TL;DR: Tighter credential and password governance across team workflows is taking shape through dynamic role management, faster group membership updates, SCIM beta support, encrypted resource metadata, and NIS2 guidance, according to PassBolt’s 2025 review. The real test is whether these features reduce standing access, secret sprawl, and lifecycle gaps in practice, not just improve admin convenience.
NHIMG editorial — based on content published by Passbolt: 2025 year-in-review and related credential management updates
Questions worth separating out
Q: How should security teams reduce standing access to shared credentials?
A: Security teams should tie shared credential access to identity lifecycle events, not static group membership.
Q: Why do credential platforms still create governance risk even when secrets are encrypted?
A: Encryption protects the secret value, but not always the surrounding metadata, ownership, or access pathways.
Q: What breaks when group membership updates are slow in a credential system?
A: Slow group updates leave stale access in place after the business reason for access has changed.
Practitioner guidance
- Measure access revocation latency Track how long it takes for group membership changes to remove access to shared credentials and resource metadata.
- Map credential access to identity lifecycle events Align provisioning, mover, and offboarding workflows with secret access paths so deactivation removes inherited permissions as well as direct assignments.
- Classify metadata as sensitive governance data Treat notes, URIs, labels, and ownership fields as part of the protected secret object.
What's in the full article
Passbolt’s full post covers the product changes this analysis intentionally leaves at the governance level:
- Detailed feature notes on dynamic role management and drag-and-drop group assignment in Passbolt 5.8
- The NIS2 credential security checklist and compliance framing used in the December 2025 guidance
- Practical examples of SCIM-style provisioning and workflow changes for team access management
- Release-by-release product context showing how the platform’s administration experience changed across 2025
👉 Read Passbolt’s 2025 review and credential management updates →
Dynamic role management in credential tools: what changes for IAM teams?
Explore further
Dynamic role management is only useful if it shortens the access exposure window. Faster group membership updates matter because the security problem in shared credential systems is often persistence, not assignment. If a removed user or shifted team retains access long after the change, the platform has preserved standing privilege under a new label. Practitioners should evaluate whether role updates actually eliminate dormant access paths.
A few things that frame the scale:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- 59.8% of organisations see value in a solution that simplifies non-human access management and introduces dynamic ephemeral credentials, according to The 2024 Non-Human Identity Security Report.
A question worth separating out:
Q: Who is accountable when credential access persists after offboarding?
A: Accountability sits with the identity and platform owners who defined the lifecycle, not just the person executing offboarding. If deprovisioning does not remove inherited secret access, the control design failed. Teams should document ownership across IAM, PAM, and application administrators so offboarding checks are testable and auditable.
👉 Read our full editorial: Dynamic role management raises the bar for credential governance