TL;DR: Large global enterprises face fragmented credentials, uneven access policies, lingering contractor access, and partial SSO coverage, according to Bitwarden, which frames credential sprawl as a scaling problem that compounds across subsidiaries, regions, and legacy systems. Centralised credential governance matters because complexity now drives both breach exposure and compliance difficulty.
NHIMG editorial — based on content published by Bitwarden: Global enterprise credential sprawl is widening identity risk
By the numbers:
- Based on insights from 700+ IT and business professionals, the Streamline Security and Protect Your Organization report explores enterprise password management trends and the risks of weak credentials.
- 99% of identity attacks stem from weak or, ak or stolen passwords, according to the report highlighted by Bitwarden.
- The report draws on feedback from 700+ professionals to examine how top organisations manage credentials at scale.
Questions worth separating out
Q: How should enterprises manage credential security across regions and subsidiaries?
A: Enterprises should manage credential security through a single policy model that covers ownership, storage, access review, and retirement across all regions and subsidiaries.
Q: Why does partial SSO coverage still leave organisations exposed?
A: Partial SSO coverage leaves exposed systems outside the governed identity plane, so authentication rules, logging, and lifecycle controls vary by application.
Q: What do security teams get wrong about passwordless adoption?
A: Teams often treat passwordless adoption as a complete fix for credential risk, when it only removes one weak authentication method.
Practitioner guidance
- Inventory every credential store and shadow repository Map spreadsheets, browser-stored passwords, shared vaults, legacy files, and local admin workarounds into a single credential inventory so ownership and rotation can be assigned.
- Measure SSO coverage by exception volume List applications, shared secrets, and admin paths that sit outside federation, then track the number of exceptions that remain after each remediation cycle.
- Replace shared-account handling with named ownership Eliminate manual tracking of shared credentials by assigning business and technical owners, lifecycle dates, and review cadence to every high-value account or secret.
What's in the full article
Bitwarden's full post covers the operational detail this post intentionally leaves for the source:
- A closer look at the credential management features the vendor groups together for large enterprise environments.
- The report referenced in the article, including the survey framing and the specific enterprise management themes it measures.
- The article's discussion of passkey support, central oversight, and deployment flexibility for teams at implementation stage.
- The vendor's own view of how organisations can move from local password practices to centralised credential control.
👉 Read Bitwarden's analysis of Global 2000 credential security and password management →
Global 2000 credential sprawl: what IAM teams need to fix?
Explore further
Credential sprawl is an identity governance failure, not a password hygiene issue. The article describes a state where credentials are dispersed across teams, tools, contractors, and legacy systems, which means no single control plane governs access end to end. That breaks the basic IAM assumption that access can be consistently observed, reviewed, and revoked. Practitioners should treat credential inventory as governance infrastructure, not an admin convenience.
A few things that frame the scale:
- Over 99% of identity attacks stem from weak or stolen passwords, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, according to The 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: Who is accountable when shared credentials are still tracked manually?
A: Accountability belongs to the business owner of the access path and the security team responsible for governance, but manual tracking often blurs both roles. When no one can prove who owns a credential or when it should be retired, the control has already failed. Enterprises need explicit ownership, review cadence, and retirement authority for every shared secret.
👉 Read our full editorial: Global enterprise credential sprawl is widening identity risk