TL;DR: Strong authentication and authorization controls reduce identity risk, but fragmented directories, weak password hygiene, overbroad roles, and weak monitoring still leave organisations exposed, according to Hydden. The practical issue is not whether to modernise IAM, but which foundational controls must be tightened before maturity efforts can meaningfully lower risk.
NHIMG editorial — based on content published by Hydden: how strong is your identity and access security foundation?
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 90% of IT leaders say properly managing non-human identities (NHIs) is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should IAM teams strengthen authentication without making access unusable?
A: Layer controls rather than relying on a single factor, and hold the fallback paths (password reset, account recovery, emergency access) to the same standard as the primary login, since an attacker will take whichever path is weakest.
Q: When does RBAC stop being an effective authorization model?
A: RBAC stops scaling when roles become repositories for exceptions, temporary access, and historical access patterns.
Q: How do organisations know whether identity governance is actually working?
A: Look for evidence, not assumptions: completed access reviews with recorded outcomes, roles that still map to real business functions, and monitoring that would actually surface misuse, rather than the mere existence of a policy.
Practitioner guidance
- Inventory every authentication fallback path: document password reset, account recovery, emergency access, and conditional exception paths.
- Rationalise roles before adding new access tiers: review whether each RBAC role still maps to a distinct business function.
- Tie OIDC scope reviews to entitlement governance: validate claims, scopes, and delegated permissions against directory roles on a recurring cycle.
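The two checks below, role rationalisation and OIDC scope reconciliation, are an added example written for this post; they are not code from Hydden or NHIMG. Every role, user, client, scope and permission name is constructed for illustration, and the mapping from OIDC resource scopes to directory permissions (SCOPE_TO_PERMISSION) is an assumption about how a deployment records what each scope delegates. The script flags roles that duplicate another role's permission set, roles nobody holds, and client scopes that the client owner's directory roles do not justify.

```python
"""Added example: recurring role-rationalisation and OIDC scope-reconciliation
checks. All identifiers below are constructed for the example."""
from itertools import combinations

# Constructed directory roles and the permissions each grants.
ROLES = {
    "finance-analyst":      {"ledger:read", "report:read"},
    "finance-analyst-temp": {"ledger:read", "report:read"},   # an exception that became a role
    "finance-admin":        {"ledger:read", "ledger:write", "report:read", "report:export"},
    "support-agent":        {"ticket:read", "ticket:write"},
    "legacy-ops":           {"ticket:read", "ledger:read", "report:export"},  # accumulated exceptions
}

# Constructed user -> role assignments.
USER_ROLES = {
    "alice": {"finance-analyst", "finance-analyst-temp"},
    "bob":   {"support-agent"},
}

# Constructed OAuth/OIDC client registrations: the owning user and the scopes
# granted at registration.
CLIENTS = {
    "reporting-dashboard": {"owner": "alice", "scopes": {"openid", "ledger.read", "report.read"}},
    "bulk-exporter":       {"owner": "bob",   "scopes": {"openid", "report.export", "ledger.write"}},
    "legacy-sync":         {"owner": "alice", "scopes": {"openid", "mail.send"}},
}

# Assumed mapping from resource scopes to the directory permission each delegates.
SCOPE_TO_PERMISSION = {
    "ledger.read":   "ledger:read",
    "ledger.write":  "ledger:write",
    "report.read":   "report:read",
    "report.export": "report:export",
}

# Standard OIDC scopes that only release identity claims and delegate no resource access.
IDENTITY_SCOPES = {"openid", "profile", "email"}


def effective_permissions(user, user_roles=USER_ROLES, roles=ROLES):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= roles.get(role, set())
    return perms


def find_duplicate_roles(roles=ROLES):
    """Pairs of roles with identical permission sets: candidates for merging."""
    return [(a, b) for a, b in combinations(sorted(roles), 2) if roles[a] == roles[b]]


def find_unassigned_roles(roles=ROLES, user_roles=USER_ROLES):
    """Roles no user holds: retire them or record why they still exist."""
    assigned = set().union(*user_roles.values())
    return sorted(r for r in roles if r not in assigned)


def reconcile_client_scopes(clients=CLIENTS, scope_map=SCOPE_TO_PERMISSION,
                            user_roles=USER_ROLES, roles=ROLES):
    """Return (client_id, scope, reason) for every granted resource scope that
    the owner's directory roles do not justify. A scope with no permission
    mapping is flagged as well, because it cannot be reviewed at all."""
    findings = []
    for client_id, reg in sorted(clients.items()):
        owner_perms = effective_permissions(reg["owner"], user_roles, roles)
        for scope in sorted(reg["scopes"]):
            if scope in IDENTITY_SCOPES:
                continue
            perm = scope_map.get(scope)
            if perm is None:
                findings.append((client_id, scope, "no permission mapping for scope"))
            elif perm not in owner_perms:
                findings.append((client_id, scope, f"owner {reg['owner']} lacks {perm}"))
    return findings


if __name__ == "__main__":
    for a, b in find_duplicate_roles():
        print(f"DUPLICATE ROLE  {a} == {b}")
    for r in find_unassigned_roles():
        print(f"UNASSIGNED ROLE {r}")
    for client_id, scope, reason in reconcile_client_scopes():
        print(f"SCOPE DRIFT     {client_id}: {scope} ({reason})")
```

Run on a recurring cycle against exports from the directory and the authorization server, each finding is a concrete review item: merge the duplicate role, retire or justify the unassigned ones, and either remove the unjustified scope or record the approval that covers it. The scope-to-permission mapping is the piece most deployments lack; without it, a scope review cannot be tied to entitlements at all.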
What's in the full article
Hydden's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance on strengthening authentication choices across users and applications
- Specific implementation considerations for OAuth 2.0 and OpenID Connect in web and API environments
- More detail on how to organise central identity management when multiple directories already exist
- Practical reminders on logging, security reviews, and secure development practices across the lifecycle
Source: Hydden, "Identity and access security foundations: what IAM teams need to fix?"