TL;DR: Credential management is framed here as the foundation for passwordless and zero-trust architectures, with the interview arguing that weak identity and credential controls can become a business continuity risk rather than a technical inconvenience, according to Versasec. The practical message is that IAM teams should treat credential lifecycle governance as infrastructure resilience, not as an optional control layer.
NHIMG editorial — based on content published by Versasec: Why Security is the Non-Negotiable Infrastructure Foundation, an interview with Fredrik Runnquist
By the numbers:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
Questions worth separating out
Q: How should security teams govern credential lifecycle in zero trust environments?
A: They should govern credential lifecycle as a continuous control, not a one-time setup.
Q: Why do passwordless programmes still need strong identity governance?
A: Passwordless reduces password risk, but it does not remove identity risk.
Q: What breaks when credential ownership is unclear across the enterprise?
A: Accountability breaks first, then revocation discipline, then audit confidence.
Practitioner guidance
- Inventory every credential-bearing control path Build a single inventory for certificates, smart cards, software credentials, service accounts, and API tokens so ownership and revocation are visible across the estate.
- Tie credential issuance to explicit ownership Require each credential class to have a named business owner, a technical custodian, and a defined retirement trigger before it reaches production.
- Test revocation as a production control Run revocation drills for certificates and other credentials to confirm removal happens quickly enough to shrink exposure before access is reused.
What's in the full article
Versasec's full article covers the operational detail this post intentionally leaves for the source:
- The board-level rationale for treating credential management as an infrastructure investment rather than a narrow security purchase.
- The interview’s discussion of UX and operational efficiency as adoption factors for credential tooling in large enterprises.
- The product context around vSEC:CMS and vSEC:CLOUD for organisations evaluating credential issuance and lifecycle control models.
- The author’s framing of how credential management supports passwordless and zero-trust architectures at scale.
👉 Read Versasec's interview on why credential management is a security foundation →
Credential management and zero trust: what IAM teams need now?
Explore further
Credential lifecycle is now an infrastructure resilience control, not an authentication detail. The article is right to frame security as foundational because operational continuity depends on how precisely credentials are issued, governed, and retired. In IAM terms, this is where policy, ownership, and revocation meet the business. Practitioners should treat credential lifecycle failures as resilience failures, not isolated control defects.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
A question worth separating out:
Q: Who is accountable when credential failure affects production resilience?
A: Accountability should sit with the business owner of the service, the platform team running the credential system, and the security function that sets policy. Resilience failures become governance failures when no one can state who approves issuance, who reviews lifecycle exceptions, and who can revoke access under pressure.
👉 Read our full editorial: Security foundations for credential management and zero trust