Ownership should sit jointly across IAM, clinical operations, and security, because the problem spans access design, workflow timing, and risk control. If only the security team drives it, the result often misses clinical reality. If only operations drives it, assurance can be too weak. Shared governance is the practical answer.
Why This Matters for Security Teams
Passwordless transformation in healthcare is not just an authentication upgrade. It changes how clinicians sign in, how shared workstations are handled, how emergency access works, and how auditability is preserved across regulated systems. That is why ownership cannot sit with a single control function. The practical question is who can balance clinical workflow, identity assurance, and risk acceptance without creating unsafe workarounds.
Security teams often frame passwordless as a technology migration, but healthcare operations experience it as a workflow redesign. If the ownership model is too narrow, implementation usually breaks at the point of care, especially where shift handovers, roaming users, and urgent access to EHR systems are involved. Current guidance on resilience and access control, including the NIST Cybersecurity Framework 2.0, supports shared accountability rather than isolated control ownership.
NHI Management Group research gives a sense of the identity risk that surrounds this work: according to its Ultimate Guide to NHIs, 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. That figure is relevant here because a passwordless rollout adds federation connectors, device-binding services, and integration credentials that are themselves non-human identities and need named owners. In practice, many healthcare organisations only discover ownership gaps after rollout stalls, rather than through intentional design.
How It Works in Practice
Operationally, ownership should be structured as shared governance with clear decision rights. IAM usually owns the identity architecture, authentication methods, federation, and lifecycle controls. Security owns assurance requirements, risk thresholds, policy, and exception handling. Clinical operations owns workflow fit, downtime procedures, bedside usability, and whether the solution actually works during care delivery. That split keeps the programme from being treated as either an IT hardening project or a front-line process change.
In practice, a strong model includes a steering group with one accountable executive sponsor, then working ownership across three domains:
IAM: selects phishing-resistant authenticators, defines enrolment, recovery, and device-binding standards.
Clinical operations: validates workflow timing, shared device use, and emergency access scenarios.
Security: sets acceptable risk, logging, monitoring, and break-glass governance.
Passwordless adoption also needs a migration path, not a single cutover. Start with high-friction user groups, privileged staff, and remote access. Then test recovery paths carefully: recovery is where passwordless programmes fail in two ways at once. If recovery is more cumbersome than a password reset, clinicians route around it; if recovery falls back to a password, a one-time code sent to a phone, or an unverified helpdesk reset, it quietly reintroduces the phishable path the programme was meant to remove. The recovery path therefore needs the same assurance level and the same owner as the primary authenticator. NHI Management Group’s Ultimate Guide to NHIs is relevant here because the governance discipline that reduces secret sprawl also improves identity lifecycle control across human and non-human access.
For implementation detail, authentication design should map to the Identity Management, Authentication, and Access Control category (PR.AA) of NIST Cybersecurity Framework 2.0, and take its assurance levels and phishing-resistance definitions from the NIST SP 800-63 Digital Identity Guidelines, since CSF 2.0 describes outcomes rather than authenticator specifics. Device trust, session control, and logging need the same attention as the authenticator itself. These controls tend to break down when legacy clinical apps cannot support modern federation, because teams then resort to exceptions that recreate password-based risk.
Common Variations and Edge Cases
Tighter passwordless controls often increase implementation overhead, requiring organisations to balance security uplift against clinical continuity. That tradeoff becomes more visible in emergency departments, operating theatres, and shared workstation environments where latency, recovery, and downtime procedures matter as much as authentication strength.
There is no universal standard for this yet, but current guidance suggests that the ownership model should change by use case. For example, workforce sign-in at managed endpoints can be owned primarily by IAM with security oversight, while clinical mobility and shared access workflows need heavier operational ownership. Break-glass access is another special case: it should remain rare, be logged and monitored as it happens, carry a recorded approval for each use (after the fact where the emergency demands it), and be reviewed jointly, not left as an informal local workaround. The practical test of "rare" is whether anyone would notice if a unit started using it routinely.
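What "monitored" means in practice for break-glass access is the part most governance documents leave implicit. The following is an added example written for this page, not code from the original article or from NHI Mgmt Group: it runs two checks over a constructed sign-in audit log and a constructed approval export, flagging any break-glass sign-in without its own recorded approval inside an approval window, and any unit whose break-glass volume exceeds a limit within a rolling window. The log schema, the `bg-` account naming, the `method == "break_glass"` marker, and the window and limit values are all assumptions standing in for whatever the local IdP and ticketing system actually emit.

```python
"""Break-glass monitoring over sign-in audit events (added example).

Assumptions (hypothetical, not from the page): sign-in events are JSON lines
with fields ts, user, unit, method, workstation; method == "break_glass"
marks emergency access; approvals are JSON lines with ts, user, approver,
ticket. One approval covers exactly one break-glass sign-in recorded within
APPROVAL_WINDOW of it, before or after (post-hoc approval is allowed).
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta

APPROVAL_WINDOW = timedelta(hours=4)   # assumed policy value
UNIT_RATE_LIMIT = 2                    # assumed: more than 2 uses per unit in 24h is anomalous
RATE_WINDOW = timedelta(hours=24)

# Constructed sample audit log; not real data.
AUDIT_LOG = """
{"ts": "2026-03-01T08:02:11Z", "user": "j.ahmed", "unit": "ED", "method": "fido2", "workstation": "ED-WS-01"}
{"ts": "2026-03-01T08:15:40Z", "user": "bg-ed-01", "unit": "ED", "method": "break_glass", "workstation": "ED-WS-03"}
{"ts": "2026-03-01T09:10:05Z", "user": "bg-ed-01", "unit": "ED", "method": "break_glass", "workstation": "ED-WS-03"}
{"ts": "2026-03-01T11:47:22Z", "user": "bg-ed-02", "unit": "ED", "method": "break_glass", "workstation": "ED-WS-07"}
{"ts": "2026-03-01T13:30:00Z", "user": "bg-theatre-01", "unit": "Theatres", "method": "break_glass", "workstation": "OT-WS-02"}
{"ts": "2026-03-01T14:05:19Z", "user": "m.okafor", "unit": "Theatres", "method": "fido2", "workstation": "OT-WS-02"}
"""

# Constructed approval export (e.g. from the ticketing system); not real data.
APPROVALS = """
{"ts": "2026-03-01T08:20:00Z", "user": "bg-ed-01", "approver": "charge.nurse.ed", "ticket": "BG-1041"}
{"ts": "2026-03-01T13:25:00Z", "user": "bg-theatre-01", "approver": "theatre.coordinator", "ticket": "BG-1042"}
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "unapproved" or "rate_exceeded"
    user: str    # "*" for unit-level findings
    unit: str
    ts: str
    detail: str


def _parse(lines: str) -> list[dict]:
    return [json.loads(line) for line in lines.strip().splitlines() if line.strip()]


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def find_break_glass_issues(audit: str, approvals: str) -> list[Finding]:
    events = sorted((e for e in _parse(audit) if e["method"] == "break_glass"),
                    key=lambda e: e["ts"])
    unused: dict[str, list[dict]] = {}
    for a in _parse(approvals):
        unused.setdefault(a["user"], []).append(a)

    findings: list[Finding] = []

    # Check 1: each break-glass sign-in consumes the nearest unused approval
    # within APPROVAL_WINDOW. Reusing one approval across several sessions is
    # flagged; that reuse is how a "rare" control drifts into routine use.
    for e in events:
        ts = _t(e["ts"])
        candidates = unused.get(e["user"], [])
        match = min((a for a in candidates if abs(_t(a["ts"]) - ts) <= APPROVAL_WINDOW),
                    key=lambda a: abs(_t(a["ts"]) - ts), default=None)
        if match is None:
            findings.append(Finding("unapproved", e["user"], e["unit"], e["ts"],
                                    f"no unused approval within {APPROVAL_WINDOW} for {e['workstation']}"))
        else:
            candidates.remove(match)

    # Check 2: break-glass volume per unit inside a rolling RATE_WINDOW.
    by_unit: dict[str, list[dict]] = {}
    for e in events:
        by_unit.setdefault(e["unit"], []).append(e)
    for unit, evs in by_unit.items():
        for i, e in enumerate(evs):
            ts = _t(e["ts"])
            in_window = [x for x in evs[: i + 1] if ts - _t(x["ts"]) < RATE_WINDOW]
            if len(in_window) > UNIT_RATE_LIMIT:
                findings.append(Finding("rate_exceeded", "*", unit, e["ts"],
                                        f"{len(in_window)} break-glass sign-ins within {RATE_WINDOW} (limit {UNIT_RATE_LIMIT})"))
                break  # one finding per unit is enough to page the clinical owner
    return findings


if __name__ == "__main__":
    for f in find_break_glass_issues(AUDIT_LOG, APPROVALS):
        print(f"{f.kind:14} unit={f.unit:9} user={f.user:14} {f.ts}  {f.detail}")
```

On the constructed data the run produces three findings: the second `bg-ed-01` session has no approval of its own, `bg-ed-02` has none at all, and the emergency department as a unit crosses the rate limit. The first two are a security-team concern (approval discipline), the third is a clinical-operations concern (why does this unit need break-glass so often), which is exactly the split in ownership the section above argues for.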
Healthcare organisations also need to avoid the common mistake of treating passwordless as complete once passwords disappear. Account recovery, device replacement, temporary access, and contractor onboarding still require strong governance. Where identity sprawl is already high, the same NHI discipline described in the Ultimate Guide to NHIs helps prevent new authentication methods from becoming just another unmanaged access layer.
The best owner is usually not a single department but a jointly governed programme with one accountable executive and shared operational control. That model holds until the organisation must support highly variable legacy applications, because application constraints often force local exceptions that weaken the standard.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 describes the governance and access-control outcomes this ownership model needs to meet; the subcategories below are the ones that map most directly.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.RR-02 | Roles, responsibilities, and authorities for cybersecurity risk are established, communicated, understood, and enforced. This is where the IAM, security, and clinical operations split is written down. |
| NIST CSF 2.0 | GV.OV-01 | Risk management strategy outcomes are reviewed to adjust direction. The steering group uses this to revisit the ownership split as rollout and recovery data come in. |
| NIST CSF 2.0 | PR.AA-01 | Identities and credentials for users, services, and hardware are managed by the organisation. Enrolment, device binding, and lifecycle ownership sit here. |
| NIST CSF 2.0 | PR.AA-03 | Users, services, and hardware are authenticated. Phishing-resistant authenticators, recovery paths, and break-glass authentication fall here. |
Use GV.RR-02 to record who approves a change in authentication strength and who owns each exception, and PR.AA-01 to define how users and devices are enrolled, bound, and retired.
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org