TL;DR: Japan’s ICAM discussion ties strict identity proofing, credential protection, and access management to zero trust and national security policy, using NIST SP 800-207, NIST SP 800-63, and the new Japanese security labelling framework as reference points. The governance shift is clear: identity assurance now sits inside broader supply-chain and infrastructure resilience decisions, not beside them.
NHIMG editorial — based on content published by Cybertrust Japan: zero trust architecture and ICAM
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Questions worth separating out
Q: How should organisations apply ICAM in zero trust environments?
A: Organisations should use ICAM as the operational layer that ties identity proofing, credential integrity, and access decisions together.
Q: Why does PKI matter for identity assurance?
A: PKI matters because it lets systems verify that a credential was issued by a trusted authority and has not been altered or revoked.
Q: What should security teams govern beyond employee login controls?
A: Security teams should govern contractor access, supplier access, service credentials, and any other identities that can reach critical systems.
Practitioner guidance
- Map critical access paths to ICAM controls Identify which systems depend on strong identity proofing, credential protection, and access management, then classify them by business criticality and regulatory exposure.
- Separate password-grade and certificate-grade trust decisions Do not use one access model for every system.
- Extend governance to third-party access chains Review contractor, supplier, and integrator access as part of the same identity programme.
What's in the full article
Cybertrust Japan's full post covers the operational detail this post intentionally leaves for the source:
- PKI-based identity assurance examples for high-trust environments and why they matter in practice.
- The relationship between NIST SP 800-207, NIST SP 800-63, and Japan’s ICAM direction.
- Specific access management scenarios where zero trust controls depend on credential integrity.
- How national policy and security labelling are shaping procurement and compliance expectations.
👉 Read Cybertrust Japan’s analysis of ICAM and zero trust architecture →
ICAM and zero trust: what it means for IAM teams?
Explore further
ICAM is becoming the practical control plane for zero trust, not a side discussion about login hygiene. The article ties identity proofing, credential management, and access management together as the operational core of secure access in critical infrastructure. That is the right frame for both government and enterprise environments, because zero trust fails when identity assurance is fragmented across separate teams. Practitioners should treat ICAM as a design principle for trust decisions, not a narrow authentication project.
A few things that frame the scale:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs , Why NHI Security Matters Now.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity governance starts from incomplete inventory.
A question worth separating out:
Q: Who is accountable when identity assurance fails in critical infrastructure?
A: Accountability sits with the organisation that issues access and sets trust policy, even when third parties participate in the workflow. For critical infrastructure, that means the operating entity must be able to show how identity was proven, how credentials were protected, and how access was controlled over time.
👉 Read our full editorial: ICAM and zero trust are converging around identity assurance