By NHI Mgmt Group Editorial TeamPublished 2025-12-18Domain: Governance & RiskSource: Bitwarden

TL;DR: Hybrid work, cloud migration and basic security hygiene are the main planning pressures in 2022 IT security trends, with reduced visibility and credential sprawl making breach prevention harder, according to Bitwarden. The deeper issue is that identity controls built for stable perimeters and known devices do not map cleanly to distributed access patterns.


At a glance

What this is: This webcast frames 2022 security planning around hybrid work, cloud adoption and security hygiene, with credential visibility and control emerging as the central issue.

Why it matters: It matters because IAM, PAM and NHI programmes all inherit the same problem when access is distributed across remote devices, shared credentials and cloud services.

By the numbers:

👉 Read Bitwarden's webcast replay on 2022 IT security trends and credential control


Context

Hybrid work changed the identity problem before it changed the network problem. When users, devices and services move outside a stable perimeter, access control depends less on the boundary and more on the organisation’s ability to see credentials, enforce policy and confirm who or what is connecting.

This webcast focuses on planning for that shift through the lens of remote access, cloud adoption and basic security hygiene. The underlying issue is not just endpoint patching or user behaviour. It is that identity programmes now have to account for shared credentials, cloud sprawl and visibility gaps across both human and non-human access paths.


Key questions

Q: How should security teams handle credential governance for hybrid workforces?

A: Security teams should treat credentials as shared operational assets, not just login factors. That means centralising storage, restricting sharing, revoking access promptly and accounting for both human and service credentials across managed and unmanaged environments. The aim is to reduce reuse and expose who can reach what, even when work happens outside the office.

Q: Why do cloud and remote work increase identity risk?

A: They expand the number of devices, apps and networks that can touch corporate credentials, which makes visibility and consistent policy much harder. When the organisation cannot see every access path, weak passwords, reused secrets and shadow IT can persist long enough to create breach conditions. That is why identity governance has to extend beyond the login screen.

Q: What do teams get wrong about password managers and SSO?

A: Teams sometimes assume these tools solve governance by themselves. In reality, password managers and SSO improve control only when they are paired with inventory, revocation processes and clear policy on sharing and device use. Without that governance layer, they reduce friction but do not eliminate access sprawl.

Q: How can organisations reduce the blast radius of compromised credentials?

A: They should limit credential reuse, separate admin access from everyday access, and keep a current inventory of cloud accounts and shared secrets. The key is to make each credential reach as little as possible so a single compromise cannot spread across multiple services or teams.


Technical breakdown

Why hybrid work breaks perimeter-based access control

Perimeter-based security assumes that most trusted activity stays inside a controlled network boundary. Hybrid work disrupts that model because users connect from unmanaged or partially managed devices, home networks and multiple cloud services. That reduces the value of network location as an access signal and makes visibility into posture, authentication context and credential use more important than where a request originates. In practice, this shifts control from static boundary enforcement to continuous identity-aware verification across devices and sessions.

Practical implication: teams need policies that evaluate identity, device and session context instead of relying on network location alone.

Credential management as a control layer for distributed work

Credential management becomes a compensating control when users and teams work outside a single managed environment. Password managers, shared vaults and controlled sharing help reduce reuse, expose weak credentials and make approved access easier to administer across devices. For IAM and NHI teams, the key point is that credentials are not just authentication artefacts. They are operational assets that need governance, visibility and revocation discipline wherever they are used.

Practical implication: standardise credential storage and sharing so access can be reviewed and revoked centrally.

Cloud expansion increases the governance burden on IAM

As organisations move to more cloud-based services, the number of identities, credentials and admin paths expands quickly. That increases the likelihood of inconsistent policy, shadow IT and overexposed accounts, especially when multiple clouds are managed in parallel. IAM and SSO help, but they do not automatically solve access inside home networks, unmanaged apps or delegated third-party workflows. The governance task is to extend identity controls across the full service stack, not just the core login layer.

Practical implication: map cloud accounts, delegated access and shared credentials into one governance inventory.


Threat narrative

Attacker objective: The objective is to obtain broader access through weakly governed identities and use that access to reach data or services that should have remained restricted.

  1. Entry occurs when remote users, shadow IT services or cloud-connected accounts operate beyond the visibility of the central security team. That creates openings through weak passwords, reused credentials or unmanaged service access.
  2. Escalation happens when shared credentials, fragmented cloud controls or inconsistent device posture let an attacker move from one accessible account or service into broader operational access.
  3. Impact follows when exposed data, unauthorized network access or compromised accounts create breach conditions across remote and cloud environments.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Perimeter security fails once identity becomes the real boundary. Hybrid work and cloud adoption do not merely complicate enforcement, they change the control plane. Security teams can no longer assume that network location or managed endpoints are enough to establish trust. The practical conclusion is that identity governance must become session-aware and credential-aware across every access path.

