TL;DR: IAM is being reshaped by credential-led authentication, because password weakness, identity sprawl, and breach persistence have outgrown traditional access management, according to Axiad and CISA. The shift to ICAM makes possession-based credentials central to identity security, but it also raises the bar for lifecycle control and scale.
At a glance
What this is: Axiad argues that IAM has effectively given way to ICAM, with strong credential management becoming the centre of identity security.
Why it matters: This matters because practitioners have to govern far more identities, credentials, and revocation paths than legacy IAM assumptions were built to handle.
By the numbers:
- The U.S. IAM market was about $18 billion in 2023 and is forecast to reach $63 billion by 2032.
- The number of identities has exploded, reaching 30 identities for every knowledge worker.
- There is a 45:1 ratio of machine identities to every human.
- Change Healthcare’s breach affected 100 million Americans.
Context
Identity and access management is under pressure because modern enterprises no longer operate with a human-only identity model. Passwords, weak MFA, and manual access assumptions break down when the environment includes machine identities, certificates, API keys, and other strong credentials that must be issued, tracked, updated, and revoked at scale.
Axiad frames this as a move from IAM to ICAM, or Identity, Credential and Access Management. The practical implication for IAM, PAM, and NHI programmes is straightforward: identity governance now depends on credential lifecycle control, not just authentication policy, and that is a broader operational problem than legacy IAM was designed to solve.
Key questions
Q: How should security teams govern credentials across human and non-human identities?
A: Treat credentials as the control object, not just the login mechanism. Build ownership, issuance, rotation, tracking, and revocation into one lifecycle process so humans, service accounts, and workload identities are governed under the same evidence model. That reduces blind spots where access still works even after the underlying business need has ended.
Q: Why do machine identities change the way IAM programmes have to operate?
A: Machine identities multiply the number of credentials that must be managed and shorten the tolerance for manual oversight. IAM programmes built for human logins do not scale well when certificates, API keys, and service accounts become the dominant privilege carriers. The result is governance drift unless teams formalise lifecycle control and ownership.
Q: What do teams get wrong about strong credentials and access control?
A: They often assume that moving away from passwords automatically solves identity risk. Stronger credentials improve proof of possession, but they create new failure modes if they are not tracked, rotated, and revoked consistently. A credential that remains valid too long is still an access liability, even if the authentication method itself is sound.
Q: Who should own lifecycle governance for identity credentials?
A: Ownership should sit with the teams responsible for the business service and the identity control plane, not with a single authentication tool owner. Revocation, expiry, and exception handling need clear accountability because credentials outlive projects, personnel changes, and sometimes the systems they were created for.
Technical breakdown
Why credentials now sit at the centre of identity control
The article’s core technical point is that credentials have overtaken passwords as the durable trust mechanism in enterprise identity. Knowledge factors such as passwords are easy to reuse, leak, and brute force. Possession factors such as certificates, FIDO keys, TLS machine certificates, and API keys are harder to fake, but they shift the burden to lifecycle management. Once credentials become the primary proof of identity, security depends on issuance, tracking, rotation, and revocation discipline rather than on user memorability or password complexity.
Practical implication: teams need inventory, issuance, and revocation controls that work for both human and machine credentials.
Why identity sprawl changes the operating model for IAM
The article points to identity growth as the reason legacy IAM no longer fits the environment. When every knowledge worker has dozens of identities and machine identities outnumber humans, authentication becomes only one layer in a larger control system. The real challenge is policy coherence across many credential types and many ownership models. That means lifecycle ownership, credential provenance, and revocation timing become operationally important, because a secure login flow does not compensate for unmanaged or unrevoked access elsewhere in the estate.
Practical implication: map identity ownership and credential lifecycle across human, service, and workload identities.
What ICAM adds beyond traditional IAM
ICAM extends IAM by explicitly elevating credentials into the governance model. That is not just a naming change. It reflects a shift from treating credentials as supporting artefacts to treating them as the primary security object that must be issued, validated, stored, and retired with precision. In practice, this aligns closely with non-human identity governance, privileged access management, and zero trust ideas that assume access should be continuously verified and tightly bounded.
Practical implication: align IAM, PAM, and NHI controls around credential lifecycle evidence rather than login success alone.
NHI Mgmt Group analysis
ICAM is really a statement that credential lifecycle has become the security boundary. The article is right to move the centre of gravity away from passwords, because modern identity risk is increasingly about what can be issued, copied, left valid, and forgotten. That maps directly to NHI and workload identity governance, where the credential is the actor’s practical authority. Practitioners should treat issuance and revocation as first-class control points, not administrative afterthoughts.
