TL;DR: The article argues that modern IAM can support sustainability goals by reducing paper billing, commuting, device churn, MFA noise, and on-prem infrastructure emissions, citing PwC, Engie, and AWS data alongside Okta examples. The core issue for practitioners is that sustainability benefits only hold when identity controls are frictionless, secure, and measurable across human and non-human access patterns.
At a glance
What this is: This is an Okta-authored sustainability argument for IAM, claiming identity design can reduce emissions through paperless billing, remote work, fewer authentication events, and cloud infrastructure choices.
Why it matters: For IAM and NHI practitioners, the relevance is that identity controls now sit inside broader business metrics, so access design can affect both security outcomes and operational footprint.
By the numbers:
- 71% of investors agree that companies should incorporate sustainability directly into their corporate strategy.
- Teleworking can result in 60% less CO2 emissions compared to commuting.
- Auth0 customers reported a 15% increase in customer registrations or online purchases.
Context
Identity is usually discussed as an access control problem, but this article treats IAM as part of sustainability strategy. The claim is that registration flows, login design, remote access, and cloud hosting choices can reduce waste while also affecting security and user experience.
That framing is useful, but it also exposes a governance gap. Once identity controls are tied to environmental and business outcomes, practitioners need to measure whether the control is actually reducing friction and emissions without creating new access risk across both human and non-human identities.
Key questions
Q: How can IAM teams support sustainability goals without weakening security?
A: Start by reducing unnecessary identity events, such as repeated logins, redundant approvals, and paper-based onboarding. Then preserve assurance with adaptive MFA, risk-based access, and strong lifecycle controls. The goal is not fewer controls, but fewer wasteful control steps that add friction, overhead, and avoidable operational cost.
Q: Should organisations treat non-human identities as part of sustainability planning?
A: Yes. Service accounts, API keys, bots, and automated workloads create ongoing authentication, storage, and infrastructure demand. If they are overprovisioned or never cleaned up, they increase both security risk and operational waste. Including NHIs in planning makes sustainability measurement more accurate and governance more complete.
Q: What is the difference between secure identity optimisation and simple cost cutting?
A: Secure identity optimisation removes unnecessary transactions while preserving assurance and auditability. Cost cutting often just reduces spend, which can push users toward weaker workarounds or shadow systems. In identity governance, the better outcome is fewer wasteful steps, not fewer controls.
Q: When do identity changes actually improve sustainability?
A: Identity changes improve sustainability when they measurably reduce paper use, commuting, device churn, prompt volume, or on-prem infrastructure, and do so without increasing abuse risk. If the project only shifts cost from one place to another, the sustainability claim is weak.
Technical breakdown
How IAM affects sustainability metrics
IAM influences sustainability through the number of transactions, the channels used, and the infrastructure behind them. Paper billing, MFA prompts, device provisioning, and on-prem authentication all consume physical and compute resources. The mechanism is indirect but real: better identity design can reduce unnecessary steps, device churn, and manual processing. For NHI governance, the important point is that service accounts, bots, and API tokens also create transaction volume and infrastructure load when they are overused, poorly scoped, or repeatedly reauthenticated. Identity architecture therefore affects both control overhead and operational footprint.
Practical implication: Measure identity flows as part of operational efficiency, not just security, and include NHI transaction volume in the analysis.
Why frictionless registration matters for paperless adoption
Paperless billing only scales when the identity journey is simple enough to complete. Progressive profiling, social login, and secure account creation reduce abandonment because they lower the number of steps before a customer can opt into digital delivery. The security challenge is to remove friction without weakening account assurance. For IAM teams, the lesson is that customer identity controls can shape sustainability outcomes only if they are designed as conversion paths, not as isolated authentication checkpoints. That same principle applies to NHI onboarding, where overly rigid provisioning can force shadow workarounds.
Practical implication: Review customer and machine onboarding flows together, because poor identity UX drives both abandonment and unsafe workarounds.
Cloud-hosted identity versus on-prem authentication overhead
A cloud-native identity platform can shift authentication workload away from local infrastructure, but the sustainability effect depends on how much on-prem equipment is eliminated and how efficiently the cloud service is operated. The article’s logic is that centralized, managed identity services can remove duplicate servers and reduce maintenance burden. From a governance perspective, this is not a blanket claim that cloud always wins. It means practitioners should compare actual workload, not vendor architecture labels, and account for the identity systems that support both people and non-human workloads.
Practical implication: Track the infrastructure eliminated by identity modernization before claiming environmental benefit.
Breaches seen in the wild
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
NHI Mgmt Group analysis
Sustainability becomes an identity governance issue when access design changes physical and digital waste at the same time. The article shows that authentication flows are not neutral. They can reduce paper use, device churn, and unnecessary login traffic, but only if IAM teams treat efficiency as a measurable control objective. Practitioners should include identity operations in sustainability reporting, while keeping security and assurance intact.
Identity sustainability claims break down when organisations ignore non-human identity volume. Customer login journeys are only one part of the picture. Service accounts, API keys, bots, and automated workflows also generate ongoing authentication and infrastructure demand, which means NHI sprawl can quietly undermine efficiency gains. The practical conclusion is that governance must cover both user and machine identities if sustainability metrics are to be credible.
Friction reduction is only useful when it is paired with assurance. The article argues for simpler registration and fewer MFA prompts, but simplified access can also widen abuse paths if assurance is not preserved. That is why adaptive controls, progressive profiling, and bot detection matter together. Practitioners should optimise for fewer unnecessary identity events without creating weak entry points.
Cloud identity economics are not the same as cloud identity governance. Moving authentication to a managed platform may reduce local infrastructure, but the governance question is whether the new model actually consolidates risk, cost, and operational overhead. Identity teams should measure the full lifecycle impact, including offboarding, account review, and machine credential management. The right question is not whether cloud identity is greener in theory, but whether it reduces control sprawl in practice.
Named concept: identity sustainability debt. This article points to the hidden operational cost created when identity systems force extra paper, extra device production, extra prompts, or extra servers. That debt accumulates when teams optimise for convenience or branding instead of control efficiency. Practitioners should treat every avoidable identity transaction as a candidate for removal, consolidation, or automation.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- For the adjacent control problem: 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
What this signals
Sustainability-linked identity programmes should be evaluated as control programmes, not branding exercises. If a modern IAM initiative does not reduce operational steps, retire infrastructure, or limit non-human sprawl, it is unlikely to produce durable environmental value.
Identity sustainability debt: the hidden overhead created when identity flows generate avoidable prompts, duplicated approvals, or extra servers. The next planning cycle should account for that debt alongside security, cost, and user experience.
With 71% of organisations not rotating NHIs within recommended time frames, per the Ultimate Guide to NHIs, control efficiency and lifecycle hygiene are already linked. A sustainability lens only works if the identity estate is governed well enough to measure what is actually being consumed.
For practitioners
- Map identity flows to sustainability metrics: Track paper billing conversion, login volume, MFA prompt counts, device issuance, and authentication infrastructure use together so sustainability claims are tied to measurable identity operations.
- Reduce avoidable identity transactions: Use SSO, adaptive MFA, and session reuse where assurance allows, then remove duplicate prompts and manual approvals that create unnecessary operational overhead.
- Include non-human identities in efficiency reviews: Review service accounts, API keys, bots, and automation jobs for excessive reauthentication, redundant polling, and unused lifecycle paths that add load without business value.
- Compare cloud and on-prem identity footprints honestly: Count servers retired, support burden removed, and remaining workloads before claiming environmental benefit from an IAM modernisation project.
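One way to run the non-human identity efficiency review from the list above, as an added example that is not from Okta or the original post. It assumes token-issuance events are available as (time, identity, TTL in seconds) tuples; the function names, thresholds, identity names and sample events are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import ceil

def review_nhi_tokens(events, start, end, reuse_factor=3, stale_days=30):
    """Classify identities from (time, identity, ttl_seconds) issuance events.

    excess-reauth: more than reuse_factor times the tokens that reusing each
    token for its full lifetime would require inside [start, end).
    stale: no issuance at all in the stale_days before end.
    """
    per_id = defaultdict(list)
    for when, identity, ttl in events:
        per_id[identity].append((when, ttl))
    window_seconds = (end - start).total_seconds()
    findings = {}
    for identity, rows in per_id.items():
        last_seen = max(when for when, _ in rows)
        ttls = [ttl for when, ttl in rows if start <= when < end]
        # Shortest TTL seen gives the largest "needed" count, so flagging is conservative.
        needed = ceil(window_seconds / min(ttls)) if ttls else 0
        if end - last_seen > timedelta(days=stale_days):
            status = "stale"            # candidate for offboarding review
        elif len(ttls) > reuse_factor * needed:
            status = "excess-reauth"    # tokens discarded long before expiry
        else:
            status = "ok"
        findings[identity] = {"status": status, "issued": len(ttls), "needed": needed}
    return findings

def constructed_events(end):
    """Constructed sample data (not real logs) for three hypothetical identities."""
    start = end - timedelta(days=1)
    events = [(end - timedelta(days=60), "bot-legacy", 3600)]   # unused since then
    for minute in range(0, 24 * 60, 5):    # new token every 5 min, 1 h TTL
        events.append((start + timedelta(minutes=minute), "svc-poller", 3600))
    for hour in range(24):                 # one token per hour, TTL fully used
        events.append((start + timedelta(hours=hour), "svc-batch", 3600))
    return events

if __name__ == "__main__":
    end = datetime(2025, 12, 2)
    for name, f in sorted(review_nhi_tokens(constructed_events(end),
                                            end - timedelta(days=1), end).items()):
        print(name, f)
```

The `issued` versus `needed` gap is the avoidable transaction volume per identity; the `stale` set feeds the offboarding and key-revocation review.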
Key takeaways
- Identity programmes can influence sustainability outcomes, but only when the control changes are measurable and operational, not just rhetorical.
- Non-human identities expand the problem because they add hidden transaction volume, infrastructure load, and lifecycle waste.
- The practical move is to reduce unnecessary identity events while preserving assurance, auditability, and lifecycle control.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access management matter when identity design changes operating footprint. |
| NIST AI RMF | GOVERN | Identity automation needs governance when machine and human access patterns affect business outcomes. |
| NIST Zero Trust (SP 800-207) | | Zero Trust supports continuous verification while reducing reliance on static trust and duplicated prompts. |
Review identity entitlements under PR.AC-4 and remove redundant access that creates needless operational overhead.
Key terms
- Identity sustainability debt: The accumulated operational cost created when identity systems generate avoidable paper use, prompt volume, device churn, or infrastructure overhead. It is not a formal accounting term, but it is a useful governance concept for understanding how identity design affects both security and efficiency.
- Adaptive MFA: A multi-factor authentication pattern that changes the challenge based on user context, risk, and policy. It reduces unnecessary friction by avoiding one-size-fits-all prompts, while still increasing assurance when a session, device, or location looks unusual.
- Non-Human Identity: A non-human identity is any digital identity used by software rather than a person, including service accounts, API keys, tokens, certificates, bots, and AI agents. These identities often outnumber human users and require lifecycle, privilege, and rotation controls of their own.
- Progressive profiling: A registration approach that collects only the minimum information needed at first, then gathers more data over time as trust and engagement grow. In identity programmes, it can improve conversion and reduce abandonment without eliminating security checks that matter later in the journey.
This post draws on content published by Okta: Identity as a sustainability strategy. Read the original.
Published by the NHIMG editorial team on 2025-12-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org