
How to unify human and machine identity management through an identity fabric

This blog introduces the concept of an identity fabric to inspect, protect, and govern both humans and non-human identities.

How many tools do you have for managing identities? If your organization is like most, the answer is ‘a lot’.

Identity has become the front line of cybersecurity. Whether it’s an employee logging into a SaaS application or an API connecting to a backend database, every access request is tied to an identity. And yet, most organizations struggle to manage them well.

Research from Rubrik and Zscaler states that roughly 60–80% of cyber incidents today involve compromised identities. These breaches happen not because of missing tools, but because identity management is often split into two separate worlds: human identities managed by IT, and machine (non-human) identities managed by DevOps or platform engineering.

Each group uses different tools, processes, and priorities, and they rarely share information. Neither group has visibility into what’s happening in the other, nor can they see suspicious interactions between human and non-human identities. And that’s a problem.

In this blog post, you’ll learn:

  • Why the current siloed approach can’t last
  • What an identity fabric is and why it matters
  • Six critical challenges it helps solve
  • Actionable patterns to start today — without replacing your existing tools

»What’s the problem?

Identity fabric core

For human identities, the work is typically handled by IT teams using identity and access management (IAM) platforms tied into corporate directories. On paper, it looks fine. Employees and partners authenticate through a standard process, often governed by formal access policies. But beneath the surface, it’s messy. Different systems may be used for internal and external users, and sometimes these are managed by different teams. Legacy integrations are brittle, and no one wants to touch them for fear of breaking something. And multi-cloud deployments scatter identity configurations across multiple providers.

Non-human (or machine) identities live in a different universe. Managed by DevOps or platform engineering teams, these identities include everything from API keys and SSL certificates to cloud credentials and service accounts, and are commonly embedded in code or configuration files. They often outnumber human identities by a factor of 10, 20, or even 45 to 1. Yet they are largely invisible to IT and the office of the CISO, and governance is minimal. Hardcoded static secrets are common. Rotating credentials on schedule is the exception, not the rule.

What makes this worse is the organizational gap. The IT team and the DevOps/platform team might meet occasionally, maybe once a month, but they speak different operational languages. In our latest Cloud Complexity Report, nearly three-quarters of respondents reported that their security teams and platform engineering teams do not work as a unified function. IT focuses on compliance, governance, and user experience. DevOps is driven by speed, scalability, and uptime. The tools are different. The priorities are different. And because the two sides rarely share a unified view of identities, it’s easy for suspicious activity to go unnoticed.

»Why the current approach is not sustainable

When you manage human and non-human identities in silos, the weaknesses multiply. Attackers have learned to exploit the gaps. According to IBM’s Cost of a Data Breach Report 2024, it took organizations an average of 292 days to identify and contain a cyberattack using compromised credentials. That’s a huge window for an attacker (the longest-lasting vector in the report).

A compromised service account can be used by a malicious actor to gain access to sensitive data, while a developer’s stolen credentials can be used to manipulate automated processes. Without a shared system of oversight, no one team has the full picture, and no one realizes something’s wrong until it’s too late.

This issue only gets more serious as systems evolve. The rise of AI and agentic AI, which exponentially increases non-human identities, threatens to multiply the complexity and the risk.

»The identity fabric: A new vision for identity management

Imagine what it would be like if you could bring these two groups together, where both IT and DevOps/platform teams can see what is happening with all identities and quickly detect when something unusual is taking place. Sound like a fantasy? It’s not. It can be done today by creating an identity fabric.

An identity fabric is a flexible yet integrated approach to managing and observing all identities, human and non-human alike. Think of it as weaving together the threads of existing tools, processes, and teams into one coherent structure. The identity fabric doesn’t necessarily replace your current tools; instead, it connects them. It creates a layer of visibility and governance that spans your entire identity landscape.

With an identity fabric, both IT and DevOps/platform teams can see the same reality in real time. Suspicious crossovers between human and machine identities, such as a human user account suddenly leveraging a service account, become visible instantly. And once you can see these patterns, you can act on them.

An identity fabric isn’t just a new way to think about security. It tackles some of the most pressing identity management challenges organizations face today.

  1. Identity observability: It gives you the ability to see where identities exist, how they’re being used, and whether those uses make sense.
  2. Frictionless access: It simplifies the user experience, replacing clumsy passwords with secure, seamless authentication.
  3. Secrets management: It replaces hard-coded credentials with centralized secrets management, ideally issuing short-lived credentials that expire before they can be misused, and controls privileged accounts with fine-grained access controls.
  4. Privileged account management (PAM): It allows teams to monitor and control accounts with elevated permissions (both human and non-human).
  5. Threat detection and management: It detects identity-focused policy violations or unusual activity in real time, allowing you to respond before damage is done.
  6. Governance and lifecycle management: An identity fabric gives you the ability to grant, modify, and revoke access in a consistent, policy-driven way.

Combined into one central solution, these capabilities make it easier to reduce the risk of breaches, simplify operations, and help organizations stay compliant without slowing down the business.

»Creating an identity fabric with IBM and HashiCorp

While the concept of the identity fabric is technology-agnostic, making it real requires tools that can deliver on its promises today. In practice, this often involves combining:

  • A robust secrets management platform for machine identities
  • A mature IAM and governance suite for human identities, and
  • An AI-driven observability capability layered over both

An identity fabric should be built to work with existing tooling from a variety of IAM vendors. This is what IBM and HashiCorp, an IBM company, have done.

Full Identity Fabric

»Human identity

Traditionally, when we talk about identity and access management (IAM) for humans, we think in two primary segments.

First, there’s Consumer or Customer Identity and Access Management (CIAM), focusing on external users like customers. Then we have Workforce Identity and Access Management (WIAM), which handles employees, agents, and contractors.

Typically, these two segments are managed by different tools and often by different vendor systems. That means CIAM might be handled by a solution like Okta, Ping, or IBM Verify, while WIAM could be managed by Microsoft Entra ID, IBM Verify, or another tool.

When organizations adopt cloud or multi-cloud environments, this complexity grows. Now you have CIAM and WIAM directories provided by AWS, Azure, or Google Cloud, with each adding another layer.

But it doesn’t stop there. As teams look beyond these two main segments, they often find additional directories in the form of homegrown or line-of-business legacy applications that manage their own authentication. These might rely on a simple SQL table, a flat file, or even hard-coded credentials.

»Non-human identity

For non-human identities or service accounts, many companies start by creating identity principals in Microsoft Entra ID or Active Directory. These identities often follow a standard naming convention that visually sets them apart from humans, such as ‘svcWebAppXYZ-dev’ and ‘svcWebAppXYZ-prod’. This works for a time, but as workloads need additional access to services such as the Google Cloud control plane or the Snowflake API, where do those credentials get stored? Commonly, they end up in application configuration files.

»Static secrets management

Companies or teams that have realized that secret sprawl is a risk will often start to adopt a secrets management tool. This could be HashiCorp Vault, Azure Key Vault, AWS Secrets Manager, or a combination of them all. And even though these static secrets are now ‘vaulted’, they are distributed across operating environments and lack centralized governance.

»Observability with AI/ML

IBM Verify Identity Protection (VIP) provides deep visibility and insights into the connections between people, systems, and credentials, through artificial intelligence and machine learning applied against network logs, cloud traffic, and identity telemetry. For example, VIP discovers shadow assets and directories, remnants of Active Directory Application Mode or isolated HashiCorp Vault clusters, as well as cloud-native secrets managers scattered around your infrastructure.

Once teams understand the different directories and secrets managers supporting their environments, they need to inspect the actual secrets being used in those environments.

»Secret scanning

This is where HCP Vault Radar comes in. Vault Radar can evaluate your source code, configuration files, and even collaboration platforms like Microsoft Teams and Slack. It helps identify where secrets, like cloud keys, private keys, SSL certificates, and API keys, are being stored or shared as static credentials.

We recommend starting with this inspection phase to understand the scale of your identity directory and secret sprawl. Once we have that visibility, we tie the inspection of these secrets back into our overall identity fabric. This lets you see which applications are consuming these static secrets and how you can replace them with more secure, short-lived credentials.
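As an added illustration (not Vault Radar's code, nor anything from IBM or HashiCorp), the following scanner performs the kind of inspection described here and in the non-human identity section: it walks constructed config lines, flags static credentials stored beside a conventionally named service account, applies an entropy gate so placeholders are not reported, and pairs each finding with the short-lived replacement a secrets-management phase would introduce. The detector patterns, the entropy threshold and the remediation mapping are assumptions.

```python
"""Toy secret-sprawl scanner. Illustrative example only, not HCP Vault Radar
or any IBM/HashiCorp code; patterns, threshold and remediation map are assumptions."""
import math
import re
from collections import Counter

# (finding type, pattern, short-lived replacement in a Vault-centric secrets model)
DETECTORS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
     "Vault AWS secrets engine: dynamic, auto-expiring IAM credentials"),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
     "Vault PKI secrets engine: short-lived certificates"),
    ("db_password", re.compile(r"(?i)\b(?:db_)?password\s*[=:]\s*['\"]?([^'\"\s]+)"),
     "Vault database secrets engine: per-lease database users"),
    ("generic_secret", re.compile(r"(?i)(?:secret|token|api_key)\w*\s*[=:]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"),
     "Vault KV with scheduled rotation, or workload identity (JWT/OIDC auth)"),
]

def shannon_entropy(value: str) -> float:
    """Bits per character; placeholders such as 'changeme' score low."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_lines(lines, min_entropy=3.0):
    """Return at most one finding per line, with the value masked to its first 4 chars."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for kind, pattern, fix in DETECTORS:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            # Entropy gate applies only to free-form values; AKIA... and PEM headers are fixed-format
            if match.groups() and shannon_entropy(value) < min_entropy:
                continue
            findings.append({"line": lineno, "type": kind, "masked": value[:4] + "...", "fix": fix})
            break  # one finding per line is enough for triage
    return findings

# Constructed sample config: a service account named per the convention in the text, with its
# static credentials stored beside it. The AKIA.../wJalr... pair are AWS's documented example values.
SAMPLE_CONFIG = """\
# constructed sample app config, not a real secret store
[snowflake]
user = svcWebAppXYZ-prod
password = "Xq7!vL2#pR9zT4wK"
[aws]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[legacy]
password = changeme
tls_key = -----BEGIN RSA PRIVATE KEY-----
""".splitlines()

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_CONFIG):
        print(f"line {f['line']:>2} {f['type']:<18} {f['masked']:<10} -> {f['fix']}")
```

The `fix` field is what ties inspection back to the fabric: each static finding maps to the dynamic or rotated credential that should replace it.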

»MFA

Next comes the protect phase, where we ensure corporate policies related to human identities are enforced, such as multi-factor authentication (MFA) or passkeys. We also plug the holes that we found with VIP, such as MFA bypass or other anomalies that erode our security posture.

»Dynamic secrets management

We will then focus on non-human identities, moving them into a centralized vault such as HashiCorp Vault, which provides fine-grained access control through policies, the ability to audit and report to meet compliance goals, and a central control plane for all non-human identity management.

Teams typically start with the static, long-lived secrets such as database credentials, API keys, and cloud access keys. Once they have them centrally vaulted, they can start to understand which secrets need to have rotations, and also evaluate which secrets can be moved from static to fully dynamic secrets.

»Workflows and edge cases

We also start to take a hard look at our human workflows and identity paths and address things such as MFA bypass or implementing frictionless access. We spend time tightening up the use cases and edge cases. We look at systems that don’t natively support SSO/federation or newer authentication methods, and we layer on technologies such as IBM Verify Application Gateway and IBM Verify Trust that work with existing identity providers. I’ve yet to run across any enterprise that isn’t composed of years of technology sprawl, through M&A or organic growth.

»Secure remote access

Then we start to look at how the most privileged of workflows can be secured. I’m a developer and an operator at heart, and my main goal is to reduce the friction of the security systems so that they are easily adoptable and can integrate into existing workflows.

For operators who need to sometimes pull a log or a stack trace off of a pod running on OpenShift or Kubernetes, HashiCorp Boundary can provide transparent connection and access to dynamic resources such as virtual machines, containers, or more traditional infrastructure such as databases and storage arrays on-premises.

»Governance

We then move into the govern phase, where we can apply consolidation, governance, and policy enforcement to the directories that were discovered. Many of the products and patterns mentioned provide governance in their own domains. For broader Identity Governance and Administration (IGA) patterns, we recommend IBM Verify Identity Governance to provide holistic governance support for onboarding and offboarding human identities.

The protect, govern, and inspect aspects of the identity fabric

»What this means to your organization

When done right, an identity fabric strengthens security, makes operations more efficient, and reduces compliance headaches. The security gains come from faster detection and response to identity-based threats. Efficiency improves because teams spend less time reconciling disparate tools and more time solving problems that matter. Compliance becomes easier because the unified view makes it simple to prove who had access to what and when. And perhaps most importantly, it lays the groundwork for managing the explosive growth in identities that AI will bring.

For more information about how to create an identity fabric with IBM and HashiCorp, reach out to your account team to schedule a discovery session and deep dives. We find that every customer is unique in their own ways, and we recommend engaging our subject matter experts so that they can understand what is unique about you. Get in touch and we can schedule a discovery session.

»Learn more

We have published a short video that explains these same concepts, and helps to frame the problem for executive audiences.
