
Credential sprawl and identity-first security: what IAM teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Gartner’s 2021 security trends analysis, as discussed by Axiad, argues that remote work made identity-first security the practical baseline while fragmented credential providers, lifecycle friction, and user workarounds continue to weaken enforcement. The real issue is not authentication variety, but governance that cannot keep pace with how credentials are issued, used, and retired.

NHIMG editorial — based on content published by Axiad: What you need to know about identity-first security and vendor consolidation

Questions worth separating out

Q: How should security teams reduce credential sprawl in identity-first environments?

A: They should consolidate governance before they consolidate tools.

Q: Why does fragmented credential management increase identity risk?

A: Fragmentation creates separate sources of truth for access, so lifecycle events, exception handling, and audit evidence no longer line up.

Q: What do security teams get wrong about identity-first security?

A: They often treat it as a technology choice instead of an operating model.

Practitioner guidance

  • Inventory every credential type and owner. Create a complete map of human and NHI credentials, including where each is issued, stored, renewed, and revoked.
  • Unify lifecycle events across credential systems. Align onboarding, offboarding, and exception handling so no identity can retain access after the primary lifecycle event closes.
  • Treat workaround behaviour as telemetry. Track help desk patterns, policy bypasses, and repeat user exceptions as evidence of control friction.

What's in the full article

Axiad's full blog covers the operational detail this post intentionally leaves for the source:

  • The article's vendor-specific framing of how credential consolidation fits Axiad's SMARTidentity approach
  • The full discussion of user-experience tradeoffs across password managers, MFA, and mobile device management
  • The blog's reasoning on why centralized credential platforms still create future credential-support challenges
  • The product context around simplifying authentication across a dispersed workforce

👉 Read Axiad's analysis of identity-first security and vendor consolidation →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Credential sprawl is an identity governance problem before it is a usability problem. Separate credential providers create separate control planes, and that breaks enterprise visibility across humans and NHIs alike. Once issuance, authentication, and revocation live in different places, policy consistency becomes impossible to prove. Practitioners should treat credential sprawl as a governance defect, not just an efficiency issue.

A few things that frame the scale:

  • 96% of organisations store secrets outside of secrets managers, in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: How can organisations tell whether identity controls are working?

A: Look for low workaround rates, clean offboarding, and consistent revocation across all credential types. If users regularly bypass controls or if lifecycle events leave residual access behind, the programme is not controlling identity. It is merely processing login events.

👉 Read our full editorial: Identity-first security exposes the hidden cost of credential sprawl

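The check both posts describe, the editorial's "unify lifecycle events across credential systems" guidance and the reply's test of whether offboarding leaves residual access behind, can be made concrete as a reconciliation job. The following Python script is an added example, not code from either post or from Axiad: it joins one authoritative lifecycle feed against credential inventories pulled from several providers and flags four governance defects the thread discusses: active credentials whose owner has been offboarded or decommissioned, credentials with no owner in the authoritative feed (orphaned NHIs), owners who are disabled in one control plane but still active in another, and active credentials that have never been rotated or are past a rotation age. All identities, provider names, lifecycle states and credential records are constructed sample data; in a real deployment each list would come from the HR system and from the providers' own APIs.

```python
"""Lifecycle reconciliation across fragmented credential stores.

Added example (not from the NHIMG thread or the Axiad article). The
provider names, lifecycle states and credential records below are
constructed; replace them with exports from the real systems.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Credential:
    provider: str                 # control plane that issued it (SSO, cloud, CI, vault)
    kind: str                     # password / api_key / token / cert
    owner: str                    # identity (human or NHI) the credential was issued to
    active: bool                  # still usable according to that provider
    last_rotated: Optional[date]  # None = never rotated since issuance


# Constructed authoritative lifecycle feed: identity -> (status, effective date)
LIFECYCLE: Dict[str, Tuple[str, date]] = {
    "alice": ("active", date(2023, 1, 10)),
    "bob": ("offboarded", date(2024, 3, 1)),
    "ci-deployer": ("active", date(2022, 6, 5)),
    "svc-legacy-report": ("decommissioned", date(2024, 1, 15)),
}

# Constructed per-provider credential inventories, already flattened into one list
CREDENTIALS: List[Credential] = [
    Credential("okta", "password", "alice", True, date(2024, 5, 1)),
    Credential("okta", "password", "bob", False, date(2023, 11, 2)),      # correctly disabled
    Credential("aws", "api_key", "bob", True, date(2023, 8, 20)),         # survived offboarding
    Credential("gitlab", "token", "ci-deployer", True, date(2022, 6, 5)), # never rotated in 2 years
    Credential("aws", "api_key", "svc-legacy-report", True, None),       # owner decommissioned
    Credential("vault", "api_key", "unknown-bot", True, date(2024, 2, 2)),  # no owner on record
]

TERMINAL_STATES: Set[str] = {"offboarded", "decommissioned"}


def residual_access(creds: List[Credential], lifecycle) -> List[Credential]:
    """Active credentials whose owner's lifecycle has already closed."""
    return [c for c in creds
            if c.active and lifecycle.get(c.owner, ("unknown", None))[0] in TERMINAL_STATES]


def orphaned(creds: List[Credential], lifecycle) -> List[Credential]:
    """Credentials with no owner in the authoritative feed (typical orphaned NHIs)."""
    return [c for c in creds if c.owner not in lifecycle]


def inconsistent_revocation(creds: List[Credential]) -> List[str]:
    """Owners disabled in one provider but still active in another: the
    'separate sources of truth' failure the thread describes."""
    states: Dict[str, Set[bool]] = {}
    for c in creds:
        states.setdefault(c.owner, set()).add(c.active)
    return sorted(owner for owner, seen in states.items() if seen == {True, False})


def stale(creds: List[Credential], today: date, max_age_days: int) -> List[Credential]:
    """Active credentials never rotated, or rotated longer than max_age_days ago."""
    return [c for c in creds
            if c.active and (c.last_rotated is None
                             or (today - c.last_rotated).days > max_age_days)]


def reconcile(creds: List[Credential], lifecycle, today: date,
              max_age_days: int = 365) -> Dict[str, list]:
    """Run all four checks and return the findings keyed by defect type."""
    return {
        "residual_access": residual_access(creds, lifecycle),
        "orphaned": orphaned(creds, lifecycle),
        "inconsistent_revocation": inconsistent_revocation(creds),
        "stale": stale(creds, today, max_age_days),
    }


if __name__ == "__main__":
    findings = reconcile(CREDENTIALS, LIFECYCLE, date(2024, 6, 1))
    for defect, items in findings.items():
        print(f"{defect}: {len(items)}")
        for item in items:
            print("   ", item)
```

The useful output is not the list of findings on one day but the trend: if `residual_access` and `inconsistent_revocation` stay non-empty across runs, offboarding is not closing access across every control plane, which is exactly the "processing login events rather than controlling identity" condition the reply describes. Each finding already carries the provider, so it can be routed back to whoever owns that credential store.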