
ICAM and credential management: what IAM teams need to rethink


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: IAM is being reshaped by credential-led authentication, because password weakness, identity sprawl, and breach persistence have outgrown traditional access management, according to Axiad and CISA. The shift to ICAM makes possession-based credentials central to identity security, but it also raises the bar for lifecycle control and scale.

NHIMG editorial — based on content published by Axiad: IAM is dead...Long live ICAM

By the numbers:

Questions worth separating out

Q: How should security teams govern credentials across human and non-human identities?

A: Treat credentials as the control object, not just the login mechanism.

Q: Why do machine identities change the way IAM programmes have to operate?

A: Machine identities multiply the number of credentials that must be managed and shorten the tolerance for manual oversight.

Q: What do teams get wrong about strong credentials and access control?

A: They often assume that moving away from passwords automatically solves identity risk.

Practitioner guidance

  • Inventory all credential types, not just user accounts: Build one view that includes passwords, certificates, API keys, passkeys, TLS machine credentials, and service account tokens so governance starts from the actual trust objects in use.
  • Assign explicit lifecycle owners for every credential class: Require named ownership for issuance, tracking, rotation, and revocation across human and non-human identities so no credential exists outside a defined accountability path.
  • Measure revocation, not only authentication success: Track how quickly credentials are retired after role changes, service decommissioning, or compromise notification, because successful logins can hide stale access.

What's in the full article

Axiad's full blog covers the operational detail this post intentionally leaves for the source:

  • The article’s framing of the federal ICAM shift and how CISA influenced the change in terminology and practice.
  • The credential-factor breakdown covering knowledge, possession, and inherence factors in more implementation detail.
  • The article’s discussion of passwords, credentials, and why strong credentials are being positioned as the practical replacement.
  • The source’s own examples and editorial framing around the post-quantum and identity-risk messaging.

👉 Read Axiad's analysis of why IAM is giving way to ICAM →


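The three practitioner guidance points above (one inventory across credential types, a named owner per credential, and revocation measured from the triggering event rather than from login success) can be turned into a small lifecycle report. The following is an added example, not code from the post or from Axiad; the credential records, trigger events and the per-reason revocation targets in REVOCATION_SLA are constructed and hypothetical, and the credential kinds mirror the list in the first bullet.

```python
"""Credential lifecycle report: inventory, ownership gaps, unbounded machine
credentials, and revocation latency against a per-reason target.
Added example with constructed data; the SLA values are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Credential kinds that belong to workloads rather than people.
MACHINE_KINDS = {"certificate", "api_key", "tls_machine", "sa_token"}

# Hypothetical revocation targets per trigger reason (assumption, not a standard).
REVOCATION_SLA = {
    "compromise_notice": timedelta(hours=1),
    "role_change": timedelta(days=1),
    "decommission": timedelta(days=7),
}


@dataclass
class Credential:
    cred_id: str
    kind: str                    # password, certificate, api_key, passkey, tls_machine, sa_token
    subject: str                 # human user or workload that holds it
    owner: Optional[str]         # named lifecycle owner; None is a governance gap
    issued: datetime
    expires: Optional[datetime]  # None = no built-in expiry
    revoked: Optional[datetime] = None


@dataclass
class RevocationTrigger:
    cred_id: str
    reason: str                  # a key of REVOCATION_SLA
    at: datetime


def inventory_by_kind(creds):
    """Guidance 1: a single view counting every credential type in use."""
    counts = {}
    for c in creds:
        counts[c.kind] = counts.get(c.kind, 0) + 1
    return counts


def ownership_gaps(creds):
    """Guidance 2: credentials with no named lifecycle owner."""
    return sorted(c.cred_id for c in creds if not c.owner)


def unbounded_machine_credentials(creds):
    """Live machine credentials with no expiry: only an explicit revocation ever retires them."""
    return sorted(c.cred_id for c in creds
                  if c.kind in MACHINE_KINDS and c.expires is None and c.revoked is None)


def expired_not_revoked(creds, now):
    """Credentials past expiry that were never formally revoked (stale if expiry is not enforced)."""
    return sorted(c.cred_id for c in creds
                  if c.revoked is None and c.expires is not None and c.expires < now)


def _latency(cred, trigger):
    # Time from the trigger to revocation; None while the credential is still valid.
    if cred.revoked is None or cred.revoked < trigger.at:
        return None
    return cred.revoked - trigger.at


def revocation_latency(creds, triggers):
    """Guidance 3: (cred_id, reason, latency) per trigger; latency None = still not revoked."""
    by_id = {c.cred_id: c for c in creds}
    return [(t.cred_id, t.reason, _latency(by_id[t.cred_id], t)) for t in triggers]


def sla_breaches(creds, triggers, now):
    """Triggers whose revocation took longer than the SLA, or is still open past it.
    Returns (cred_id, reason, elapsed_hours) tuples; open cases measure elapsed time up to `now`."""
    by_id = {c.cred_id: c for c in creds}
    breaches = []
    for t in triggers:
        lat = _latency(by_id[t.cred_id], t)
        elapsed = lat if lat is not None else now - t.at
        if elapsed > REVOCATION_SLA[t.reason]:
            breaches.append((t.cred_id, t.reason, round(elapsed.total_seconds() / 3600, 1)))
    return sorted(breaches)


# ---- constructed sample inventory and trigger events ----
def ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

SAMPLE_CREDS = [
    Credential("pw-alice", "password", "alice", "it-helpdesk", ts("2024-01-01T00:00"), ts("2024-07-01T00:00")),
    Credential("cert-web01", "tls_machine", "web01", "platform-team", ts("2024-01-01T00:00"),
               ts("2025-01-01T00:00"), revoked=ts("2024-03-02T02:00")),
    Credential("key-ci-deploy", "api_key", "ci-runner", None, ts("2023-06-01T00:00"), None),
    Credential("sa-token-batch", "sa_token", "batch-job", "data-eng", ts("2024-01-01T00:00"), ts("2024-04-01T00:00")),
    Credential("passkey-bob", "passkey", "bob", "it-helpdesk", ts("2024-02-01T00:00"), None),
]
SAMPLE_TRIGGERS = [
    RevocationTrigger("pw-alice", "role_change", ts("2024-05-01T09:00")),
    RevocationTrigger("cert-web01", "decommission", ts("2024-03-01T00:00")),
    RevocationTrigger("key-ci-deploy", "compromise_notice", ts("2024-05-30T10:00")),
]
NOW = ts("2024-06-01T00:00")

if __name__ == "__main__":
    print("inventory:", inventory_by_kind(SAMPLE_CREDS))
    print("no owner:", ownership_gaps(SAMPLE_CREDS))
    print("machine creds without expiry:", unbounded_machine_credentials(SAMPLE_CREDS))
    print("expired but never revoked:", expired_not_revoked(SAMPLE_CREDS, NOW))
    print("SLA breaches:", sla_breaches(SAMPLE_CREDS, SAMPLE_TRIGGERS, NOW))
```

In the sample, alice's password still authenticates a month after her role change and the CI deploy key is still live 38 hours after a compromise notice; both would look healthy in an authentication-success dashboard and only show up when revocation is measured from the trigger. The same run flags the deploy key as owner-less and expiry-less, which is the combination the second bullet is meant to eliminate.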
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

ICAM is really a statement that credential lifecycle has become the security boundary. The article is right to move the centre of gravity away from passwords, because modern identity risk is increasingly about what can be issued, copied, left valid, and forgotten. That maps directly to NHI and workload identity governance, where the credential is the actor’s practical authority. Practitioners should treat issuance and revocation as first-class control points, not administrative afterthoughts.

A few things that frame the scale:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who should own lifecycle governance for identity credentials?

A: Ownership should sit with the teams responsible for the business service and the identity control plane, not with a single authentication tool owner. Revocation, expiry, and exception handling need clear accountability because credentials outlive projects, personnel changes, and sometimes the systems they were created for.

👉 Read our full editorial: IAM is dead: why ICAM changes identity security
