TL;DR: Operational resilience is still being undermined by siloed recovery tools, fragmented teams, and overreliance on “hero” expertise, while AI-enabled threats and cloud complexity raise the stakes, according to Commvault. The real shift is from separate plans to a continuous operating model that treats resilience as governance, not a tool purchase.
NHIMG editorial — based on content published by Commvault: ResOps as a shared framework for scalable enterprise resilience
By the numbers:
- Only 44% of organisations are currently using a dedicated secrets management system.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
A: They should bring identity recovery, incident response, and operational restoration into one governed workflow with clear ownership, shared metrics, and tested handoffs.
Q: Why does hero expertise create resilience risk in IAM and NHI programmes?
A: Because resilience cannot scale when critical steps live in one person's memory.
Q: What breaks when resilience planning treats security and operations as separate disciplines?
A: Recovery slows because each team optimises its own priorities, tools, and escalation path.
Practitioner guidance
- Define resilience ownership across identity and operations Assign explicit ownership for identity recovery, privileged access, and incident handoffs within the resilience operating model so no step depends on informal coordination.
- Document recovery playbooks for access-critical systems Turn emergency access, secret rotation, and administrative override procedures into tested runbooks that can be executed without tribal knowledge or a single expert.
- Map resilience controls to zero trust boundaries Ensure emergency access stays time-bound, approved, and traceable even during disruption, with recovery workflows aligned to zero trust architecture and least privilege.
What's in the full article
Commvault's full fireside chat covers the operational detail this post intentionally leaves for the source:
- The CEO-level sponsorship model and how executive accountability is used to drive resilience priorities.
- The practical operating changes needed to unify ITOps, SecOps, and DevOps around one resilience workflow.
- The discussion of why isolated recovery tools and undocumented expert knowledge slow recovery at scale.
- The way AI-enabled threats are changing the assumptions behind resilience planning and business continuity.
👉 Read Commvault's fireside chat on ResOps and enterprise resilience →
ResOps and resilience operations: what IAM teams should take away?
Explore further
Resilience operations exposes the governance gap between recovery capability and recovery accountability. The article shows that enterprises often have tools for backup, response, and continuity, but not a single operating model that binds them together. That is an identity problem as much as an infrastructure problem, because access, restoration, and authorisation all become unstable when ownership is fragmented. The practitioner conclusion is that resilience must be governed as a lifecycle, not assembled ad hoc after disruption.
A few things that frame the scale:
- The average time to mitigate a leaked secret is 36 hours, highlighting the operational burden of manual remediation processes, according to The 2024 State of Secrets Management Survey.
- 54% of organisations are dissatisfied with their current secrets management solution because not all secrets are secured, and 43% cite lack of central management.
A question worth separating out:
Q: Who should be accountable for resilience operating models in identity-heavy environments?
A: Executive sponsorship matters because resilience spans business risk, infrastructure recovery, and identity governance. The CEO, CIO, CTO, CISO, and business leaders should define outcomes and priorities, while operational teams implement the playbooks. Without top-level accountability, resilience becomes a collection of local optimisations instead of a strategic discipline.
👉 Read our full editorial: ResOps shows why resilience must become an operating model