
Password resets in hybrid IT: where identity controls break down


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Enterprise password management remains fragmented, with Gartner putting password resets at roughly 40% of all IT help desk calls and Verizon finding human error in 68% of breaches, according to the source article and Verizon’s latest breach data. The governance problem is no longer convenience alone: weak reset flows, poor audit trails, and inconsistent verification create an identity control gap attackers can exploit.

NHIMG editorial — based on content published by Bravura Security: enterprise password management and hybrid reset governance

By the numbers:

Questions worth separating out

Q: What breaks when password reset processes stay fragmented across systems?

A: Fragmented reset processes break visibility, consistency, and accountability.

Q: Why do password resets become a security issue in hybrid environments?

A: Password resets become a security issue in hybrid environments because users often need recovery when they are off-network, yet legacy tools still depend on on-site or VPN-connected state.

Q: How do security teams know whether password reset governance is working?

A: A working reset programme produces a complete audit trail, consistent user experience, and low exception rates across all major systems.

Practitioner guidance

  • Centralise reset evidence across every identity store: build one audit trail for all password reset events, including proofing method, system touched, and propagation status.
  • Replace help desk caller checks with governed self-service: remove ad hoc phone verification paths wherever possible and use repeatable identity proofing steps that are enforced by policy.
  • Design recovery to work off-network by default: make sure remote users can reset access without VPN dependence and without manual IT intervention.

What's in the full article

Bravura Security's full article covers the operational detail this post intentionally leaves for the source:

  • A practical breakdown of centralised password reset features across hybrid environments, including on-premises and cloud directories.
  • Examples of self-service reset workflows that reduce help desk load while keeping policy enforcement in place.
  • Guidance on audit logging and compliance reporting for organisations that need evidence for SOX, HIPAA, NIST, and similar obligations.
  • Implementation considerations for off-network password recovery without VPN dependence or manual IT intervention.

👉 Read Bravura Security's article on modernising enterprise password management →

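As an added example (not code from the NHIMG post or from Bravura Security), the following Python script normalises constructed password-reset events from two assumed identity-store formats into the single audit trail the practitioner guidance above describes, and computes the exception rate that the Q&A section uses as a sign of whether reset governance is working. The store names, field names and proofing-method labels are assumptions, not real product schemas.

```python
"""Added example (not from the NHIMG post or Bravura Security): merge
password-reset events from several identity stores into one audit trail
and measure the exception rate. All event data below is constructed."""
import json
from collections import Counter

# Proofing methods that policy treats as governed; anything else (an empty
# value, a help-desk phone check) is treated as an ad hoc path. Assumed labels.
GOVERNED_PROOFING = {"mfa_push", "hardware_token", "id_document"}

# Constructed sample events in two assumed, store-specific formats.
AD_EVENTS = [
    {"user": "alice", "method": "mfa_push", "propagated": True},
    {"user": "bob", "method": "helpdesk_phone", "propagated": True},
]
ENTRA_EVENTS = [
    {"upn": "carol@example.test", "verification": "hardware_token", "sync": "ok"},
    {"upn": "dave@example.test", "verification": "", "sync": "pending"},
]

def normalise(source, event):
    """Map one store-specific event to the common audit record:
    system touched, user, proofing method, propagation status."""
    if source == "ad":
        return {"system": "ad", "user": event["user"], "proofing": event["method"],
                "propagated": bool(event["propagated"])}
    if source == "entra":
        return {"system": "entra", "user": event["upn"].split("@")[0],
                "proofing": event["verification"], "propagated": event["sync"] == "ok"}
    raise ValueError(f"unknown identity store: {source}")

def build_audit_trail():
    """One trail for every reset event, whichever store it came from."""
    trail = [normalise("ad", e) for e in AD_EVENTS]
    trail += [normalise("entra", e) for e in ENTRA_EVENTS]
    return trail

def is_exception(record):
    """A reset is an exception if it used ad hoc proofing or did not propagate."""
    return record["proofing"] not in GOVERNED_PROOFING or not record["propagated"]

def exception_report(trail):
    """Exception count and rate overall, plus a per-system breakdown."""
    exceptions = [r for r in trail if is_exception(r)]
    return {"total": len(trail), "exceptions": len(exceptions),
            "exception_rate": len(exceptions) / len(trail) if trail else 0.0,
            "by_system": dict(Counter(r["system"] for r in exceptions))}

if __name__ == "__main__":
    print(json.dumps(exception_report(build_audit_trail()), indent=2))
```

A rising exception rate, or one store that never reports a proofing method, is the kind of signal the post says a working reset programme should make visible.
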
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Legacy password reset is an identity control failure, not an efficiency gap. The article’s evidence points to a programme that has allowed access recovery to become fragmented across systems, teams, and procedures. That fragmentation weakens both security and auditability because no one can reliably answer who reset what, when, and under which proofing method. The practitioner conclusion is that password reset now needs to be governed as part of identity control, not treated as an isolated service desk function.

A few things that frame the scale:

  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
  • The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, which is a useful benchmark for board-level risk discussions.

A question worth separating out:

Q: Who is accountable when weak password resets enable account takeover?

A: Accountability sits with the organisation that owns the reset control, not with the attacker who exploited it. The relevant governance question is whether identity proofing, logging, and policy enforcement were strong enough to prevent unauthorised recovery. If they were not, the control owner must treat reset design as a high-risk access control.

👉 Read our full editorial: Enterprise password reset is still a hidden identity risk
