IAM’s Unraveling: How Identity & Access Management Fell and ICAM Took Over
A funny thing happened on our way to 2025. IAM — the cybersecurity discipline we all know and love as “identity and access management” — stumbled and fell.
Worse, it was a slow-motion, arm-flailing, Wile E. Coyote-style messy sort of spill, and IAM broke an aging and brittle hip. It was forced into a long, anxious, touch-and-go hospital stay.
On returning to active duty — with its new, titanium-alloy hyper-resilient hip in place — the old discipline not only adopted a new moniker but challenged every practitioner, strategist and bystander to either address it by its new name or be ignored.
The new name? “ICAM,” or identity, credential and access management.
The Downfall of IAM
In a cybersecurity world full of self-important acronyms, IAM was arguably the oldest, most evolved, and richest:
- It was the OG security category, born from Fernando Corbató's work at MIT in 1960 to create the first digital password that allowed users to access their own private files on a time-sharing computer.
- It evolved through numerous improvements from the 1970s on, with the introduction of TLS, SSH, Kerberos, single sign-on (SSO) and federation.
- It made piles and piles of money: the IAM market was about $18 billion in 2023, forecast to become $63 billion by 2032. (That’s about a 15% CAGR for anyone looking to invest.) Along the way it made many companies very wealthy: RSA was bought for $2.1 billion in 2006, and a string of noteworthy IPOs or acquisitions soon followed for IAM companies led by names like Okta, Ping Identity, HID, ForgeRock and CyberArk.
But the last few years have been brutal for IAM. The number of identities exploded to include 30 identities for every knowledge worker, and a 45:1 ratio of machine identities to every human. Multifactor authentication (MFA) was widely adopted for access, but breaches continued unabated and even increased, largely because of a preference for the weaker flavors of MFA or even incomplete MFA (see last year’s Change Healthcare breach affecting 100 million Americans and read the government report citing causes). And one of the leaders in enterprise-scale management of identity security — Okta — suffered its own painful breach due to mismanagement.
I admittedly highlighted certain key words in the previous paragraph to make my own point, but that doesn't make the conclusion less valid:
identity + access + management = simply not enough
ICAM Takes the Stage
While this was happening, a curious shift occurred in cybersecurity thinking. It was led (oddly) by new thinking in the federal government, which, after years of relying on “best-of-breed” tools defined by the commercial sector, started to define its own requirements for what made acceptable cybersecurity practices. (In hindsight, it seems obvious that the federal government would take a long hard look at how the civilian sector’s “best-of-breed” technologies — like SolarWinds — had let it down.)
This long hard look included a new executive order in 2021 that empowered the Cybersecurity and Infrastructure Security Agency (CISA) to bring new requirements, standards and guidelines to the forefront. This, in turn, spawned a new working group whose recommendation didn’t exactly turn the world on its head, but fundamentally rebuilt the meaning of IAM (again the oldest, most evolved, and richest of all cybersecurity product categories!) so it could become ICAM or identity, credential and access management.
It seemed that “credentials” had, overnight, risen in stature, importance, and prominence. Why?
To explain the “why” we need to look at the fundamentals of authentication, which is the practice that connects the “I” to the “A” in IAM. Authentication asserts that “Identity A” can “access” Resource B. To do that, authentication always relies on factors: knowledge factors, possession factors, and inherence factors.
- Knowledge factors: things only the user knows, like passwords or key facts
- Possession factors: things only the user has, like keys, certificates, or credentials (I'm sure you see where this leads)
- Inherence factors: things that reflect what the user inherently and demonstrably is, like fingerprints, retinas or DNA
Knowledge factors were cheap, easy, and relatively secure — until the bottom fell out. We won’t take time here to list all the failings of passwords, but two points are worth mentioning: RockYou24 and generative artificial intelligence (GenAI). RockYou24 was a 2024 event in which a malicious actor leaked nearly 10 billion unique plaintext passwords on a popular hacking forum. If you use a password for any online account, it’s probably in RockYou24.
Why GenAI, though? Well, imagine the kind of phishing and spear-phishing bonanzas that can be created by marrying GenAI with nearly 10 billion mostly viable records. CISA was quick to see that no password was safe.
Credentials, on the other hand, are unique in a way that passwords are not. They can be physical or digital or both. Whether these credentials are TLS user certificates, TLS machine certificates, FIDO passkeys, hardware keys, or API keys, credentials are the bionic add-on to IAM.
In 2023, CISA published “ICAM 101 Briefing for Public Safety Officials” to illustrate some of these points and to get federal identity architects to think in a new way. This document defines credential management as “the set of practices that an organization uses to issue, track, update, and revoke credentials for identities within a given context.”
Essentially, knowledge factors are to be replaced en masse by possession factors that are in turn based on solid, unique, irrefutable credentials.
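To make the CISA definition concrete, here is an added example (not code from the article or from CISA) of the four credential-management practices it names: issue, track, update and revoke. It assumes a hypothetical `CredentialStore` in which each credential is a random secret held by the identity, and proof of possession is an HMAC answer to a single-use server nonce, standing in for a real possession factor such as a certificate or FIDO passkey.

```python
import hashlib
import hmac
import secrets
import time

class CredentialStore:
    # Hypothetical store: issue, track, update (rotate) and revoke possession-factor credentials.
    def __init__(self):
        self._creds = {}      # cred_id -> {identity, secret, expires, revoked}
        self._nonces = set()  # outstanding challenges, each usable exactly once

    def issue(self, identity, ttl_seconds=3600, now=None):
        now = time.time() if now is None else now
        cred_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self._creds[cred_id] = {"identity": identity, "secret": secret,
                                "expires": now + ttl_seconds, "revoked": False}
        return cred_id, secret  # the secret is handed to the holder once and never sent again

    def rotate(self, cred_id):  # update: new secret, same credential id and identity
        self._creds[cred_id]["secret"] = secrets.token_bytes(32)
        return self._creds[cred_id]["secret"]

    def revoke(self, cred_id):
        self._creds[cred_id]["revoked"] = True

    def track(self, identity):  # live credential ids bound to an identity
        return sorted(c for c, r in self._creds.items()
                      if r["identity"] == identity and not r["revoked"])

    def challenge(self):
        nonce = secrets.token_hex(16)
        self._nonces.add(nonce)
        return nonce

    def verify(self, cred_id, nonce, response, now=None):
        now = time.time() if now is None else now
        rec = self._creds.get(cred_id)
        if rec is None or rec["revoked"] or now >= rec["expires"]:
            return False  # unknown, revoked or expired credential
        if nonce not in self._nonces:  # unknown or already consumed nonce: a replay
            return False
        self._nonces.discard(nonce)    # consume the nonce before comparing
        expected = hmac.new(rec["secret"], nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

def holder_answer(secret, nonce):
    # What the credential holder computes on receiving a challenge; the secret stays local.
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
```

A replayed response, an expired or revoked credential, and a response computed with a rotated-out secret all fail `verify`, which is the lifecycle control that a shared password cannot give you.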
What’s In a Name?
You may now be thinking, “So IAM changes its name to ICAM... is that really a big deal?” Well, it has the potential to be a very big deal indeed.
By shifting the IAM center of gravity away from passwords and to strong credentials, ICAM thinking and ICAM system designs remove the cancer that passwords have become from healthy cybersecurity programs. They offer a solution for what has become an increasingly intractable problem.
To be fair, other problems will be introduced: we will have to adopt and leverage systems that can manage many, many thousands of credentials at scale and with a high degree of efficiency. But it’s possible and practical.
But for now, the cybersecurity world will say thanks to IAM for a job well done. Take a seat. ICAM will take it over from here.