Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Password, passkey, and agent identity: what changes for IAM teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9773
Topic starter  

TL;DR: Password managers now have to address friction, passkeys, AI-driven attacks, and the mix of human and agent identities as credential use keeps expanding, according to Bitwarden. The governance problem is no longer storage alone; identity teams have to plan for trust, usability, and lifecycle control together.

NHIMG editorial — based on content published by Bitwarden: a leadership note on where password managers, passkeys, and agent identities are headed

Questions worth separating out

Q: How should security teams govern passwords, passkeys, and agent-held secrets together?

A: Treat them as different identity assets with different failure modes.

Q: Why do password managers become an IAM issue instead of a user tool?

A: Because they mediate how secrets are stored, shared, recovered, and revoked.

Q: What do organisations get wrong when adopting passkeys at scale?

A: They often focus on login security and ignore recovery design.

Practitioner guidance

  • Separate human and machine credential lifecycles Define different ownership, recovery, and revocation paths for user passwords, passkeys, API keys, and agent-held secrets so one workflow does not blur multiple actor types.
  • Review sharing and export permissions Audit who can share, export, or recover vault contents and remove broad access that lets credentials persist outside normal approval processes.
  • Map fallback authentication paths Document how users regain access after device loss, factor reset, or passkey failure, then verify those paths do not become weaker than the primary login flow.

What's in the full article

Bitwarden's full blog post covers the operational detail this post intentionally leaves for the source:

  • The CEO's first-hand account of how customer and employee feedback shaped the product direction.
  • The company’s stated priorities for passkeys, AI-driven attack resistance, and mixed human and agent identity environments.
  • The open-source and community commitments that underpin the product’s trust model.
  • The author’s view on how friction, adoption, and product experience affect real-world security use.

👉 Read Bitwarden's leadership note on password managers, passkeys, and agent identities →

Password, passkey, and agent identity: what changes for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

Security tools now fail when they optimise for storage but not for identity behaviour. The article’s real signal is that credential platforms are becoming governance platforms, whether vendors call them that or not. Once a product stores passwords, passkeys, API keys, and agent-related secrets, its failure modes move into ownership, sharing, and lifecycle control. Practitioners should judge these tools by whether they reduce hidden access persistence, not by whether they simply make login easier.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% having no or low visibility and 47% having only partial visibility, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.

A question worth separating out:

Q: How do teams avoid credential sprawl as humans and agents share workflows?

A: Create explicit boundaries between human credentials, machine secrets, and workflow automation tokens. Each should have a named owner, a clear purpose, and a removal trigger. Without that separation, secrets accumulate in scripts, vaults, and shared systems, making review and offboarding far less reliable.

👉 Read our full editorial: Bitwarden's shift toward password, passkey, and agent identity



   
ReplyQuote
Share: