ICAM and credential management: what IAM teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: IAM is no longer sufficient on its own as identity volumes, weak MFA patterns, and password exposure push credentials to the centre of access control, according to Axiad’s analysis. The shift to ICAM makes credential issuance, tracking, update, and revocation the governance work that now determines identity resilience.

NHIMG editorial — based on content published by Axiad: IAM is Dead...Long Live ICAM

By the numbers:

Questions worth separating out

Q: How should security teams govern credentials when IAM is no longer enough?

A: Security teams should treat credentials as governed identity assets with explicit lifecycle ownership.

Q: Why do machine identities push organisations toward ICAM?

A: Machine identities scale faster than human governance processes can handle.

Q: What breaks when credential revocation is slow or incomplete?

A: Slow revocation leaves valid access in place long after it should have ended, which creates standing exposure for attackers and internal misuse.

Practitioner guidance

  • Inventory credential types across identity estates: map passwords, certificates, API keys, passkeys, TLS credentials, and tokens into one governance inventory so you can see which access paths depend on possession factors rather than knowledge factors.
  • Define credential lifecycle ownership: assign explicit ownership for issue, track, update, and revoke workflows across human, machine, and service identities so revocation does not depend on informal ticket routing.
  • Reduce reliance on weak MFA combinations: review where MFA is partially deployed or paired with weak factors, then prioritise stronger credential-backed authentication for high-risk access paths and administrative roles.

What's in the full article

Axiad's full blog post covers the background, historical framing, and authentication detail this post intentionally leaves for the source:

  • The article’s historical argument for why IAM evolved into ICAM and why credentials displaced passwords as the primary focus.
  • A plain-language breakdown of knowledge, possession, and inherence factors as the source frames them.
  • The specific CISA reference the author uses to define credential management and justify the ICAM model.
  • The article’s examples of breach pressure, including RockYou24 and Change Healthcare, in the original narrative context.

👉 Read Axiad's analysis of why IAM is being replaced by ICAM →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

IAM is reaching its structural limit because authentication alone cannot absorb credential sprawl. The article is right to treat credentials as the new governance centre of gravity. Once identities scale into the tens of millions and machine identities outnumber humans, a password-centric model becomes too brittle to govern safely. Practitioners should read this as a signal that identity programmes now need credential lifecycle control, not just login control.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most teams are still trying to govern identities they cannot fully see.

A question worth separating out:

Q: How do organisations know whether credential governance is working?

A: They should measure how quickly credentials are issued, rotated, updated, and revoked, and how many high-risk identities still rely on weak or incomplete authentication. If credentials remain valid after their business purpose ends, governance is not keeping pace with the identity estate.

👉 Read our full editorial: IAM is giving way to ICAM as credentials become the real control point
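An added example, not code from Axiad's article or from the NHIMG posts, showing how the inventory and lifecycle measures described in the practitioner guidance above and in this reply can be turned into checks over a credential inventory: credentials still valid after their business purpose ended, days from exposure notification to revocation, the share still valid five days after notice, unowned revocation workflows, and live access paths resting on knowledge factors. The field names, the factor mapping and the sample rows are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

KNOWLEDGE = {"password", "api_key", "bearer_token"}  # assumed factor mapping for this example

@dataclass
class Credential:
    cred_id: str
    cred_type: str
    owner: str                        # accountable team; "" means revocation has no owner
    purpose_end: Optional[datetime]   # when the business need ended; None if still needed
    revoked: Optional[datetime]       # None while the credential is still valid
    notified: Optional[datetime]      # when the organisation learned it was exposed

def is_valid(c, now):
    return c.revoked is None or c.revoked > now

def standing_exposure(creds, now):
    """Credentials still usable after their business purpose ended."""
    return [c.cred_id for c in creds if c.purpose_end and c.purpose_end < now and is_valid(c, now)]

def remediation_lag_days(creds, now):
    """Days from exposure notification to revocation (or to now if still open)."""
    return {c.cred_id: ((c.revoked or now) - c.notified).days for c in creds if c.notified}

def share_valid_after(creds, now, days=5):
    """Fraction of notified credentials still valid `days` after notification."""
    cutoff = timedelta(days=days)
    cohort = [c for c in creds if c.notified and c.notified + cutoff <= now]
    still = [c for c in cohort if c.revoked is None or c.revoked > c.notified + cutoff]
    return len(still) / len(cohort) if cohort else 0.0

def unowned(creds):
    return [c.cred_id for c in creds if not c.owner]

def knowledge_factor_paths(creds, now):
    """Live access paths that rest on a secret someone knows rather than something they hold."""
    return [c.cred_id for c in creds if c.cred_type in KNOWLEDGE and is_valid(c, now)]

d = lambda *ymd: datetime(*ymd, tzinfo=timezone.utc)
NOW = d(2025, 1, 31)
SAMPLE = [  # constructed inventory rows, not real data
    Credential("svc-db-apikey", "api_key", "platform", d(2024, 12, 31), None, d(2025, 1, 20)),
    Credential("ci-deploy-token", "bearer_token", "", None, None, d(2025, 1, 28)),
    Credential("admin-passkey", "passkey", "secops", None, None, None),
    Credential("old-tls-cert", "tls_cert", "infra", d(2024, 6, 30), d(2024, 7, 2), None),
    Credential("legacy-pw", "password", "appteam", None, d(2025, 1, 12), d(2025, 1, 10)),
]
```

Run against the constructed rows, the API key whose purpose ended in December is flagged as standing exposure, half of the notified credentials are still valid five days after notice, and the CI token has nobody accountable for revoking it.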
