TL;DR: The October 2025 AWS outage showed how dependency failures can halt services when core infrastructure goes offline, and the same risk exists inside identity platforms when tenant recovery is treated as optional, according to Acsense. Recovery assumptions break when IAM availability, configuration integrity, and backup discipline are not governed as business continuity controls.
At a glance
What this is: This is an analysis of why IAM resilience belongs in cloud shared responsibility planning, with the key finding that customer-owned identity tenants need their own recovery model.
Why it matters: It matters because IAM, IGA, PAM, and platform teams cannot rely on vendor restoration alone when misconfiguration, deletion, ransomware, or lockout hits the customer tenant.
By the numbers:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- Only 5.7% of organisations have full visibility into their service accounts.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
👉 Read Acsense's analysis of IAM resilience after the AWS outage
Context
Cloud outages expose a simple truth about identity security: availability is part of control. If an identity tenant or its recovery path fails, authentication and authorisation can stop even when the underlying cloud provider is healthy.
The article frames IAM resilience as the customer side of shared responsibility for Okta, Entra ID, Ping, and similar tenants. That is a governance problem as much as a technical one, because backup scope, restore testing, and break-glass access determine whether identity becomes a single point of failure.
For IAM teams, the practical question is not whether a vendor can recover its platform, but whether the organisation can restore its own tenant state quickly enough to keep operations moving. That is a typical blind spot in mature cloud programmes.
Key questions
Q: What breaks when IAM tenant recovery is not in place?
A: When IAM tenant recovery is missing, the organisation can lose access to the configuration that controls login, authorisation, and administrative recovery. Users may be locked out, app access may fail, and security teams may be unable to repair the tenant. The failure is operational paralysis, not just an availability incident.
Q: Why do identity systems need their own resilience plan?
A: Identity systems need their own resilience plan because vendor restoration only brings the platform back, not your tenant state. Your groups, policies, app assignments, trust settings, and break-glass paths are customer-owned. If those are lost or corrupted, business continuity depends on your ability to restore them quickly.
Q: How do you know if IAM backup is actually working?
A: IAM backup is working only if you can restore critical objects and complete a realistic recovery exercise. Measure object-level restore success, time-to-restore for tier-0 flows, and whether recovered policies behave as expected. If tests fail or take too long, the backup is storage, not resilience.
Q: Who is accountable when tenant-side IAM disruption causes downtime?
A: The customer is accountable when tenant-side IAM disruption causes downtime because the tenant configuration, recovery design, and restore testing are under customer control. NIST CSF 2.0, DORA, and NIS2 all point in the same direction: continuity evidence must cover the identity layer, not only infrastructure uptime.
Technical breakdown
Shared responsibility in identity tenants
Shared responsibility in IAM is often misunderstood because service availability and tenant recoverability are treated as the same problem. They are not. A hyperscaler restores infrastructure it owns, while the customer remains responsible for tenant configuration, access policy, app bindings, and recovery of the identity control plane. That means an outage, deletion, or ransomware event inside the tenant can still take down login, authorisation, and admin access even if the cloud platform itself is intact. The operational boundary is the tenant, not the vendor brand.
Practical implication: Map which identity objects are customer-owned and ensure their recovery path is independently testable.
Why identity backup must include configuration state
Backing up user records alone does not recover an identity system. The operational state that matters includes policies, conditional access rules, groups, roles, MFA settings, app assignments, trust relationships, and administrative boundaries. Those objects define how access works, so if they are corrupted or deleted, authentication may still succeed while authorisation fails silently or broadly. In practice, identity backup needs immutable versioning, object-level restore, and rollback for changes that affect the tenant’s security posture.
Practical implication: Back up configuration state, not just identities, and verify that single-object restore is possible.
Recovery engineering for IAM continuity
Recovery engineering is the discipline of proving that identity services can be restored within a defined recovery objective. For IAM, that means documenting restore order for tier-0 access paths, keeping break-glass credentials separate, and testing rollback for MFA, SAML, OIDC, and app assignment changes. The key failure mode is assuming backup equals resilience. It does not. Resilience only exists when restore is fast, repeatable, and validated under realistic failure conditions.
Practical implication: Run live recovery tests for critical identity flows and measure actual time-to-restore against your business tolerance.
NHI Mgmt Group analysis
IAM resilience is a governance control, not a platform feature: The article is right to separate hyperscaler recovery from tenant recovery, because the customer controls the identity layer they configure and depend on. That makes restore readiness an identity governance issue, not just an infrastructure backup issue. The implication is that IAM continuity must be treated as part of operational control ownership, not vendor assurance.
Identity control-plane outage is the real single point of failure: When access policy, admin roles, or trust configuration are lost, the outage is broader than an authentication problem. Identity becomes the dependency every other service waits on, which means resilience planning has to start with the control plane itself. Practitioners should recognise that the business risk is service paralysis, not only system downtime.
