TL;DR: Many organisations still run authentication in silos, even though 70% already have three or more IAM systems in place, according to Axiad’s cited survey. The practical problem is not passwordless in isolation but how to integrate authentication, automation, and usability without creating new gaps.
At a glance
What this is: This is Axiad’s practitioner commentary on enterprise authentication, and its key finding is that siloed authentication and overlapping IAM systems create gaps, friction, and avoidable risk.
Why it matters: It matters because IAM teams must align authentication, lifecycle, and access controls across human, NHI, and autonomous use cases instead of treating passwordless as a standalone project.
By the numbers:
- In the 2022 Authentication Survey, 70% of organizations have three or more Identity and Access Management systems already in place.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Context
Enterprise authentication is no longer just a password problem. The core issue is how organisations coordinate multiple authentication methods, identity systems, and user expectations without creating gaps that attackers or frustrated users can exploit. For IAM teams, this is a governance problem as much as a technology problem, especially when authentication touches humans, service accounts, and automated workflows.
Axiad’s report frames passwordless and enhanced authentication as part of a broader integration challenge. That framing is useful because most enterprises do not start from a clean slate. They inherit overlapping IAM stacks, inconsistent user journeys, and administrative burden that can weaken controls if security and usability are treated as separate goals.
Key questions
Q: How should security teams modernise authentication without breaking existing IAM systems?
A: Start by mapping every authentication path, then standardise policy before adding new controls. Modernisation fails when passwordless or MFA is layered onto inconsistent identity data, duplicate account stores, and exception-heavy processes. The goal is not a single tool, but consistent assurance across applications, user groups, and lifecycle events.
Q: Why do siloed authentication systems increase identity risk?
A: Silos create different assurance levels, inconsistent policy enforcement, and more opportunities for users to bypass controls. They also make incident response slower because teams cannot easily tell which identity state or authentication path was authoritative. In practice, the risk is governance drift, not just login friction.
Q: How can organisations balance authentication security and usability?
A: Use risk-based controls that raise friction only when the access request warrants it. If every login feels equally hard, users look for shortcuts; if every login is equally easy, assurance drops. Good programmes tune controls to application sensitivity, device context, and session risk.
Q: What should IAM teams connect to authentication governance first?
A: Connect authentication to provisioning, offboarding, and recovery workflows before expanding new methods. Authentication is only trustworthy when the identity behind it is current, owned, and revocable. That linkage is essential for both human accounts and non-human credentials.
Technical breakdown
Authentication silos and overlapping IAM systems
Enterprise authentication often fails when organisations layer new controls on top of old identity infrastructure without first reconciling policy, assurance, and account lifecycle. In practice, the same user may authenticate through different paths depending on application, device, or legacy system constraints. That creates inconsistent assurance levels, duplicate administration, and blind spots in governance. A passwordless programme does not remove those inconsistencies by itself. It can even amplify them if rollout is uneven across apps and user populations. The architecture problem is integration, not just credential replacement.
Practical implication: map authentication paths across all major applications before expanding passwordless or MFA coverage.
Automation for authentication operations
Authentication operations create repetitive work such as handling expired certificates, resetting access, and reconciling identity data across systems. Automation helps only when it is bound to clear identity state and consistent governance rules. If the organisation automates fragmented processes, it simply makes fragmented decisions faster. The better architectural pattern is to automate repeatable tasks where policy is already defined and where the system can reliably detect expiration, revocation, or step-up requirements. This is especially important in mixed environments where human access and machine credentials coexist.
Practical implication: automate only the authentication tasks that have explicit ownership, policy, and revocation triggers.
Balancing security with usability in authentication
Authentication succeeds when users can complete secure access without building workarounds that undermine policy. Too much friction pushes people toward unsafe behaviours such as credential reuse, shadow access paths, or informal exceptions. Too little friction weakens assurance. The technical challenge is to tune the assurance step to the risk and context of the access request. That is why modern identity programmes increasingly connect authentication decisions to device posture, application sensitivity, and session risk rather than using one fixed gate for every login.
Practical implication: use risk-based authentication logic so higher-friction checks are reserved for higher-risk access events.
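To make that tuning concrete, here is an added example (not code from Axiad's report or from NHIMG) of a risk-based step-up evaluator: it scores application sensitivity, device posture and session signals, then either allows the request as-is, asks for a stronger factor, or denies it. The assurance level names, scoring weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assurance levels ordered weakest to strongest. The names and the
# scoring weights below are this example's own assumptions.
LEVELS = ["password", "mfa", "phishing_resistant"]
SENSITIVITY = {"low": 0, "medium": 1, "high": 2}

@dataclass
class AccessContext:
    app_sensitivity: str   # "low", "medium" or "high"
    device_managed: bool   # enrolled and compliant with device policy
    new_location: bool     # first sign-in from this network or region
    recent_failures: int   # failed attempts in the last hour
    session_level: str     # assurance already proven in this session

def risk_score(ctx: AccessContext) -> int:
    """Combine application sensitivity, device posture and session
    signals into a small integer; higher means riskier."""
    score = SENSITIVITY[ctx.app_sensitivity]
    score += 0 if ctx.device_managed else 2
    score += 1 if ctx.new_location else 0
    score += 1 if ctx.recent_failures >= 3 else 0
    return score

def required_level(score: int) -> str:
    """Pick the weakest assurance level that covers the score, or
    'deny' when no amount of step-up should open the door."""
    if score >= 5:
        return "deny"
    if score >= 3:
        return "phishing_resistant"
    if score >= 1:
        return "mfa"
    return "password"

def decide(ctx: AccessContext) -> dict:
    """Return the action for this request: allow as-is, step up to a
    stronger factor, or deny. Low-risk requests see no extra friction."""
    score = risk_score(ctx)
    need = required_level(score)
    if need == "deny":
        return {"action": "deny", "required": need, "score": score}
    if LEVELS.index(ctx.session_level) >= LEVELS.index(need):
        return {"action": "allow", "required": need, "score": score}
    return {"action": "step_up", "required": need, "score": score}

if __name__ == "__main__":
    # Constructed sample: a sensitive app reached from an unmanaged laptop.
    print(decide(AccessContext("high", False, False, 0, "mfa")))
```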
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Authentication silos are the real control gap, not passwordlessness. The article is strongest when read as a warning that modern authentication often sits on top of fractured IAM estates. That fracture creates inconsistent assurance, duplicated administration, and uneven policy enforcement. The practitioner lesson is to treat authentication as an enterprise control plane problem, not a point solution decision.
Identity integration debt is the hidden cost of incremental authentication upgrades. When 70% of organisations already run three or more IAM systems, each new control has to fit a messy baseline rather than a clean architecture. That makes local optimisation misleading, because a better login experience in one system can still leave the wider identity estate inconsistent. The implication is to assess authentication changes against the whole identity stack, not the launch project.
Balance matters because user behaviour becomes part of the attack surface. If secure access is too burdensome, users route around it, and that behavioural workaround becomes a governance failure. That is true for human authentication and for shared access patterns around service accounts and automated tasks. The implication is that IAM design must measure workarounds, not just enrollment rates.
Lifecycle and authentication cannot stay separated for long. Authentication quality depends on what happens before and after sign-in, including provisioning, offboarding, and credential recovery. Once organisations extend authentication across multiple systems, the governance question becomes who owns the identity state behind each access path. The practitioner conclusion is that authentication strategy has to be designed with lifecycle controls already in view.
Risk-based authentication is where human IAM and machine identity governance start to converge. The same governance logic that conditions stronger checks for suspicious human access can also inform how organisations treat machine-driven access paths with elevated blast radius. That does not make humans and NHIs identical, but it does mean assurance should reflect context, sensitivity, and revocation discipline. The implication is to align authentication policy with actor type and risk, not with platform convenience.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- In the same research, only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- That pattern makes the 52 NHI Breaches Analysis report a useful forward look at how unmanaged identity state turns into incident exposure.
What this signals
Identity integration debt is now the limiting factor in many authentication programmes. Enterprises can add passwordless, MFA, or certificate automation, but those controls still inherit the quality of the underlying identity estate and the consistency of its lifecycle governance.
For IAM leaders, the next decision is not whether to modernise authentication. It is whether the programme can absorb human, NHI, and automated access paths without creating parallel assurance standards. A risk-based design tied to lifecycle state and application sensitivity is the cleaner model.
With only 5.7% of organisations reporting full visibility into their service accounts, per the Ultimate Guide to NHIs, authentication strategy cannot stop at people. The same governance discipline has to reach machine credentials and recovery paths as enterprises move toward broader zero trust adoption.
For practitioners
- Inventory authentication paths across the estate: Document how users reach major applications today, including legacy SSO, MFA, passwordless, and exception flows. Use that map to find duplicate controls, bypasses, and systems that still force siloed authentication.
- Tie automation to explicit identity state: Automate certificate expiry handling, access resets, and other repeatable tasks only where ownership, policy, and revocation conditions are already defined. Avoid automating undefined processes that would scale inconsistency.
- Measure user workarounds as a security signal: Track fallback behaviours such as shared accounts, informal exceptions, or repeated help desk resets. Those signals often show where authentication is too rigid, too fragmented, or poorly aligned to the real workflow.
- Align authentication with lifecycle governance: Connect sign-in policy to provisioning, deprovisioning, and access recovery so authentication decisions reflect the current identity state. This matters most in mixed estates where human access and non-human credentials coexist.
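As an added illustration of the automation and lifecycle points above (this is not code from the report or from NHIMG), the following triage only schedules unattended renewal for credentials that have an accountable owner, a rotation policy and a revocation trigger, and it revokes rather than renews when the owner has been offboarded or the material has already expired. The record fields and the sample inventory are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Credential:
    name: str
    owner: Optional[str]              # accountable person or team, if any
    owner_active: bool                # False once the owner is offboarded
    expires: date
    renew_days_before: Optional[int]  # None = no rotation policy defined
    revocation_trigger: Optional[str] # e.g. "owner_offboarded"; None if undefined

def plan_action(cred: Credential, today: date) -> str:
    """Decide what automation may do with one credential. Only records with
    an active owner, a rotation policy and a revocation trigger are eligible
    for unattended renewal; everything else is routed to a person."""
    if cred.owner is None or cred.revocation_trigger is None:
        return "manual_review"      # no owner or no revocation rule: do not automate
    if not cred.owner_active:
        return "revoke"             # the identity behind the credential is gone
    if cred.expires < today:
        return "revoke"             # expired material is not renewed blindly
    if cred.renew_days_before is None:
        return "escalate_to_owner"  # owner exists but no policy says when to rotate
    if cred.expires - today <= timedelta(days=cred.renew_days_before):
        return "auto_renew"
    return "no_action"

def triage(creds, today: date) -> dict:
    """Group an inventory by planned action so governance gaps show up as lists."""
    out = {}
    for c in creds:
        out.setdefault(plan_action(c, today), []).append(c.name)
    return out

def sample_inventory():
    """Constructed records for illustration, not from any real estate."""
    return [
        Credential("payments-api-key", "payments-team", True, date(2025, 10, 1), 30, "owner_offboarded"),
        Credential("legacy-vpn-cert", "jdoe", False, date(2026, 1, 1), 30, "owner_offboarded"),
        Credential("orphan-token", None, True, date(2026, 1, 1), 30, None),
        Credential("reporting-db-password", "dba-team", True, date(2026, 3, 1), None, "owner_offboarded"),
        Credential("old-build-cert", "platform-ops", True, date(2025, 1, 1), 30, "owner_offboarded"),
        Credential("fresh-mtls-cert", "platform-ops", True, date(2026, 6, 1), 30, "owner_offboarded"),
    ]

if __name__ == "__main__":
    print(triage(sample_inventory(), date(2025, 9, 16)))
```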
Key takeaways
- Siloed authentication is the underlying problem, because inconsistent identity states create gaps that new login methods do not automatically fix.
- The scale of the NHI control problem is already clear, with 97% of NHIs carrying excessive privileges and many organisations lacking offboarding discipline.
- IAM teams should modernise authentication by linking it to lifecycle governance, risk-based policy, and estate-wide integration rather than isolated tool replacement.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Authentication governance depends on controlling who gets access and how it is verified. |
| NIST Zero Trust (SP 800-207) | PR.AC-7 | Risk-based authentication supports continuous verification in zero trust designs. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Machine credentials and service accounts need lifecycle and rotation discipline. |
Tie authentication policy to identity proofing and access verification across the estate.
Key terms
- Identity integration debt: The accumulated operational and governance cost of running authentication across multiple disconnected IAM systems. It shows up as inconsistent assurance, duplicate administration, and exceptions that are hard to audit. In mature programmes, this debt often determines whether new authentication methods actually improve security.
- Risk-based authentication: An authentication approach that changes assurance requirements based on context such as device, application sensitivity, session history, or anomaly signals. It avoids treating every login the same. For modern IAM, it is the practical bridge between usability and stronger control outcomes.
- Lifecycle governance: The set of processes that keeps identity state accurate from creation through offboarding, including access recovery and revocation. It applies to humans, service accounts, and automated identities. Authentication is only trustworthy when lifecycle governance ensures the subject behind the access is current and accountable.
Deepen your knowledge
Authentication integration and identity lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your organisation is trying to align human and machine access under one governance model, it is worth exploring.
This post draws on content published by Axiad: Rethinking Enterprise Authentication – A Practitioner Point of View. Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org