Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

DLT and identity data centralisation: what IAM teams should rethink


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Centralised IAM creates a single point of failure for credentials and PII, and the MOVEit fallout is a reminder of how widely that exposure can cascade, according to 1Kosmos. The real issue is not just breach volume, but the structural trust assumption that identity data must live in one place to be governed.

NHIMG editorial — based on content published by 1Kosmos: IAM Private & Permissioned and the role of DLT in modern identity architecture

By the numbers:

Questions worth separating out

Q: How should security teams reduce the breach impact of centralised identity repositories?

A: Security teams should identify which identity stores contain the most reusable trust material, then reduce how much sensitive data each store holds.

Q: Why do centralised identity systems create so much downstream risk?

A: Centralised identity systems create downstream risk because one repository often supports many applications, users, and authentication flows.

Q: What should IAM teams evaluate before moving to ledger-based identity models?

A: IAM teams should evaluate custody, revocation, auditability, and recovery before treating ledger-based identity as a security improvement.

Practitioner guidance

  • Inventory identity data concentration points Map where your programme stores credentials, recovery factors, proofing data, and shared identity attributes.
  • Separate verification from bulk storage Review whether identity proofing and authentication workflows still depend on a central database holding more personal and credential data than the business actually needs.
  • Reassess endpoint trust assumptions If your architecture relies on device-held keys or enclave-based credentials, verify how endpoint integrity, secure enclave access, and recovery procedures are governed.

What's in the full article

1Kosmos's full article covers the operational detail this post intentionally leaves for the source:

  • The architectural explanation of how decentralized digital identity and wallet-based credential handling are implemented.
  • The vendor's discussion of private, permissioned ledger design, including how it stores and shares identity-related data.
  • The certification references and assurance claims tied to NIST 800-63-3, DIATF, FIDO2, and biometrics.
  • The use-case discussion for reusable verified credentials across KYC and KYB workflows.

👉 Read 1Kosmos's analysis of distributed ledger identity and IAM risk →

DLT and identity data centralisation: what IAM teams should rethink?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Centralised identity storage is a breach multiplier, not just an administrative convenience. The article correctly identifies the structural problem in IAM: when identity records and credentials are concentrated, one compromise can cascade across many systems and users. That is not a narrow vendor argument, it is a governance reality across human identity and NHI programmes. The practitioner conclusion is that repository design directly shapes breach blast radius.

A few things that frame the scale:

  • 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
  • 35.6% of organisations cite managing consistent access across hybrid and multi-cloud environments as their top NHI security challenge, which shows how quickly identity governance fragments once control is distributed.

A question worth separating out:

Q: Who is accountable for identity governance when credentials are stored on user devices?

A: Accountability shifts toward the organisation that defines the trust model, the endpoint controls, and the lifecycle rules for the credential. Device storage does not remove governance responsibility. It increases the need to prove that key protection, recovery, and audit review are still enforced across the full identity journey.

👉 Read our full editorial: DLT identity architectures expose the IAM centralisation problem



   
ReplyQuote
Share: