IAM is giving way to ICAM as credentials become the real control point

At a glance

What this is: This is an editorial argument that IAM is being displaced by ICAM because credentials, not passwords, have become the decisive control point for identity security.

Why it matters: It matters because IAM, NHI, and human identity programmes now share the same governance problem: how to issue, track, update, and revoke credentials at scale without leaving standing risk behind.

By the numbers:

• The U.S. IAM market was about $18 billion in 2023, forecast to become $63 billion by 2032.
• The number of identities exploded to include 30 identities for every knowledge worker, and a 45:1 ratio of machine identities to every human.

👉 Read Axiad's analysis of why IAM is being replaced by ICAM

Context

IAM is the discipline that governs how identities prove who they are and what they can access. The article argues that IAM has become too dependent on weak or incomplete authentication patterns, while credentials have become the more durable control point for modern access.

That shift matters across human, machine, and service identity programmes because the operational burden is no longer only authentication at login. It is lifecycle governance for credentials, including issuance, tracking, updating, and revocation, at a scale that legacy IAM thinking often underestimates.

Key questions

Q: How should security teams govern credentials when IAM is no longer enough?

A: Security teams should treat credentials as governed identity assets with explicit lifecycle ownership. That means tracking issuance, usage, rotation, update, and revocation across human, machine, and service identities. The goal is not only stronger authentication, but reliable control over credential state so stale access does not survive beyond its intended use.

Q: Why do machine identities push organisations toward ICAM?

A: Machine identities scale faster than human governance processes can handle. When non-human identities outnumber people by large multiples, password-centric IAM and manual reviews become too slow and incomplete. ICAM responds by putting possession-based credentials and lifecycle management at the centre of identity security.

Q: What breaks when credential revocation is slow or incomplete?

A: Slow revocation leaves valid access in place long after it should have ended, which creates standing exposure for attackers and internal misuse. In practice, that means leaked keys, stale certificates, and forgotten service credentials remain usable even after the underlying business need has changed.

Q: How do organisations know whether credential governance is working?

A: They should measure how quickly credentials are issued, rotated, updated, and revoked, and how many high-risk identities still rely on weak or incomplete authentication. If credentials remain valid after their business purpose ends, governance is not keeping pace with the identity estate.

Technical breakdown

Why credentials now matter more than passwords

The article separates knowledge factors from possession factors and argues that passwords have become the weakest link in the chain. Passwords are easy to steal, reuse, and harvest at scale, especially once phishing and credential stuffing are amplified by leaked datasets and generative AI. Credentials such as certificates, hardware keys, and API keys are harder to copy in bulk and more suitable for stronger authentication models. But that only helps if the organisation treats credentials as managed identity assets rather than static artefacts.

Practical implication: inventory credentials as governed identity assets, not just authentication tools.

What ICAM changes in identity governance

ICAM shifts the centre of gravity from identity proofing alone to full credential lifecycle control. The article’s definition, drawn from CISA, makes that explicit: organisations must issue, track, update, and revoke credentials within a defined context. That lifecycle view is more demanding than classic IAM because it treats stale or unmanaged credentials as a primary risk surface. It also aligns more closely with the way machine identities operate, where possession factors often become the actual access primitive.

Practical implication: build lifecycle controls around credential state, not just user sign-in events.

Why identity scale breaks older IAM assumptions

The article’s scale figures show why credential governance has become urgent. When an enterprise has many more identities than knowledge workers, and machine identities outnumber humans by a wide margin, manual IAM processes stop being reliable. Recertification, MFA policy, and password hygiene still matter, but they do not solve the administrative problem of volume, heterogeneity, and short-lived access patterns. The architecture problem is not only security weakness, but governance throughput.

Practical implication: automate credential governance where scale makes manual review non-viable.

Threat narrative

Attacker objective: The attacker seeks durable access that survives basic password resets and enables broad identity abuse across the enterprise.

1. Entry occurs when attackers obtain weak knowledge factors through password reuse, phishing, or mass credential exposure.
2. Escalation follows when those stolen factors are exchanged for stronger access paths such as certificates, tokens, API keys, or other possession-based credentials.
3. Impact emerges when compromised identities are used to access enterprise resources at scale, bypass incomplete MFA, and sustain unauthorized access across human and machine environments.

