Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Hybrid identity security for government access: what changed here?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: A US state agency modernised workforce and citizen access with RSA and Microsoft integration to support passwordless sign-in, hybrid identity management, BYOD protection, and secure proofing for onboarding and recovery, according to RSA Security. The underlying lesson is that convenience, fraud resistance, and hybrid interoperability now have to be governed together, not treated as separate IAM projects.

NHIMG editorial — based on content published by RSA Security: State government agency enhances security of workforce and citizen access with RSA and Microsoft integration

By the numbers:

Questions worth separating out

Q: How should government teams govern passwordless access across hybrid environments?

A: Government teams should govern passwordless access as a full identity assurance journey, not just a stronger login method.

Q: Why do onboarding and recovery flows matter so much in public-sector IAM?

A: Onboarding and recovery determine whether the person requesting access is truly entitled to it.

Q: What breaks when hybrid IAM is managed as separate cloud and legacy projects?

A: Policy consistency breaks first.

Practitioner guidance

  • Map recovery flows as high-risk trust events Review enrollment, password reset, and account recovery steps separately from everyday authentication.
  • Align passwordless to device trust and fallback governance Document which devices, contexts, and recovery methods are allowed to complete passwordless access.
  • Unify hybrid policy decisions across legacy and cloud systems Identify where Microsoft-centric identity policies diverge from controls enforced in on-premises or legacy applications.

What's in the full article

RSA Security's full article covers the operational detail this post intentionally leaves for the source:

  • The specific RSA ID Plus, Risk AI, Mobile Lock, and ID Proofing implementation choices used in the agency environment.
  • The integration details for Microsoft Entra ID and how the hybrid identity stack was configured for different user populations.
  • The deployment and professional services elements that reduced implementation complexity and shortened time-to-value.
  • The customer outcome statements that describe how the agency balanced usability, compliance, and operational disruption.

👉 Read RSA Security's article on government hybrid identity modernization with Microsoft integration →

Hybrid identity security for government access: what changed here?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Hybrid identity governance is now a cross-domain control problem, not a sign-in problem. The article shows a public-sector environment where workforce, citizen, device, and legacy access all have to be governed together. That is the core issue in modern IAM programmes: policy consistency collapses when identity assurance, device state, and application compatibility are managed in separate silos. Practitioners should treat hybrid identity as a single governance plane spanning onboarding, access, and recovery.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: Should identity teams treat proofing as part of access governance?

A: Yes. Proofing is part of access governance because it determines whether the identity being enrolled or recovered should be trusted at all. If security and IAM teams leave proofing to operational support alone, they lose visibility into one of the most abuse-prone steps in the lifecycle.

👉 Read our full editorial: State identity security modernisation hinges on hybrid IAM controls



   
ReplyQuote
Share: