Identity management and IAM gaps: what practitioners need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7882
Topic starter  

TL;DR: Identity management still hinges on the split between claimed identity and actual identity, and weak authentication or over-broad authorization leaves organisations exposed to phishing, credential theft, and breach spread, according to 1Kosmos. The real problem is that many IAM programmes still treat identity proofing, access control, and zero trust as adjacent tasks instead of one lifecycle.

NHIMG editorial — based on content published by 1Kosmos: Identity management, IAM, and future-proof authentication

By the numbers:

Questions worth separating out

Q: How should organisations separate identity proofing from access control in IAM?

A: Organisations should treat identity proofing as the point where a subject is established and access control as the point where permissions are limited.

Q: Why do strong logins still fail to prevent access abuse?

A: Strong logins fail when the downstream authorization model is too broad.

Q: When should zero trust be applied in an IAM programme?

A: Zero trust should be applied at sensitive access boundaries, not only at the network edge.

Practitioner guidance

  • Separate authentication controls from authorization reviews: map where identity proofing ends and access policy begins, then test each boundary independently.
  • Reduce trust in claimed identity during recovery and enrolment: treat account recovery, device re-enrolment, and step-up access as high-risk events, because attackers often target those paths when primary authentication is hardened.
  • Apply least privilege to human and machine identities together: do not let separate teams maintain different privilege standards for employees, service accounts, and API-connected workflows.
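To make the three points above concrete, here is an added illustration (not code from the 1Kosmos article or from NHIMG): a small policy evaluator in which identity proofing, authentication and authorization are separate, independently testable boundaries, recovery and re-enrolment are treated as sensitive boundaries in their own right, and human and machine subjects are held to one privilege standard. The assurance scales, roles, resource names and policy values are constructed for the example.

```python
from dataclasses import dataclass
# Constructed assurance scales (illustrative, not from the article).
PROOFING = {"self-asserted": 1, "document-verified": 2, "in-person": 3}
AUTH = {"password": 1, "mfa": 2, "phishing-resistant": 3}

@dataclass(frozen=True)
class Subject:
    kind: str       # "human" or "machine": both are held to one standard
    proofing: str   # how the claimed identity was tied to a real one
    auth: str       # strength of this session's authentication
    roles: frozenset

@dataclass(frozen=True)
class Requirement:
    min_proofing: int
    min_auth: int
    roles: frozenset

ALL = frozenset({"staff", "deployer", "finance-admin"})
# Constructed policy. Recovery leans on fresh proofing because the lost
# authenticator cannot be demanded; re-enrolment demands proofing and login.
POLICY = {
    "wiki-read": Requirement(1, 1, ALL),
    "ci-deploy": Requirement(2, 2, frozenset({"deployer"})),
    "payroll-export": Requirement(2, 3, frozenset({"finance-admin"})),
    "account-recovery": Requirement(3, 1, ALL),
    "device-reenrolment": Requirement(3, 3, ALL),
}

def authenticate(subject: Subject) -> tuple[int, int]:
    """Authentication boundary: assurance levels only, no knowledge of the target."""
    return PROOFING[subject.proofing], AUTH[subject.auth]

def authorize(subject: Subject, resource: str, assurance: tuple[int, int]) -> str:
    """Authorization boundary: least privilege first, then assurance floors."""
    req = POLICY.get(resource)
    if req is None:
        return "deny:unknown-resource"
    if not (subject.roles & req.roles):
        return "deny:no-role"            # over-broad grants fail here; MFA cannot help
    proofing, auth = assurance
    if proofing < req.min_proofing:
        return "deny:re-proof-identity"  # claimed identity is not trusted enough
    if auth < req.min_auth:
        return "step-up"                 # identity is fine, login strength is short
    return "allow"

def reachable(subject: Subject) -> set[str]:
    """Authorization review on its own: what the roles reach once login is cleared."""
    return {r for r, req in POLICY.items() if subject.roles & req.roles}
```

Running `reachable` over every human and service account with the same policy is the authorization review the second and third bullets call for; `authenticate` can be exercised separately against enrolment and recovery flows.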

What's in the full article

1Kosmos' full article covers the operational detail this post intentionally leaves for the source:

  • The article breaks down identity proofing versus authorization in practical terms for IAM teams.
  • It explains the role of SAML, OAuth, LDAP, and OIDC in identity workflows and access decisions.
  • It outlines how cloud IAM changes MFA, biometrics, and compliance delivery across hybrid environments.
  • It expands on passwordless authentication and identity proofing as a response to stolen-credential risk.

👉 Read 1Kosmos' full analysis of identity management, IAM, and identity proofing →
