Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Credential governance in 2025: what changed for IAM teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9773
Topic starter  

TL;DR: A platform scaling through 50+ releases, SCIM beta, zero-knowledge metadata, secret history, and NIS2-aligned credential security work, alongside 50,000+ organisations using the product daily, according to PassBolt. The governance signal is clear: credential management is moving from storage to lifecycle control, auditability, and regulated operations.

NHIMG editorial — based on content published by Passbolt: 2025: A Year in Review

By the numbers:

Questions worth separating out

Q: How should teams govern shared credentials across the full identity lifecycle?

A: Treat shared credentials like governed identities, not static assets.

Q: Why do encrypted metadata and zero-knowledge designs matter for credential governance?

A: They reduce what the server and platform operators can read, which limits exposure from labels, notes, and context around secrets.

Q: What do security teams get wrong about secret history and audit trails?

A: They often treat history as a reporting feature instead of a control artifact.

Practitioner guidance

  • Map credential lifecycle ownership across systems Document where provisioning, role assignment, rotation, and offboarding occur for shared credentials and admin accounts.
  • Review metadata fields for hidden sensitive context Inventory resource descriptions, notes, and labels to find fields that reveal secrets, system names, or business context.
  • Use secret history as governance evidence Retain and review change history for credentials, metadata keys, and group membership updates during access reviews and post-incident analysis.

What's in the full article

Passbolt's full review covers the operational detail this post intentionally leaves for the source:

  • The full release timeline behind 50+ product updates and what each change altered in day-to-day administration.
  • Implementation detail on SCIM beta, dynamic roles, and group membership updates for larger environments.
  • How encrypted resource metadata, secret history, and zero-knowledge controls were handled across product releases.
  • The NIS2-focused credential security analysis and the compliance logic behind it.

👉 Read Passbolt’s 2025 year-in-review on credential governance and product evolution →

Credential governance in 2025: what changed for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

Credential management is becoming a governance system, not just a vault. Passbolt’s year-end review shows the category moving toward provisioning, role assignment, audit history, and policy enforcement. That is a broader shift than storage hygiene, because access control only works when the credential lifecycle is visible end to end. The practitioner takeaway is that secret handling now sits inside identity governance, not beside it.

A few things that frame the scale:

A question worth separating out:

Q: What is the difference between secret rotation and lifecycle offboarding?

A: Rotation changes the credential value, while lifecycle offboarding removes or disables the identity and its access path. Both matter, but they solve different problems. A rotated secret can still belong to an account that should no longer exist, so offboarding is the stronger control when access should end entirely.

👉 Read our full editorial: Passbolt’s 2025 review shows credential governance maturing



   
ReplyQuote
Share: