TL;DR: Remote work pushed identity to the centre of enterprise security. Axiad cites Gartner, The Economist, and its own survey data, which names phishing (71%) and malware (61%) as the most significant new threat vectors and has 52% of tech leaders reporting that remote employees found workarounds to security policy. The lesson is that user-friendly authentication and credential governance now determine whether remote productivity increases or security exceptions spread.
At a glance
What this is: An Axiad analysis of identity-first security for remote work, arguing that distributed work has made credential management and user-friendly authentication central to enterprise security.
Why it matters: IAM teams now have to govern a larger mix of employee credentials, machine identities, and authentication methods without creating friction that drives workarounds.
By the numbers:
- The Axiad Remote Work Survey found that phishing threats (71%) and malware (61%) emerged as the most significant new threat vectors in remote work environments.
- The Axiad Remote Work Survey found that more than half (52%) of tech leaders said their remote employees had found workarounds to company security policies.
Context
Identity-first security means making identity and authentication the primary control plane for access, rather than treating it as a supporting function. In a remote-work model, that shift is no longer theoretical because employees, devices, and applications are all operating outside the office boundary and must still be trusted, tracked, and governed.
Axiad's article frames this as a response to work changing permanently, not just temporarily. The governance challenge is that more credentials, more endpoints, and more authentication methods increase both operational overhead and the chance that users will route around controls when the experience becomes too difficult.
For IAM programmes, the point is not that remote work created a new category of identity risk. It exposed how much existing access design depended on office-centric assumptions about networks, devices, and user behaviour.
Key questions
Q: How should organisations govern remote access without creating unsafe workarounds?
A: They should simplify authentication to a small, supportable set of approved methods, then monitor where users still bypass policy. If employees keep creating shortcuts, the access design is too difficult to use consistently. Governance succeeds only when the secure path is also the practical path for normal work.
Q: Why does remote work increase identity risk even when MFA is in place?
A: Remote work increases identity risk because MFA does not remove the pressure created by more devices, more apps, and more credentials. If access is fragmented or hard to use, users look for shortcuts. The real risk is not only authentication weakness, but the operational sprawl that surrounds it.
Q: How do security teams know whether identity-first security is actually working?
A: Look for fewer approved credential types, lower support friction, and a drop in policy workarounds. If users still need exceptions to do normal work, identity-first security exists on paper but not in practice. The programme is working when governance and usability reinforce each other instead of competing.
Q: What is the difference between identity-first security and location-based trust?
A: Identity-first security makes access depend on verified identity and governed authentication methods, while location-based trust assumes safety because a user is inside the office network or on a managed perimeter. In hybrid work, location is too weak to carry trust on its own, so identity has to do the heavy lifting.
Technical breakdown
Why remote work expands the identity attack surface
Remote work expands the identity attack surface because access is no longer anchored to a managed office perimeter. Every employee device, collaboration app, mobile authenticator, smart card, and remote login path becomes part of the trust chain. That widens the number of credentials that need issuance, storage, monitoring, and revocation. It also increases the chance that one weak credential or poorly governed device becomes the easiest path into business systems. In identity terms, the problem is not only authentication failure. It is the multiplication of trust edges across people, apps, and endpoints.
Practical implication: map remote access paths by credential type and remove any authentication route that cannot be tracked end to end.
Credential sprawl and the cost of policy workarounds
Credential sprawl occurs when organisations add authentication methods faster than they can govern their lifecycle, usability, and enforcement. A remote workforce typically needs more than one factor, more than one device, and more than one platform-specific credential. When those controls are awkward, users seek shortcuts, such as bypassing approved methods or using unsanctioned tools. That is not just a user-experience problem. It is a governance failure because the policy is no longer the system users actually follow. The article's emphasis on workarounds shows how friction can turn into shadow practice.
Practical implication: treat workaround behaviour as a control failure signal and review the authentication flow that triggered it.
Identity-first security as a control model for hybrid work
Identity-first security shifts the security decision from location-based trust to identity-based verification. In practice, that means credentials, device posture, and authentication strength become the core of access decisions, regardless of whether the user is in an office or at home. For hybrid work, this aligns with zero trust thinking because access is continuously evaluated rather than assumed from network placement. The key limitation is that identity-first only works if the controls are simple enough that employees can use them consistently and administrators can govern them at scale.
Practical implication: consolidate authentication methods into a governed set of options that IT can support and users can reliably adopt.
NHI Mgmt Group analysis
Identity-first security is an access governance model, not a branding exercise. The article is really describing a shift in where trust is established. Once work is distributed, access control has to follow identity wherever it appears, not just where the office network used to end. That makes authentication design, lifecycle control, and credential usability part of the same governance problem.
Remote work exposed credential management as an operational bottleneck. When two-thirds of businesses report adopting new credential types after the shift, the issue is no longer simply whether MFA exists. The issue is whether the organisation can issue, track, support, and retire multiple credentials without creating admin drag or user resistance. Practitioners should see this as a lifecycle scaling problem.
Identity friction: When authentication is difficult, users create workarounds that silently invalidate policy. The article's 52% workaround figure shows that control design and user behaviour are coupled. If the approved path is slower or harder than the unsafe path, the unsafe path becomes the real operating model. The implication is that governance cannot be separated from usability in remote identity programmes.
Remote work made machine identities part of the same trust conversation as people. The article notes that corporate apps and devices multiplied as work moved out of the office, which means IAM teams are no longer only supporting employees. They are supporting an expanding population of non-human access paths that must be authenticated, inventoried, and constrained. Practitioners should align human and machine identity governance instead of treating them as separate programmes.
Identity-first security now sits at the intersection of IAM and Zero Trust. Gartner's framing in the article matches a broader market reality: perimeter assumptions have weakened, but identity assumptions have not yet been fully operationalised. That leaves many organisations with fragmented controls that still depend on old location-based habits. Practitioners need to treat identity as the policy anchor for hybrid work.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- For the operational side of this problem, see Ultimate Guide to NHIs, Key Challenges and Risks, for the visibility, rotation, and offboarding issues that make identity-first controls hard to sustain.
What this signals
The next phase of hybrid work governance will be defined by whether identity teams can collapse authentication sprawl into a small number of supportable patterns. The more exceptions a programme tolerates, the faster policy drifts away from actual behaviour.
Identity friction debt: When the secure path is materially harder than the unsafe one, users accumulate informal workarounds that become part of the real control environment. That means IAM leaders should measure not only adoption, but where users are finding relief outside the policy design.
A recent NHI Mgmt Group finding shows that 91.6% of secrets remain valid five days after notification, which is a useful reminder that identity operations fail when remediation lags behind exposure. In a remote-work model, that same lag shows up as slow revocation, inconsistent enforcement, and a growing support burden.
For practitioners
- Inventory every remote authentication path: Document which credentials, devices, and applications are used for remote access, then identify any route that is outside the normal lifecycle process for issuance, review, and revocation.
- Reduce authentication choice to a governable set: Offer only the authentication methods IT can support consistently, and remove duplicate or informal paths that encourage users to bypass policy when access feels slow.
- Treat workaround behaviour as a security control signal: Investigate where users are finding alternatives to approved authentication methods, because those patterns usually point to friction, poor usability, or broken policy design.
- Align remote access with identity-first policy: Use identity and device trust as the basis for access decisions, then ensure those decisions are enforced the same way for office and home users.
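One way to act on the inventory and workaround items above, shown as an added example that is not from Axiad or NHI Mgmt Group. The approved-method list, credential inventory, event fields and all values are assumptions constructed for illustration; real sign-in logs will need mapping to this shape.

```python
from collections import Counter, defaultdict

# Assumed policy and inventory (hypothetical names, constructed for this example).
APPROVED_METHODS = {"fido2", "smartcard", "authenticator_app"}
INVENTORY = {  # credential_id -> lifecycle record
    "cred-001": {"owner": "alice", "status": "active"},
    "cred-002": {"owner": "bob", "status": "active"},
    "cred-003": {"owner": "carol", "status": "revoked"},
}
# Constructed successful remote sign-in events; not real log data.
EVENTS = [
    {"user": "alice", "method": "fido2", "cred": "cred-001", "app": "vpn"},
    {"user": "bob", "method": "sms_otp", "cred": "cred-002", "app": "mail"},
    {"user": "bob", "method": "sms_otp", "cred": "cred-002", "app": "crm"},
    {"user": "carol", "method": "smartcard", "cred": "cred-003", "app": "vpn"},
    {"user": "dave", "method": "password_only", "cred": "cred-999", "app": "wiki"},
    {"user": "alice", "method": "authenticator_app", "cred": "cred-001", "app": "crm"},
]

def audit_remote_paths(events, approved, inventory):
    """Map access paths by method and flag routes that escape governance."""
    paths = Counter((e["method"], e["app"]) for e in events)
    findings = defaultdict(set)  # user -> set of reasons
    for e in events:
        record = inventory.get(e["cred"])
        if e["method"] not in approved:
            findings[e["user"]].add("unapproved_method")
        if record is None:
            # Credential never went through issuance, so it cannot be revoked.
            findings[e["user"]].add("untracked_credential")
        elif record["status"] != "active":
            # Revocation was recorded but is not being enforced at sign-in.
            findings[e["user"]].add("revoked_credential_in_use")
        elif record["owner"] != e["user"]:
            findings[e["user"]].add("credential_owner_mismatch")
    return paths, {u: sorted(r) for u, r in findings.items()}

def workaround_rate(events, findings):
    """Share of distinct users with at least one finding."""
    users = {e["user"] for e in events}
    return len(findings) / len(users) if users else 0.0

if __name__ == "__main__":
    paths, findings = audit_remote_paths(EVENTS, APPROVED_METHODS, INVENTORY)
    for (method, app), n in sorted(paths.items()):
        print(f"{method:18} -> {app:5} {n}")
    for user, reasons in sorted(findings.items()):
        print(user, reasons)
    print(f"users with findings: {workaround_rate(EVENTS, findings):.0%}")
```

Tracking the per-user finding rate over time gives a measurable version of the workaround signal, and the path map shows which method and application pairs to review first.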
Key takeaways
- Remote work turned identity into the main security boundary, which makes authentication design and credential governance central rather than auxiliary.
- The evidence in the article points to a practical problem, not just a risk statement: more credential types create more user friction and more workarounds.
- IAM teams should simplify the approved access path, monitor workaround behaviour, and align remote access policy with identity-first control design.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Remote access control depends on verified identities and governed authentication methods. |
| NIST Zero Trust (SP 800-207) | | Identity-based access decisions align with zero trust principles for hybrid work. |
| NIST SP 800-63 | | Authentication assurance matters when users rely on multiple remote access methods. |
Standardise remote authentication options and ensure each one is supportable across the full user lifecycle.
Key terms
- Identity-first security: An access model that treats verified identity as the primary control point for system access. It shifts security decisions away from network location and toward governed authentication, credential lifecycle management, and continuous trust evaluation across remote and hybrid environments.
- Credential sprawl: The uncontrolled growth of passwords, tokens, keys, authenticators, and device-bound credentials across an organisation. It increases administrative burden, makes revocation harder, and raises the chance that users will bypass policy when too many access methods have to be managed at once.
- Workaround behaviour: The informal actions users take when approved access processes are too slow, complex, or inconvenient. In identity governance, workaround behaviour is a control signal because it shows that the designed security path is not the path users actually follow.
- Remote identity governance: The discipline of issuing, supporting, monitoring, and revoking credentials and authentication methods for a distributed workforce. It combines lifecycle management, user experience, and security policy so that remote access remains usable without weakening control.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Axiad: What you need to know about ‘Identity-first Security’: The rise of remote. Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org