TL;DR: Hidden password compliance gaps can quietly undermine enterprise security, from inconsistent policy enforcement and stale rotation rules to weak user awareness, according to Bravura Security. The core issue is not the existence of policy, but whether identity controls are enforced, measurable, and usable at scale.
NHIMG editorial — based on content published by Bravura Security: password compliance gaps in enterprise identity controls
By the numbers:
- After deploying Bravura Pass, BCBSNC achieved an 80 percent reduction in password-related support calls.
- 78 percent of users adopted self-service password management after the rollout.
Questions worth separating out
Q: How should security teams handle password policy enforcement across mixed environments?
A: They should validate enforcement at the system level, not just in policy documents.
Q: When does password expiry create more risk than it reduces?
A: It becomes counterproductive when rotation schedules are applied blindly, when users choose predictable patterns, or when privileged accounts are exempted in practice.
Q: What do organisations get wrong about password compliance audits?
A: They often audit the existence of a policy instead of the consistency of enforcement and the quality of exceptions.
Practitioner guidance
- Audit password policy enforcement by system and region: inventory where password requirements are applied differently across directories, legacy applications, and remote environments.
- Review rotation rules by account risk tier: separate routine user accounts, privileged accounts, and service-linked access paths, then assign different expiry and rotation logic to each.
- Measure support friction as a control health indicator: track password-related call volume, reset frequency, and exception requests alongside compliance outcomes.
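The three guidance points above can be run as one audit over a per-system inventory. The script below is an added example written for this post, not Bravura Security's code or data; the baseline, tier rotation limits, friction threshold and the five inventory rows are constructed values.

```python
"""Audit password-policy enforcement by system, region and account tier (example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SystemPolicy:
    name: str
    region: str
    tier: str              # "user", "privileged" or "service"
    min_length: int
    rotation_days: int     # 0 means expiry is not enforced on this system
    resets_per_100: float  # password resets per 100 accounts per month (support friction)


BASELINE_MIN_LENGTH = 12  # constructed baseline that applies to every tier
# Constructed per-tier expiry limits: routine users get no forced schedule (0),
# privileged and service paths must rotate within the stated number of days.
TIER_MAX_ROTATION = {"user": 0, "privileged": 90, "service": 365}
FRICTION_THRESHOLD = 20.0  # constructed: resets per 100 accounts per month


def audit(inventory):
    """Return sorted (system_or_tier, finding) pairs for every enforcement gap."""
    findings = []
    for s in inventory:
        if s.min_length < BASELINE_MIN_LENGTH:
            findings.append((s.name, "min_length_below_baseline"))
        max_days = TIER_MAX_ROTATION[s.tier]
        # A privileged or service account with no expiry is "exempted in practice".
        if max_days and (s.rotation_days == 0 or s.rotation_days > max_days):
            findings.append((s.name, "rotation_not_enforced_for_tier"))
        if s.resets_per_100 > FRICTION_THRESHOLD:
            findings.append((s.name, "support_friction_high"))
    # Same tier enforced with different rotation rules in different regions.
    rotation_by_tier = defaultdict(set)
    for s in inventory:
        rotation_by_tier[s.tier].add(s.rotation_days)
    for tier, days in rotation_by_tier.items():
        if len(days) > 1:
            findings.append((tier, "rotation_inconsistent_across_regions"))
    return sorted(findings)


# Constructed inventory: one weak legacy app, one region forcing user rotation,
# one privileged vault with no expiry at all.
INVENTORY = [
    SystemPolicy("corp-ad", "us", "user", 14, 0, 8.0),
    SystemPolicy("corp-ad-emea", "eu", "user", 14, 60, 31.0),
    SystemPolicy("legacy-erp", "us", "user", 8, 0, 12.0),
    SystemPolicy("pam-vault", "us", "privileged", 16, 0, 2.0),
    SystemPolicy("batch-svc", "us", "service", 20, 180, 0.5),
]

if __name__ == "__main__":
    for system, finding in audit(INVENTORY):
        print(f"{system}: {finding}")
```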
What's in the full article
Bravura Security's full article covers the operational detail this post intentionally leaves for the source:
- How Bravura Pass was positioned to reduce password-related support calls in BCBSNC's environment.
- The article's discussion of consistent enforcement across legacy systems and remote locations.
- The practical examples it gives for tailoring expiry and rotation policies to different user groups.
- The FAQ and customer proof details that show how the vendor frames compliance gaps in enterprise settings.
Read Bravura Security's analysis of enterprise password compliance gaps: "Password compliance gaps: what IAM teams need to fix now?"