TL;DR: Centralised IAM creates a single point of failure for credentials and PII, and the MOVEit fallout is a reminder of how widely that exposure can cascade, according to 1Kosmos. The real issue is not just breach volume, but the structural trust assumption that identity data must live in one place to be governed.
At a glance
What this is: This is an analysis of how distributed ledger-based identity architectures are positioned as an alternative to centralised IAM storage, with the key claim that removing the central PII honeypot reduces credential and data exposure.
Why it matters: It matters because identity teams must decide whether their governance model depends on concentrated storage, and whether stronger assurance can be achieved without creating a larger breach target across NHI, autonomous, and human identity programmes.
By the numbers:
- One breach at MOVEit impacted 2,620 organizations and 77.2 million people worldwide.
👉 Read 1Kosmos's analysis of distributed ledger identity and IAM risk
Context
Centralised identity storage reduces complexity, but it also concentrates risk. When credentials, profile attributes, and proofing data sit in one administrative system, that repository becomes a high-value target for attackers and a single failure domain for the broader IAM programme.
The article argues for distributed ledger technology as an alternative identity data model because it avoids central storage of PII and credentials. For IAM teams, the question is not whether decentralisation is fashionable, but whether the current trust architecture is creating avoidable blast radius in human identity and machine identity flows alike.
That framing is typical for identity architecture debates: the operational promise is better control and auditability, while the governance challenge is whether the underlying identity proofing and verification model remains supportable at enterprise scale.
Key questions
Q: How should security teams reduce the breach impact of centralised identity repositories?
A: Security teams should identify which identity stores contain the most reusable trust material, then reduce how much sensitive data each store holds. The goal is to prevent one compromise from exposing credentials, recovery paths, and personal attributes at scale. Where possible, separate verification events from bulk storage and narrow who can access the highest-value identity records.
Q: Why do centralised identity systems create so much downstream risk?
A: Centralised identity systems create downstream risk because one repository often supports many applications, users, and authentication flows. If that store is compromised, attackers can reuse the exposed identity data to move into adjacent systems, reset access, or impersonate users. The concentration of trust matters as much as the data itself.
Q: What should IAM teams evaluate before moving to ledger-based identity models?
A: IAM teams should evaluate custody, revocation, auditability, and recovery before treating ledger-based identity as a security improvement. A ledger can reduce central storage exposure, but it does not remove the need for endpoint trust, key lifecycle control, and governance over who can approve identity changes. The architecture must still be operable under failure.
Q: Who is accountable for identity governance when credentials are stored on user devices?
A: Accountability shifts toward the organisation that defines the trust model, the endpoint controls, and the lifecycle rules for the credential. Device storage does not remove governance responsibility. It increases the need to prove that key protection, recovery, and audit review are still enforced across the full identity journey.
Technical breakdown
Why centralised identity repositories become breach amplifiers
Centralised IAM systems consolidate identity attributes, authentication state, and often recovery or verification data into a small number of authoritative stores. That design simplifies provisioning and policy enforcement, but it also creates a high-value target because compromise of the repository can expose many identities at once. The article's core technical point is that the risk is not only credential theft, but the ability to weaponise identity data downstream across applications, accounts, and services. In practice, the more identity functions are centralised, the more breach impact scales with that one control plane.
Practical implication: map which identity records and recovery paths create the largest downstream blast radius if they are exposed together.
How private permissioned ledgers change identity custody
A private, permissioned ledger changes identity custody by separating verification events and shared attributes from a centralised database model. Instead of one system holding all plaintext identity data, the ledger supports controlled exchange, end-to-end encryption, and an immutable record of who approved what. That matters because the security property shifts from protecting one master repository to limiting access to specific claims and preserving auditability across transactions. The article also ties this to device-held private keys, which keeps the cryptographic anchor on the user endpoint rather than on a server.
Practical implication: examine whether your architecture can keep sensitive identity material off server-side storage while still preserving audit and assurance.
Why device-bound keys and immutable audit trails matter for IAM
Device-bound key storage reduces replay and server-side credential theft because the private key never needs to leave the trusted device or enclave. Combined with an immutable audit trail, this creates stronger evidence of authentication and sharing events than a conventional central repository can provide. The technical trade-off is that governance must now trust endpoint integrity, key protection, and lifecycle handling of the credential on the device. For identity architects, this is a shift from central repository protection to distributed assurance across endpoints, ledgers, and verification policies.
Practical implication: strengthen endpoint trust, key protection, and audit review before assuming decentralised identity automatically improves security.
NHI Mgmt Group analysis
Centralised identity storage is a breach multiplier, not just an administrative convenience. The article correctly identifies the structural problem in IAM: when identity records and credentials are concentrated, one compromise can cascade across many systems and users. That is not a narrow vendor argument, it is a governance reality across human identity and NHI programmes. The practitioner conclusion is that repository design directly shapes breach blast radius.
