IAM is Dead...Long Live ICAM

A funny thing happened on our way to 2025. IAM – the cybersecurity discipline we all know and love as “Identity and Access Management” – stumbled and fell. Worse, it was a slow-motion, arm-flailing, Wile E. Coyote-style messy sort of spill, and IAM broke an aging and brittle hip. It was forced into a long, anxious touch-and-go hospital stay.

On returning to active duty – with its new, titanium-alloy hyper-resilient hip in place – the old discipline not only adopted a new moniker but also challenged every practitioner and strategist and bystander to either address it by its new name or be ignored.

The new name? “ICAM,” or Identity, Credential and Access Management.

The Downfall of IAM

In a cybersecurity world full of self-important acronyms, “IAM” was arguably the oldest, most evolved, and richest. It was the original security category, born from Fernando Corbató's work at MIT in the early 1960s on the Compatible Time-Sharing System, where the first computer passwords let users keep their own private files on a shared machine. It evolved through numerous improvements from the 1970s on. And it made piles and piles of money: the U.S. IAM market was about $18 billion in 2023, forecast to reach $63 billion by 2032.

But the last few years have been brutal for IAM. The number of identities exploded: roughly 30 identities per knowledge worker, and machine identities outnumbering humans by about 45 to 1. MFA was widely adopted, but breaches continued and even increased, largely because organizations preferred the weaker flavors of MFA (SMS codes and push prompts, which phishing kits and push fatigue defeat) or deployed it incompletely. A prime example is the 2024 Change Healthcare breach, which affected roughly 100 million Americans: the attackers logged into a Citrix remote-access portal with stolen credentials on an account that had no MFA enabled at all. And one of the leaders in enterprise-scale identity security, Okta, suffered its own painful breach in 2023 when a service-account credential for its customer support system was saved into an employee's personal Google profile on a company-managed laptop and was compromised from there.

The hard truth is identity and access management alone simply is not good enough.

ICAM Takes the Stage

While this was happening, a curious shift occurred in cybersecurity thinking. It was led (oddly) by new thinking in the federal government, which, after years of relying on “best-of-breed” tools defined by the commercial sector, started to define its own requirements for what counts as acceptable cybersecurity practice.

This long hard look included Executive Order 14028 in May 2021, which pushed agencies toward zero-trust architecture and multifactor authentication and tasked CISA (the Cybersecurity and Infrastructure Security Agency) with bringing new requirements, standards and guidelines to the fore. The working groups that followed did not turn the world on its head, but they did rebuild the working meaning of “IAM” around “ICAM.” The term itself was not new: federal guidance has used Identity, Credential and Access Management since the FICAM roadmap of 2009, but the post-2021 push is what moved credentials to the center. It seemed that “credentials” had, overnight, risen in stature, importance, and prominence. But why?

To explain the why we need to look at the fundamentals of authentication, the practice that connects the “I” to the “A” in IAM. Authentication establishes that the party presenting itself really is “Identity A”; authorization then decides whether Identity A may access Resource B. To establish identity, authentication relies on factors: knowledge factors, possession factors and inherence factors.

  • Knowledge factors: things only the user knows, like passwords, PINs or answers to security questions;
  • Possession factors: things only the user has, like hardware keys, certificates or other issued credentials; and
  • Inherence factors: things that reflect what the user inherently and demonstrably is, like fingerprints, retinas or DNA.

Knowledge factors were cheap and easy and relatively secure... until the bottom fell out. Failing passwords were the root cause, of course. Two prime examples: RockYou2024 (often shortened to RockYou24) and generative AI. RockYou2024 was a July 2024 event in which a forum user posted nearly 10 billion plaintext passwords, compiled from years of earlier breaches, on a popular hacking forum. Any password that has ever been reused or exposed in an earlier breach is very likely in it. Add the phishing and spear-phishing campaigns that can be generated by marrying generative AI to nearly 10 billion mostly viable records, and the conclusion CISA drew was that no password can be assumed to be secret.

Credentials, on the other hand, are unique per issuance and bound to a holder or device in a way passwords are not. They can be physical or digital or both. Whether these credentials are X.509 user certificates, machine certificates used for TLS mutual authentication, FIDO passkeys, hardware security keys or API keys, credentials are the bionic add-on to IAM. One caveat: an API key is still a bearer secret that anyone who captures it can replay, so it inherits passwords' weakest property; its advantages are only that it is machine-generated, unique, and easy to rotate or revoke. The asymmetric credentials (certificates, passkeys, hardware keys) are the ones that actually change the threat model, because the verifier holds only a public key and nothing that a thief of the verifier's database could replay.

In 2023, CISA published its ICAM 101 Briefing for Public Safety Officials to illustrate some of these points and to get federal identity architects to think in a new way. This document defines credential management as “the set of practices that an organization uses to issue, track, update and revoke credentials for identities within a given context.” Essentially, the direction is to replace knowledge factors en masse with possession factors backed by strong, unique, non-repudiable credentials.
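The definition above lists issue, track, update and revoke, and the earlier paragraphs argue that possession factors beat passwords because nothing replayable sits on the server. Here is an added example (not CISA's code and not taken from the briefing) that puts both points into working code: a hypothetical in-memory registry that issues an Ed25519 key pair per credential, stores only the public key, authenticates with a single-use challenge that the holder signs, and revokes. Ed25519 stands in for whatever key a passkey, certificate or hardware token would hold; the registry type, the credential ID scheme (leading bytes of the public key), the purpose string "icam-auth-v1" and the error names are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

var ErrUnknown = errors.New("unknown credential")
var ErrRevoked = errors.New("credential revoked")
var ErrNoChallenge = errors.New("no outstanding challenge (replayed or never issued)")
var ErrBadSignature = errors.New("signature does not verify")

// Credential is the relying party's record: only the public key is stored, so a leaked copy of this table is not replayable.
type Credential struct {
	PubKey  ed25519.PublicKey
	Revoked bool
}

type Registry struct { // hypothetical in-memory store: issue / track / revoke / login
	creds      map[string]*Credential
	challenges map[string][]byte // at most one outstanding challenge per credential ID
}

func NewRegistry() *Registry {
	return &Registry{creds: map[string]*Credential{}, challenges: map[string][]byte{}}
}

// Issue mints an Ed25519 key pair; the private key goes to the holder (a real token keeps it on-device), only the public key is stored.
func (r *Registry) Issue() (string, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, err
	}
	id := hex.EncodeToString(pub[:8]) // credential ID derived from the public key (assumed scheme)
	r.creds[id] = &Credential{PubKey: pub}
	return id, priv, nil
}

func (r *Registry) lookup(id string) (*Credential, error) {
	c, ok := r.creds[id]
	if !ok {
		return nil, ErrUnknown
	}
	if c.Revoked {
		return nil, ErrRevoked
	}
	return c, nil
}

// Revoke marks the credential unusable (the record is kept for tracking) and drops any pending challenge.
func (r *Registry) Revoke(id string) error {
	c, err := r.lookup(id)
	if err != nil {
		return err
	}
	c.Revoked = true
	delete(r.challenges, id)
	return nil
}

// Challenge returns a fresh message to sign; the nonce is bound to a purpose string and the credential ID so the signature is useless elsewhere.
func (r *Registry) Challenge(id string) ([]byte, error) {
	if _, err := r.lookup(id); err != nil {
		return nil, err
	}
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand.Read cannot return an error since Go 1.24
	msg := []byte("icam-auth-v1:" + id + ":" + hex.EncodeToString(nonce))
	r.challenges[id] = msg
	return msg, nil
}

// Verify checks sig over the outstanding challenge, consuming it even on failure so a captured response cannot be replayed or retried.
func (r *Registry) Verify(id string, sig []byte) error {
	c, err := r.lookup(id)
	if err != nil {
		return err
	}
	msg, ok := r.challenges[id]
	if !ok {
		return ErrNoChallenge
	}
	delete(r.challenges, id)
	if !ed25519.Verify(c.PubKey, msg, sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	r := NewRegistry()
	id, priv, _ := r.Issue()
	msg, _ := r.Challenge(id)
	sig := ed25519.Sign(priv, msg) // holder side: the private key never reaches the registry
	fmt.Println("login:", r.Verify(id, sig), "| replay:", r.Verify(id, sig))
	fmt.Println("revoke:", r.Revoke(id), "| after revoke:", r.Verify(id, sig))
}
```

Run it with go run: a fresh login succeeds, the same signature is rejected on replay because Verify consumed the challenge, and every call after Revoke fails with the revoked error. Consuming the challenge on a failed signature as well is deliberate: a guessed or malformed signature cannot be retried against the same nonce. What the registry lacks, and a production credential service needs, is the "update" step (key rotation with an overlap window) and expiry, which is where the scaling pain mentioned at the end of this piece comes from.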

Figure: the CISA note on ICAM and the critical role of strong credentials.

What’s In a Name?

By shifting the IAM center of gravity away from passwords and to strong credentials, ICAM thinking and ICAM system designs remove the cancer that passwords have become from healthy cybersecurity programs. They offer a solution for what has become an increasingly intractable problem.

To be fair, other problems will be introduced: with machine identities outnumbering humans 45 to 1, we will have to adopt systems that can issue, inventory, rotate and revoke credentials by the millions, efficiently and without the outages that silently expiring certificates cause. That is possible and practical. For now, the cybersecurity world will say thanks to IAM for a job well done. Take a seat. ICAM will take it over from here.