
Should organisations keep enterprise password managers after passkey adoption starts?

By NHI Mgmt Group Editorial Team · Updated June 11, 2026 · Domain: Governance, Ownership & Risk

Yes, while passwords still exist in business workflows. Enterprise password managers remain useful for secure storage, sharing, and visibility into risky credentials during the transition. They are not the end state, but they are still part of the control stack until passwords are genuinely removed from critical paths.

Why This Matters for Security Teams

Passkeys reduce dependence on shared passwords, but they do not instantly remove every password-bearing workflow. Security teams still need a control plane for legacy logins, break-glass access, shared vendor portals, and administrative exceptions. Enterprise password managers remain useful because they centralise storage, improve visibility, and support safe sharing while the organisation is still in transition. The real risk is treating passkey adoption as a flag day instead of a phased migration with overlapping controls.

This matters because unmanaged credentials remain a primary source of identity compromise. NHIMG’s Ultimate Guide to NHIs — Why NHI Security Matters Now highlights how often secrets remain exposed outside proper control, and the same pattern applies to human and shared credentials during passkey rollout. The NIST Cybersecurity Framework 2.0 reinforces the need for continuous identity visibility and risk management rather than one-time cleanup. In practice, many security teams encounter password sprawl only after a failed login, emergency access event, or leaked credential has already created an incident.

How It Works in Practice

Enterprises should keep the password manager until passwords are genuinely out of critical paths. That means more than browser autofill. It includes service desks, privileged admin accounts, third-party portals, app recovery flows, and any system that still cannot support passkeys or phishing-resistant authentication. During migration, the password manager becomes a transitional control for visibility, policy enforcement, and safer handling of exceptions.

Practically, teams should use the password manager to:

  • Inventory where passwords still exist, especially privileged and shared accounts.
  • Enforce strong generation, storage, and rotation for credentials that cannot yet be retired.
  • Restrict who can view, export, or share secrets, with approval workflows for sensitive access.
  • Track which systems support passkeys, which support both, and which remain password-only.
  • Reduce risky shadow storage by replacing notes, spreadsheets, and browser-saved passwords with managed vaults.

That transition should be aligned with broader lifecycle governance. The NHIMG Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is a useful reminder that identities only become safer when issuance, access, rotation, and revocation are managed end to end. While that guide focuses on NHIs, the operational lesson applies here: visibility without lifecycle control leaves hidden risk in place. In parallel, passwordless adoption should be tracked as a control objective inside IAM, PAM, and help desk procedures, not only as an authentication project. These controls tend to break down in large enterprises with many inherited applications because exception handling starts to outnumber the migration plan.

Common Variations and Edge Cases

Tighter password governance often increases operational overhead, requiring organisations to balance faster passkey rollout against the reality of legacy dependencies. Some environments can remove password managers from end-user workflows sooner, but very few can eliminate them entirely at the start.

Current guidance suggests three common edge cases. First, regulated or air-gapped systems may remain password-based longer because their authentication options are constrained. Second, shared administrative access often still needs a controlled vault even when user logins have moved to passkeys. Third, recovery and break-glass accounts need exceptional handling because they are intentionally rare but operationally critical. Best practice is evolving, but there is no universal standard for when a password manager can be retired completely.

Use the transition period to define exit criteria: no password-only production access, no unmanaged shared credentials, no secret storage outside approved systems, and no business process that depends on a password manager for routine access. The NHIMG Top 10 NHI Issues is relevant here because the same hidden-credential failures that affect NHIs also show up in human workflows when migration is incomplete. Organisations should keep the password manager until those exceptions are measured, not assumed away.
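As an added example (not part of the NHIMG guidance), the script below turns the four exit criteria above, together with the inventory and tracking tasks listed earlier, into measured checks against a constructed inventory. The record layout, the APPROVED_STORAGE set and the treatment of break-glass credentials as a tracked exception rather than a blocker are assumptions.

```python
from dataclasses import dataclass

@dataclass
class System:
    name: str
    auth: str          # "passkey", "both" (passkey or password), or "password"
    production: bool

@dataclass
class Credential:
    system: str
    shared: bool
    storage: str       # "vault" is the managed store; anything else is shadow storage
    break_glass: bool = False

APPROVED_STORAGE = {"vault"}            # assumption: only the enterprise vault is approved
PASSKEY_CAPABLE = {"passkey", "both"}

def evaluate(systems, credentials):
    """Map the four exit criteria to the concrete exceptions still blocking retirement."""
    auth_of = {s.name: s.auth for s in systems}
    report = {
        # 1. no password-only production access
        "password_only_production": sorted(s.name for s in systems
                                           if s.auth == "password" and s.production),
        # 2. no unmanaged shared credentials
        "unmanaged_shared": sorted(c.system for c in credentials
                                   if c.shared and c.storage not in APPROVED_STORAGE),
        # 3. no secret storage outside approved systems
        "shadow_storage": sorted(f"{c.system}:{c.storage}" for c in credentials
                                 if c.storage not in APPROVED_STORAGE),
        # 4. no routine vault dependence where passkeys already work (break-glass is a tracked exception)
        "routine_vault_dependence": sorted(c.system for c in credentials
            if not c.break_glass and c.storage in APPROVED_STORAGE
            and auth_of.get(c.system) in PASSKEY_CAPABLE),
    }
    capable = sum(1 for s in systems if s.auth in PASSKEY_CAPABLE)
    report["passkey_coverage"] = capable / len(systems) if systems else 0.0
    return report

def ready_to_retire(report):
    """True only when every exit-criterion list is empty; coverage alone is not enough."""
    return all(not v for k, v in report.items() if k != "passkey_coverage")

# Constructed sample inventory (not real systems or credentials).
SYSTEMS = [System("hr-portal", "passkey", True), System("vendor-billing", "password", True),
           System("legacy-scada", "password", False), System("cloud-console", "both", True)]
CREDENTIALS = [Credential("vendor-billing", True, "vault"), Credential("cloud-console", True, "spreadsheet"),
               Credential("cloud-console", False, "vault", break_glass=True),
               Credential("hr-portal", False, "vault"), Credential("legacy-scada", False, "note")]
```

Call `evaluate(SYSTEMS, CREDENTIALS)` and pass the result to `ready_to_retire`; with the sample data the password-only vendor portal, the spreadsheet-held shared console credential and the note-stored SCADA password keep the answer False even though half the systems already support passkeys.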

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Identity proofing and access control cover the transition from passwords to passkeys.
OWASP Non-Human Identity Top 10 | NHI-03 | Secret lifecycle management is relevant while passwords still exist in shared and admin workflows.
NIST AI RMF | GOVERN | Governance is needed to manage phased authentication change and exception handling.

Inventory remaining password use and enforce stronger access controls until passwordless coverage is complete.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org