TL;DR: Password managers now have to address friction, passkeys, AI-driven attacks, and the mix of human and agent identities as credential use keeps expanding, according to Bitwarden. The governance problem is no longer storage alone; identity teams have to plan for trust, usability, and lifecycle control together.
At a glance
What this is: A leadership perspective from Bitwarden argues that password management is becoming a broader identity problem spanning human credentials, passkeys, and agent identities.
Why it matters: It matters because IAM teams now have to align human access, NHI secrets, and emerging agent workflows around the same trust and lifecycle assumptions.
👉 Read Bitwarden's leadership note on password managers, passkeys, and agent identities
Context
Password management is no longer just about remembering and storing secrets. Once credentials, passkeys, and agent identities all sit inside the same operational surface, the governance problem shifts from convenience to control, because the programme has to account for who or what is holding the credential, how it is used, and when it should stop being valid.
Bitwarden’s note points to a familiar IAM pattern: security features fail when they become harder to use than the risk they are meant to reduce. That is especially relevant for non-human identities and emerging agent workflows, where friction, lifecycle gaps, and unclear accountability can quickly turn credential security into shadow operations rather than governance.
Key questions
Q: How should security teams govern passwords, passkeys, and agent-held secrets together?
A: Treat them as different identity assets with different failure modes. Human passwords need strong user recovery and phishing resistance, passkeys need device and fallback governance, and agent-held secrets need explicit ownership, expiry, and revocation. If all three are managed with one generic workflow, accountability becomes unclear and hidden access persists longer than intended.
Q: Why do password managers become an IAM issue instead of a user tool?
A: Because they mediate how secrets are stored, shared, recovered, and revoked. Once teams rely on them for enterprise credentials, they influence access control, audit evidence, and offboarding outcomes. If the platform cannot show who owns a secret and when it should expire, it is part of the identity control plane, not just convenience software.
Q: What do organisations get wrong when adopting passkeys at scale?
A: They often focus on login security and ignore recovery design. Passkeys can reduce phishing and replay, but weak enrollment, device loss handling, or backup paths can recreate account takeover risk elsewhere. A passkey programme is only as strong as its fallback controls and its ability to prove who is allowed to recover access.
Q: How do teams avoid credential sprawl as humans and agents share workflows?
A: Create explicit boundaries between human credentials, machine secrets, and workflow automation tokens. Each should have a named owner, a clear purpose, and a removal trigger. Without that separation, secrets accumulate in scripts, vaults, and shared systems, making review and offboarding far less reliable.
Technical breakdown
Why password managers now sit inside identity governance
A password manager is effectively a credential governance layer when it stores human passwords, shared secrets, API keys, or other sensitive access material. The design challenge is not simply encryption at rest, but how the tool participates in access control, policy enforcement, and recovery. Once businesses rely on it for both people and systems, the product becomes part of identity architecture rather than a user convenience feature. That means session boundaries, sharing rules, auditability, and offboarding all matter. If the platform cannot express ownership and expiry clearly, it creates hidden persistence of access that IAM teams later have to unwind.
Practical implication: Treat the password manager as part of the identity control plane and review who can create, share, export, and recover credentials.
Passkeys, phishing resistance, and residual credential risk
Passkeys reduce replay and phishing risk because the secret never leaves the device in the same way a password does. But passkeys do not remove credential governance, they change it. The harder problems move to device binding, recovery, enrollment control, and fallback paths when users lose access. In mixed environments, passwords and passkeys coexist for years, so teams have to manage both the old attack surface and the new one. If recovery or sync paths are weak, the organisation can still end up with account takeover through the back door, even while claiming stronger authentication.
Practical implication: Map passkey adoption to recovery and fallback controls, not just login hardening, before declaring authentication risk reduced.
Human and agent identities are starting to share the same access fabric
The article’s reference to humans and agent identities in the same environment reflects a larger shift in identity design. Agentic systems are beginning to request, hold, and use credentials in ways that resemble non-human identities, but with more dynamic behaviour than classic service accounts. That matters because policy built for static, pre-provisioned access does not fully fit runtime decision-making. Even when the actor is not autonomous in the strict sense, teams still have to separate human intent from machine execution, otherwise auditing, approval, and revocation become ambiguous.
Practical implication: Separate human-held credentials from machine-held secrets and define explicit ownership, approval, and revocation paths for each.
NHI Mgmt Group analysis
Security tools now fail when they optimise for storage but not for identity behaviour. The article’s real signal is that credential platforms are becoming governance platforms, whether vendors call them that or not. Once a product stores passwords, passkeys, API keys, and agent-related secrets, its failure modes move into ownership, sharing, and lifecycle control. Practitioners should judge these tools by whether they reduce hidden access persistence, not by whether they simply make login easier.
