TL;DR: Hybrid work has expanded the identity problem beyond users to machines, emails, documents, and credential workflows, while 90% of IT leaders reported more cyberattacks since the pandemic, according to Axiad. The real issue is not just more tools, but a fragmented trust model that leaves identity assurance uneven across the programme.
NHIMG editorial — based on content published by Axiad: Identity crisis? It’s time to take the holistic approach
By the numbers:
- 90% of IT leaders reported an increase in cyberattacks since the pandemic.
Questions worth separating out
Q: How should security teams govern machine identities in hybrid environments?
A: Security teams should treat machine identities as governed assets, not technical by-products.
Q: Why does identity proofing matter before credentials are issued?
A: Identity proofing matters because every credential inherits the trust quality of the verification step that created it.
Q: What breaks when credential management is fragmented across multiple tools?
A: Fragmented credential management creates inconsistent policy enforcement, hidden exceptions, and poor visibility into what is active, stale, or out of policy.
Practitioner guidance
- Expand identity scope beyond users: Map every machine, application, and certificate that participates in trust decisions, then assign clear ownership for each identity class.
- Separate proofing from issuance: Require documented identity proofing standards before credentials are issued, especially for remote onboarding, partners, and customers.
- Unify credential lifecycle controls: Consolidate issuance, troubleshooting, updates, and revocation into a single operational model so teams can see whether credentials are active, stale, or out of policy.
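An added example, not Axiad's code or anything from the source post: a small inventory check in Python that applies the three points above in one pass over a constructed sample of credential records (field names such as `owner`, `proofed` and `last_used` are assumptions, not a vendor schema), flagging credentials that lack an owner, were issued without a proofing record, or are expired, expiring, or stale.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Credential:
    """One row of the unified inventory (assumed fields, not a vendor schema)."""
    cred_id: str
    kind: str                      # "machine-cert", "service-account", "user-cert"
    owner: Optional[str]           # accountable team; None means unowned
    proofed: bool                  # identity proofing recorded before issuance
    not_after: datetime            # expiry of the credential
    last_used: Optional[datetime]  # last authentication seen; None means never


STALE_AFTER = timedelta(days=90)   # unused this long counts as stale
RENEW_WINDOW = timedelta(days=30)  # flag expiry inside this window


def classify(c: Credential, now: datetime) -> List[str]:
    """Return policy findings for one credential; an empty list means active and in policy."""
    findings: List[str] = []
    if c.owner is None:
        findings.append("unowned")
    if not c.proofed:
        findings.append("issued-without-proofing")
    if c.not_after <= now:
        findings.append("expired")
    elif c.not_after - now <= RENEW_WINDOW:
        findings.append("expiring-soon")
    if c.last_used is None or now - c.last_used > STALE_AFTER:
        findings.append("stale")
    return findings


def lifecycle_report(inventory: List[Credential], now: datetime) -> Dict[str, List[str]]:
    """Map cred_id -> findings, covering every identity class in one view."""
    return {c.cred_id: classify(c, now) for c in inventory}


def out_of_policy(report: Dict[str, List[str]]) -> List[str]:
    """IDs that need an owner's action, sorted for stable review."""
    return sorted(cid for cid, findings in report.items() if findings)


# Constructed sample inventory and a fixed "now" so the run is reproducible.
NOW = datetime(2024, 6, 1)
SAMPLE = [
    Credential("svc-build-01", "service-account", "platform", True, datetime(2025, 1, 1), datetime(2024, 5, 30)),
    Credential("mtls-edge-07", "machine-cert", None, True, datetime(2024, 6, 15), datetime(2024, 5, 31)),
    Credential("api-key-legacy", "service-account", "data", False, datetime(2024, 3, 1), datetime(2024, 1, 15)),
    Credential("user-cert-jdoe", "user-cert", "iam", True, datetime(2026, 1, 1), None),
]

if __name__ == "__main__":
    for cid, findings in lifecycle_report(SAMPLE, NOW).items():
        print(cid, findings or "active, in policy")
```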
What's in the full article
Axiad's full blog post covers the operational detail this post intentionally leaves for the source:
- Specific product workflow examples for issuing and managing machine certificates across hybrid environments
- Detailed credential-management scenarios for hardware tokens, smartcards, TPM, and mobile authenticators
- The article's full identity assurance guidance for remote helpdesk, proofing, and user activation workflows
- Examples of how Axiad's Airlock feature enforces required identity actions before broader access is restored
👉 Read Axiad's blog post on holistic identity management for hybrid work →
Explore further
Holistic identity is no longer optional when the enterprise boundary includes machines. The article correctly widens the lens beyond users because hybrid environments now depend on device, application, and certificate trust as much as on human authentication. That aligns with OWASP-NHI and ZT-NIST-207 thinking: if non-human identities are not governed as first-class identities, the programme will always miss part of the attack surface. The practitioner conclusion is straightforward: identity scope must match operational reality, not organisational habit.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which leaves most machine identity programmes partially blind.
A question worth separating out:
Q: Who is accountable when identity assurance fails in a hybrid programme?
A: Accountability sits with the identity and security owners who define proofing, issuance, lifecycle, and enforcement standards. In hybrid environments, failures often appear shared across IAM, helpdesk, and operations, but the programme still needs named ownership for each control point. Without that, assurance gaps become everyone's problem and nobody's responsibility.
👉 Read our full editorial: Identity crisis in the hybrid workplace: holistic IAM matters