TL;DR: Strong authentication and authorization controls reduce identity risk, but fragmented directories, weak password hygiene, overbroad roles, and weak monitoring still leave organisations exposed, according to Hydden. The practical issue is not whether to modernise IAM, but which foundational controls must be tightened before maturity efforts can meaningfully lower risk.
NHIMG editorial — based on content published by Hydden: how strong is your identity and access security foundation?
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should IAM teams strengthen authentication without making access unusable?
A: Focus on layered authentication rather than one control alone.
Q: When does RBAC stop being an effective authorization model?
A: RBAC stops scaling when roles become repositories for exceptions, temporary access, and historical access patterns.
Q: How do organisations know whether identity governance is actually working?
A: Look for evidence, not assumptions.
Practitioner guidance
- Inventory every authentication fallback path Document password reset, account recovery, emergency access, and conditional exception paths.
- Rationalise roles before adding new access tiers Review whether each RBAC role still maps to a distinct business function.
- Tie OIDC scope reviews to entitlement governance Validate claims, scopes, and delegated permissions against directory roles on a recurring cycle.
What's in the full article
Hydden's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance on strengthening authentication choices across users and applications
- Specific implementation considerations for OAuth 2.0 and OpenID Connect in web and API environments
- More detail on how to organise central identity management when multiple directories already exist
- Practical reminders on logging, security reviews, and secure development practices across the lifecycle
👉 Read Hydden's analysis of identity and access security foundations →
Identity and access security foundations: what IAM teams need to fix?
Explore further
Identity maturity fails when authentication is treated as a user-experience problem instead of a control architecture. Strong MFA and password policy help, but only if every fallback path, recovery flow, and exception workflow is governed with the same rigor as the primary login path. That is why teams that focus only on the main authentication journey still end up with exploitable gaps. The practitioner takeaway is to audit the entire identity entry surface, not just the front door.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- Another 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: What is the difference between secure authentication and secure authorization?
A: Authentication proves who or what is requesting access, while authorization determines what that identity can do after it is accepted. Strong authentication without disciplined authorization still leaves excessive permissions in place. Mature IAM programmes need both layers, because one controls entry and the other controls blast radius.
👉 Read our full editorial: Identity and access security foundations still lag behind risk