TL;DR: Hybrid working has expanded the identity perimeter, and Axiad argues that security teams need to govern users, machines, email and document signing, and identity verification together rather than in separate silos, citing a finding that 90% of IT leaders reported more cyberattacks since the pandemic. The core issue is that identity assurance fails when governance is fragmented across too many credential types and access paths.
At a glance
What this is: Axiad argues that hybrid work has turned identity management into a multi-identity governance problem spanning users, machines, credentials, and verification.
Why it matters: IAM teams can no longer treat authentication, machine identity, and proofing as separate projects if they want consistent trust across human and non-human access.
By the numbers:
- 90% of IT leaders reported an increase in cyberattacks since the pandemic.
👉 Read Axiad's blog on holistic identity controls for the hybrid workforce
Context
Hybrid work pushed identity controls beyond the office perimeter and exposed gaps in how organisations manage trust across people, devices, and services. The article frames identity as a shared security layer rather than a user-login problem, which is the right starting point for modern IAM programmes.
The practical challenge is that verification, credential issuance, machine identity, and signing controls often live in separate teams and tools. That fragmentation creates inconsistent assurance levels, slower onboarding, and more opportunities for bypasses, especially when access is remote and the help desk is no longer local.
Key questions
Q: How should security teams govern identity in a hybrid workforce?
A: They should govern identity as a lifecycle that spans people, devices, machines, and documents rather than treating login as the only control point. That means combining proofing, credential issuance, certificate management, and signing into one assurance model, with clear ownership for each identity type. The goal is consistent trust across remote work and dispersed access paths.
Q: Why do machine identities matter in IAM programmes?
A: Machine identities matter because servers, applications, mobile devices, and IoT endpoints authenticate, exchange data, and often hold privileged access. If they are not inventoried and governed, security teams lose visibility into what is actually trusted in the environment. That creates blind spots in certificate lifecycle management and weakens the entire identity fabric.
Q: What breaks when identity proofing is weak?
A: Weak proofing lets the organisation issue credentials to the wrong person or entity, which means later access controls are protecting an assumption that was never verified. In practice, that leads to fraud risk, onboarding mistakes, and downstream trust problems that access reviews cannot fully repair. Proofing is the foundation, not an optional pre-step.
Q: Should organisations use signing to reduce phishing risk?
A: Yes, where the business depends on trusted remote communication and document exchange. Signing helps recipients verify the sender and integrity of the content, which reduces the chance that a convincing phishing message or altered document will be accepted as legitimate. It works best when paired with certificate governance and user training.
Technical breakdown
Machine identity management for hybrid environments
Machines now behave as first-class identities because servers, mobile devices, applications, and IoT devices all authenticate and exchange data. In practice, that means certificates, issuance, tracking, and encryption need to be governed as part of the identity stack, not left to infrastructure teams alone. PKI remains central because it binds device identity to cryptographic trust and reduces the chance that a spoofed or unmanaged device is accepted as a trusted participant in the environment.
Practical implication: map machine identities to certificate lifecycle ownership and inventory them alongside other non-human identities.
Email and document signing as identity assurance
Email and document signing shift trust from content inspection to sender verification. A signed message or contract lets the recipient validate origin and integrity even when phishing or tampering slips past filters. This is especially relevant in hybrid work because collaboration now depends on remote approval flows, scanned documents, and asynchronous decisions that attackers can exploit if identity is weak.
Practical implication: require certificate-based signing for high-trust communications and approval workflows.
Credential orchestration and identity proofing
Credential management becomes fragile when users hold multiple authenticators, devices, and recovery paths. The article’s point is that issuance and troubleshooting should be simplified, while identity proofing should verify people before credentials are issued. That combination reduces help desk load and lowers fraud risk because the organisation is controlling both initial trust and ongoing access enablement.
Practical implication: unify credential operations and tighten proofing before issuing any new access factor.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- iOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials, endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity governance has to cover the full trust chain, not just the login event. The article is effectively describing a programme design failure where organisations optimise for authentication while leaving machine identity, signing, issuance, and proofing in separate lanes. That approach breaks down once work becomes distributed and remote because trust is now created across multiple identity moments. Practitioners should treat identity as a lifecycle and assurance model, not a point control.
Machine identities are no longer supporting actors in the identity model. When servers, devices, applications, and IoT endpoints all participate in business workflows, they become part of the attack surface and the trust fabric at the same time. This is squarely within the NHI governance problem space, where inventory, certificate control, and cryptographic trust determine whether the environment is knowable at all. The implication is that machine identity visibility must sit alongside human IAM, not beneath it.
Identity proofing is the upstream control that determines whether downstream access means anything. If organisations issue credentials before they know who or what is being enrolled, every later control inherits that uncertainty. The article points to identity fraud, onboarding speed, and remote verification as one connected problem. Practitioners should understand this as assurance leakage at issuance, not just weak login security.
Credential sprawl is a governance issue, not a convenience issue. The more authenticators, tokens, and recovery paths an organisation distributes, the more it depends on clean lifecycle control and user adherence. That creates a recurring operational burden that cannot be solved by adding another login factor. The better lens is standardised credential orchestration with clear lifecycle ownership across identities.
Holistic identity programmes are becoming the default requirement for resilient access governance. Hybrid work, remote support, and cross-channel trust decisions have collapsed the old separation between user authentication and system trust. The organisations that will cope best are those that connect PKI, proofing, signing, and credential operations into one identity governance model. That is the direction IAM programmes now need to move in.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- The broader lifecycle problem is covered in Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, which helps teams move from visibility to operational control.
What this signals
Identity teams should expect hybrid work to keep collapsing the boundary between human access and non-human trust. The operational consequence is that credential issuance, proofing, and device trust can no longer be designed as separate workstreams. Teams that still treat machine identity as an infrastructure concern will keep missing the governance layer where risk actually accumulates.
Holistic identity control becomes more valuable as identity types proliferate. When remote work expands the number of credentials, authenticators, and trust decisions in circulation, programme maturity depends on lifecycle discipline as much as on authentication strength. Teams should watch for sprawl in certificates, proofing exceptions, and unmanaged signing paths, then tie those gaps back to ownership and review cadence.
Identity sprawl is the real programme signal here: when organisations cannot connect issuance, signing, and recovery into one model, assurance degrades silently. That is where the next round of policy work should focus, especially if the environment already struggles with secrets visibility and offboarding discipline.
For practitioners
- Define a full identity inventory: catalogue human users, service identities, device identities, and application identities in one register so owners, credential types, and assurance requirements are visible together.
- Extend PKI governance to machines: treat certificate issuance, renewal, revocation, and discovery as lifecycle controls for servers, mobile devices, applications, and IoT endpoints, not as infrastructure afterthoughts.
- Standardise identity proofing before issuance: require proofing checks before credentials are created or reissued, especially for customers, partners, and remote employees who will never meet the help desk in person.
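A worked version of the first two steps above (and of the machine identity section in the technical breakdown), written for this post as an added example; it is not Axiad's code or any product's. It assumes a hypothetical register schema (`CertRecord`) of the kind a CA export or discovery scan would produce, an assumed policy of a 30-day renewal window and a 398-day maximum lifetime, and constructed sample rows. The audit flags expired, expiring, revoked, ownerless, long-lived and unclassified certificates, and also the same name live under two different owners, which is how shadow issuance usually surfaces once machine identities are inventoried in one place.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed lifecycle policy for this example; real thresholds belong in the
# organisation's certificate policy, not in code.
RENEWAL_WINDOW = timedelta(days=30)   # flag certificates this close to expiry
MAX_LIFETIME = timedelta(days=398)    # flag certificates issued for longer than this
KNOWN_TYPES = {"server", "application", "mobile-device", "iot"}

# Fixed "now" so the run is reproducible; a live audit would use datetime.now(timezone.utc).
AUDIT_NOW = datetime(2025, 9, 16, tzinfo=timezone.utc)


@dataclass(frozen=True)
class CertRecord:
    """One row of the machine identity register (hypothetical schema)."""
    serial: str
    subject: str
    sans: tuple[str, ...]
    identity_type: str
    owner: str            # accountable team; empty string means nobody owns it
    not_before: datetime
    not_after: datetime
    revoked: bool = False


def lifecycle_state(rec: CertRecord, now: datetime) -> str:
    """Where the certificate sits in its lifecycle at time `now`."""
    if rec.revoked:
        return "revoked"
    if now < rec.not_before:
        return "not-yet-valid"
    if now >= rec.not_after:
        return "expired"
    if rec.not_after - now <= RENEWAL_WINDOW:
        return "expiring"
    return "valid"


def audit(records: list[CertRecord], now: datetime) -> dict[str, list[str]]:
    """Return {serial: sorted findings} for every record that needs attention."""
    findings: dict[str, set[str]] = defaultdict(set)
    active_by_name: dict[str, list[CertRecord]] = defaultdict(list)

    for rec in records:
        state = lifecycle_state(rec, now)
        if state != "valid":
            findings[rec.serial].add(state)
        if not rec.owner.strip():
            findings[rec.serial].add("no-owner")
        if rec.identity_type not in KNOWN_TYPES:
            findings[rec.serial].add("unknown-identity-type")
        if rec.not_after - rec.not_before > MAX_LIFETIME:
            findings[rec.serial].add("long-lived")
        if state in ("valid", "expiring"):
            for name in rec.sans:
                active_by_name[name].append(rec)

    # The same name live under two different owners is a governance gap:
    # either shadow issuance or an ownership record that was never reconciled.
    for recs in active_by_name.values():
        if len({r.owner for r in recs}) > 1:
            for r in recs:
                findings[r.serial].add("duplicate-name")

    return {serial: sorted(issues) for serial, issues in sorted(findings.items())}


def sample_register() -> list[CertRecord]:
    """Constructed sample rows, not data from any real environment."""
    def d(y: int, m: int, day: int) -> datetime:
        return datetime(y, m, day, tzinfo=timezone.utc)

    return [
        CertRecord("01", "CN=web-01.corp.example", ("web-01.corp.example",),
                   "server", "platform-team", d(2025, 1, 1), d(2026, 1, 1)),
        CertRecord("02", "CN=api-gateway", ("api-gateway.corp.example",),
                   "application", "", d(2024, 10, 1), d(2025, 10, 1)),
        CertRecord("03", "CN=sensor-17", ("sensor-17.ot.example",),
                   "iot", "ot-team", d(2022, 1, 1), d(2025, 6, 30)),
        CertRecord("04", "CN=web-01.corp.example", ("web-01.corp.example",),
                   "unknown", "contractor-x", d(2025, 8, 1), d(2026, 8, 1)),
        CertRecord("05", "CN=build-runner", ("build-runner.ci.example",),
                   "application", "ci-team", d(2025, 3, 1), d(2026, 3, 1), revoked=True),
    ]


if __name__ == "__main__":
    for serial, issues in audit(sample_register(), AUDIT_NOW).items():
        print(f"{serial}: {', '.join(issues)}")
```

Run as a script and each serial prints its findings: serial 03 is both expired and far past the assumed lifetime limit, 02 is inside the renewal window with no owner to renew it, and 01 and 04 share a name under different owners. The point of the design is that every finding maps back to an owner and a lifecycle action, which is what turns a certificate list into an inventory that can actually be governed.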
Key takeaways
- Hybrid work turns identity into a multi-entity governance problem that spans users, machines, certificates, and proofing flows.
- The article’s risk signal is fragmentation: separate controls for separate identity types create weak assurance and operational overload.
- IAM teams should respond by unifying lifecycle ownership, certificate governance, and identity proofing across the environment.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI7:2025 Long-Lived Secrets | Unmanaged machine identities and long-lived certificates are the lifecycle gaps the article's inventory and PKI governance model is meant to close. |
| NIST CSF 2.0 | PR.AA-01, PR.AA-02 | Identities and credentials for users, services, and hardware must be managed, and identities proofed and bound to credentials, before access is trusted. |
| NIST Zero Trust Architecture (SP 800-207) | Section 2.1, tenets 1 and 6 | Every computing service is a resource, and authentication and authorization are enforced dynamically before access is allowed, for people and devices alike. |
Tie identity proofing and credential issuance to access control governance and review exceptions regularly.
Key terms
- Machine Identity: A machine identity is the digital identity used by a non-human system such as a server, application, IoT device, or workload to authenticate and exchange data. It is governed through certificates, keys, and lifecycle controls that determine whether the system is trusted at runtime.
- Identity Proofing: Identity proofing is the process of verifying that a person or entity is who it claims to be before credentials are issued. In hybrid environments, it is a front-end assurance control that reduces fraud and prevents weak identity assumptions from flowing into downstream access decisions.
- Certificate Lifecycle: Certificate lifecycle is the end-to-end management of digital certificates from issuance to renewal, revocation, and replacement. In NHI governance, it is the control plane that keeps machine trust current and prevents stale credentials from becoming hidden access paths.
- Identity Assurance: Identity assurance is the degree of confidence an organisation has that an identity is genuine and remains trustworthy over time. It combines proofing, credential quality, and governance discipline, and for non-human identities it must also cover certificate health and lifecycle ownership.
Deepen your knowledge
Hybrid workforce identity governance is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme needs to connect people, machines, and credentials into one control model, it is worth exploring.
This post draws on content published by Axiad: Identity crisis? It’s time to take the holistic approach. Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org