TL;DR: Identity and credentials are different control objects, and confusing them weakens authentication, access review, auditing, and offboarding, according to Unosecur’s assessment of 169 organisations. Keeping the two lifecycles separate is what lets teams revoke a stolen secret without disrupting the underlying identity record.
NHIMG editorial — based on content published by Unosecur: Identity vs credentials: A manager’s guide to protecting every identity
By the numbers:
- In the six-month period from January 1, 2025, Unosecur did security posture assessments for 169 organisations across different sectors and geographies.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams separate identity management from credential management?
A: Treat identity as the durable account or directory record and credentials as the revocable proof used to authenticate it.
Q: Why do stolen credentials create so much more risk when identity is poorly governed?
A: A stolen credential becomes dangerous when the organisation accepts it as sufficient proof without checking identity state, access scope, or session context.
Q: What breaks when organisations treat credentials as the same thing as identity?
A: Incident response becomes less accurate, access reviews become less trustworthy, and offboarding can leave orphaned access behind.
Practitioner guidance
- Separate identity lifecycle from credential lifecycle: map joiner-mover-leaver events to identity records, and rotation, reset, and revocation events to credentials.
- Inventory every proof material in use: track passwords, tokens, certificates, API keys, passkeys, and service-account secrets by owner, purpose, and expiry condition.
- Build surgical revocation playbooks: create runbooks that disable or rotate the specific credential that is exposed while preserving the underlying identity record for audit and continuity.
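The three guidance items above can be checked against a concrete model. What follows is an added example written for this editorial, not Unosecur's code or discovery workflow: it keeps an Identity record and its Credential proofs as separate objects, so a leaver event disables the identity while revocation and rotation touch only one proof, and authentication refuses a proof whose identity is disabled even if the proof itself is still valid. Class names, fields, scope strings such as invoices:read, the 90-day rotation lifetime and the svc-billing sample data are assumptions.

```python
# Illustrative identity/credential model for this editorial (not Unosecur's
# code). Names, fields, scopes and the sample data are constructed assumptions.
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)  # fixed clock so the run is deterministic


@dataclass
class Identity:
    """Durable account record; only joiner/mover/leaver events change it."""
    id: str
    owner: str
    active: bool = True


@dataclass
class Credential:
    """Revocable proof material bound to exactly one identity."""
    id: str
    identity_id: str
    kind: str                 # password, api_key, certificate, token, passkey
    purpose: str
    scopes: frozenset
    issued_at: datetime
    expires_at: Optional[datetime]
    revoked_at: Optional[datetime] = None


class IdentityStore:
    """Holds both lifecycles; an event on one object never mutates the other."""

    def __init__(self) -> None:
        self.identities: Dict[str, Identity] = {}
        self.credentials: Dict[str, Credential] = {}

    def authenticate(self, cred_id: str, scope: str, now: datetime = NOW) -> Tuple[bool, str]:
        """Accept a presented proof only after checking credential state, identity
        state and requested scope; the reason string is what the audit log records."""
        cred = self.credentials.get(cred_id)
        if cred is None:
            return False, "unknown_credential"
        if cred.revoked_at is not None:
            return False, "credential_revoked"
        if cred.expires_at is not None and now >= cred.expires_at:
            return False, "credential_expired"
        ident = self.identities[cred.identity_id]
        if not ident.active:
            return False, "identity_disabled"
        if scope not in cred.scopes:
            return False, "scope_not_granted"
        return True, f"ok identity={ident.id} credential={cred.id}"

    # Credential lifecycle events: revocation and rotation leave the identity untouched.
    def revoke_credential(self, cred_id: str, now: datetime = NOW) -> None:
        """Surgical revocation: only the exposed proof is disabled."""
        self.credentials[cred_id].revoked_at = now

    def rotate_credential(self, old_id: str, new_id: str, now: datetime = NOW,
                          lifetime: timedelta = timedelta(days=90)) -> Credential:
        """Issue a successor with the same binding and scopes, then retire the old one."""
        old = self.credentials[old_id]
        new = replace(old, id=new_id, issued_at=now, expires_at=now + lifetime, revoked_at=None)
        self.credentials[new_id] = new
        self.revoke_credential(old_id, now)
        return new

    # Identity lifecycle event: a leaver disables the record, then its live proofs are swept.
    def offboard(self, identity_id: str, now: datetime = NOW) -> List[str]:
        self.identities[identity_id].active = False
        swept = [c.id for c in self.credentials.values()
                 if c.identity_id == identity_id and c.revoked_at is None]
        for cid in swept:
            self.revoke_credential(cid, now)
        return swept

    def inventory(self, now: datetime = NOW) -> List[dict]:
        """Proof-material inventory by owner, purpose and expiry condition."""
        rows = []
        for c in self.credentials.values():
            status = ("revoked" if c.revoked_at is not None
                      else "non_expiring" if c.expires_at is None     # flag: no expiry condition at all
                      else "expired" if c.expires_at <= now else "active")
            rows.append({"credential": c.id, "identity": c.identity_id, "kind": c.kind,
                         "owner": self.identities[c.identity_id].owner,
                         "purpose": c.purpose, "status": status})
        return rows


def build_demo_store() -> IdentityStore:
    """Constructed sample: one service identity holding two proof materials."""
    store = IdentityStore()
    store.identities["svc-billing"] = Identity("svc-billing", "payments-team")
    store.credentials["key-001"] = Credential("key-001", "svc-billing", "api_key", "nightly invoice export",
                                              frozenset({"invoices:read"}), NOW - timedelta(days=200), None)
    store.credentials["cert-001"] = Credential("cert-001", "svc-billing", "certificate", "mTLS to ledger",
                                               frozenset({"ledger:write"}), NOW - timedelta(days=30),
                                               NOW + timedelta(days=335))
    return store
```

Revoking key-001 on the demo store leaves cert-001 and the svc-billing record fully usable, which is the "surgical" property the third guidance item asks for; offboarding svc-billing flips the identity and then sweeps whatever proofs are still live, so the two kinds of event stay distinguishable in the audit trail.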
What's in the full article
Unosecur's full blog covers the operational detail this post intentionally leaves for the source:
- How the vendor maps identity records to credentials across human and non-human accounts in its discovery workflow
- Which posture checks it applies to passwords, tokens, access keys, certificates, and MFA registrations
- How its live monitoring correlates sign-in and API events to specific credentials for anomaly detection
- What its IAMOps workflow does when a credential needs to be rotated or retired
👉 Read Unosecur's guide on identity vs credentials and security posture →
Identity vs credentials: are your controls treating them separately?
Identity and credential conflation is a control design error, not a terminology problem. The article is right to separate the durable identity record from the temporary proof used at login. Programmes fail when they treat a password, token, or certificate as if it were the account itself, because the response becomes either too blunt or too weak. The practitioner implication is simple: model identity, credential, and session as distinct objects in governance.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: How do you know whether credential controls are actually working?
A: Look for evidence that compromised or stale secrets can be revoked without disrupting the underlying account record, that rotation happens on schedule, and that access logs still show who or what used each proof material. If the organisation cannot trace actions back to the specific credential and identity state, the control is incomplete.
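Two of the evidence points in that answer, rotation on schedule and per-credential traceability of access-log events, can be turned into checks that run over a credential inventory and a log extract. The block below is an added example, not Unosecur's monitoring or IAMOps tooling; the inventory records, the JSON log lines, their field names and the 90-day rotation policy are all constructed assumptions.

```python
# Evidence checks for credential controls, written for this editorial (not
# Unosecur's tooling). Inventory, log lines, field names and policy are constructed.
import json
from datetime import datetime, timezone
from typing import Dict, List

NOW = datetime(2025, 7, 7, tzinfo=timezone.utc)   # fixed clock for a deterministic run
ROTATION_DAYS = 90                                 # assumed policy: maximum age of a live credential


def parse_ts(value: str) -> datetime:
    """Parse the constructed ISO-8601 'Z' timestamps into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed credential inventory: each proof material is bound to one identity.
INVENTORY: List[Dict] = [
    {"credential": "key-001", "identity": "svc-billing", "kind": "api_key",
     "issued_at": "2025-01-10T00:00:00Z", "revoked_at": None},
    {"credential": "tok-009", "identity": "svc-ci", "kind": "token",
     "issued_at": "2025-06-01T00:00:00Z", "revoked_at": "2025-07-02T00:00:00Z"},
    {"credential": "pw-alice", "identity": "alice", "kind": "password",
     "issued_at": "2025-05-01T00:00:00Z", "revoked_at": None},
]

# Constructed access-log lines (one JSON object per line) that include the
# failure modes worth looking for: no credential field, an uninventoried
# credential, a proof used by the wrong identity, and use after revocation.
LOG_LINES = [
    '{"ts":"2025-07-01T02:00:05Z","event":"api.call","identity":"svc-billing","credential":"key-001","action":"invoices.export"}',
    '{"ts":"2025-07-01T02:14:00Z","event":"api.call","identity":"svc-billing","credential":"key-000","action":"invoices.export"}',
    '{"ts":"2025-07-03T09:30:00Z","event":"signin","identity":"alice","action":"console.login"}',
    '{"ts":"2025-07-04T10:00:00Z","event":"api.call","identity":"svc-other","credential":"key-001","action":"invoices.export"}',
    '{"ts":"2025-07-06T11:00:00Z","event":"api.call","identity":"svc-ci","credential":"tok-009","action":"deploy"}',
]


def rotation_overdue(inventory: List[Dict], now: datetime = NOW,
                     max_age_days: int = ROTATION_DAYS) -> List[str]:
    """Live credentials older than the policy maximum: rotation is not happening on schedule."""
    overdue = []
    for rec in inventory:
        if rec["revoked_at"] is not None:
            continue                      # already retired; age no longer matters
        age = (now - parse_ts(rec["issued_at"])).days
        if age > max_age_days:
            overdue.append(rec["credential"])
    return overdue


def trace_log(lines: List[str], inventory: List[Dict]) -> Dict[str, List[str]]:
    """Can every logged action be tied to a specific credential and its identity?"""
    by_cred = {rec["credential"]: rec for rec in inventory}
    findings: Dict[str, List[str]] = {
        "untraceable": [],           # event carries no credential id at all
        "unknown_credential": [],    # credential id is not in the inventory
        "binding_mismatch": [],      # credential used by an identity it is not bound to
        "used_after_revocation": [], # stale secret still accepted by the relying system
        "traced": [],                # fully attributable events
    }
    for line in lines:
        ev = json.loads(line)
        cred_id = ev.get("credential")
        tag = f'{ev["ts"]} {ev["identity"]} {ev["action"]}'
        if cred_id is None:
            findings["untraceable"].append(tag)
            continue
        rec = by_cred.get(cred_id)
        if rec is None:
            findings["unknown_credential"].append(f"{tag} cred={cred_id}")
            continue
        if rec["identity"] != ev["identity"]:
            findings["binding_mismatch"].append(f"{tag} cred={cred_id} bound_to={rec['identity']}")
            continue
        if rec["revoked_at"] is not None and parse_ts(ev["ts"]) >= parse_ts(rec["revoked_at"]):
            findings["used_after_revocation"].append(f"{tag} cred={cred_id}")
            continue
        findings["traced"].append(f"{tag} cred={cred_id}")
    return findings


def control_report(inventory: List[Dict] = INVENTORY, lines: List[str] = LOG_LINES,
                   now: datetime = NOW) -> Dict[str, List[str]]:
    """Combine both checks; a clean report has every list empty except 'traced'."""
    report = {"rotation_overdue": rotation_overdue(inventory, now)}
    report.update(trace_log(lines, inventory))
    return report


if __name__ == "__main__":
    for key, items in control_report().items():
        print(f"{key}: {len(items)}")
        for item in items:
            print("   ", item)
```

A clean run leaves every finding list empty except traced. Each populated list names a specific way the control is incomplete: an event that cannot be attributed to any proof material, a credential nobody inventoried, a proof presented by an identity it is not bound to, or a secret still accepted after its revocation timestamp, which is the remediation gap the 91.6% figure above describes.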
👉 Read our full editorial: Identity vs credentials: why conflation creates breach risk