TL;DR: Password storage alone does not solve enterprise identity risk; lifecycle, revocation, and auditability do. Password Manager 2.0 extends workforce passwords into the same governance model used for secrets, keys, certificates, and privileged access, with SSO, RBAC, ABAC, audit, rotation, and zero-knowledge controls built in, according to Akeyless.
NHIMG editorial — what this means for NHI practitioners
Questions worth separating out
Q: How should security teams govern workforce password managers alongside secrets management?
A: They should treat both as part of one identity control plane.
Q: Why do rotated credentials matter if passwords are already stored securely?
A: Secure storage protects the vault, but rotation limits the value of any credential if it is exposed later.
Q: What should enterprises look for in item-level audit controls?
A: They should look for logs that record who read, shared, updated, rotated, or deleted a specific secret, plus where those events can be exported for review.
Practitioner guidance
- Map workforce passwords into the same identity policy model as secrets. Require the password manager to inherit IdP authentication, RBAC or ABAC rules, audit export, and revocation processes already used for privileged access and secrets.
- Separate static credentials from short-lived operational access. Use rotated passwords for user-facing accounts and dynamic credentials for high-risk systems where standing access should not persist between sessions.
- Verify item-level audit before approving enterprise rollout. Check that read, write, share, and rotate events are logged per item, not only at the vault level, and that logs can flow to the SIEM you already use.
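One way to run the item-level audit check from the guidance above against a log export, as an added example that is not Akeyless's or NHIMG's code. The JSON-lines layout and the field names `actor`, `action`, `vault` and `item_id` are assumptions, and the sample events are constructed.

```python
import json

# Actions the Q&A above says item-level audit must record.
REQUIRED_ACTIONS = {"read", "share", "update", "rotate", "delete"}

# Constructed export: one JSON event per line. Field names are assumptions.
SAMPLE_EXPORT = """\
{"ts":"2025-01-07T09:12:03Z","actor":"alice@example.com","action":"read","vault":"finance","item_id":"itm-101"}
{"ts":"2025-01-07T09:13:40Z","actor":"alice@example.com","action":"share","vault":"finance","item_id":"itm-101"}
{"ts":"2025-01-07T09:15:02Z","actor":"bob@example.com","action":"update","vault":"finance"}
{"ts":"2025-01-07T09:16:55Z","action":"rotate","vault":"finance","item_id":"itm-101"}
{"ts":"2025-01-07T09:18:
"""


def audit_gaps(export_text, required=REQUIRED_ACTIONS):
    """Report where an audit export falls short of per-item, per-actor logging."""
    vault_only, anonymous, malformed = [], [], []
    covered = set()  # actions seen with both an item and an actor attached
    for lineno, line in enumerate(export_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            malformed.append(lineno)      # truncated or non-object record
        elif not event.get("item_id"):
            vault_only.append(lineno)     # logged at vault level only
        elif not event.get("actor"):
            anonymous.append(lineno)      # no answer to "who did this"
        else:
            covered.add(event.get("action"))
    return {
        "vault_only_lines": vault_only,
        "anonymous_lines": anonymous,
        "malformed_lines": malformed,
        "uncovered_actions": sorted(required - covered),
    }


if __name__ == "__main__":
    for finding, value in audit_gaps(SAMPLE_EXPORT).items():
        print(f"{finding}: {value}")
```

Run it against an export taken after exercising each action once on a test item; any entry in `uncovered_actions` is an action that was never logged with both an item and an actor.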
What's in the full announcement
Akeyless's full article covers the operational detail this post intentionally leaves for the source:
- Browser extension rollout details across Chrome, Edge, Firefox, and Safari for enterprise deployment planning
- Native mobile parity for iOS and Android, including how the user experience is configured in practice
- Distributed Fragments Cryptography implementation specifics, including how customer-held fragments support zero-knowledge operation
- Migration workflow details for importing from incumbent password managers and synchronising during cutover
👉 Read Akeyless's announcement on Password Manager 2.0 and enterprise governance →
Workforce password managers and NHI governance: what changes now?
Workforce password management now sits inside the same governance problem as secrets and privileged access. Once an organisation can store passwords, rotated secrets, passkeys, and remote access in one platform, the control question is no longer vaulting alone. The real issue is whether authentication, sharing, audit, and lifecycle rules are consistent across human and non-human use cases. That is a NIST CSF and OWASP-NHI governance problem, not a UI preference. Practitioners should evaluate consolidation through control consistency, not convenience.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which is why governance models that mix storage, sharing, and access need stronger control boundaries.
A question worth separating out:
Q: Who is accountable when a password manager is used to store privileged access credentials?
A: Accountability stays with the organisation that owns the access policy and approves the credential lifecycle. The vendor may host or orchestrate the system, but it does not own the business decision about access scope, revocation timing, or audit retention. That responsibility sits with IAM, security, and control owners.
👉 Read our full editorial: Enterprise password management needs the same governance as secrets