
The final 20% of passwords: what IAM teams still need to govern


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: Most enterprises reach about 80% passwordless coverage, but the final 20% still depends on passwords in legacy systems, shadow IT, and non-standard apps, according to Bravura Security. That last mile keeps credential abuse, help desk risk, and governance gaps alive until passwords are governed everywhere.

NHIMG editorial — based on content published by Bravura Security: Why the Final 20% Still Matters

By the numbers:

Questions worth separating out

Q: How should security teams handle the final 20% of password-dependent applications?

A: Treat them as a separate governance population rather than a leftover detail.

Q: Why do passwordless programmes still leave identity risk behind?

A: Because passwordless adoption usually covers the easiest systems first, while legacy apps, shadow IT, and recovery workflows still rely on human-created credentials.

Q: What do organisations get wrong about enterprise password managers?

A: They often treat them as storage tools instead of governance controls.

Practitioner guidance

  • Map the password-bearing tail separately: build a register of applications that still require passwords, then classify them by business criticality, owner, and whether they are legacy, shadow IT, or a recovery dependency.
  • Require enterprise controls for every shared vault: approve only password management solutions that provide centralized policy enforcement, audit logging, offboarding support, and recovery workflows.
  • Test breach-day reset and redistribution workflows: exercise the process for identity validation, mass reset, and secure credential redistribution before an incident.

What's in the full article

Bravura Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • Practical rollout guidance for moving from partial passwordless coverage to managed legacy credential control.
  • The comparison between personal vaults and enterprise password managers from a governance and lifecycle perspective.
  • Operational discussion of breach recovery, including secure reset and distribution workflows during incident response.
  • Coverage metrics and change-management considerations for teams planning staged adoption.

👉 Read Bravura Security's analysis of why enterprise password management still matters →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125
 

The last 20% is where password modernization becomes an identity governance problem. Passwordless adoption often covers the easy majority first, while the hardest systems remain tied to human-created credentials. That residual set is where policy drift, shadow IT, and recovery workflows converge. The implication is that organisations should stop treating password removal as a binary milestone and instead govern the remaining credential estate as a separate risk surface.

A few things that frame the scale:

  • 80% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which shows how weak lifecycle discipline remains across machine identity programmes.

A question worth separating out:

Q: Who is accountable when a stored credential is abused during a breach?

A: Accountability sits with the organisation that owns the credential lifecycle, not the user who happens to know the password. If the enterprise allows unmanaged sharing, poor offboarding, or weak recovery validation, the governance failure is structural and should be mapped to IAM, security operations, and application ownership.

👉 Read our full editorial: Enterprise password management still matters in the final 20%


