TL;DR: Centralised IAM creates a single point of failure for credentials and PII, and the MOVEit fallout is a reminder of how widely that exposure can cascade, according to 1Kosmos. The real issue is not just breach volume, but the structural trust assumption that identity data must live in one place to be governed.
NHIMG editorial — based on content published by 1Kosmos: IAM Private & Permissioned and the role of DLT in modern identity architecture
By the numbers:
- One breach at MOVEit impacted 2,620 organizations and 77.2 million people worldwide.
Questions worth separating out
Q: How should security teams reduce the breach impact of centralised identity repositories?
A: Security teams should identify which identity stores contain the most reusable trust material, then reduce how much sensitive data each store holds.
Q: Why do centralised identity systems create so much downstream risk?
A: Centralised identity systems create downstream risk because one repository often supports many applications, users, and authentication flows.
Q: What should IAM teams evaluate before moving to ledger-based identity models?
A: IAM teams should evaluate custody, revocation, auditability, and recovery before treating ledger-based identity as a security improvement.
Practitioner guidance
- Inventory identity data concentration points: map where your programme stores credentials, recovery factors, proofing data, and shared identity attributes.
- Separate verification from bulk storage: review whether identity proofing and authentication workflows still depend on a central database holding more personal and credential data than the business actually needs.
- Reassess endpoint trust assumptions: if your architecture relies on device-held keys or enclave-based credentials, verify how endpoint integrity, secure enclave access, and recovery procedures are governed.
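The Q&A point about reducing reusable trust material in each store and the guidance to separate verification from bulk storage both come down to one architectural move: the shared repository keeps only what is needed to verify, and the secret that actually authenticates stays on the endpoint. The following Go program is an added illustration of that split, written for this post and not taken from 1Kosmos or the MOVEit write-up. It assumes an Ed25519 challenge-response flow, a hypothetical `VerifierRecord` schema, and a constructed list of attribute names that should not live in a verifier store; all three are choices made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
)

// VerifierRecord is the only thing the shared identity store keeps per user:
// a public key for challenge-response authentication and the minimal set of
// attributes the relying parties actually consume. Nothing in it can be
// replayed to authenticate as the user. (Illustrative schema for this post.)
type VerifierRecord struct {
	UserID    string
	PublicKey ed25519.PublicKey
	Attrs     map[string]string
}

// CentralStore models the one repository that many applications query.
type CentralStore struct {
	records map[string]VerifierRecord
}

func NewCentralStore() *CentralStore {
	return &CentralStore{records: map[string]VerifierRecord{}}
}

// Device models the endpoint (phone, enclave, security key) that holds the
// private key. The key never leaves the device; the store only ever sees
// signatures over fresh challenges.
type Device struct {
	UserID string
	priv   ed25519.PrivateKey
}

// Enroll generates the key pair on the device and registers only the public
// half plus the minimal attributes with the central store.
func Enroll(store *CentralStore, userID string, attrs map[string]string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	store.records[userID] = VerifierRecord{UserID: userID, PublicKey: pub, Attrs: attrs}
	return &Device{UserID: userID, priv: priv}, nil
}

// NewChallenge returns 32 random bytes. A fresh challenge per attempt is what
// makes a captured response worthless against any later attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Respond signs the challenge with the device-held key.
func (d *Device) Respond(challenge []byte) []byte {
	return ed25519.Sign(d.priv, challenge)
}

// Verify checks a response against the stored public key; it needs no secret,
// so a full copy of the store gives no way to produce a valid response.
func (s *CentralStore) Verify(userID string, challenge, response []byte) (bool, error) {
	rec, ok := s.records[userID]
	if !ok {
		return false, errors.New("unknown user")
	}
	return ed25519.Verify(rec.PublicKey, challenge, response), nil
}

// sensitiveKeys is a constructed list of attribute names that are proofing or
// recovery material and should stay with the process that needs them rather
// than in a shared verifier store.
var sensitiveKeys = []string{"password_hash", "recovery_answer", "ssn", "id_document", "biometric_template"}

// AuditRecord returns the attribute names in a record that violate the
// data-minimisation rule, sorted so the output is stable.
func AuditRecord(rec VerifierRecord) []string {
	var bad []string
	for _, k := range sensitiveKeys {
		if _, present := rec.Attrs[k]; present {
			bad = append(bad, k)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	store := NewCentralStore()
	dev, err := Enroll(store, "alice", map[string]string{"email": "alice@example.test", "role": "analyst"})
	if err != nil {
		panic(err)
	}
	ch1, _ := NewChallenge()
	ok, _ := store.Verify("alice", ch1, dev.Respond(ch1))
	fmt.Println("fresh challenge verifies:", ok)
	ch2, _ := NewChallenge()
	replayed, _ := store.Verify("alice", ch2, dev.Respond(ch1))
	fmt.Println("old response against new challenge verifies:", replayed)
	fmt.Println("minimisation violations for alice:", AuditRecord(store.records["alice"]))
}
```

Run it with `go run main.go`. The point to take from the output is that the store holds a public key and two attributes, a dump of it contains nothing that signs a challenge, and an old response does not verify against a new challenge; `AuditRecord` is the inventory check from the first guidance item applied to a single record, and would be run over every store in the map you build.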
What's in the full article
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- The architectural explanation of how decentralized digital identity and wallet-based credential handling are implemented.
- The vendor's discussion of private, permissioned ledger design, including how it stores and shares identity-related data.
- The certification references and assurance claims tied to NIST 800-63-3, DIATF, FIDO2, and biometrics.
- The use-case discussion for reusable verified credentials across KYC and KYB workflows.
DLT and identity data centralisation: what IAM teams should rethink?