Digital identity management: where IAM teams still lose control

TL;DR: Digital identity management depends on authentication, authorization, administration, and auditing working together, but weak passwords, fragmented systems, insider risk, and regulatory pressure continue to expose people and machines, according to 1Kosmos. The real issue is not login friction alone, but whether identity governance can follow the full lifecycle without leaving orphaned access behind.

NHIMG editorial — based on content published by 1Kosmos: Key Lessons on Digital Identity Management

By the numbers:

• Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
• 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
• 5.7% of organisations have full visibility into their service accounts.

Questions worth separating out

Q: How should security teams govern machine identities alongside human IAM?

A: Treat machine identities as governed subjects with ownership, lifecycle dates, access boundaries, and retirement rules.

Q: When does passwordless authentication fail to reduce identity risk?

A: Passwordless fails when teams assume stronger login methods automatically fix broader governance gaps.

Q: What breaks when identity systems are fragmented across tools and teams?

A: Fragmentation breaks visibility, accountability, and timely revocation.

Practitioner guidance

• Define identity ownership across all identity types Assign a named owner for human accounts, machine identities, service credentials, and cloud access paths so provisioning, review, and retirement do not fall between teams.
• Collapse credential sprawl into a managed lifecycle Inventory passwords, keys, tokens, certificates, and verified credentials, then tie each one to a creation date, expiry rule, review cadence, and revocation path.
• Separate authentication strength from governance completeness Adopt passwordless and phishing-resistant methods where appropriate, but keep access reviews, entitlement monitoring, and offboarding controls in the same programme.

What's in the full article

1Kosmos' full article covers the operational detail this post intentionally leaves for the source:

• The vendor's step-by-step breakdown of digital identity components across authentication, authorisation, administration, and auditing
• The specific explanation of how passwordless and biometric verification are positioned in enterprise identity flows
• The article's own framing of blockchain-backed privacy and verified credentials in the context of user experience
• The vendor's discussion of how its platform is positioned for remote identity verification and enterprise login use cases

👉 Read 1Kosmos' article on digital identity management and passwordless verification →

Digital identity management: where IAM teams still lose control?

Explore further

View Full Forum →  |  NHI Foundation Course →