecycle across people, workloads, and automation. The term matters because security teams increasingly need one accountable model for every identity type that can act in production.

What's in the full article

Bitwarden's full article covers the product and organisational detail this post intentionally leaves at the strategy level:

  • How Bitwarden is structuring its expanded leadership team and engineering priorities.
  • The company’s own explanation of how it sees passwordless, secrets management, and AI-driven workflows fitting together.
  • Why the product portfolio is being broadened now, from the publisher's perspective.
  • The leadership transition details behind the CTO change and the new innovation role.

👉 Bitwarden's full post covers the leadership transition, product direction, and future security priorities in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org