Configuration recoverability matters more than account data: The failure mode here is not missing usernames, it is missing the policy state that makes those usernames usable. Groups, role bindings, app assignments, and conditional access rules are what allow the tenant to function after disruption. If those objects are not recoverable, the programme has backup artefacts but no operational continuity.
Break-glass access without tested recovery is false assurance: A dormant emergency account is not a resilience strategy if the organisation has never restored the environment that account is meant to reach. This is where many IAM programmes overestimate their readiness. Practitioners should view emergency access, restore sequencing, and tenant rollback as one connected control set.
NIST CSF and continuity regulation are converging on identity recoverability: The article’s reference to tested recovery aligns with the direction of NIST CSF 2.0 and sector resilience expectations under DORA and NIS2. Identity cannot sit outside continuity evidence anymore. The practical conclusion is that IAM teams need restore testing, not just configuration management.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means many identity programmes still lack complete recoverability and ownership mapping.
- The 52 NHI breaches analysis shows how exposed credentials and unmanaged access persist across incidents, reinforcing why identity recovery must be treated as an operational control, not a backup afterthought.
What this signals
Configuration recoverability is now a core identity control. As resilience pressure increases, IAM programmes will be judged on whether they can restore policy state, federation settings, and emergency access paths, not only whether the platform itself is up. That shifts recovery testing into the mainstream of identity governance.
Tenant-level failure planning will become part of board reporting. Once identity downtime is understood as business downtime, restore objectives, evidence of live recovery, and dependency mapping move out of the operations team and into executive risk management. The organisations that cannot demonstrate recovery will struggle to defend their continuity posture.
IAM backup and NHI lifecycle discipline are converging. The same governance maturity that tracks secrets, service accounts, and access scope also needs to cover tenant configuration drift and rollback. If 79% of organisations have experienced secrets leaks, the wider lesson is that identity state must be treated as recoverable infrastructure, not static configuration.
For practitioners
- Inventory identity control-plane dependencies List every tenant, admin boundary, federation link, and tier-0 application dependency so you know which identity objects would stop business operations if lost.
- Back up configuration state with immutable versions Capture policies, groups, roles, app assignments, conditional access rules, and trust settings in immutable, versioned backups stored outside the primary tenant boundary.
- Define restore objectives for critical identity flows Set separate recovery targets for user login, admin login, break-glass access, and federation rollback, then test each path against actual restore times.
- Run tenant recovery exercises regularly Validate object-level restore and full-tenant rollback for broken MFA policy, deleted admin groups, and damaged SAML or OIDC configuration before a real outage forces the test.
- Protect backup access with least privilege Restrict who can alter or restore backup data, segment emergency credentials from day-to-day admin access, and review break-glass use as part of quarterly governance.
Key takeaways
- IAM resilience is about restoring customer-owned identity state, not relying on vendor uptime alone.
- The real failure mode is losing configuration, policy, and trust data that make the identity tenant operational.
- Practitioners need tested recovery paths for tier-0 identity flows, not just stored backups and emergency accounts.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | RC.RP-1 | Recovery planning is central to this IAM continuity article. |
| NIST SP 800-53 Rev 5 | CP-9 | Backup of IAM configuration and restore capability map directly to contingency controls. |
| NIST Zero Trust (SP 800-207) | Zero Trust depends on resilient identity services and trusted control-plane recovery. |
Apply CP-9 to identity tenants with immutable backups and verified restore procedures.
Key terms
- Identity Control Plane: The identity control plane is the set of policies, roles, trust links, and administrative objects that determine how access is granted and recovered. If it is lost or corrupted, authentication may still exist, but the organisation loses the ability to govern access safely and consistently.
- IAM Resilience: IAM resilience is the ability to restore identity services, tenant configuration, and recovery paths after disruption without losing business continuity. It is broader than backup because it includes restore testing, recovery objectives, and the operational evidence that access can be rebuilt under pressure.
- Break-glass Access: Break-glass access is emergency privileged access reserved for restoring critical services when normal controls fail. In IAM programmes, it only counts as resilience if the emergency account, the recovery path, and the tenant state it depends on are all tested and available when needed.
- Tenant Recoverability: Tenant recoverability is the capability to restore a customer-managed identity tenant to a known good state after deletion, ransomware, misconfiguration, or corruption. It depends on backing up policy state, federation settings, and application bindings, not only on retaining user records.
What's in the full article
Acsense's full blog covers the operational detail this post intentionally leaves for the source:
- A practical IAM disaster recovery blueprint for Okta, Entra ID, or Ping tenants
- Step-by-step guidance for backing up groups, policies, app assignments, and trust settings
- Restore playbooks for broken MFA policy, deleted admin groups, and federation rollback
- Board-ready metrics for time-to-restore, configuration drift, and recovery evidence
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org