Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Identity management and IAM gaps: what practitioners need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Identity management still hinges on the split between claimed identity and actual identity, and weak authentication or over-broad authorization leaves organisations exposed to phishing, credential theft, and breach spread, according to 1Kosmos. The real problem is that many IAM programmes still treat identity proofing, access control, and zero trust as adjacent tasks instead of one lifecycle.

NHIMG editorial — based on content published by 1Kosmos: Identity management, IAM, and future-proof authentication

By the numbers:

Questions worth separating out

Q: How should organisations separate identity proofing from access control in IAM?

A: Organisations should treat identity proofing as the point where a subject is established and access control as the point where permissions are limited.

Q: Why do strong logins still fail to prevent access abuse?

A: Strong logins fail when the downstream authorization model is too broad.

Q: When should zero trust be applied in an IAM programme?

A: Zero trust should be applied at sensitive access boundaries, not only at the network edge.

Practitioner guidance

  • Separate authentication controls from authorization reviews Map where identity proofing ends and access policy begins, then test each boundary independently.
  • Reduce trust in claimed identity during recovery and enrolment Treat account recovery, device re-enrolment, and step-up access as high-risk events because attackers often target those paths when primary authentication is hardened.
  • Apply least privilege to human and machine identities together Do not let separate teams maintain different privilege standards for employees, service accounts, and API-connected workflows.

What's in the full article

1Kosmos' full article covers the operational detail this post intentionally leaves for the source:

  • The article breaks down identity proofing versus authorization in practical terms for IAM teams.
  • It explains the role of SAML, OAuth, LDAP, and OIDC in identity workflows and access decisions.
  • It outlines how cloud IAM changes MFA, biometrics, and compliance delivery across hybrid environments.
  • It expands on passwordless authentication and identity proofing as a response to stolen-credential risk.

👉 Read 1Kosmos' full analysis of identity management, IAM, and identity proofing →

Identity management and IAM gaps: what practitioners need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Authentication and authorization fail for different reasons, so IAM programmes must stop treating them as the same control. The article gets this right at a basic level: proving identity and deciding access are distinct functions, even if the market often bundles them under IAM. When organisations strengthen login without tightening downstream entitlements, they create a false sense of control. The practical conclusion is that identity security must be evaluated as a chain, not a single feature set.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing that identity remediation often trails disclosure.

A question worth separating out:

Q: What is the difference between identity proofing and MFA?

A: Identity proofing establishes that a subject is who they claim to be before a trust relationship is created. MFA strengthens later authentication events by requiring more than one factor. Both matter, but they solve different problems, and neither should be treated as a substitute for tight authorization and lifecycle control.

👉 Read our full editorial: Identity management still breaks at the authentication boundary



   
ReplyQuote
Share: