TL;DR: A platform scaling through 50+ releases, SCIM beta, zero-knowledge metadata, secret history, and NIS2-aligned credential security work, alongside 50,000+ organisations using the product daily, according to PassBolt. The governance signal is clear: credential management is moving from storage to lifecycle control, auditability, and regulated operations.
NHIMG editorial — based on content published by Passbolt: 2025: A Year in Review
By the numbers:
Questions worth separating out
Q: How should teams govern shared credentials across the full identity lifecycle?
A: Treat shared credentials like governed identities, not static assets.
Q: Why do encrypted metadata and zero-knowledge designs matter for credential governance?
A: They reduce what the server and platform operators can read, which limits exposure from labels, notes, and context around secrets.
Q: What do security teams get wrong about secret history and audit trails?
A: They often treat history as a reporting feature instead of a control artifact.
Practitioner guidance
- Map credential lifecycle ownership across systems Document where provisioning, role assignment, rotation, and offboarding occur for shared credentials and admin accounts.
- Review metadata fields for hidden sensitive context Inventory resource descriptions, notes, and labels to find fields that reveal secrets, system names, or business context.
- Use secret history as governance evidence Retain and review change history for credentials, metadata keys, and group membership updates during access reviews and post-incident analysis.
What's in the full article
Passbolt's full review covers the operational detail this post intentionally leaves for the source:
- The full release timeline behind 50+ product updates and what each change altered in day-to-day administration.
- Implementation detail on SCIM beta, dynamic roles, and group membership updates for larger environments.
- How encrypted resource metadata, secret history, and zero-knowledge controls were handled across product releases.
- The NIS2-focused credential security analysis and the compliance logic behind it.
👉 Read Passbolt’s 2025 year-in-review on credential governance and product evolution →
Credential governance in 2025: what changed for IAM teams?
Explore further
Credential management is becoming a governance system, not just a vault. Passbolt’s year-end review shows the category moving toward provisioning, role assignment, audit history, and policy enforcement. That is a broader shift than storage hygiene, because access control only works when the credential lifecycle is visible end to end. The practitioner takeaway is that secret handling now sits inside identity governance, not beside it.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: What is the difference between secret rotation and lifecycle offboarding?
A: Rotation changes the credential value, while lifecycle offboarding removes or disables the identity and its access path. Both matter, but they solve different problems. A rotated secret can still belong to an account that should no longer exist, so offboarding is the stronger control when access should end entirely.
👉 Read our full editorial: Passbolt’s 2025 review shows credential governance maturing