TL;DR: Splitting secrets management, privileged access, and certificate lifecycle across multiple products increases glue work, audit fragmentation, and policy drift, while one control plane reduces that complexity, according to Akeyless. The deeper lesson is that identity programmes fail when credential, access, and certificate governance are treated as separate systems instead of one lifecycle.
NHIMG editorial — based on content published by Akeyless: Akeyless vs CyberArk, focused on secrets, access, and certificate lifecycle management
Questions worth separating out
Q: How should security teams reduce glue work between secrets, PAM, and certificates?
A: They should define one governance boundary for credential issuance, privileged session access, and certificate lifecycle, then remove duplicate workflows that cross tool lines.
Q: Why does fragmented identity tooling increase audit risk?
A: Fragmented tooling forces auditors to reconcile separate logs, approval records, and revocation events across products that do not share the same state.
Q: When does just-in-time access still leave standing risk?
A: Just-in-time access still leaves standing risk when the session credential, revocation event, and audit record are not managed in one lifecycle.
Practitioner guidance
- Map identity control boundaries: Document where secrets, privileged access, and certificate lifecycle are governed today, then identify where policy, logging, and revocation change hands between products.
- Collapse duplicate approval paths: Remove separate approval flows for application secrets, human access, and certificate issuance where they create inconsistent entitlement records.
- Validate revocation across all three layers: Test whether revoking a secret, ending a remote session, and removing a certificate attachment all produce immediate and traceable state changes in the same audit trail.
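One way to run the third check, as an added example that is not Akeyless or CyberArk code: the script below reconciles a constructed unified audit feed across the three layers and flags any credential a principal still holds after offboarding has begun, or whose revocation lags the first revoke by more than a tolerance window. The record fields (`ts`, `layer`, `principal`, `subject`, `event`) and the event names are assumptions, not a real product's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records for one DBA across all three layers.
# Assumed schema: secret issue/revoke, session start/end, cert attach/detach.
AUDIT = [
    {"ts": "2024-05-01T10:00:00", "layer": "secret",  "principal": "dba-alice", "subject": "pg-dyn-7f3", "event": "issue"},
    {"ts": "2024-05-01T10:00:02", "layer": "cert",    "principal": "dba-alice", "subject": "tls-db01",   "event": "attach"},
    {"ts": "2024-05-01T10:00:05", "layer": "session", "principal": "dba-alice", "subject": "sra-4411",   "event": "start"},
    {"ts": "2024-05-01T11:30:00", "layer": "session", "principal": "dba-alice", "subject": "sra-4411",   "event": "end"},
    {"ts": "2024-05-01T11:45:00", "layer": "secret",  "principal": "dba-alice", "subject": "pg-dyn-7f3", "event": "revoke"},
    # No cert detach record: the TLS attachment is left standing after offboarding.
]

OPEN = {"issue", "start", "attach"}    # events that create standing state
CLOSE = {"revoke", "end", "detach"}    # events that should remove it


def check_revocation(records, max_lag=timedelta(minutes=5)):
    """Return {principal: {layer: finding}}; an empty dict means the three
    layers revoked together within max_lag of the first revoke event."""
    opened = defaultdict(dict)   # principal -> layer -> open timestamp
    closed = defaultdict(dict)   # principal -> layer -> close timestamp
    for r in records:
        ts = datetime.fromisoformat(r["ts"])
        if r["event"] in OPEN:
            opened[r["principal"]][r["layer"]] = ts
        elif r["event"] in CLOSE:
            closed[r["principal"]][r["layer"]] = ts
        # unknown event names are ignored rather than guessed at

    findings = defaultdict(dict)
    for principal, layers in opened.items():
        revs = closed.get(principal, {})
        if not revs:
            continue  # nothing revoked yet, so nothing to reconcile
        first = min(revs.values())  # offboarding begins at the earliest close
        for layer in layers:
            if layer not in revs:
                findings[principal][layer] = "standing: never revoked"
            elif revs[layer] - first > max_lag:
                findings[principal][layer] = f"lag: {revs[layer] - first}"
    return dict(findings)


if __name__ == "__main__":
    for principal, issues in check_revocation(AUDIT).items():
        for layer, finding in issues.items():
            print(f"{principal} {layer}: {finding}")
```

Feeding the same check the export of each product separately, rather than one trail, is exactly the reconciliation step the article says fragmented tooling pushes onto auditors.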
What's in the full article
Akeyless's full post covers the operational detail this analysis intentionally leaves for the source:
- Step-by-step walkthrough of dynamic secret issuance for PostgreSQL workloads and the API flow behind it.
- Certificate chain creation and attachment steps for provisioning TLS material onto a target machine.
- Secure Remote Access session flow for human DBA access without shared SSH keys or VPN dependency.
- Unified audit trail examples showing secret requests, certificate issuance, and remote session records in one console.
👉 Read Akeyless's comparison of secrets, access, and certificate lifecycle control →
Secrets, access, and certificates: what fragmented identity control breaks?
Identity security fragments when teams bolt together secrets, PAM, and certificate tools. The article illustrates a common enterprise pattern: controls are purchased in layers, then governed as if they were one system. In reality, separate admin layers create separate policy assumptions, which is where drift starts. The implication is that identity governance needs a lifecycle view, not just a product inventory.
A few things that frame the scale:
- 54% of organisations are dissatisfied with their current secrets management solution because not all secrets are secured, and 43% cite lack of central management, according to The 2024 State of Secrets Management Survey.
- Only 44% of organisations are currently using a dedicated secrets management system, which helps explain why fragmented identity control remains common in practice.
A question worth separating out:
A: Separate certificate management focuses on issuance and renewal as a technical task. Identity-led management treats certificates as part of the same trust boundary as secrets and privileged access, so ownership, revocation, and audit are aligned. That approach is easier to govern and much easier to defend during incidents.
👉 Read our full editorial: Akeyless and CyberArk show the cost of fragmented identity control