TL;DR: As more processes are automated and more devices, systems, and applications need digital identities, Axiad argues that cloud delivery reduces implementation complexity but does not remove the need for constant lifecycle attention and enablement across users and machines. The underlying risk is that identity programmes still have to inventory, verify, and govern a growing set of non-human and human access paths before productivity and security drift apart.
NHIMG editorial — based on content published by Axiad: Are You Doing Everything You Can to Mitigate Your Cyber Security Risks?
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
Questions worth separating out
Q: How should security teams govern digital identities in cloud environments?
A: Security teams should govern digital identities by classifying every identity object, assigning ownership, and tying credential issuance to retirement.
Q: Why do service accounts and other machine identities increase identity risk?
A: Service accounts increase identity risk because they often persist longer than the systems or workflows they support, and they are frequently under-inventoried.
Q: How do organisations know if cloud identity enablement is actually working?
A: They know it is working when every identity has a named owner, a documented purpose, and a clear retirement path, and when exceptions are rare enough to be managed.
Practitioner guidance
- Create a governed digital identity inventory: map every human, service account, device, application, and automated identity to an owner, purpose, and retirement condition.
- Link enablement to offboarding and rotation: treat enrolment, credential issuance, certificate renewal, and retirement as one workflow.
- Standardise assurance controls across environments: apply consistent identity assurance rules across cloud, on-premises, and automated workflows so exceptions do not become the default operating model.
What's in the full article
Axiad's full blog post covers the operational detail this post intentionally leaves for the source:
- The service and delivery model behind Axiad ID Cloud, including why the team shifted from implementation work to enablement work.
- The practical examples of user and application enablement challenges that arise when MFA and PKI are rolled out across mixed environments.
- The project planning questions Axiad uses to frame business milestones, adoption friction, and system inventory.
- The specific organisational and service considerations behind its cloud-based identity approach.
👉 Read Axiad's analysis of identity risk in cloud-based MFA and PKI rollouts →
Digital identity sprawl: what IAM teams need to do now
Explore further
Identity sprawl is the real risk hidden inside cloud simplification. Faster deployment does not remove the need to know what identities exist, who owns them, and how they are retired. As more systems, devices, and applications come into scope, the control problem becomes governance at scale. Practitioners should treat identity inventory as a security control, not an administrative task.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 97% of NHIs carry excessive privileges, which means inventory gaps quickly become privilege gaps as well.
A question worth separating out:
Q: What should teams do when cloud authentication expands faster than governance?
A: Teams should pause broad expansion and stabilise the control plane around inventory, ownership, and lifecycle management first. If authentication coverage grows while offboarding, certification, and exception handling lag behind, the result is identity sprawl with a false sense of security.
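The practitioner guidance above (inventory mapped to owner, purpose and retirement condition; enablement linked to rotation and offboarding) and the answer just given (stabilise the control plane around inventory, ownership and lifecycle before expanding coverage) can both be turned into a mechanical check. The script below is an added example, not code from Axiad, NHIMG or any product they describe. It audits a small inventory of human and non-human identities for the governance gaps the editorial names: missing owner, missing purpose, no retirement condition, an identity that outlived the workflow it supported, an overdue credential rotation, and wildcard or admin-style privilege on a machine identity. The record fields, the set of live workflows, the rotation windows and every sample identity are constructed for illustration.

```python
"""Governance audit over a digital-identity inventory (added example, not Axiad's code).

Each identity record carries the three attributes the guidance calls for
(owner, purpose, retirement condition) plus the lifecycle data needed to
link enablement to rotation and offboarding. Field names, workflow names
and the sample records below are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Identity:
    name: str
    kind: str                        # "human", "service", "device", "application"
    owner: Optional[str]             # named accountable person or team
    purpose: Optional[str]           # why the identity exists
    retire_when: Optional[str]       # condition that triggers retirement
    issued: date                     # when the current credential was issued
    rotation_days: int               # maximum credential age before rotation is due
    depends_on: Optional[str] = None # workflow or system this identity supports
    privileges: list = field(default_factory=list)


# Constructed sample: workflows that are still live. Anything not listed is retired.
ACTIVE_WORKFLOWS = {"billing-export", "ci-pipeline", "hr-sync"}

# Reference date used by the sample run (constructed).
TODAY = date(2024, 4, 1)


def audit_identity(ident: Identity, today: date, active=ACTIVE_WORKFLOWS) -> list:
    """Return the governance gaps for one identity; an empty list means compliant."""
    gaps = []
    if not ident.owner:
        gaps.append("missing-owner")
    if not ident.purpose:
        gaps.append("missing-purpose")
    if not ident.retire_when:
        gaps.append("no-retirement-condition")
    # Orphan check: the workflow this identity supported is gone but the identity persists.
    if ident.depends_on and ident.depends_on not in active:
        gaps.append("orphaned")
    # Rotation check: credential age against the identity's own rotation window.
    if today - ident.issued > timedelta(days=ident.rotation_days):
        gaps.append("rotation-overdue")
    # Wildcard or admin-style grants on a non-human identity are treated as excessive.
    if ident.kind != "human" and any(p in ("*", "admin") for p in ident.privileges):
        gaps.append("excessive-privilege")
    return gaps


def audit_inventory(inventory, today: date) -> dict:
    """Map identity name -> gaps, keeping only identities with at least one gap."""
    report = {}
    for ident in inventory:
        gaps = audit_identity(ident, today)
        if gaps:
            report[ident.name] = gaps
    return report


def governance_healthy(inventory, today: date, max_exception_ratio: float = 0.1) -> bool:
    """True when the share of flagged identities is small enough to run as exceptions."""
    if not inventory:
        return True
    flagged = len(audit_inventory(inventory, today))
    return flagged / len(inventory) <= max_exception_ratio


# Constructed sample inventory: one clean human, one clean service account,
# one ungoverned legacy service account, and one app key with a lapsed rotation.
SAMPLE = [
    Identity("alice", "human", "alice", "finance analyst", "HR termination",
             date(2024, 1, 10), 365),
    Identity("svc-billing", "service", "finance-platform", "nightly billing export",
             "workflow billing-export retired", date(2024, 3, 1), 90,
             "billing-export", ["read:ledger"]),
    Identity("svc-legacy-etl", "service", None, None, None,
             date(2023, 6, 1), 90, "legacy-etl", ["*"]),
    Identity("api-key-ci", "application", "platform-team", "CI deploy key",
             "pipeline decommissioned", date(2024, 2, 15), 30,
             "ci-pipeline", ["deploy"]),
]

if __name__ == "__main__":
    for name, gaps in audit_inventory(SAMPLE, TODAY).items():
        print(f"{name}: {', '.join(gaps)}")
    print("governance healthy:", governance_healthy(SAMPLE, TODAY))
```

Run against the sample, the legacy ETL account trips every check at once, which is the pattern the editorial describes: an inventory gap that is simultaneously an ownership gap, a lifecycle gap and a privilege gap. The `governance_healthy` threshold is the operational form of "exceptions rare enough to be managed"; the 10% ratio is a constructed value and should be set per programme.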
👉 Read our full editorial: Identity risk rises as digital identities multiply across cloud and systems