TL;DR: RSA frames its next phase around enterprise passwordless, higher-assurance identity for regulated environments, and identity security posture management, while tying those priorities to rising identity complexity and a workforce gap of roughly 83 cybersecurity workers for every 100 open jobs, according to RSA. The practical signal is that identity programmes now need stronger assurance, clearer risk prioritisation, and broader lifecycle governance, not just better login flows.
At a glance
What this is: RSA’s blog outlines a strategy centred on enterprise passwordless, ISPM, and AI-assisted identity security for regulated and high-assurance environments.
Why it matters: It matters because IAM teams are being pushed to improve authentication assurance and identity risk visibility across human, machine, and lifecycle controls at the same time.
By the numbers:
- RSA cites roughly 83 cybersecurity workers for every 100 open jobs, and argues that AI-assisted tooling is how stretched teams keep identities secured.
- Only 5.7% of organisations have full visibility into their service accounts.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
👉 Read RSA Security’s update on passwordless, ISPM, and identity AI
Context
Passwordless authentication is often presented as a user-experience improvement, but the real governance question is whether an organisation can raise assurance without losing control over device, environment, and lifecycle conditions. In large enterprises, that problem sits at the intersection of human IAM, machine identities, and identity governance.
RSA’s update argues that identity risk is becoming harder to manage because remote work, cloud adoption, and growing numbers of human and machine users have expanded the control surface. That is a familiar pattern across IAM programmes: the more identity types and access paths multiply, the more organisations need posture visibility, entitlement governance, and stronger authentication assurance rather than isolated point fixes.
Key questions
Q: How should organisations govern passwordless authentication in regulated environments?
A: Treat passwordless as an access assurance programme, not a convenience feature. Set explicit rules for device coverage, fallback authentication, recovery, and exception handling. In regulated environments, the key is proving that every supported path preserves the required level of assurance and that any unsupported path has compensating controls and clear ownership.
Q: Why do IAM programmes need identity security posture management?
A: Because access risk now accumulates across too many identities, entitlements, and environments for periodic review alone. ISPM gives teams a control plane for spotting excess privilege, weak coverage, and drift before those conditions become audit findings or operational incidents. It is most valuable when connected directly to remediation ownership.
Q: How can security teams use AI in identity governance without over-automating decisions?
A: Use AI for correlation, prioritisation, and analyst support, but keep policy decisions, exceptions, and approvals human-owned. AI can improve speed only if the underlying identity data is accurate and current. If entitlement records are stale or incomplete, automation will amplify the wrong conclusions.
Q: What is the difference between passwordless and stronger identity governance?
A: Passwordless changes how users authenticate, but it does not by itself govern who should have access, when access should be removed, or how exceptions are managed. Strong identity governance covers entitlement lifecycle, policy enforcement, and continuous visibility. In practice, passwordless is one control inside a broader governance model.
Technical breakdown
Enterprise passwordless authentication and assurance boundaries
Passwordless is not the removal of identity assurance. It replaces one set of credentials with another assurance mechanism, usually tied to device trust, cryptographic proof, or platform-based authentication. In regulated environments, the real design question is whether passwordless works consistently across every device, form factor, and deployment model without creating exceptions that weaken the assurance boundary. If the programme cannot cover legacy, on-premises, and cloud access paths together, passwordless becomes partial friction reduction rather than a governance control.
Practical implication: define where passwordless is authoritative, where fallback methods exist, and which exceptions require compensating controls.
Identity security posture management as a governance control plane
ISPM is the visibility and prioritisation layer for identity risk. It looks across entitlements, risky accounts, stale access, and policy drift so teams can focus on the identity conditions most likely to create exposure. For IAM and IGA teams, the value is not just reporting. It is the ability to connect identity findings to remediation workflows, compliance evidence, and owner accountability across human and non-human identities. Without that control plane, posture data stays fragmented and action lags behind exposure.
Practical implication: map ISPM findings to remediation owners and governance workflows, not just dashboards.
AI-enhanced identity operations and decision support
AI in identity security is most useful when it helps analysts prioritise risk, reduce manual triage, and correlate signals across IAM and IGA data. The limit is that machine assistance does not replace policy design or ownership. If the underlying identity data is incomplete, biased, or stale, AI will accelerate the wrong decisions faster. In practice, AI should be treated as a decision-support layer that improves speed and consistency, while human governance still defines acceptable access and response thresholds.
Practical implication: use AI to accelerate triage and correlation, but keep policy, approval, and exception handling human-owned.
NHI Mgmt Group analysis
Passwordless programmes fail when they are treated as authentication projects instead of governance programmes. RSA’s framing shows that passwordless only works at enterprise scale when it is tied to device coverage, fallback policy, and lifecycle control across regulated environments. If teams focus only on removing passwords, they miss the harder question of who can authenticate, from where, and under what conditions. The practical conclusion is that passwordless maturity is a policy and governance problem before it is a user-experience upgrade.
Identity security posture management is becoming the missing control plane for identity sprawl. Remote work, cloud adoption, and growing human and machine populations have made identity risk too distributed for periodic reviews alone. ISPM matters because it surfaces risk conditions that traditional access governance can miss, including excess privilege, weak control coverage, and compliance drift. The practitioner lesson is to treat identity posture as an operational control domain, not a reporting exercise.
AI-assisted identity security will raise the value of clean governance data, not reduce the need for governance. When the vendor describes AI-enhanced identity operations, the field-level implication is clear: machine-assisted triage only works if entitlement, owner, and policy data are current. AI does not solve broken identity records, inconsistent provisioning, or weak exception handling. Practitioners should expect AI to amplify the quality of their governance model, for better or worse.
Regulated industries will keep demanding higher-assurance identity because failure is operational, not just technical. RSA’s emphasis on critical infrastructure, government, healthcare, and financial services reflects a broader reality: identity controls in those sectors must survive outages, legacy constraints, and audit scrutiny. That environment rewards programmes that can prove assurance across all access paths, not just the modern ones. The practical conclusion is that resilience and identity governance now have to be designed together.
Identity governance is shifting toward continuous visibility across human and non-human access. The article’s focus on growing numbers of users, devices, entitlements, and environments points to a broader governance shift: access risk now accumulates faster than manual review cycles can absorb. A useful named concept here is identity posture drift, the condition where entitlements, assurance, and policy coverage move out of sync as the environment changes. Practitioners need to manage that drift continuously, not at the next quarterly review.
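To make the ISPM control-plane idea in the technical breakdown and the identity posture drift concept above concrete, here is an added example (not RSA's code, and not a description of any vendor product) that runs a few posture checks over a constructed identity inventory and routes each finding to a remediation owner. The inventory fields, the 90-day stale threshold, the role baselines, the finding codes and the set of accepted compensating controls are all assumptions for illustration; a real ISPM feed would come from your IdP, IGA and cloud inventories.

```python
"""Added example: toy ISPM-style posture check over a constructed inventory.
Fields, thresholds and finding codes are assumptions, not a product's schema."""
from datetime import date

STALE_DAYS = 90                      # assumption: unused > 90 days is stale
AS_OF = date(2025, 10, 6)            # evaluation date for the constructed data

# Assumed role baselines: the entitlements each role is expected to hold.
ROLE_BASELINE = {
    "analyst": {"read:tickets", "read:logs"},
    "ci-runner": {"read:repo", "write:artifacts"},
}

# Assumed compensating controls that keep a non-passwordless path inside the
# assurance boundary (e.g. a legacy service account restricted to admin hosts).
ACCEPTED_COMPENSATING = {"hardware-otp", "admin-workstation-only"}

# Constructed sample inventory (not real data). "reviewed" is the entitlement
# snapshot captured at the last access review; "entitlements" is current.
INVENTORY = [
    {"id": "alice", "type": "human", "role": "analyst", "owner": "alice",
     "auth": "passkey", "fallback": None, "compensating": set(),
     "last_used": date(2025, 9, 30),
     "entitlements": {"read:tickets", "read:logs"},
     "reviewed": {"read:tickets", "read:logs"}},
    {"id": "bob", "type": "human", "role": "analyst", "owner": "bob",
     "auth": "password", "fallback": "sms-otp", "compensating": set(),
     "last_used": date(2025, 9, 29),
     "entitlements": {"read:tickets", "admin:iam"},
     "reviewed": {"read:tickets"}},
    {"id": "svc-ci-01", "type": "service", "role": "ci-runner",
     "owner": "platform-team", "auth": "certificate", "fallback": None,
     "compensating": set(), "last_used": date(2025, 10, 1),
     "entitlements": {"read:repo", "write:artifacts", "deploy:prod"},
     "reviewed": {"read:repo", "write:artifacts"}},
    {"id": "svc-legacy-07", "type": "service", "role": "ci-runner",
     "owner": None, "auth": "password", "fallback": None,
     "compensating": {"admin-workstation-only"}, "last_used": date(2025, 5, 1),
     "entitlements": {"read:repo"}, "reviewed": {"read:repo"}},
]


def assess_identity(ident, today):
    """Return finding dicts for one identity. Unowned identities are routed to
    the GOVERNANCE queue so the gap itself becomes someone's work item."""
    owner = ident["owner"] or "GOVERNANCE"
    findings = []

    def add(code, severity, detail):
        findings.append({"id": ident["id"], "code": code, "severity": severity,
                         "owner": owner, "detail": detail})

    if ident["owner"] is None:
        add("MISSING_OWNER", "high", "no accountable owner recorded")
    idle = (today - ident["last_used"]).days
    if idle > STALE_DAYS:
        add("STALE_ACCESS", "medium", f"unused for {idle} days")
    excess = ident["entitlements"] - ROLE_BASELINE.get(ident["role"], set())
    if excess:
        add("EXCESS_PRIVILEGE", "high", f"beyond role baseline: {sorted(excess)}")
    # Posture drift: current entitlements no longer match the reviewed snapshot.
    drift = ident["entitlements"] ^ ident["reviewed"]
    if drift:
        add("POSTURE_DRIFT", "medium", f"changed since last review: {sorted(drift)}")
    # Assurance boundary: a password primary path, or any fallback path, is
    # only acceptable with an accepted compensating control attached.
    weak_path = ident["auth"] == "password" or ident["fallback"] is not None
    if weak_path and not (ident["compensating"] & ACCEPTED_COMPENSATING):
        add("ASSURANCE_GAP", "high",
            f"auth={ident['auth']} fallback={ident['fallback']} "
            "without compensating control")
    return findings


def assess_posture(inventory, today):
    """Run the checks over the whole inventory and return a flat finding list."""
    findings = []
    for ident in inventory:
        findings.extend(assess_identity(ident, today))
    return findings


def route_findings(findings):
    """Group findings by remediation owner, high severity first, so nothing is
    left on a dashboard without an accountable queue."""
    queues = {}
    ordered = sorted(findings, key=lambda f: (f["owner"], f["severity"] != "high"))
    for f in ordered:
        queues.setdefault(f["owner"], []).append(f)
    return queues


if __name__ == "__main__":
    for owner, items in route_findings(assess_posture(INVENTORY, AS_OF)).items():
        print(f"== {owner} ==")
        for f in items:
            print(f"  [{f['severity']}] {f['id']}: {f['code']} ({f['detail']})")
```

On the constructed data the passkey user with baseline entitlements produces nothing, the password user with an SMS fallback and an out-of-baseline admin entitlement produces an assurance gap plus privilege and drift findings, the CI service account is flagged for drift into production deploy rights, and the unowned legacy account is routed to the governance queue rather than silently dropped; note that its password-only path is not reported as an assurance gap because an accepted compensating control is recorded, which is exactly the exception-with-named-control pattern the text describes.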
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
- Another finding from our Ultimate Guide to NHIs shows that only 5.7% of organisations have full visibility into their service accounts.
- For teams building a broader control model, the 52 NHI breaches Report shows how identity exposure turns into operational impact.
What this signals
Passwordless and posture management are converging into a single governance conversation: how to prove identity assurance while access paths, devices, and exceptions keep changing. A useful way to think about that shift is identity posture drift, where control coverage falls behind the pace of environment change and the organisation only notices after a review cycle.
With only 5.7% of organisations reporting full visibility into service accounts, any IAM programme that still treats non-human access as a side issue will struggle to sustain meaningful assurance over time. The stronger model is to connect lifecycle, posture, and access policy into one operating rhythm, supported by the Ultimate Guide to NHIs, Key Challenges and Risks.
For programmes that are adding AI into identity operations, the key question is not whether automation exists, but whether governance data is reliable enough to support it. The operational lesson aligns with the OWASP NHI Top 10: better tooling does not offset weak identity boundaries.
For practitioners
- Define passwordless coverage boundaries: Map which applications, device types, and user populations are in scope for passwordless and where fallback methods remain allowed. Tie each exception to a named compensating control so assurance does not silently degrade.
- Use ISPM to drive remediation ownership: Route posture findings into named remediation workflows for access owners, application owners, and governance teams. Do not leave identity risk metrics trapped in dashboards without deadlines or accountability.
- Review identity controls across human and machine access: Assess whether the same governance model can handle employee identities, service accounts, and other machine users without manual exceptions. If not, separate the policy paths and document why.
- Validate AI decision support against clean identity data: Check whether your identity records, entitlements, and ownership metadata are accurate enough for AI-assisted triage. If the data is incomplete, improve the source records before relying on automated prioritisation.
Key takeaways
- RSA’s update frames passwordless as part of a larger identity governance shift, not a standalone authentication upgrade.
- Identity security posture management matters because distributed identity risk cannot be managed effectively through periodic reviews alone.
- AI can help prioritise identity risk, but only clean governance data and clear ownership make the output dependable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-03, PR.AA-05 | Passwordless and assurance boundaries map to the authentication outcome (PR.AA-03); entitlement review and least privilege map to access permission management (PR.AA-05). The CSF 1.1 identifier PR.AC-1 was folded into the PR.AA category in CSF 2.0. |
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding, NHI5:2025 Overprivileged NHI | Lifecycle gaps in service account governance map to improper offboarding; excess privilege surfaced by posture management maps to overprivileged NHIs. |
| NIST Zero Trust (SP 800-207) | Section 2.1, tenets 6 and 7 | Dynamic, strictly enforced authentication and authorization before access (tenet 6) and continuous collection of asset state to improve posture (tenet 7) are the Zero Trust basis for passwordless assurance and posture management. (AC-4 is an SP 800-53 control, Information Flow Enforcement, not an 800-207 reference.) |
Document where passwordless is authoritative and where exceptions need compensating controls.
Key terms
- Passwordless Authentication: A login method that removes passwords and replaces them with stronger proof such as cryptographic credentials, device-bound authentication, or phishing-resistant factors. In identity governance, passwordless is only effective when fallback paths, recovery flows, and exception handling are also controlled and auditable.
- Identity Security Posture Management: A control layer that continuously discovers and prioritises identity risk across accounts, entitlements, and policy drift. It helps teams see where access is excessive, stale, or poorly governed so remediation can be assigned and tracked before the problem becomes an audit issue or incident.
- Identity Posture Drift: The condition where identity controls, entitlement data, and governance coverage fall out of sync as environments change. It is a practical risk signal, not a product category, and it often appears when access grows faster than review and remediation processes can keep up.
- Fallback Authentication: A secondary authentication path used when the primary method is unavailable or cannot be completed. It matters because any passwordless programme still needs a recovery and exception model, and those paths can become the weakest part of the assurance chain if they are not governed tightly.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by RSA Security: The Next Chapter for RSA. Read the original.
Published by the NHIMG editorial team on 2025-10-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org