TL;DR: Japan’s ICAM discussion ties strict identity proofing, credential protection, and access management to zero trust and national security policy, using NIST SP 800-207, NIST SP 800-63, and the new Japanese security labelling framework as reference points. The governance shift is clear: identity assurance now sits inside broader supply-chain and infrastructure resilience decisions, not beside them.
At a glance
What this is: This is an analysis of how ICAM, PKI, and zero trust are being positioned together as a governance model for critical infrastructure and supply-chain security.
Why it matters: It matters because IAM teams now have to align human identity assurance, credential protection, and access policy with wider resilience and regulatory expectations across national infrastructure programmes.
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
👉 Read Cybertrust Japan’s analysis of ICAM and zero trust architecture
Context
ICAM, or Identity, Credential and Access Management, is the combination of identity proofing, credential protection, and access control used to decide who or what can access systems and data. The article frames ICAM as a zero trust building block for critical infrastructure, especially where national resilience and supply-chain risk intersect.
The core governance point is that identity assurance can no longer be treated as an isolated IAM concern. As the article links NIST SP 800-207, NIST SP 800-63, PKI, and Japanese security labelling efforts, it shows a broader shift toward continuous verification and policy-backed trust across human, device, and service access.
That is a familiar direction for security teams working across infrastructure, government, and regulated industries. The starting position is increasingly typical, not exceptional, because identity controls are becoming part of national security and procurement expectations.
Key questions
Q: How should organisations apply ICAM in zero trust environments?
A: Organisations should use ICAM as the operational layer that ties identity proofing, credential integrity, and access decisions together. In a zero trust model, access should be re-evaluated using current identity and context rather than assumed from a previous login. That approach is strongest where systems hold sensitive operational or infrastructure data.
Q: Why does PKI matter for identity assurance?
A: PKI matters because it lets systems verify that a credential was issued by a trusted authority and has not been altered or revoked. That gives identity assurance a cryptographic basis, which is especially important when access crosses organisational boundaries or protects critical services. It reduces reliance on secrets that can be guessed, shared, or stolen.
Q: What should security teams govern beyond employee login controls?
A: Security teams should govern contractor access, supplier access, service credentials, and any other identities that can reach critical systems. The article shows that identity trust now extends into supply chains, so lifecycle review, credential quality, and access scope must include external participants as well as employees.
Q: Who is accountable when identity assurance fails in critical infrastructure?
A: Accountability sits with the organisation that issues access and sets trust policy, even when third parties participate in the workflow. For critical infrastructure, that means the operating entity must be able to show how identity was proven, how credentials were protected, and how access was controlled over time.
Technical breakdown
How PKI supports identity assurance in ICAM
PKI gives ICAM a way to bind credentials to a trusted issuer and verify them at runtime. In practical terms, certificates, signing chains, and revocation status let systems confirm that an identity is genuine before granting access. That matters when passwords, shared tokens, or unmanaged credentials are too weak for high-assurance environments. The article’s emphasis on strong proofing reflects a wider move away from static trust assumptions toward verifiable identity state. Practical implication: treat PKI-backed identity as a control layer, not just a transport-security mechanism.
Practical implication: use PKI where identity proofing and credential integrity need to survive high-risk or cross-domain access.
Zero trust architecture and access management
Zero trust architecture requires continuous verification rather than trust based on network location or initial login. ICAM fits that model by making identity, credential status, and access rights part of every decision point. The article’s focus on access management is important because zero trust fails when identity is authenticated once and then implicitly trusted for the rest of the session. For regulated environments, this means policy has to follow the identity, not the perimeter. Practical implication: align access decisions with identity state, device trust, and session context instead of treating authentication as a one-time event.
Practical implication: design access policies that re-evaluate trust as conditions change, not only at login.
Why identity proofing becomes a control boundary
Identity proofing is the step where the organisation establishes that a subject is real and that the presented identity belongs to that subject. The article shows why this matters for both human users and machine-linked credentials, because weak proofing creates downstream confidence problems in access issuance and lifecycle control. When identity is the basis for access to critical infrastructure, proofing quality affects incident response, revocation accuracy, and auditability. Practical implication: raise proofing standards for any identity that can reach sensitive infrastructure or supply-chain systems.
Practical implication: tighten identity proofing before access is issued, especially for privileged or externally facing roles.
NHI Mgmt Group analysis
ICAM is becoming the practical control plane for zero trust, not a side discussion about login hygiene. The article ties identity proofing, credential management, and access management together as the operational core of secure access in critical infrastructure. That is the right frame for both government and enterprise environments, because zero trust fails when identity assurance is fragmented across separate teams. Practitioners should treat ICAM as a design principle for trust decisions, not a narrow authentication project.
PKI remains the strongest model for high-assurance identity because it binds identity to verifiable credentials. The article’s emphasis on certificates and hardware-backed trust reflects the fact that high-risk access still depends on proof that can be validated independently. This is especially relevant where phishing, token theft, or shared secrets are operationally unacceptable. Practitioners should map which access paths actually require certificate-backed assurance rather than assuming password-based flows can be hardened enough.
