TL;DR: A platform scaling through 50+ releases, SCIM beta, zero-knowledge metadata, secret history, and NIS2-aligned credential security work, alongside 50,000+ organisations using the product daily, according to PassBolt. The governance signal is clear: credential management is moving from storage to lifecycle control, auditability, and regulated operations.
At a glance
What this is: Passbolt’s 2025 review is a product-year recap showing how credential governance features, deployment stability, and compliance-oriented controls evolved across the year.
Why it matters: It matters because IAM, PAM, and NHI teams can see how credential management expectations are shifting toward lifecycle visibility, delegation control, and regulatory readiness.
By the numbers:
👉 Read Passbolt’s 2025 year-in-review on credential governance and product evolution
Context
Passbolt’s 2025 review is really about credential governance at scale. The article shows a year of product changes aimed at making password and secret management more usable, more auditable, and more suitable for teams that need tighter control across shared access patterns.
For identity teams, the relevance sits in the shift from static vaulting to lifecycle-aware credential handling. Features such as SCIM, secret history, dynamic role management, encrypted metadata, and NIS2-focused guidance point to the same pressure: governance now has to follow how access changes in real environments, not just where secrets are stored.
Key questions
Q: How should teams govern shared credentials across the full identity lifecycle?
A: Treat shared credentials like governed identities, not static assets. Assign clear ownership, connect provisioning and removal to authoritative identity events, and review rotation, access history, and group membership together. When credentials outlive the people or systems that use them, the control problem is lifecycle drift, not storage.
Q: Why do encrypted metadata and zero-knowledge designs matter for credential governance?
A: They reduce what the server and platform operators can read, which limits exposure from labels, notes, and context around secrets. That matters because sensitive information often leaks through metadata rather than the credential value itself. The tradeoff is less server-side visibility, so governance must shift to stronger policy and review processes.
Q: What do security teams get wrong about secret history and audit trails?
A: They often treat history as a reporting feature instead of a control artifact. In practice, secret history helps prove when access changed, who updated it, and whether governance processes actually ran. That evidence becomes critical in incident response, certification, and regulated environments where accountability matters.
Q: What is the difference between secret rotation and lifecycle offboarding?
A: Rotation changes the credential value, while lifecycle offboarding removes or disables the identity and its access path. Both matter, but they solve different problems. A rotated secret can still belong to an account that should no longer exist, so offboarding is the stronger control when access should end entirely.
Technical breakdown
SCIM and dynamic role management change how access is governed
SCIM automates user provisioning and deprovisioning between systems, which reduces manual drift but also makes identity source quality more important. Dynamic role management changes access assignment from static, one-off administration toward policy-driven group membership updates. In practice, that shifts governance from periodic cleanup to continuous entitlement accuracy. The architecture matters because credential tools increasingly sit inside broader identity workflows rather than operating as isolated vaults.
Practical implication: align provisioning sources, role logic, and offboarding paths so access changes remain consistent across the identity stack.
Zero-knowledge metadata and encrypted resource data narrow visibility
Zero-knowledge metadata means the server cannot see unencrypted item descriptions, while encrypted resource metadata extends protection beyond the credential itself to contextual fields attached to a secret. That matters because sensitive context often leaks through labels, notes, and shared descriptions even when the secret value is protected. The technical pattern is a wider encryption boundary, but it also raises operational demands around search, collaboration, and audit design.
Practical implication: review which resource fields still expose sensitive context and confirm they are covered by the same governance model as the secret value.
Secret history and rotation features support auditability, not just storage
Secret history adds a change trail for credential updates, while shared-metadata key rotation improves how encrypted context can be rekeyed over time. These are governance features as much as security features, because they create evidence of change and support post-incident review. The deeper issue is that credential platforms are now expected to prove lineage, not merely hold secrets. That expectation aligns with regulated environments where traceability is part of control design.
Practical implication: use audit trails and rotation records as governance evidence, not just operational logs.
NHI Mgmt Group analysis
Credential management is becoming a governance system, not just a vault. Passbolt’s year-end review shows the category moving toward provisioning, role assignment, audit history, and policy enforcement. That is a broader shift than storage hygiene, because access control only works when the credential lifecycle is visible end to end. The practitioner takeaway is that secret handling now sits inside identity governance, not beside it.
Zero-knowledge metadata is the right direction, but it changes the operational burden. Once contextual data is encrypted too, administrators lose convenience features that depended on server-side readability. That is a tradeoff, not a flaw. The implication is that teams must decide which metadata deserves the same protection as the secret itself and which workflows can tolerate reduced visibility.
