TL;DR: RSA frames its next phase around enterprise passwordless, higher-assurance identity for regulated environments, and identity security posture management, while tying those priorities to rising identity complexity and a workforce gap of roughly 83 cybersecurity workers for every 100 open jobs, according to RSA. The practical signal is that identity programmes now need stronger assurance, clearer risk prioritisation, and broader lifecycle governance, not just better login flows.
NHIMG editorial — based on content published by RSA Security: The Next Chapter for RSA
By the numbers:
- With roughly 83 cybersecurity workers for every 100 jobs, AI-powered cybersecurity tools can help organisations keep identities secured.
- Only 5.7% of organisations have full visibility into their service accounts.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: How should organisations govern passwordless authentication in regulated environments?
A: Treat passwordless as an access assurance programme, not a convenience feature.
Q: Why do IAM programmes need identity security posture management?
A: Because access risk now accumulates across too many identities, entitlements, and environments for periodic review alone.
Q: How can security teams use AI in identity governance without over-automating decisions?
A: Use AI for correlation, prioritisation, and analyst support, but keep policy decisions, exceptions, and approvals human-owned.
Practitioner guidance
- Define passwordless coverage boundaries Map which applications, device types, and user populations are in scope for passwordless and where fallback methods remain allowed.
- Use ISPM to drive remediation ownership Route posture findings into named remediation workflows for access owners, application owners, and governance teams.
- Review identity controls across human and machine access Assess whether the same governance model can handle employee identities, service accounts, and other machine users without manual exceptions.
What's in the full article
RSA’s full blog post covers the operational detail this post intentionally leaves for the source:
- The product and platform specifics behind RSA’s passwordless roadmap across different device and application environments.
- The ISPM dashboard capabilities inside RSA Governance & Lifecycle and how the vendor positions them for compliance workflows.
- The way RSA describes AI-enhanced risk scoring and how it fits into its IAM and IGA data model.
- The regulated-industry deployment context that the source uses to frame higher-assurance identity requirements.
👉 Read RSA Security’s update on passwordless, ISPM, and identity AI →
RSA’s passwordless push and ISPM focus: what changes for IAM teams?
Explore further
Passwordless programmes fail when they are treated as authentication projects instead of governance programmes. RSA’s framing shows that passwordless only works at enterprise scale when it is tied to device coverage, fallback policy, and lifecycle control across regulated environments. If teams focus only on removing passwords, they miss the harder question of who can authenticate, from where, and under what conditions. The practical conclusion is that passwordless maturity is a policy and governance problem before it is a user-experience upgrade.
A few things that frame the scale:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
- Another finding from our Ultimate Guide to NHIs shows that only 5.7% of organisations have full visibility into their service accounts.
A question worth separating out:
Q: What is the difference between passwordless and stronger identity governance?
A: Passwordless changes how users authenticate, but it does not by itself govern who should have access, when access should be removed, or how exceptions are managed. Strong identity governance covers entitlement lifecycle, policy enforcement, and continuous visibility. In practice, passwordless is one control inside a broader governance model.
👉 Read our full editorial: RSA’s next chapter centers on passwordless and identity posture