Friction is a control issue, not just a UX issue. Bitwarden’s observation that users abandon tools when they get in the way is an identity governance lesson. If security workflows are too cumbersome, users route around them, and that turns sanctioned controls into shadow practice. The implication for IAM leaders is to treat usability as part of enforcement, because controls that are not adopted consistently do not produce reliable identity evidence.
Identity blast radius: the real risk is no longer one password vault or one app, but the spread of credentials across humans, workloads, and emerging agent workflows. That spread makes review, rotation, and recovery harder because the same governance model does not fit every identity type. The practitioner conclusion is to design for segmentation by actor type instead of assuming one credential workflow can serve all use cases.
The next credential governance problem is hybrid, not purely human. The article is already pointing at a world where human users, machine identities, and agent identities coexist in the same trust fabric. That does not automatically make the environment autonomous, but it does mean lifecycle and accountability models must be explicit. Teams should prepare for mixed credential estates now, before they become operationally normal.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% having no or low visibility and 47% having only partial visibility, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
- For lifecycle and offboarding guidance, see Ultimate Guide to NHIs - Standards for the control framework practitioners should map these issues against.
What this signals
Identity blast radius: as human credentials, passkeys, and agent-held secrets converge, the governance challenge shifts from protecting a vault to governing who can create, recover, and reuse access across actor types. Teams should expect more pressure on ownership models, because mixed credential estates produce mixed accountability unless policy separates them cleanly.
The strongest programmes will treat friction as a control variable. If users and developers route around a tool because it slows them down, the security team loses visibility even when the product is technically sound. That is why adoption, not just encryption, should be tracked as an identity health signal.
With 1 in 4 organisations already investing in dedicated NHI security capabilities, the market is moving toward explicit machine-identity governance rather than implied coverage inside human IAM. Practitioners should watch for credential platforms that can distinguish human, workload, and agent use cases without collapsing them into one policy layer.
For practitioners
- Separate human and machine credential lifecycles Define different ownership, recovery, and revocation paths for user passwords, passkeys, API keys, and agent-held secrets so one workflow does not blur multiple actor types.
- Review sharing and export permissions Audit who can share, export, or recover vault contents and remove broad access that lets credentials persist outside normal approval processes.
- Map fallback authentication paths Document how users regain access after device loss, factor reset, or passkey failure, then verify those paths do not become weaker than the primary login flow.
- Classify agent-adjacent secrets explicitly Tag secrets used by scripts, workflows, and AI-assisted systems so they are governed as non-human credentials with named owners and expiry rules.
Key takeaways
- Password management is becoming an identity governance problem because the same platform increasingly handles human credentials, passkeys, and machine secrets.
- Usability and fallback design now affect security outcomes directly, because controls that people abandon do not produce reliable identity evidence.
- IAM teams should separate ownership, recovery, and revocation paths by actor type before mixed credential estates become the operational norm.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Credential management and access enforcement are central to the article's governance theme. |
| NIST Zero Trust (SP 800-207) | The article's mixed identity surface fits continuous verification and least-privilege principles. | |
| OWASP Non-Human Identity Top 10 | NHI-03 | Secret rotation and lifecycle handling are directly relevant to the article's credential focus. |
Review secret ownership and rotation against NHI-03, then remove any persistent access that lacks a clear owner.
Key terms
- Password Manager: A password manager is software that stores, organizes, and supplies credentials for users and systems. In governance terms, it becomes part of the identity control plane when it determines how secrets are created, shared, recovered, audited, and retired.
- Passkey: A passkey is a phishing-resistant authentication credential tied to a device or platform rather than a shared password. It reduces replay risk, but it still needs policy around enrollment, recovery, device trust, and fallback access to avoid creating new recovery weaknesses.
- Agent Identity: An agent identity is the identity used by software that can act on behalf of a human or another system during runtime. It must be governed as a non-human identity when it holds secrets or tokens, even if its behaviour is dynamic or partially automated.
- Credential Sprawl: Credential sprawl is the uncontrolled spread of secrets across users, scripts, vaults, apps, and automation workflows. It weakens accountability because ownership becomes unclear, rotation becomes inconsistent, and offboarding leaves behind access that nobody can reliably trace.
What's in the full article
Bitwarden's full blog post covers the operational detail this post intentionally leaves for the source:
- The CEO's first-hand account of how customer and employee feedback shaped the product direction.
- The company’s stated priorities for passkeys, AI-driven attack resistance, and mixed human and agent identity environments.
- The open-source and community commitments that underpin the product’s trust model.
- The author’s view on how friction, adoption, and product experience affect real-world security use.
Deepen your knowledge
NHI governance, agentic AI identity, machine identity security, IAM, human identity, identity lifecycle, secrets management, and workload identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org