
Password reset governance in ReACT: what is being covered?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8688
Topic starter  

TL;DR: Continued demand for tightly controlled access recovery workflows and clearer operational guidance for identity teams is signaled by ASPG’s July 21 ReACT webinar, as password reset processes sit at the junction of human IAM, privileged access, and account recovery risk.

NHIMG editorial — here’s why we think this discussion matters

Questions worth separating out

Q: How should organisations govern password reset workflows for privileged accounts?

A: Organisations should use stricter verification, stronger approvals, and complete audit logging for privileged reset paths than for ordinary users.

Q: What breaks when password reset is treated as a support issue instead of an IAM control?

A: Reset governance becomes inconsistent, exceptions multiply, and account recovery can outpace ownership checks, offboarding, and assurance requirements.

Practitioner guidance

What to expect at the briefing

ASPG's full event listing covers the scheduling and registration details this post intentionally leaves to the source:

  • The webinar registration flow and event logistics for the July 21 session.
  • The specific ReACT product context that frames the password reset discussion.
  • The speaker and host details that are not visible in this event listing extract.
  • The source page's surrounding ASPG navigation and product references for readers who need publisher context.

👉 Register for ASPG's ReACT webinar on password reset governance →




   
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8144
 

Password reset governance fails when recovery is treated as convenience instead of assurance. The operational goal is access restoration, but the security requirement is identity re-verification under controlled conditions. Where organisations optimise for speed without separating low-risk from high-risk recovery, they create a predictable abuse path for account takeover. Practitioners should treat reset governance as part of identity assurance, not support scripting.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.

A question worth separating out:

Q: Who is accountable when a reset workflow is abused?

A: Accountability usually spans IAM owners, help desk leadership, and the business owner for the affected identity. If the reset path lacked assurance, the issue belongs to governance, not only to the individual operator. Frameworks such as the NIST Cybersecurity Framework 2.0 expect clear control ownership and response responsibility.

👉 Read our full editorial: ReACT webinar on password reset governance, July 21, 2026



   