Breaches seen in the wild

• MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
• IOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials endangering user privacy.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

IAM is reaching its structural limit because authentication alone cannot absorb credential sprawl. The article is right to treat credentials as the new governance centre of gravity. Once identities scale into the tens of millions and machine identities outnumber humans, a password-centric model becomes too brittle to govern safely. Practitioners should read this as a signal that identity programmes now need credential lifecycle control, not just login control.

Credential management is the real ICAM control plane. The CISA definition quoted in the article is operationally important because it names the work that matters: issue, track, update, revoke. That is the discipline that determines whether possession factors are trustworthy or merely additional clutter. The implication for practitioners is that identity governance must expand from authentication events to ongoing credential state management.

Machine identity scale makes human-era IAM processes unreliable. The article’s ratios show a governance environment where the old assumption of manageable identity volume no longer holds. Access review cadences, password policies, and manual remediation were built for a slower world. Practitioners need to treat machine identity growth as a governance throughput problem, not only a security hygiene problem.

Strong credentials reduce one class of failure but introduce a different governance burden. Moving away from passwords does not eliminate identity risk. It shifts the burden to issuance integrity, revocation discipline, and inventory accuracy. That is why ICAM should be understood as a governance model, not a product category. Practitioners should evaluate whether their current controls can actually keep pace with credential lifecycle state.

Named concept: credential lifecycle governance. This article sharpens the case for treating credentials as governed assets with a beginning, middle, and end. That concept matters because unmanaged credential persistence is where modern identity programmes fail in practice. Practitioners should use it to align IAM, PAM, and NHI oversight around one control question: who still has a valid credential, and why?

From our research:

• 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
• Only 5.7% of organisations have full visibility into their service accounts, which means most teams are still trying to govern identities they cannot fully see.
• For lifecycle governance and offboarding detail, Ultimate Guide to NHIs , Key Challenges and Risks is the next resource to review.

What this signals

Credential lifecycle governance: the market is moving toward a model where issue, rotation, update, and revocation become the real control plane for identity programmes. That shift changes how teams should think about PAM, NHI governance, and even human authentication, because stale possession factors are now the practical failure point rather than passwords alone.

With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, the governance problem is no longer confined to IAM policy design. Teams need to watch for hidden credential inventories, orphaned possession factors, and delegated access that outlives the workflow that created it.

Practitioners should expect stronger convergence between IAM, NHI management, and Zero Trust programmes. The more identities scale and diversify, the more access assurance depends on continuous credential state control, not one-time login assurance, and that makes lifecycle telemetry a board-relevant signal.

For practitioners

• Inventory credential types across identity estates Map passwords, certificates, API keys, passkeys, TLS credentials, and tokens into one governance inventory so you can see which access paths depend on possession factors rather than knowledge factors.
• Define credential lifecycle ownership Assign explicit ownership for issue, track, update, and revoke workflows across human, machine, and service identities so revocation does not depend on informal ticket routing.
• Reduce reliance on weak MFA combinations Review where MFA is partially deployed or paired with weak factors, then prioritise stronger credential-backed authentication for high-risk access paths and administrative roles.
• Automate high-volume credential revocation Build automated revocation triggers for leavers, rotated secrets, expired certificates, and decommissioned workloads because manual handling cannot keep pace with modern identity volume.

Key takeaways

• IAM alone no longer matches the scale and variety of modern identities, especially where machine identities outnumber humans by large margins.
• Credential exposure and incomplete MFA remain persistent failure modes because possession factors now carry more operational weight than passwords.
• Practitioners should move toward ICAM-style lifecycle governance so issuance, tracking, update, and revocation are controlled as continuously managed identity states.

Key terms

• Identity, Credential and Access Management: ICAM is an identity governance model that puts credentials at the centre of access assurance. It extends IAM by focusing on the full lifecycle of issuance, tracking, update, and revocation, which is especially important when machine identities and service credentials outnumber human users.
• Possession factor: A possession factor is something an identity has, such as a certificate, hardware key, or API key. In ICAM, possession factors matter because they are harder to guess than passwords, but they still require tight lifecycle governance to remain trustworthy across human and non-human identities.
• Credential lifecycle management: Credential lifecycle management is the controlled process of issuing, tracking, updating, rotating, and revoking credentials. For modern IAM and NHI programmes, it is the operational discipline that prevents stale access from persisting after business need, role change, or compromise.

Deepen your knowledge

Credential lifecycle governance and identity scale are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is moving from password-centric IAM toward ICAM-style control, it is worth exploring.

This post draws on content published by Axiad: IAM is Dead...Long Live ICAM. Read the original.