The scale problem is now structural, not exceptional. When identity populations reach dozens of identities per employee and machine identities outnumber humans, manual governance assumptions stop scaling. This is where IAM programmes become brittle: the control plane may still authenticate, but it can no longer reliably explain who owns what, why it exists, or when it should die. That is a governance failure mode, not just an operations issue. Practitioners need to assume high-cardinality identity estates as the baseline.
Legacy IAM language underestimates how much of identity security now depends on non-human systems. The article’s emphasis on credentials aligns with the broader reality that service accounts, API keys, certificates, and workload identities are often the real privilege carriers. NHI governance is therefore not a niche subdiscipline sitting beside IAM. It is the enforcement layer that keeps modern identity systems accountable when access is machine-driven. Practitioners should stop treating machine identity as an edge case.
ICAM names a governance gap that many programmes still leave unresolved: who owns the full credential lifecycle. Issue, track, update, revoke, and prove expiry are not the same control, and mature identity programmes need evidence for each step. The article surfaces the right directional change, but the harder work is operational ownership across IAM, PAM, and NHI teams. Practitioners should make lifecycle accountability visible at the same level as authentication policy.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- For a broader lifecycle view, review Ultimate Guide to NHIs, Key Challenges and Risks alongside this analysis.
What this signals
Credential governance will keep moving from the auth layer into the programme layer. Identity teams need to expect more pressure to prove where credentials live, who owns them, and how quickly they can be revoked. The organisations that can already answer those questions will be better positioned to absorb the ICAM shift without creating new blind spots.
The operational signal is that NHI and PAM teams will be pulled closer together. Once credentials become the primary trust object, lifecycle control, exception handling, and revocation evidence become shared concerns rather than separate workflows.
Identity blast radius: as credential populations expand, a single unmanaged key can represent a larger portion of enterprise access than a traditional account ever did. That makes inventory quality and revocation speed the two programme indicators most worth watching.
For practitioners
- Inventory all credential types, not just user accounts. Build one view that includes passwords, certificates, API keys, passkeys, TLS machine credentials, and service account tokens so governance starts from the actual trust objects in use.
- Assign explicit lifecycle owners for every credential class. Require named ownership for issuance, tracking, rotation, and revocation across human and non-human identities so no credential exists outside a defined accountability path.
- Measure revocation, not only authentication success. Track how quickly credentials are retired after role changes, service decommissioning, or compromise notification, because successful logins can hide stale access.
- Recast PAM and NHI controls around credential authority. Use privileged access and non-human identity governance to constrain where credentials are stored, who can mint them, and how long they remain valid in production systems.
Key takeaways
- The article’s central point is that identity security now hinges on credential lifecycle governance, not IAM branding alone.
- Identity sprawl and machine-scale access make manual control models unreliable, especially where credentials outnumber human accounts.
- Practitioners should focus on ownership, revocation, and inventory evidence because those controls determine whether ICAM is real or merely renamed IAM.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential rotation and revocation are central to the ICAM shift discussed here. |
| NIST CSF 2.0 | PR.AC-1 | The article focuses on authentication and credential assurance for identity access. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | ICAM aligns with continuously verified access and reduced trust in static credentials. |
Map credential lifecycle controls to NHI-03 and verify every non-human credential has a rotation owner.
Key terms
- Identity, Credential and Access Management: ICAM is the identity operating model that treats credentials as a primary governance object rather than a side effect of authentication. It expands IAM by emphasising issuance, tracking, updating, and revocation of credentials across human and non-human identities.
- Possession factor: A possession factor is something an identity proves it has, such as a certificate, hardware key, or token. In modern enterprise environments, possession factors matter because they are harder to guess than passwords but still require strict lifecycle control.
- Credential lifecycle: Credential lifecycle is the full path from creation to revocation for a secret, certificate, key, or token. Effective lifecycle governance requires clear ownership, timely rotation, accurate inventory, and reliable offboarding so credentials do not remain valid beyond their business need.
- Machine identity: Machine identity is the non-human identity used by software, services, workloads, or devices to authenticate and obtain access. These identities often carry real privilege, so they must be governed with the same discipline as human access, but at much larger scale.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Axiad: IAM is dead...Long live ICAM. Read the original.
Published by the NHIMG editorial team on 2025-07-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org