Identity assurance is now a supply-chain concern as much as an internal IAM concern. The article repeatedly links national infrastructure, third-party participation, and cross-organisational standards alignment. That means access trust is no longer contained within a single enterprise boundary, and credential quality affects ecosystem resilience. Practitioners should extend governance to third parties, contractors, and connected services that participate in critical workflows.
The security baseline is shifting from static credentials to continuously governed trust states. NIST SP 800-207 reinforces the idea that access should be evaluated in context, not granted once and forgotten. That shift accelerates the convergence between IAM, PKI, and zero trust architecture. Practitioners should expect assurance, revocation, and policy enforcement to become part of the same control loop.
Japan’s ICAM direction shows how national policy can formalise identity security expectations for critical sectors. The article highlights how domestic guidance, labelling, and infrastructure policy are moving toward common security criteria. This matters because procurement and compliance will increasingly embed identity requirements rather than leaving them as internal best practice. Practitioners should prepare for identity controls to become auditable baseline requirements across regulated supply chains.
From our research:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs , Why NHI Security Matters Now.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity governance starts from incomplete inventory.
- For a broader breach lens, the 52 NHI Breaches Report shows how identity exposure turns into real-world compromise when governance fails.
What this signals
Identity assurance is becoming a programme-level control, not an architecture preference. As zero trust and ICAM converge, teams will be judged on whether they can prove who or what is accessing critical systems at each decision point. For many programmes, the real gap is not authentication technology but lifecycle visibility across credentials, certificates, and third-party access.
Access governance will increasingly need to span human, machine, and external identities in one operating model. That creates pressure to unify review, revocation, and assurance workflows across IAM, PAM, and NHI governance. Organisations that keep these disciplines separate will struggle to demonstrate consistent control over sensitive infrastructure access.
The emerging benchmark is not whether identity is protected, but whether it is continuously defensible under audit. That is where zero trust, PKI, and policy-backed access control become operational requirements rather than strategy language. Teams should expect procurement, resilience planning, and compliance reviews to ask for evidence, not assumptions.
For practitioners
- Map critical access paths to ICAM controls Identify which systems depend on strong identity proofing, credential protection, and access management, then classify them by business criticality and regulatory exposure. Use that map to decide where PKI and continuous verification are mandatory versus optional.
- Separate password-grade and certificate-grade trust decisions Do not use one access model for every system. Reserve certificate-backed or hardware-backed identity for high-impact infrastructure, privileged operations, and third-party access into sensitive environments.
- Extend governance to third-party access chains Review contractor, supplier, and integrator access as part of the same identity programme. The article’s supply-chain framing means external identities, not just employees, must be covered by issuance, review, and revocation processes.
- Align zero trust policy with identity state Make access decisions depend on verified identity, credential status, and session context. That keeps zero trust from collapsing into one-time authentication followed by implicit trust.
Key takeaways
- ICAM is being positioned as the practical bridge between identity assurance and zero trust, especially for critical infrastructure.
- PKI, identity proofing, and access management only work together when they are treated as one control chain rather than isolated functions.
- The governance standard is shifting toward continuous, evidence-based trust across human, machine, and third-party access.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST Zero Trust (SP 800-207), NIST SP 800-63 and NIST CSF 2.0 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | The article centers on zero trust architecture as the access model for ICAM. | |
| NIST SP 800-63 | SP 800-63C | The article links ICAM to federation and identity assurance guidance. |
| NIST CSF 2.0 | PR.AC-1 | Identity and access control are central to the article’s governance model. |
| ISO/IEC 27001:2022 | A.5.15 | Access control policy is directly relevant to the article’s governance focus. |
Map critical access paths to identity governance controls and verify access is granted only to authenticated subjects.
Key terms
- ICAM: Identity, Credential and Access Management is the discipline that connects identity proofing, credential issuance, and access decisions into one operating model. In high-assurance environments, it is not just about login, but about proving identity, protecting credentials, and controlling how access changes over time.
- PKI: Public key infrastructure is the trust system that issues, binds, and validates digital certificates for identities, devices, and services. It underpins stronger authentication because verification depends on cryptographic trust chains, not shared secrets or informal proof.
- Zero Trust Architecture: Zero Trust Architecture is a security model that assumes access cannot be trusted simply because it comes from inside the network or from a prior login. It requires ongoing verification of identity, context, and policy before access is allowed or continued.
- Identity Proofing: Identity proofing is the process of establishing that a claimed identity belongs to a real subject and that the subject is entitled to the credential being issued. In regulated or critical environments, weak proofing weakens every later access decision built on that identity.
What's in the full article
Cybertrust Japan's full post covers the operational detail this post intentionally leaves for the source:
- PKI-based identity assurance examples for high-trust environments and why they matter in practice.
- The relationship between NIST SP 800-207, NIST SP 800-63, and Japan’s ICAM direction.
- Specific access management scenarios where zero trust controls depend on credential integrity.
- How national policy and security labelling are shaping procurement and compliance expectations.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a stronger identity programme across human and non-human access, it is worth exploring.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org