Privacy-preserving identity architectures should be judged by custody, not by branding. A distributed ledger does not automatically solve identity governance, but it does change who can see sensitive data and when. The relevant question for IAM teams is whether the design reduces central exposure while preserving auditability, revocation, and proofing quality. The practitioner conclusion is to evaluate custody, not slogans.
Immutable audit does not remove governance responsibility, it moves it. If identity events are recorded in a ledger and keys live on endpoints, security teams inherit a more distributed trust model. That can improve traceability, but only if endpoint assurance, lifecycle processes, and access approval rules are still enforced with discipline. The practitioner conclusion is to test whether the control plane became smaller or merely harder to inspect.
Identity architectures that avoid a single PII honeypot reduce exposure, but they also force sharper lifecycle governance. DLT-based identity models reduce the likelihood that one server-side compromise exposes everything, which is the right instinct after repeated identity-driven breaches. But the harder problem becomes ensuring recovery, revocation, and verification remain governable across endpoints and shared ledgers. The practitioner conclusion is to treat decentralisation as a custody shift, not a governance shortcut.
From our research:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- 35.6% of organisations cite managing consistent access across hybrid and multi-cloud environments as their top NHI security challenge, which shows how quickly identity governance fragments once control is distributed.
- For a broader control baseline, NIST Cybersecurity Framework 2.0 helps teams tie identity custody, auditability, and recovery back to governance outcomes.
What this signals
Identity custody is becoming a programme design issue, not just a platform choice. If sensitive identity data remains concentrated in one repository, the next breach will still behave like a multiplier event. Teams should use the article as a prompt to assess where personal data, recovery paths, and credential state can be separated without weakening assurance.
That shift is especially relevant for non-human identities, where governance maturity still trails human IAM in many organisations. The more an architecture depends on central storage, the harder it becomes to keep access review, recovery, and revocation aligned across machine and human identity flows.
For practitioners aligning to NIST Cybersecurity Framework 2.0, the practical test is whether identity controls reduce both likelihood and blast radius. If the architecture only improves convenience, it has not yet earned its security claim.
For practitioners
- Inventory identity data concentration points Map where your programme stores credentials, recovery factors, proofing data, and shared identity attributes. Prioritise the repositories whose compromise would expose multiple populations or multiple applications at once.
- Separate verification from bulk storage Review whether identity proofing and authentication workflows still depend on a central database holding more personal and credential data than the business actually needs. Reduce the amount of server-side identity material wherever the control objective can still be met.
- Reassess endpoint trust assumptions If your architecture relies on device-held keys or enclave-based credentials, verify how endpoint integrity, secure enclave access, and recovery procedures are governed. A decentralised model only improves security if the endpoint is part of the control boundary.
- Test auditability across identity events Confirm that login attempts, data sharing approvals, and identity updates remain traceable across the full lifecycle, including revocation and recovery. The audit trail must support operational decisions, not simply provide retrospective logging.
Key takeaways
- Centralised identity repositories magnify breach impact because they concentrate credentials, recovery data, and identity attributes in one target.
- Distributed identity models can reduce exposure, but only if endpoint trust, revocation, and auditability are governed as part of the control plane.
- IAM teams should judge identity architecture by custody and blast radius, not by decentralisation branding alone.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Central identity storage and credential exposure map to NHI repository risk. |
| NIST CSF 2.0 | PR.AC-4 | Identity access control and least privilege are central to the custody discussion. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Distributed identity models still require continuous access verification and explicit trust decisions. |
Reduce secret concentration and ensure identity credentials are not stored where one breach exposes many systems.
Key terms
- Centralised Identity Repository: A centralised identity repository is a system that stores identity attributes, credentials, or recovery data in one authoritative place. It simplifies administration, but it also concentrates trust and creates a high-value target whose compromise can affect many applications, users, and authentication flows at once.
- Distributed Ledger Identity: Distributed ledger identity is an approach that records identity-related events or claims across a permissioned ledger rather than a single database. In practice, it aims to reduce central exposure while preserving integrity, traceability, and controlled sharing of identity data across parties.
- Device-Bound Key: A device-bound key is a private cryptographic key stored on a user endpoint, secure enclave, or trusted hardware module rather than on a server. This design can reduce credential theft and replay risk, but it raises the importance of endpoint trust, recovery, and lifecycle governance.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or maturing an IAM programme, it is worth exploring.
This post draws on content published by 1Kosmos: IAM Private & Permissioned and the role of DLT in modern identity architecture. Read the original.
Published by the NHIMG editorial team on 2023-12-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
