By | Posted on: 7 May 2026
Why IAM, PAM, and Zero Trust all leave the same credential gap
When Medibank's systems were breached in October 2022, exposing the personal health information of 9.7 million current and former customers, investigators traced the attack's origin to stolen credentials belonging to a third-party IT contractor. Despite multi-million-dollar investments in identity and access management systems, privileged access management tools, and emerging zero-trust architectures, the fundamental vulnerability remained unchanged: users controlled their own credentials, making them inherently susceptible to social engineering and phishing attacks.
The persistent credential problem in financial services
Financial institutions face a structural paradox. They implement sophisticated security frameworks—identity and access management (IAM) for user authentication, privileged access management (PAM) for critical system access, and zero-trust architectures for network security—yet credential compromise remains the primary attack vector. The 2023 Verizon Data Breach Investigations Report found that stolen credentials were involved in 49% of breaches across all sectors, rising to 55% specifically within financial services.
This vulnerability stems from a fundamental design flaw: organisations authenticate identity but delegate credential control to users. Whether accessing core banking systems, insurance underwriting platforms, or customer databases, employees create, remember, and manage passwords themselves. This human element introduces systemic risk that no amount of perimeter security can eliminate.
Regulatory frameworks acknowledge this reality. The Financial Conduct Authority's operational resilience requirements mandate that firms "identify, monitor and manage" operational risks, explicitly including cyber threats. Similarly, Solvency II requires insurers to maintain "effective system of governance" over operational risks, while PCI DSS standards demand "strong access control measures" for payment processing environments.
The scale of credential vulnerability
Recent data illustrates the magnitude of this challenge. IBM's 2023 Cost of a Data Breach Report found that stolen or compromised credentials were the second most common initial attack vector, present in 15% of breaches (behind phishing at 16%), with an average cost of $4.62 million per incident. For financial services specifically, the average breach cost was $5.90 million, the second-highest figure of any industry after healthcare.
The European Banking Authority's 2023 risk assessment identified credential compromise as a "high-priority risk" for EU financial institutions, noting a 78% increase in successful phishing attacks targeting banking credentials between 2022 and 2023. Within insurance, Lloyd's of London reported that 68% of cyber insurance claims in 2023 originated from compromised user credentials, representing £2.1 billion in total payouts.
Perhaps most concerning is the persistence of this vulnerability despite security investments. Gartner estimates that global spending on IAM solutions reached $16.9 billion in 2023, yet credential-based attacks continue to increase. The Ponemon Institute found that 65% of organisations experienced credential-related security incidents within the past 24 months, despite implementing multi-factor authentication and privileged access management systems.
Why current security architectures fail
Traditional security tools address symptoms rather than the underlying structural problem. IAM systems excel at verifying user identities once credentials are provided, but cannot prevent credential theft in the first place. PAM solutions secure privileged accounts through session monitoring and access controls, yet remain vulnerable if underlying credentials are compromised through phishing or social engineering.
Zero-trust architectures represent the most sophisticated approach, continuously verifying access requests and assuming no implicit trust. However, even zero-trust models typically rely on user-controlled credentials for initial authentication. If attackers obtain these credentials through phishing—increasingly sophisticated attacks that can bypass multi-factor authentication—they can potentially satisfy zero-trust verification requirements.
Single sign-on (SSO) solutions, while improving user experience, actually increase risk concentration. A single compromised credential can provide access to multiple systems, amplifying potential damage. Multi-factor authentication adds security layers but remains vulnerable to advanced phishing techniques and SIM-swapping attacks.
A structural approach to credential control
The solution requires fundamentally restructuring credential ownership. Rather than users creating and controlling credentials, organisations must generate, distribute, and manage all authentication materials directly. This approach ensures users never see, store, or transmit credentials—eliminating the human element that enables phishing and social engineering.
Under this model, credentials remain encrypted within organisational control systems, released only for specific authentication events through secure channels. Users authenticate through biometric or hardware-based methods, triggering automated credential release without human intervention. This architecture makes credentials "unphishable"—attackers cannot steal what users never possess.
Implementation requires minimal disruption to existing systems. Current IAM, PAM, and zero-trust investments remain valuable, enhanced by removing their shared vulnerability point. Authentication becomes organisationally controlled while preserving established access management frameworks.
Strategic implications
Financial institutions and insurers face a clear choice: continue investing in perimeter security while leaving the credential gap exposed, or address the structural vulnerability directly. Given regulatory pressures, rising breach costs, and increasing attack sophistication, organisations that fail to control credentials face escalating operational and reputational risks.
The technology exists to eliminate credential-based vulnerabilities entirely. The question is whether financial services leaders will recognise that identity verification and access control, while necessary, are insufficient without organisational credential control.
By | Posted on: 7 May 2026
How M&S Lost £300m to a Credential It Didn’t Control
When Marks & Spencer's former head of technology sold the retailer's customer database to competitors in 2022, the £300 million damages weren't just about lost data. They revealed a fundamental weakness in how financial services and retail organisations control access to their most valuable assets.
The M&S case, which concluded in the High Court this year, centred on a senior executive who retained access to critical systems after joining a competitor. Despite sophisticated identity management systems, the organisation had no control over the actual credentials that unlocked its commercial crown jewels.
The Hidden Vulnerability in Financial Services Access Control
Financial services firms invest heavily in identity and access management, yet most operate under a dangerous assumption: that users will responsibly manage the credentials they create. This model treats identity verification and access control as synonymous—a conflation that costs the sector billions annually.
The fundamental issue isn't who someone is, but how they access systems. Current approaches focus on authenticating identity through passwords, tokens, or biometrics that users ultimately control. Once authenticated, these credentials become transferable assets that can be shared, stolen, or retained beyond employment.
For financial institutions handling sensitive customer data, trading algorithms, or regulatory filings, this represents an unquantified risk. The moment an employee creates a password or receives an authentication token, the organisation cedes control of that access pathway.
The Scale of Credential-Based Losses
Industry data reveals the magnitude of this vulnerability. The 2024 Verizon Data Breach Investigations Report found that 68% of breaches across all sectors involved a human element, predominantly credential misuse and social engineering rather than sophisticated technical attacks.
IBM's Cost of a Data Breach Report 2024 places the global average cost of a breach at $4.88 million, with stolen or compromised credentials the joint most common initial attack vector at 16% of cases. More significantly, breaches involving stolen credentials took an average of 292 days to identify and contain, the longest of any initial attack vector in that report.
The Financial Conduct Authority's annual enforcement actions provide additional context. In 2023, UK financial firms faced £206 million in penalties, with operational resilience failures—often linked to inadequate access controls—representing the fastest-growing category of violations.
These figures exclude the hidden costs of insider threats and competitive intelligence loss, as demonstrated in the M&S case, where the damage extended far beyond immediate financial penalties to encompass long-term market disadvantage.
Why Current Solutions Fall Short
Identity and Access Management (IAM) systems excel at verifying who should have access but cannot control how that access is exercised once granted. Even sophisticated implementations using role-based access control merely determine the scope of permissions, not the security of the access mechanism itself.
Privileged Access Management (PAM) solutions attempt to address this by monitoring and recording high-risk activities, but they fundamentally rely on users controlling their own authentication. A privileged user with legitimate credentials appears identical to a malicious actor using those same credentials.
Single Sign-On (SSO) systems consolidate the problem rather than solve it. By reducing multiple credentials to a single authentication point, they create a more valuable target while maintaining user control over the critical access pathway.
Multi-Factor Authentication (MFA) adds layers of verification but doesn't address the core issue. The factors—whether SMS codes, authenticator apps, or hardware tokens—remain under user control and can be transferred, shared, or compromised.
Zero Trust architectures promise "never trust, always verify" but typically implement this through user-controlled credentials verified at each access point. The trust model remains fundamentally flawed if the verification mechanism itself cannot be trusted.
The common thread across all these approaches is that they enhance the security of user-controlled credentials rather than eliminating user control entirely.
The Structural Solution: Organisational Credential Control
The solution requires inverting the current model. Instead of users creating and controlling their own access credentials, organisations must generate, distribute, and revoke every credential while ensuring users never gain direct control over them.
This approach, implemented through encrypted credential distribution systems, maintains credentials in an organisationally controlled state throughout their lifecycle. When an employee requires system access, they receive an encrypted credential that operates transparently without revealing its contents or allowing manual manipulation.
The distinction is critical: users retain the ability to access necessary systems while losing the ability to extract, share, or retain the underlying credentials. This creates genuinely unphishable access—credentials cannot be stolen because they cannot be seen or manually transmitted.
From a regulatory perspective, this model aligns with emerging requirements around operational resilience and third-party risk management. The FCA's operational resilience framework emphasises maintaining control over critical business services, which necessarily includes controlling how those services are accessed.
For financial institutions, the implications extend beyond security to competitive advantage. In an industry where proprietary algorithms, customer insights, and trading strategies represent core value, controlling access to these assets becomes a strategic imperative rather than merely a compliance requirement.
The Strategic Imperative
Financial services leaders face a binary choice. They can continue refining systems that ultimately depend on user-controlled credentials, accepting the inherent risks and associated costs, or they can implement structural solutions that eliminate user credential control entirely.
The M&S case provides a stark illustration of these costs in practice. Beyond the immediate £300 million damages, the breach highlighted how traditional access controls fail when facing determined insiders with legitimate but uncontrolled credentials.
For organisations serious about protecting their competitive position and regulatory standing, the question is not whether to implement organisational credential control, but how quickly they can deploy it across their most critical systems.
The technology exists. The regulatory drivers are clear. The only remaining variable is organisational willingness to challenge the fundamental assumption that users must control their own access credentials.
By | Posted on: 7 May 2026
The PAM credential problem: why the vault is only as secure as the technician who holds the key
A privileged access vault is only as secure as the person who can open it. This is the fundamental flaw in how many managed service providers (MSPs) approach privileged access management: even the most sophisticated vault is worthless if the technicians who hold its keys can be tricked into surrendering them.
For MSPs managing hundreds of client environments with elevated privileges, this represents an existential threat. Every technician with privileged access becomes a potential breach vector, regardless of how securely those credentials are stored.
The managed services credential conundrum
MSPs face a unique credential challenge. Unlike traditional enterprises managing a single environment, they require privileged access to hundreds or thousands of client systems. A single Level 2 technician might hold administrative credentials for dozens of client domains, cloud platforms, and critical infrastructure systems.
This creates what security professionals term "credential sprawl at scale". Each technician becomes a walking master key to multiple client environments. Traditional privileged access management (PAM) solutions attempt to secure these credentials in vaults, but they fundamentally rely on human operators who must authenticate themselves to retrieve credentials when needed.
The model assumes that verifying a technician's identity is sufficient to grant access. But this assumption proves catastrophically flawed when that technician receives a convincing phishing email or falls victim to social engineering. Once an attacker compromises the technician's authentication method, they inherit access to every client system that technician can reach.
The data tells a stark story
According to Verizon's 2024 Data Breach Investigations Report, 68% of breaches involved a human element, with phishing attacks increasing by 76% year-over-year. For MSPs, these statistics translate into amplified risk across their entire client base.
The Ponemon Institute's 2024 Cost of Insider Threats report found that credential theft incidents cost organisations an average of $4.99 million per breach, with MSPs facing additional liability through their client contracts. More concerning, the report revealed that 60% of insider threat incidents involved privileged users – exactly the technician population that MSPs rely upon for daily operations.
Research from the Cybersecurity and Infrastructure Security Agency (CISA) shows that 90% of successful cyberattacks involve compromised credentials. For MSPs, this means that traditional identity verification – even with multi-factor authentication – creates a single point of failure that can cascade across multiple client environments.
The UK's National Cyber Security Centre reported that MSPs were targeted in 47% of supply chain attacks in 2023, with compromised privileged credentials being the primary attack vector in 73% of these incidents.
Why existing security tools fail the MSP model
Most organisations deploy a stack of identity and access management tools: privileged access management (PAM) vaults, single sign-on (SSO) platforms, multi-factor authentication (MFA), and increasingly, zero trust frameworks. Yet breaches continue to occur with regularity.
The fundamental problem lies in a flawed equation that underpins all these solutions: identity equals access. Every existing tool operates on the principle that verifying who someone is should determine what they can access. Prove your identity through passwords, biometrics, or hardware tokens, and the system grants corresponding access rights.
This approach creates an inherent vulnerability. No matter how sophisticated the identity verification process, once an attacker successfully impersonates a legitimate user, they inherit all that user's access rights. A compromised MSP technician doesn't just represent a single breach – they represent potential compromise across every client environment they can access.
PAM vaults exemplify this problem. They secure credentials behind robust authentication, but ultimately rely on human operators to retrieve and use those credentials. The vault protects credentials at rest, but cannot prevent a compromised technician from accessing and misusing them. SSO and MFA simply move the vulnerability to different authentication factors, while zero trust frameworks still depend on identity verification as their foundation.
Separating identity from access
The solution requires abandoning the identity-equals-access paradigm entirely. Instead of asking "who is this person and what should they access?", the question becomes "how do we enable necessary business functions without exposing credentials to human operators?"
This approach, termed "credential-less access", ensures that users never see, hold, or control the credentials that grant them system access. Rather than storing credentials in a vault for retrieval, the organisation generates, encrypts, and manages every credential centrally. When a technician needs to access a client system, the credential is transmitted directly to the target system without ever being visible to the user.
MyCena's patented solution demonstrates this principle in practice. When an MSP technician needs administrative access to a client's domain controller, they don't retrieve a password from a vault. Instead, the system generates an encrypted credential, transmits it directly to the target system, and establishes the session without the technician ever seeing the authentication material.
This removes the credential itself from the phishing equation. An attacker who phishes a technician obtains no password to replay, and the technician cannot accidentally or deliberately reveal a secret they never held. What remains within the attacker's reach is the technician's unlock factor and the device that relays the encrypted credential, so device integrity, session monitoring and prompt revocation still matter; the difference is that the secret that grants access is no longer something a human can be talked out of.
From a regulatory compliance perspective, this approach addresses requirements across multiple frameworks. SOC 2 Type II controls around credential management become demonstrable through technical architecture rather than policies and procedures. ISO 27001's requirements for privileged access management shift from administrative controls to automated technical controls. For MSPs serving regulated industries, this provides auditable evidence of credential security without relying on human behaviour.
The path forward for MSPs
The credential problem facing MSPs requires architectural change, not additional layers of identity verification. Organisations that continue to operate on the identity-equals-access model will find themselves vulnerable regardless of their security investment.
MSPs should evaluate their current credential exposure across their technician workforce. How many client environments could be compromised if a single technician fell victim to a phishing attack? What would be the financial and reputational impact of a breach that cascaded across multiple client environments?
The transition to credential-less access represents a fundamental shift in security architecture, but it addresses the root cause rather than symptoms. For MSPs facing increasing regulatory scrutiny and client security requirements, this approach provides demonstrable protection against the attack vectors that have proven most successful against their sector.
The question is not whether MSPs will face credential-based attacks, but whether they will implement solutions that make such attacks impossible before they become the next headline.
By | Posted on: 7 May 2026
SolarWinds: How One Vendor Credential Reached 18,000 Organisations Including the US Government
On 13 December 2020, cybersecurity firm FireEye disclosed that nation-state attackers had infiltrated SolarWinds' Orion network management software, in what would become one of the most significant supply chain cyberattacks to date. The breach exposed a fundamental vulnerability in how organisations manage vendor access: a compromise of one trusted vendor's access cascaded to roughly 18,000 customers, including nine US federal agencies and Fortune 500 companies.
The attack began with attackers inserting malicious code into SolarWinds' software updates between March and June 2020. When customers installed routine updates, they unknowingly granted attackers persistent access to their networks. This breach demonstrated how vendor credential management failures can transform trusted business relationships into national security threats.
The Critical Gap in Government Vendor Access Control
Defence and public sector organisations face a unique challenge in vendor credential management. Unlike private companies that can limit third-party access, government agencies require extensive contractor and vendor integration for everything from IT infrastructure to classified research programmes. Each vendor relationship creates potential attack vectors through shared credentials, privileged access, and interconnected systems.
The SolarWinds incident exposed how traditional credential management approaches fail at scale. Government agencies typically manage vendor access through manual processes, shared accounts, or basic identity management systems that assume credentials remain secure once issued. This assumption proved catastrophic when attackers gained access to SolarWinds' build systems and, once inside customer networks through the trusted Orion installation, used harvested credentials and forged authentication tokens to move laterally.
The attack succeeded because it exploited the trust relationship between vendors and customers. SolarWinds' legitimate credentials provided attackers with authorised access to customer systems, bypassing traditional perimeter security controls. For government agencies handling classified information or critical infrastructure, this represented a complete failure of access control architecture.
The Scale of Compromise: By the Numbers
The SolarWinds breach affected approximately 18,000 organisations that downloaded compromised software updates, according to SolarWinds' own SEC filings. However, the attackers demonstrated strategic targeting, with Microsoft estimating that fewer than 1,000 organisations were actually compromised through follow-on activities.
Among confirmed victims, nine US federal agencies were breached, including the Departments of State, Treasury, Homeland Security, Energy, and Commerce. The attackers maintained persistent access for up to nine months before detection, with some intrusions continuing for months after the initial disclosure.
Financial impact data reveals the true cost of credential compromise. SolarWinds reported spending over $18 million on incident response in 2021 alone, while facing multiple federal investigations and lawsuits. The company's market capitalisation fell by approximately $3.3 billion in the weeks following disclosure, according to financial filings.
The UK's National Cyber Security Centre identified that British government departments were among those affected, though the full extent remains classified. Similar impacts were reported across NATO allies, demonstrating how vendor credential compromise can cascade across international government networks.
Why Traditional Security Tools Failed
The SolarWinds attack succeeded despite extensive deployment of modern security tools across victim organisations. Identity and Access Management (IAM) systems failed because they authenticated legitimate SolarWinds credentials — the attackers were using valid access tokens obtained through the supply chain compromise.
Privileged Access Management (PAM) solutions, designed to control high-value accounts, proved ineffective because the attackers leveraged standard vendor access rather than obviously privileged credentials. The malicious code operated within normal software update processes, avoiding PAM monitoring focused on administrative activities.
Single Sign-On (SSO) and Multi-Factor Authentication (MFA) provided no protection because attackers bypassed these controls entirely. Once inside victim networks through legitimate SolarWinds access, attackers could move laterally without triggering authentication challenges designed for external access.
Zero Trust architectures, increasingly adopted across government agencies, failed to prevent the breach because they still relied on validating credentials rather than controlling their creation and distribution. The fundamental assumption — that credentials can be trusted once verified — remained intact and exploitable.
These tools address authentication and monitoring but do not solve the core problem: organisations cannot control credentials they allow others to create and hold. Vendor credentials, by definition, exist outside organisational control boundaries, creating persistent blind spots in security architecture.
Structural Solution: Organisational Credential Control
The SolarWinds breach demonstrates that effective security requires organisations to maintain complete control over all credentials accessing their systems, including vendor access. This means shifting from credential verification to credential generation and distribution.
Under a controlled credential model, organisations generate all access credentials centrally, distribute them in encrypted form, and maintain continuous revocation capability. Vendors and contractors never possess plaintext credentials, eliminating the possibility of credential theft or misuse. Access becomes truly unphishable because users cannot disclose credentials they do not hold.
This approach transforms vendor relationships from trust-based to verification-based. Rather than trusting vendors to secure their own credentials, organisations maintain cryptographic control over access rights. When vendors require system access, they request specific permissions that are granted through encrypted credential distribution, not permanent credential sharing.
MyCena's patented technology implements this model by ensuring users never see or control their own credentials. The system generates cryptographically secure credentials, distributes them in encrypted form, and enables instant revocation across all access points. For government agencies, this means vendor access can be controlled with the same rigour applied to classified information handling.
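The following is an added illustrative model of the release flow described in this section and in the MSP post above (technician requests access, the broker releases the secret to the target, revocation is immediate). It is not MyCena's code or protocol; the broker class, the HMAC-based device assertion, the nonce-based replay check and the in-memory stores are assumptions made for the example. Its point is the control boundary: the user only ever holds an opaque handle, so phishing the user yields nothing that can be replayed.

```python
"""Constructed model of organisation-controlled credential release (added example).

Not MyCena's code or protocol. Assumed design: a broker generates and holds each
target secret; the user holds only an opaque handle; release to the target requires
a request signed with a device key enrolled out of band; revocation is immediate.
"""
import hashlib
import hmac
import secrets


class TargetSystem:
    """A client system (e.g. a domain controller) holding one service password."""

    def __init__(self, name):
        self.name = name
        self.password = None
        self.sessions = 0

    def open_session(self, password):
        # Constant-time compare; only the broker calls this with the real secret.
        if self.password is not None and hmac.compare_digest(password, self.password):
            self.sessions += 1
            return True
        return False


class CredentialBroker:
    """Generates, holds and releases secrets; users never receive plaintext."""

    def __init__(self):
        self._secrets = {}       # (user, target) -> plaintext, broker-only
        self._device_keys = {}   # user -> HMAC key of the enrolled device
        self._revoked = set()    # (user, target) pairs
        self._seen_nonces = set()
        self.audit = []

    def enrol_device(self, user, device_key):
        self._device_keys[user] = device_key

    def provision(self, user, target):
        """Set a fresh secret on the target; return only an opaque handle to the user."""
        password = secrets.token_urlsafe(32)
        target.password = password
        self._secrets[(user, target.name)] = password
        return f"handle:{user}:{target.name}"

    def revoke(self, user, target_name):
        self._revoked.add((user, target_name))
        self.audit.append(("revoke", user, target_name))

    @staticmethod
    def sign_request(device_key, handle, nonce):
        """What the enrolled device computes; the user types no secret."""
        return hmac.new(device_key, f"{handle}|{nonce}".encode(), hashlib.sha256).hexdigest()

    def release(self, handle, target, nonce, signature):
        """Verify the device-bound request, then log in to the target on the user's behalf."""
        try:
            _, user, target_name = handle.split(":")
        except ValueError:
            return self._deny(handle, "bad-handle")
        if target_name != target.name or (user, target_name) not in self._secrets:
            return self._deny(handle, "unknown-binding")
        if (user, target_name) in self._revoked:
            return self._deny(handle, "revoked")
        if nonce in self._seen_nonces:
            return self._deny(handle, "replay")
        key = self._device_keys.get(user)
        if key is None:
            return self._deny(handle, "no-device")
        if not hmac.compare_digest(self.sign_request(key, handle, nonce), signature):
            return self._deny(handle, "bad-signature")
        self._seen_nonces.add(nonce)
        ok = target.open_session(self._secrets[(user, target_name)])
        self.audit.append(("release", user, target_name, ok))
        return ok

    def _deny(self, handle, reason):
        self.audit.append(("deny", handle, reason))
        return False


def run_scenarios():
    """Constructed scenarios: legitimate use, phished handle, replay, leaver revocation."""
    broker = CredentialBroker()
    dc = TargetSystem("client-a-dc01")
    device_key = secrets.token_bytes(32)  # provisioned to the technician's device out of band
    broker.enrol_device("tech1", device_key)
    handle = broker.provision("tech1", dc)

    nonce = secrets.token_hex(16)
    sig = CredentialBroker.sign_request(device_key, handle, nonce)
    results = {"legitimate": broker.release(handle, dc, nonce, sig)}

    # Phishing yields the handle but not the device key: the attacker cannot sign.
    forged = CredentialBroker.sign_request(secrets.token_bytes(32), handle, "n2")
    results["phished_handle"] = broker.release(handle, dc, "n2", forged)

    # A captured legitimate request cannot be replayed.
    results["replay"] = broker.release(handle, dc, nonce, sig)

    # Revocation wins even for a correctly signed request from the real device.
    broker.revoke("tech1", dc.name)
    nonce3 = secrets.token_hex(16)
    results["after_revoke"] = broker.release(
        handle, dc, nonce3, CredentialBroker.sign_request(device_key, handle, nonce3))

    results["sessions_opened"] = dc.sessions
    results["secret_visible_in_handle"] = dc.password in handle
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The audit list shows why this is easier to evidence than a policy: every denied release carries a reason (bad signature, replay, revoked), and the only plaintext path runs from the broker to the target. In a real deployment the device key would live in a hardware-backed keystore and the broker-to-target channel would be mutually authenticated; both are outside the scope of this model.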
Implications for Defence and Public Sector Leaders
The SolarWinds breach created lasting regulatory and operational changes across government agencies. The US Executive Order on Cybersecurity (EO 14028) now mandates specific controls for software supply chains and vendor access management. Similar requirements are emerging across allied nations, creating compliance obligations that traditional security tools cannot address.
Government leaders must recognise that vendor credential compromise represents a systemic risk requiring architectural solutions, not incremental security improvements. The shift toward controlled credential distribution will become a requirement, not an option, as regulatory frameworks evolve.
Organisations should immediately audit vendor access arrangements and identify credentials existing outside their direct control. Each uncontrolled credential represents a potential SolarWinds-style compromise vector that could provide attackers with authorised access to critical systems.
The lesson from SolarWinds is clear: in an interconnected threat environment, credential control cannot be delegated to third parties, regardless of trust relationships or contractual obligations. Security architecture must assume credential compromise and design accordingly.
By | Posted on: 7 May 2026
One vendor credential. Every operator they serve. The supply chain cascade.
When hackers breached Colonial Pipeline in May 2021, leading to a six-day shutdown of America's largest fuel pipeline, investigators traced the intrusion to a single compromised password for a legacy VPN account that was no longer in active use and did not require multi-factor authentication. That one password, which had appeared in a batch of leaked credentials on the dark web, gave DarkSide ransomware operators a foothold in the corporate network; the precautionary shutdown that followed triggered fuel shortages across the Eastern seaboard and a $4.4 million ransom payment.
The incident exposed a fundamental vulnerability in critical infrastructure: the cascade effect of credential compromise through supply chains. One breached vendor credential can unlock access to dozens of downstream operators, creating systemic risk that regulators are only beginning to understand.
The multiplier effect in critical infrastructure
In the energy sector, a single technology vendor typically serves multiple grid operators, pipeline companies, and power generation facilities. When that vendor's credentials are compromised, attackers gain potential access to every client in their portfolio. The mathematics are stark: one successful phishing attack can multiply into dozens of simultaneous infrastructure breaches.
This supply chain credential risk is particularly acute in industrial control systems, where vendors require privileged access to monitor and maintain critical operational technology. A single engineering firm might hold administrative credentials for wind farms across three states. A SCADA software provider could have remote access capabilities across dozens of water treatment facilities.
The problem extends beyond direct vendor relationships. Subcontractors, consultants, and temporary workers create additional credential pathways, each representing potential vectors for lateral movement through interconnected infrastructure networks.
The scale of exposure
Recent data from the Cybersecurity and Infrastructure Security Agency reveals the scope of this vulnerability. CISA's 2023 Critical Infrastructure Threat Assessment identified credential compromise as the initial attack vector in 82% of successful breaches against energy sector targets, with supply chain relationships facilitating lateral movement in 67% of cases.
The Department of Energy's cyber incident reporting data shows that vendor-related breaches affect an average of 3.4 additional infrastructure operators beyond the initial target. In the most severe cases, a single compromised vendor credential has cascaded to impact up to 12 separate facilities across multiple states.
Financial losses compound accordingly. While direct breach costs for energy companies average $6.25 million according to IBM's Cost of a Data Breach Report 2023, supply chain incidents generate additional liability exposure. Colonial Pipeline's total incident costs, including business disruption and regulatory penalties, exceeded $90 million.
The North American Electric Reliability Corporation (NERC) reported 263 cyber security incidents across the bulk power system in 2022, with 34% traced to third-party credential compromise. Each incident triggered mandatory reporting requirements and potential compliance violations under NERC CIP standards.
Why current security tools fail the cascade test
Identity and Access Management (IAM) systems excel at managing internal user lifecycles but struggle with external vendor credential oversight. Most IAM platforms cannot enforce consistent credential policies across third-party relationships, creating governance gaps that attackers exploit.
Privileged Access Management (PAM) solutions address some vendor access challenges by creating secure credential vaults and session monitoring. However, they typically operate within individual organisational boundaries. When a vendor's PAM-managed credential is compromised at their home organisation, that breach can still cascade to client environments where the same vendor maintains separate access rights.
Single Sign-On (SSO) reduces credential proliferation but creates single points of failure. A compromised SSO credential grants access to multiple connected systems simultaneously. For vendors serving multiple infrastructure clients, SSO compromise amplifies rather than reduces cascade risk.
Multi-Factor Authentication (MFA) adds a layer but, in its common push-notification and one-time-code forms, remains vulnerable to phishing and social engineering. The Lapsus$ group demonstrated this in its 2022 campaign against technology companies, wearing users down with repeated push prompts ("MFA fatigue") and talking help desks into resetting factors. Phishing-resistant authenticators such as FIDO2 security keys close that particular gap, but only on systems that support them, which many vendor-facing OT portals and legacy remote-access tools still do not.
Zero Trust architectures improve security posture by assuming breach and continuously validating access requests. However, they do not solve the fundamental problem: users still create, know, and control their own credentials. A compromised user can still authenticate legitimately within a Zero Trust framework.
Separating identity from credential control
The structural solution requires separating identity verification from credential ownership. Rather than allowing users to create and manage their own passwords and access tokens, organisations must retain complete control over credential generation, distribution, and revocation.
This principle shifts the security paradigm from "trust but verify" to "control and distribute". Under this model, users prove their identity through biometric or other verification methods, but never possess the actual credentials that grant system access. Instead, encrypted credentials are generated centrally and delivered directly to target systems without user visibility.
MyCena's patented approach implements this separation by removing human knowledge from the credential equation. Users authenticate their identity, but the organisation maintains exclusive control over the cryptographic keys that actually unlock system access. Because users never see or handle these credentials, they cannot be phished, stolen, or misused across multiple client environments.
This architecture limits supply chain cascade failures by ensuring that even if a vendor's identity verification process is compromised, the underlying credentials remain with the controlling organisation and cannot be replayed against client systems. Each access session requires fresh cryptographic validation from that organisation, so a credential captured in one session has no value in the next. The exposure that remains is the live session itself: an attacker who controls a vendor's endpoint can still act inside an open session until it is closed or revoked, which is why session length and revocation speed matter as much as credential secrecy.
Regulatory convergence demands action
Multiple regulatory frameworks are converging on supply chain credential management requirements. The Transportation Security Administration's cybersecurity directives for pipeline operators explicitly require "cybersecurity risk assessments" of third-party remote access. The Securities and Exchange Commission's new cyber disclosure rules include materiality thresholds that treat vendor credential breaches as potentially reportable events.
NERC CIP-004 standards mandate "personnel risk assessments" for vendor access, while proposed updates to CIP-013 would strengthen supply chain cybersecurity requirements. The Federal Energy Regulatory Commission has indicated that future compliance examinations will focus heavily on third-party access controls.
For critical infrastructure operators, the message is clear: credential cascade risk is transitioning from a cybersecurity concern to a regulatory compliance requirement. Organisations that cannot demonstrate robust vendor credential governance face increasing scrutiny from multiple oversight bodies.
The mathematics of supply chain credential risk are unforgiving. One compromised vendor affects multiple operators. Multiple operators create systemic infrastructure vulnerability. Systemic vulnerability attracts regulatory intervention and potential enforcement action. The most effective defence is preventing the initial credential compromise through organisational control rather than user responsibility.
By | Posted on: 7 May 2026
AI Trading Systems Hold Live Credentials. Nobody Governs Them.
In August 2024, a major European investment bank discovered its algorithmic trading system had been accessing client portfolios using credentials belonging to a trader who had left the firm three months earlier. The automated system continued executing trades worth €47 million daily, operating under a digital identity that should have been deactivated. The incident, kept confidential until regulatory filing requirements forced disclosure, illuminates a dangerous blind spot in financial services: artificial intelligence systems are accumulating live credentials with minimal oversight.
The problem extends far beyond a single institution. As trading algorithms become more sophisticated and autonomous, they require persistent access to market data feeds, execution platforms, and client accounts. Yet these AI systems operate using the same credential frameworks designed for human users—frameworks that assume conscious decision-making, regular password changes, and the ability to recognise suspicious activity.
The Credential Accumulation Crisis
Financial institutions have embraced AI trading at unprecedented scale. According to Greenwich Associates, algorithmic trading now accounts for 85% of equity trading volume in developed markets, up from 65% in 2019. Each trading algorithm requires multiple sets of credentials: market data access, order management systems, risk monitoring platforms, and regulatory reporting tools.
The Bank for International Settlements' 2024 survey of 47 major banks revealed that institutions deploy an average of 127 distinct AI trading models, each requiring between 8 and 23 separate credential sets. This creates what researchers term "credential sprawl"—a web of digital identities that grows faster than governance frameworks can manage.
PwC's Financial Services Technology Survey found that 73% of banks cannot accurately inventory which credentials their AI systems hold, while 81% lack automated processes to revoke AI access when algorithms are decommissioned. The European Banking Authority's recent stress testing identified credential management as a "material operational risk" across 89% of supervised institutions.
The insurance sector faces parallel challenges. AI systems underwriting policies, processing claims, and managing investment portfolios require access to vast databases containing sensitive customer information. Lloyd's of London reported that credential-related breaches in member organisations increased 156% between 2022 and 2024, with AI systems involved in 34% of incidents.
Why Traditional Security Fails
Conventional identity and access management (IAM) systems treat AI as sophisticated users rather than fundamentally different entities. Privileged access management (PAM) solutions store AI credentials in vaults, but algorithms often require persistent access that bypasses human approval workflows. Single sign-on (SSO) reduces credential proliferation but creates single points of failure when AI systems are compromised.
Multi-factor authentication, as designed for people, has no second factor to offer an algorithm that cannot answer a push notification or present a fingerprint; in practice such service identities are exempted from MFA and authenticate with a single long-lived secret. Zero Trust architectures promise continuous verification, but struggle with AI systems that generate thousands of access requests per second during volatile trading periods.
The fundamental issue is structural. Traditional security models assume that users create, know, and manage their credentials. This assumption breaks down when applied to AI systems that may operate continuously for months, accessing resources through credentials that exist beyond any individual's knowledge or control.
Redefining Credential Control
The solution requires abandoning the assumption that identity equals access. Instead of allowing AI systems to hold credentials, organisations need architecture where credentials are generated, encrypted, and distributed by central authority—never exposed to the systems that use them.
This approach, pioneered by companies like MyCena, separates credential ownership from credential usage. When an AI trading system needs to access a market data feed, it requests access through an encrypted channel. The credential management system authenticates the request, retrieves the appropriate credential from secure storage, and facilitates the connection without ever exposing the actual authentication data to the AI system.
The AI system gains access to the resources it needs but never possesses the credentials themselves, so there is nothing for a phishing lure, a log file or a memory scraper to capture: even if the AI system is compromised, attackers cannot extract credentials that were never present in its memory or storage. What a compromised system can still do is exercise the access it has been granted for as long as its session lives, so grants must be narrowly scoped and short-lived, and revocation must be immediate.
For financial institutions, this architecture provides granular control over AI access patterns. Trading algorithms can be granted time-limited access to specific market segments, with credentials automatically rotated without system downtime. When algorithms are retired or modified, access revocation is immediate and complete, eliminating the orphaned credentials that plague traditional deployments.
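The control architecture described in this section, and in the "Separating identity from credential control" section of the preceding piece, is a credential broker: the organisation holds the upstream secret, the human or workload holds only an opaque session token, and the broker validates each request, performs the upstream call, rotates the secret and revokes grants when a principal is decommissioned. The Python model below is an added example written for this page; it is not MyCena's code, and the page does not describe MyCena's actual mechanism beyond the properties listed, so the class names (`CredentialBroker`, `MarketDataFeed`, `TradingAlgorithm`), the "market-data" resource, the "algo-7" principal, the random-token grant table and the hard-coded prices are all constructed for illustration.

```python
import hmac
import secrets
import time


class MarketDataFeed:
    """Constructed upstream service guarded by a static API key (the long-lived secret at issue)."""
    def __init__(self, api_key: str) -> None:
        self._api_key = api_key

    def rotate_key(self, new_key: str) -> None:
        self._api_key = new_key

    def query(self, api_key: str, symbol: str) -> dict:
        if not hmac.compare_digest(api_key, self._api_key):
            raise PermissionError("market-data: invalid API key")
        return {"price": {"ACME": 101.25, "GLOBEX": 48.1}.get(symbol, 0.0)}  # constructed quotes


class CredentialBroker:
    """Holds every upstream secret; callers only ever receive opaque session tokens."""
    def __init__(self, clock=time.time) -> None:
        self._clock = clock
        self._secrets: dict = {}     # resource -> upstream API key, known only here
        self._upstreams: dict = {}   # resource -> service object
        self._grants: dict = {}      # session token -> grant record

    def register_resource(self, name: str, upstream: MarketDataFeed, api_key: str) -> None:
        self._upstreams[name], self._secrets[name] = upstream, api_key

    def rotate(self, name: str) -> None:
        """Rotate the upstream key; live tokens keep working because they never embedded it."""
        new_key = secrets.token_hex(16)
        self._upstreams[name].rotate_key(new_key)
        self._secrets[name] = new_key

    def issue(self, principal: str, resource: str, scopes: set, ttl_s: float) -> str:
        """Return a random token bound to a principal, resource, scope set and expiry."""
        if resource not in self._secrets:
            raise KeyError(f"unknown resource {resource!r}")
        token = secrets.token_urlsafe(32)
        self._grants[token] = {"principal": principal, "resource": resource, "scopes": frozenset(scopes),
                               "expires_at": self._clock() + ttl_s, "revoked": False}
        return token

    def revoke_principal(self, principal: str) -> int:
        """Decommissioning: every live grant for the principal stops working at once."""
        live = [g for g in self._grants.values() if g["principal"] == principal and not g["revoked"]]
        for g in live:
            g["revoked"] = True
        return len(live)

    def call(self, token: str, resource: str, scope: str, *args):
        """Check the grant, then make the upstream call; the API key never leaves this method."""
        g = self._grants.get(token)
        if g is None or g["revoked"]:
            raise PermissionError("token unknown or revoked")
        if self._clock() >= g["expires_at"]:
            raise PermissionError("token expired")
        if g["resource"] != resource or scope not in g["scopes"]:
            raise PermissionError(f"grant does not cover {resource}:{scope}")
        return self._upstreams[resource].query(self._secrets[resource], *args)


class TradingAlgorithm:
    """The workload: it stores a session token, never an API key."""
    def __init__(self, broker: CredentialBroker, token: str) -> None:
        self._broker, self._token = broker, token

    def price(self, symbol: str) -> float:
        return self._broker.call(self._token, "market-data", "read", symbol)["price"]


def allowed(fn, *args) -> bool:
    """True if the broker permits the call, False if it refuses."""
    try:
        fn(*args)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Run the credential lifecycle on a controllable clock and return what each step observed."""
    clock = [1000.0]
    broker = CredentialBroker(clock=lambda: clock[0])
    broker.register_resource("market-data", MarketDataFeed("initial-key"), "initial-key")
    token = broker.issue("algo-7", "market-data", {"read"}, ttl_s=300)
    algo = TradingAlgorithm(broker, token)
    out = {"first_price": algo.price("ACME")}
    broker.rotate("market-data")                  # key changes upstream; the client is unaffected
    out["price_after_rotation"] = algo.price("ACME")
    # A stolen token is worth only its grant: no "trade" scope here, and no key inside it.
    out["stolen_token_can_trade"] = allowed(broker.call, token, "market-data", "trade", "ACME")
    clock[0] += 301                               # the token ages out
    out["works_after_expiry"] = allowed(algo.price, "ACME")
    token2 = broker.issue("algo-7", "market-data", {"read"}, ttl_s=300)
    out["revoked_grants"] = broker.revoke_principal("algo-7")   # decommission: both grants die
    out["works_after_revocation"] = allowed(broker.call, token2, "market-data", "read", "ACME")
    return out
```

Two design points worth noting. First, the broker becomes the single place where secrets live, so it is now the highest-value target and must be hardened and audited accordingly; the gain is that compromise of any one workload or vendor endpoint no longer yields a reusable secret. Second, a compromised client can still call `broker.call` with its own token until the grant expires or is revoked, which is why the example scopes the grant to one resource and one action and keeps the TTL short rather than relying on secrecy alone.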
The Regulatory Response
Regulators are beginning to address AI credential risks explicitly. The European Central Bank's draft guidance on AI in banking, published in October 2024, requires institutions to maintain "comprehensive inventories of AI system access rights" and demonstrate "technical controls preventing unauthorised credential retention by automated systems."
The Federal Reserve's recent supervisory letter SR 24-7 instructs banks to ensure that "artificial intelligence and machine learning applications cannot independently create, modify, or retain authentication credentials." The Prudential Regulation Authority has indicated similar requirements will be incorporated into UK banking rules by 2025.
Insurance regulators are following similar paths. Solvency II's upcoming technical standards revision includes provisions requiring "demonstrable technical controls over automated system credentials" for AI applications processing customer data or making underwriting decisions.
The Path Forward
Chief Information Security Officers and Chief Risk Officers in financial services face an immediate choice. They can continue applying human-centric security models to AI systems, accepting the growing accumulation of unmanaged credentials and associated regulatory risks. Or they can implement credential control architectures that treat AI systems as fundamentally different from human users.
The European investment bank that discovered its rogue trading algorithm has since implemented credential control systems across all automated trading operations. The firm reports zero credential-related incidents in the eight months following deployment, while reducing credential management overhead by 67%.
As AI systems become more autonomous and widespread, the credential risks will only intensify. Financial institutions that address these challenges now—through proper architectural controls rather than incremental security additions—will find themselves better positioned for both regulatory compliance and operational resilience in an increasingly AI-driven industry.