TL;DR: A US state agency modernised workforce and citizen access with RSA and Microsoft integration to support passwordless sign-in, hybrid identity management, BYOD protection, and secure proofing for onboarding and recovery, according to RSA Security. The underlying lesson is that convenience, fraud resistance, and hybrid interoperability now have to be governed together, not treated as separate IAM projects.
At a glance
What this is: RSA Security describes a state government agency using RSA and Microsoft integration to improve hybrid identity security for employees, partners, and citizens.
Why it matters: Government IAM teams must secure workforce, third-party, and citizen access across hybrid estates without weakening onboarding, recovery, or device trust.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
👉 Read RSA Security's article on government hybrid identity modernization with Microsoft integration
Context
Government identity security now has to cover employees, contractors, citizens, mobile devices, and legacy systems at the same time. In a hybrid environment, the control gap is rarely authentication alone. It is the mismatch between how identity is verified, how access is granted, and how recovery is handled across different user populations.
RSA Security describes a state agency trying to modernise that stack without sacrificing usability or operational continuity. The article is less about one product combination than about the governance problem behind it: how public-sector IAM programmes can support passwordless access, fraud-resistant onboarding, and device trust while still interoperating with Microsoft-centric infrastructure and older on-premises systems.
The starting point is typical for large public-sector identity programmes. The pressure to simplify user experience arrives at the same time as the need to strengthen proofing, recovery, and hybrid access controls.
Key questions
Q: How should government teams govern passwordless access across hybrid environments?
A: Government teams should govern passwordless access as a full identity assurance journey, not just a stronger login method. That means aligning device trust, authentication context, recovery flows, and legacy application access under one policy model. If fallback paths are weaker than primary sign-in, passwordless simply shifts the attack target instead of reducing risk.
Q: Why do onboarding and recovery flows matter so much in public-sector IAM?
A: Onboarding and recovery determine whether the person requesting access is truly entitled to it. In public-sector environments, those steps are frequent targets for impersonation and fraud because they often bypass the friction of normal sign-in. Strong identity proofing at those moments reduces the chance that an attacker can turn an administrative request into unauthorised access.
Q: What breaks when hybrid IAM is managed as separate cloud and legacy projects?
A: Policy consistency breaks first. Users receive different assurance levels, recovery rules, and device requirements depending on which system they touch. That fragmentation creates exceptions, manual workarounds, and inconsistent access outcomes, which are exactly the conditions attackers exploit when identity control is spread across disconnected teams.
Q: Should identity teams treat proofing as part of access governance?
A: Yes. Proofing is part of access governance because it determines whether the identity being enrolled or recovered should be trusted at all. If security and IAM teams leave proofing to operational support alone, they lose visibility into one of the most abuse-prone steps in the lifecycle.
Technical breakdown
Hybrid identity management across cloud and legacy environments
Hybrid identity management means the same governance model has to work across cloud services, on-premises directories, and older applications that were never designed for modern federation. In practice, the challenge is not just authentication protocol choice. It is maintaining consistent policy, assurance, and access decisions when user populations, device types, and application estates do not share a common control plane. That is where IAM programmes often drift into fragmented exceptions and local workarounds.
Practical implication: Map where identity decisions are still split between modern and legacy systems, then remove the duplicate control paths.
Passwordless authentication and assurance boundaries
Passwordless access reduces dependence on reusable secrets such as passwords, but it does not eliminate the need for strong assurance. The control question shifts from memorised credential possession to device trust, authentication context, and recovery integrity. For government environments, that matters because one weak recovery path can undermine an otherwise strong sign-in method. Passwordless is therefore an assurance design problem as much as a user-experience improvement.
Practical implication: Review every recovery and fallback path with the same scrutiny applied to primary authentication.
Identity proofing for onboarding and credential recovery
Identity proofing is the process of verifying that a person is who they claim to be before issuing or restoring access. It becomes critical when onboarding large citizen or workforce populations and when recovery flows can be abused for impersonation or fraud. The article points to proofing as a control around enrollment and recovery, which is where many programmes lose assurance after a strong initial authentication layer is already in place.
Practical implication: Treat enrollment and reset flows as high-risk identity events, not administrative support tasks.
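The three sections above (hybrid control paths, passwordless fallback paths, and proofing at enrollment and recovery) all reduce to one check: the assurance a population actually gets is the weakest route by which someone can obtain or regain access, not the strength of the primary sign-in. The script below is an added example, not code from RSA Security, Microsoft, or the agency described. It models each route with AAL- and IAL-style levels (the 1-to-3 ordering follows NIST SP 800-63, but every level assigned here, the population names, and the routes themselves are constructed assumptions for illustration) and reports every route that falls below the population's policy, including a legacy application that accepts a weaker credential than the central identity provider enforces.

```python
"""Assurance-gap audit for a hybrid identity estate (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Iterator


@dataclass(frozen=True)
class Route:
    """One way a user can obtain access. Levels follow the 1 (weakest) to 3
    ordering of NIST SP 800-63 AAL/IAL; the numbers assigned below are this
    example's assumptions, not a mapping taken from the standard."""
    name: str
    aal: int                          # authentication strength of this route
    ial: int                          # proofing strength behind it (who verified the person)
    phishing_resistant: bool = False


@dataclass
class Population:
    name: str
    required_aal: int
    required_ial: int
    primary: Route
    fallbacks: list[Route] = field(default_factory=list)        # alternate authenticators
    recovery: list[Route] = field(default_factory=list)         # lost-device / reset flows
    legacy_apps: dict[str, Route] = field(default_factory=dict)  # app -> credential the app itself accepts


def all_routes(pop: Population) -> Iterator[tuple[str, Route]]:
    """Enumerate every route, because an attacker chooses the weakest one, not the primary."""
    yield "primary", pop.primary
    for r in pop.fallbacks:
        yield "fallback", r
    for r in pop.recovery:
        yield "recovery", r
    for app, r in pop.legacy_apps.items():
        yield f"legacy:{app}", r


def weakest_route(pop: Population) -> Route:
    return min((r for _, r in all_routes(pop)), key=lambda r: (r.aal, r.ial))


def effective_assurance(pop: Population) -> tuple[int, int]:
    """Effective (AAL, IAL) is the minimum over all routes, not the level of the primary sign-in."""
    routes = [r for _, r in all_routes(pop)]
    return min(r.aal for r in routes), min(r.ial for r in routes)


def audit(pop: Population) -> list[str]:
    """Return one finding per route that falls below the population's required levels."""
    findings: list[str] = []
    for kind, r in all_routes(pop):
        if r.aal < pop.required_aal:
            findings.append(f"{pop.name}: {kind} '{r.name}' is AAL{r.aal}, policy requires AAL{pop.required_aal}")
        if r.ial < pop.required_ial:
            findings.append(f"{pop.name}: {kind} '{r.name}' rests on IAL{r.ial} proofing, policy requires IAL{pop.required_ial}")
        # A phishing-resistant primary is undone by a phishable fallback authenticator.
        if kind == "fallback" and pop.primary.phishing_resistant and not r.phishing_resistant:
            findings.append(f"{pop.name}: fallback '{r.name}' is phishable while the primary is not; attackers will target it")
    return findings


# Constructed sample estate (hypothetical populations, routes and levels).
WORKFORCE = Population(
    name="workforce", required_aal=2, required_ial=2,
    primary=Route("FIDO2 passkey on managed device", aal=3, ial=2, phishing_resistant=True),
    fallbacks=[Route("Password + SMS OTP", aal=2, ial=2)],
    recovery=[Route("Help desk reset with knowledge-based questions", aal=1, ial=1)],
    legacy_apps={"hr-portal": Route("Domain password only", aal=1, ial=2)},
)
CITIZEN = Population(
    name="citizen", required_aal=2, required_ial=2,
    primary=Route("Password + app push", aal=2, ial=2),
    recovery=[Route("Email reset link", aal=1, ial=1)],
)
# The same workforce estate after the weak routes are brought up to policy.
HARDENED = Population(
    name="workforce-hardened", required_aal=2, required_ial=2,
    primary=WORKFORCE.primary,
    fallbacks=[Route("Backup FIDO2 security key", aal=3, ial=2, phishing_resistant=True)],
    recovery=[Route("Re-enrolment after supervised remote proofing", aal=2, ial=2)],
    legacy_apps={"hr-portal": Route("Federated SSO under the central IdP policy", aal=3, ial=2, phishing_resistant=True)},
)

if __name__ == "__main__":
    for pop in (WORKFORCE, CITIZEN, HARDENED):
        aal, ial = effective_assurance(pop)
        print(f"{pop.name}: effective AAL{aal}/IAL{ial}, weakest route '{weakest_route(pop).name}'")
        for line in audit(pop) or ["  no findings"]:
            print("  " + line)
```

The workforce population reports effective AAL1/IAL1 despite a phishing-resistant primary, because the help-desk reset and the password-only legacy portal are reachable routes; the hardened variant reports no findings. Feeding the script a real inventory of populations and routes is the practical version of the three implications above.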
NHI Mgmt Group analysis
Hybrid identity governance is now a cross-domain control problem, not a sign-in problem. The article shows a public-sector environment where workforce, citizen, device, and legacy access all have to be governed together. That is the core issue in modern IAM programmes: policy consistency collapses when identity assurance, device state, and application compatibility are managed in separate silos. Practitioners should treat hybrid identity as a single governance plane spanning onboarding, access, and recovery.
Identity proofing is the control that determines whether access is legitimate before authentication even starts. In government environments, recovery and enrollment are not administrative back-office steps. They are trust decisions that can either stop impersonation or create a path around strong authentication. The article reinforces that proofing has to be built into lifecycle events, not bolted on after the fact. Practitioners should reclassify proofing as a front-line fraud control.
Passwordless only works when fallback and recovery paths are equally governed. Removing passwords does not remove the need for strong assurance; it shifts risk into device trust, recovery, and exception handling. If the backup path is weaker than the primary path, attackers will target the exception instead of the login. The implication for identity teams is that passwordless design must be evaluated end to end, not by adoption rate alone.
Public-sector IAM programmes increasingly depend on interoperability rather than replacement. The article’s Microsoft-centric context shows why many large organisations cannot rip and replace their identity stack. They need controls that bridge legacy infrastructure, cloud identity, and citizen-facing access without creating duplicate governance logic. Practitioners should expect hybrid interoperability to remain the dominant operating model, not a transitional phase.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- The broader lifecycle lesson is captured in Ultimate Guide to NHIs - Lifecycle Processes for Managing NHIs, where offboarding and recovery governance are treated as control points, not admin chores.
What this signals
Identity proofing will keep moving from administrative support into security governance. Public-sector programmes that separate enrollment, recovery, and sign-in will continue to leak assurance at the handoff points. Teams should expect stronger demand for auditability around proofing decisions, fallback approvals, and recovery exceptions, especially where citizen and workforce access share the same environment.
Hybrid interoperability is becoming the default operating model for large identity estates. Organisations rarely get to replace legacy systems in one move, so the practical task is to align cloud identity, older applications, and device trust into one control story. The teams that do this well will reduce duplicate exceptions and make lifecycle governance easier to defend in audits.
Passwordless adoption should be measured by the strength of the recovery path, not the sign-in path alone. If a programme cannot explain how a lost device, BYOD endpoint, or impersonation attempt is handled, the authentication model is incomplete. The next maturity step is to review recovery as the real boundary of trust.
For practitioners
- Map recovery flows as high-risk trust events: Review enrollment, password reset, and account recovery steps separately from everyday authentication. Require the same assurance standards for recovery that you expect at initial sign-in, and look for weak alternate paths that bypass primary controls.
- Align passwordless to device trust and fallback governance: Document which devices, contexts, and recovery methods are allowed to complete passwordless access. Make sure fallback paths for mobile, BYOD, and lost-device scenarios are not weaker than the primary authentication method.
- Unify hybrid policy decisions across legacy and cloud systems: Identify where Microsoft-centric identity policies diverge from controls enforced in on-premises or legacy applications. Remove exceptions where possible, or you will end up with fragmented assurance and inconsistent access outcomes.
- Treat proofing as a fraud control, not a service desk task: Assign ownership of identity proofing to security and IAM governance teams, especially for onboarding and credential recovery. Track fraud attempts and impersonation indicators as control failures, not support volume.
Key takeaways
- The article shows that modern government IAM must govern access, recovery, and proofing as one continuous trust model.
- Hybrid identity programmes succeed when device trust, legacy interoperability, and citizen assurance are designed together, not separately.
- Teams should evaluate passwordless and proofing by the strength of fallback controls, because weak recovery nullifies strong authentication.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01, PR.AA-03 | Identities and credentials are managed, and users, services, and hardware are authenticated, under one policy across hybrid systems rather than per platform. |
| NIST SP 800-63 | SP 800-63A (identity proofing, IAL); SP 800-63B (authenticators and lifecycle, AAL) | Proofing at enrollment and recovery, and authenticator assurance for passwordless sign-in, are central to the agency use case. |
| NIST Zero Trust (SP 800-207) | Section 2.1 tenets: per-session access decisions and dynamic policy that includes device state | Passwordless, device-aware access fits continuous verification and least privilege. |
Align onboarding and recovery assurance to SP 800-63A identity proofing (IAL) and SP 800-63B authenticator and recovery (AAL) guidance, and require the same level on every fallback path as on the primary sign-in.
Key terms
- Hybrid Identity Management: A governance model that applies one access policy across cloud, on-premises, and legacy systems. The practical challenge is maintaining consistent assurance when different platforms authenticate users differently and expose different fallback paths.
- Identity Proofing: The process of verifying that a person is who they claim to be before enrolling them or restoring access. In high-risk environments, proofing is a security control because weak recovery and enrollment paths can become direct entry points for fraud or impersonation.
- Passwordless Authentication: An authentication approach that removes reusable passwords and relies on stronger methods such as device-based sign-in or cryptographic authenticators. Its security value depends on the trustworthiness of recovery, fallback, and device assurance controls.
- Fallback Path: Any alternate route a user can take when the primary access method fails, such as recovery codes, help desk verification, or secondary device approval. Fallback paths are often where assurance weakens, so they must be governed as carefully as the main sign-in flow.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by RSA Security: State government agency enhances security of workforce and citizen access with RSA and Microsoft integration. Read the original.
Published by the NHIMG editorial team on 2025-09-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org