Credential sprawl is the hidden control failure in remote work programmes. The article’s emphasis on password managers and cross-platform control reflects a broader truth: distributed work increases the number of places where credentials can be created, copied and reused. That is an NHI problem as much as a human IAM problem, because shared services, API keys and admin accounts tend to proliferate in the same environments. Practitioners should treat credential visibility as a foundational governance requirement.

Cloud migration amplifies the gap between authentication and governance. IAM and SSO can centralise sign-in, but they do not automatically govern the full life cycle of access across multiple clouds, home devices and delegated services. The result is a control gap where login is managed but ongoing access is not. Organisations need to distinguish between proving identity at the front door and governing the credentials that keep work moving after entry.

Identity blast radius is the right concept for hybrid security planning. A single reused credential or overexposed account can now touch more systems because work is distributed across more services and networks. That expands the blast radius of every identity mistake. The practical implication is that leaders should measure how far a compromised credential could reach, not just whether authentication succeeds.

From our research:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
  • That is why the NHI Lifecycle Management Guide matters when hybrid work makes access harder to see and revoke.

What this signals

Identity governance has become the practical control plane for hybrid work. When users, clouds and shared credentials all move beyond the office boundary, the organisation that cannot inventory access cannot govern access. The next maturity step is not simply stronger authentication, but tighter visibility into where credentials live, how they move and who can reuse them.

Credential visibility is now a board-level operational signal, not a tooling detail. With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files and CI/CD tools, the problem is no longer hypothetical. The programme question is whether identity teams can see enough of the credential estate to reduce accidental exposure before it becomes an incident.

Shadow access is the durable risk in cloud-heavy workplaces. The mix of remote work, cloud services and delegated access creates identity paths that rarely appear in a single control report. Practitioners should be preparing for governance models that bind human, machine and service access into one inventory, because the blast radius is shared even when the identities are not.


For practitioners

  • Map remote-work credential paths end to end Inventory where corporate credentials are stored, shared and reused across managed devices, home environments and cloud services. Include both human logins and service credentials so you can see which accounts cross environment boundaries.
  • Centralise sharing through controlled vaults Use a single approved approach for storing and sharing credentials so teams do not create ad hoc copies in chat, documents or local files. Tie sharing rights to role and revoke access when the business need ends.
  • Extend governance to cloud accounts and delegated access Track which cloud accounts, app connections and third-party integrations exist across your estate, then review them like any other identity with access. The goal is to close gaps between sign-in control and actual permission scope.
  • Use security awareness to reinforce control behaviour Pair policy with practical user guidance on strong passwords, multi-factor authentication and when to escalate suspicious access. Training only works when users also have tools that make the secure path the easy path.

Key takeaways

  • Hybrid work weakens perimeter assumptions and forces IAM to become session-aware.
  • Credential sprawl across remote devices and cloud services is the control gap this webcast exposes.
  • Identity visibility, revocation discipline and shared credential governance are now core security requirements, not support functions.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Hybrid access control and remote trust decisions map to identity and access management.
NIST Zero Trust (SP 800-207)3.4Zero Trust is relevant because the webcast centres on shifting trust away from the perimeter.
NIST SP 800-53 Rev 5AC-6Least privilege is needed where cloud and remote access broaden permission scope.
OWASP Non-Human Identity Top 10NHI-03Credential rotation and visibility concerns overlap with non-human identity governance.

Apply NHI lifecycle controls to shared secrets and service credentials that support hybrid operations.


Key terms

  • Shadow It: Shadow IT is technology or services adopted outside formal approval or governance. In hybrid environments it often appears when teams create their own workflows, accounts or sharing methods to keep work moving, which increases identity sprawl and reduces the security team’s ability to see and revoke access.
  • Identity Blast Radius: Identity blast radius is the amount of systems, data or operations a compromised identity can reach. It is a useful governance concept because the risk is not only whether access exists, but how far a stolen password, shared secret or over-privileged account can move through the environment.
  • Credential Management: Credential management is the controlled storage, sharing, rotation and revocation of passwords, tokens and other secrets. For hybrid work, it is the operational layer that helps security teams keep track of who can use what, especially when access spans multiple devices, networks and cloud services.

What's in the full article

Bitwarden's full webcast covers the operational detail this post intentionally leaves for the source:

  • The speaker discussion on how password managers can support controlled credential sharing across hybrid teams.
  • The webcast examples showing how IT teams can use awareness training to reinforce password hygiene and MFA adoption.
  • The specific trade-offs discussed between zero-trust deployments and cross-platform credential management tools.
  • The Q&A segment on teaching different generations of end users to build better online security habits.

👉 Bitwarden's full webcast covers the speaker discussion, Q&A and practical guidance for hybrid security planning.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org