
Workforce identity in Google Cloud: what changes for IAM teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Credential checks alone no longer contain impersonation-driven access abuse, and 1Kosmos Workforce on Google Cloud Marketplace ties identity proofing and phishing-resistant authentication to procurement and deployment inside the cloud environment, aiming to stop hiring fraud, synthetic identities, and service-desk account takeover before access is granted.

NHIMG editorial — what this means for IAM teams

Questions worth separating out

Q: How should security teams stop onboarding fraud in workforce identity flows?

A: Security teams should require identity proofing before access is issued, not after the account already exists.

Q: Why do phishing-resistant logins not solve all workforce identity risk?

A: Phishing-resistant login reduces credential replay and theft, but it does not prove the real-world identity of the person enrolling, resetting, or recovering access.

Q: What breaks when service-desk recovery is treated as a routine support task?

A: Recovery becomes a hidden privilege escalation path.

Practitioner guidance

  • Bind onboarding to verified identity signals: Require government-issued document checks or equivalent proofing before issuing workforce access, especially for remote hires, contractors, and privileged users.
  • Raise service-desk recovery to privileged workflow status: Apply stronger approval, verification, and audit requirements to password resets and account recovery because those steps can bypass normal authentication paths.
  • Separate authentication strength from identity assurance: Review whether phishing-resistant login controls are being mistaken for proof of the person behind the account, and document where additional verification is required.

What's in the full announcement

1Kosmos's full product post covers the operational detail this post intentionally leaves for the source:

  • Deployment and billing flow through Google Cloud Marketplace, which matters for teams evaluating procurement and rollout paths.
  • The article details how verified identity is embedded into onboarding, service desk recovery, and authentication workflows.
  • It outlines support across employees, contractors, shared workstations, and remote users, which helps teams map coverage gaps.
  • The source also explains how the workflow integrates into existing IAM, HR, and ITSM processes.

👉 Read 1Kosmos's post on verified workforce identity in Google Cloud Marketplace →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 6255
 

Verified identity is becoming a frontline control because authentication alone no longer answers the right question. Passwordless and phishing-resistant methods reduce credential theft, but they do not prove that the person enrolling or requesting access is genuine. When attackers use synthetic identity tactics or AI-assisted impersonation, the programme failure is not login weakness alone. The implication is that workforce identity must be governed as an assurance problem, not a password replacement exercise.

A few things that frame the scale:

  • 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable when identity proofing and access provisioning fail together?

A: Accountability sits across HR, IAM, and the service desk because each team owns a different part of the assurance chain. If one function accepts unverified identity and another provisions access without challenge, the failure is systemic and should be governed as a shared control gap.

👉 Read our full editorial: Verified workforce identity in Google Cloud changes access risk



   