Secret history: auditability is now a control expectation, not an admin convenience. When credential systems preserve change history, they create the evidentiary layer that many governance programmes have lacked. That matters for incident review, access certification, and accountability across shared accounts. The practitioner implication is to treat secret history as part of control evidence, not a feature to enable casually.
SCIM beta and dynamic roles show where identity governance is heading. Credential platforms increasingly have to absorb lifecycle events that once lived only in IAM tooling. That means the boundary between NHI management and broader identity governance is narrowing. Teams should expect credential controls to be judged on how well they integrate with source-of-truth identity processes, not on storage alone.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
- For the operational response, see NHI Lifecycle Management Guide for how lifecycle controls change when credentials, roles, and offboarding must stay in sync.
What this signals
With 70% of organisations already granting AI systems more access than they would give a human employee performing the exact same job, per The 2026 Infrastructure Identity Survey, identity programmes need to stop treating access scope as a static provisioning decision.
Lifecycle drift: the real governance risk is not whether a credential exists, but whether its provisioning, rotation, and removal remain aligned with the identity that uses it. Passbolt’s 2025 direction shows how quickly credential platforms are becoming lifecycle control points, especially when teams need auditability and role automation.
As credential platforms add secret history, encrypted metadata, and dynamic roles, practitioners should expect higher demand for evidence of control operation. The useful question is no longer whether a vault can store secrets, but whether it can support the governance trail required by NHI Lifecycle Management Guide and regulated access review processes.
For practitioners
- Map credential lifecycle ownership across systems Document where provisioning, role assignment, rotation, and offboarding occur for shared credentials and admin accounts. Make sure SCIM or other identity source feeds align with the systems that actually grant access.
- Review metadata fields for hidden sensitive context Inventory resource descriptions, notes, and labels to find fields that reveal secrets, system names, or business context. Apply encryption or minimisation to any field that would create exposure if read outside the intended trust boundary.
- Use secret history as governance evidence Retain and review change history for credentials, metadata keys, and group membership updates during access reviews and post-incident analysis. Treat that trail as proof of control operation rather than passive reporting.
- Tie role updates to offboarding workflows Validate that dynamic role changes and user-group updates are triggered by authoritative lifecycle events, especially leavers and contractors. This reduces orphaned access and keeps group membership aligned with current employment status.
Key takeaways
- Passbolt’s 2025 review shows credential management moving from storage to governance, with lifecycle, audit, and access controls taking priority.
- The year’s product themes point to the same operating reality: encrypted metadata, role automation, and secret history matter because governance now follows identity change.
- Teams should evaluate credential tools by how well they connect to provisioning, offboarding, and evidence generation, not by vaulting alone.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Secret rotation and shared credential control are central to this review. |
| NIST CSF 2.0 | PR.AC-1 | SCIM and role updates affect access assignment and ongoing entitlement accuracy. |
| NIST CSF 2.0 | PR.DS-1 | Encrypted metadata and secret protection align with data protection expectations. |
Map identity source changes to access control governance and verify entitlements after lifecycle events.
Key terms
- Zero-knowledge metadata: Metadata encrypted so the service cannot read descriptive context attached to a secret. In practice, this reduces exposure of system names, notes, and labels that often leak more than the credential itself, but it also limits server-side search and administration visibility.
- Secret history: A retained record of changes made to a credential or its associated metadata over time. It supports auditability, incident review, and accountability by showing when values changed, who changed them, and whether governance processes actually executed.
- SCIM provisioning: An identity automation standard used to create, update, and remove users and group memberships across connected systems. For credential governance, it matters because access should follow authoritative identity events, not manual administration or stale shared-account practices.
- Dynamic role management: A governance pattern where role membership changes automatically based on identity state, attributes, or policy logic. It reduces manual drift, but it only works when the upstream identity data is accurate and the access rules reflect real organisational lifecycle events.
What's in the full article
Passbolt's full review covers the operational detail this post intentionally leaves for the source:
- The full release timeline behind 50+ product updates and what each change altered in day-to-day administration.
- Implementation detail on SCIM beta, dynamic roles, and group membership updates for larger environments.
- How encrypted resource metadata, secret history, and zero-knowledge controls were handled across product releases.
- The NIS2-focused credential security analysis and the compliance logic behind it.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-01-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org