
Authentication in fragmented IAM estates: what teams need to do


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Passwordless and other modern authentication methods still fail when organizations run authentication in silos, operate three or more IAM systems, and overburden users with friction, according to Axiad and the 2022 Authentication Survey. The practical shift is to treat authentication as an integrated identity control problem, not a point solution decision.

NHIMG editorial — based on content published by Axiad: Rethinking Enterprise Authentication - A Practitioner Point of View

By the numbers:

Questions worth separating out

Q: What breaks when authentication is managed in silos across multiple IAM systems?

A: Authentication gaps appear when assurance rules, recovery steps, and policy enforcement differ across systems.

Q: Why do passwordless programmes fail in fragmented IAM environments?

A: Passwordless fails when the surrounding identity controls are not aligned.

Q: How do security teams know whether authentication automation is actually helping?

A: Automation is helping when it removes repeatable work without increasing exceptions or hiding control gaps.

Practitioner guidance

  • Inventory authentication paths across every IAM system: document how users authenticate to each major application, which IAM platform governs it, and where recovery or step-up logic diverges.
  • Standardize identity assurance rules before wider passwordless rollout: define the minimum assurance level, recovery process, and device trust requirement that must apply across all platforms before expanding passwordless.
  • Use automation only for repeatable, governed authentication tasks: automate certificate renewal, access reset workflows, and routine policy enforcement only after deciding how exceptions are approved and recorded.

What's in the full article

Axiad's full post covers the operational detail this post intentionally leaves for the source:

  • Practitioner interview context from PeerSpot participants on how teams evaluate authentication trade-offs in real environments
  • More detail on the survey-backed reasoning behind integrating multiple IAM tools instead of replacing them outright
  • Expanded discussion of how automation reduces administrative burden for certificate and access-reset workflows
  • Additional commentary on balancing user friction against security outcomes in enterprise authentication design

👉 Read Axiad's practitioner report on enterprise authentication strategy →

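The inventory and standardization steps above can be turned into a repeatable check. The script below is an added example, not Axiad's or NHIMG's code: it takes a per-application record of how each IAM system authenticates users (the field names, the three-level assurance scale, the sample IAM systems "idp-a"/"idp-b"/"idp-c" and the inventory rows are all constructed assumptions), reports where assurance, recovery or device-trust rules diverge for the same application, treats an application's effective assurance as its weakest governed path, and lists every path that falls below a chosen baseline. Finding the weakest path matters because it is the one that determines real exposure, whatever the strongest IAM platform enforces.

```python
"""Cross-IAM authentication consistency check.

Added example (not from the Axiad report or the NHIMG editorial). Assumes each
IAM platform can export, per application, the assurance level it enforces, the
recovery path it allows and whether it requires a trusted device. All data
below is constructed sample data; the field names and scale are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed assurance scale, lowest to highest (not a standards mapping).
ASSURANCE_RANK = {"password": 0, "otp": 1, "phishing-resistant": 2}

# Fields that must agree across platforms for the same application.
POLICY_FIELDS = ("assurance", "recovery", "device_trust")


@dataclass(frozen=True)
class AuthPath:
    app: str          # application the user is authenticating to
    iam_system: str   # IAM platform governing this path (assumed name)
    assurance: str    # key of ASSURANCE_RANK
    recovery: str     # account-recovery flow offered on this path
    device_trust: bool  # True if a managed/trusted device is required


# Constructed inventory: three IAM systems with overlapping application coverage.
INVENTORY = [
    AuthPath("payroll", "idp-a", "phishing-resistant", "helpdesk-verified", True),
    AuthPath("payroll", "idp-b", "otp", "self-service-sms", False),
    AuthPath("crm", "idp-a", "phishing-resistant", "helpdesk-verified", True),
    AuthPath("crm", "idp-c", "phishing-resistant", "helpdesk-verified", True),
    AuthPath("wiki", "idp-b", "password", "self-service-email", False),
]

# Minimum rules that must hold on every path (constructed baseline).
BASELINE = {"assurance": "otp", "device_trust": True}


def find_divergences(inventory):
    """Return {app: [field, ...]} for apps whose paths disagree across IAM systems."""
    by_app = defaultdict(list)
    for path in inventory:
        by_app[path.app].append(path)
    divergences = {}
    for app, paths in by_app.items():
        if len(paths) < 2:
            continue  # a single governing system cannot diverge from itself
        fields = [f for f in POLICY_FIELDS
                  if len({getattr(p, f) for p in paths}) > 1]
        if fields:
            divergences[app] = fields
    return divergences


def effective_assurance(inventory):
    """Map each app to the weakest assurance level reachable on any of its paths."""
    weakest = {}
    for path in inventory:
        current = weakest.get(path.app)
        if current is None or ASSURANCE_RANK[path.assurance] < ASSURANCE_RANK[current]:
            weakest[path.app] = path.assurance
    return weakest


def below_baseline(inventory, baseline=BASELINE):
    """List (app, iam_system, field) for every path that violates the baseline."""
    findings = []
    for path in inventory:
        if ASSURANCE_RANK[path.assurance] < ASSURANCE_RANK[baseline["assurance"]]:
            findings.append((path.app, path.iam_system, "assurance"))
        if baseline["device_trust"] and not path.device_trust:
            findings.append((path.app, path.iam_system, "device_trust"))
    return findings


def report(inventory, baseline=BASELINE):
    """Build the human-readable findings as a list of lines."""
    lines = []
    for app, fields in sorted(find_divergences(inventory).items()):
        lines.append(f"DIVERGENCE {app}: {', '.join(fields)} differ between IAM systems")
    for app, level in sorted(effective_assurance(inventory).items()):
        lines.append(f"EFFECTIVE  {app}: weakest path is '{level}'")
    for app, system, field in below_baseline(inventory, baseline):
        lines.append(f"BASELINE   {app} via {system}: {field} below minimum")
    return lines


if __name__ == "__main__":
    print("\n".join(report(INVENTORY)))
```

Run against the sample inventory, the report shows that "payroll" is governed by two platforms with different assurance, recovery and device rules, that its effective assurance is only "otp" despite the phishing-resistant path on idp-a, and that two idp-b paths fall below the baseline. Replacing the constructed rows with real exports from each IAM platform is the inventory step; agreeing on BASELINE is the standardization step.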
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Authentication sprawl is now an identity governance problem, not just a user experience problem. When enterprises run three or more IAM systems, authentication decisions become inconsistent across apps, devices, and business units. That inconsistency creates a governance gap because assurance levels, recovery paths, and exception handling no longer mean the same thing everywhere. The practical conclusion is that authentication must be managed as a control plane, not a collection of local settings.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most identity teams still operate without complete machine-identity inventory.

A question worth separating out:

Q: How should organisations balance authentication security with usability?

A: They should design for usable controls that users do not feel compelled to bypass. If security friction pushes staff toward shadow processes, the programme loses both effectiveness and credibility. The right balance comes from simplifying the path to compliant access, not weakening assurance to avoid resistance.

👉 Read our full editorial: Rethinking enterprise authentication for fragmented IAM estates
