Identity Management Considered Harmful

From MgmtWiki

Meme

For decades, digital infrastructure has been built on the premise that identity must be managed. Directories, IdPs, and IAM suites treat people as entries in a database: objects to be provisioned, suspended, or revoked. This framing is not just outdated; it is harmful, hence the title "Identity Management Considered Harmful". Yes, this is a riff on Dijkstra's letter "goto considered harmful"[1].

Category Error: Identity is not a resource. It is relational, contextual, and lived. To “manage” it is to misname it.

Centralization of Power: IAM consolidates authority in a handful of providers, creating choke points for surveillance, breach, and abuse.

Security Theater: Password resets, MFA fatigue, and endless portal logins create friction without delivering proportional assurance.

Misaligned Incentives: IAM systems are built for administrators, not for the humans whose identities they claim to “manage.”

Brittle Abstractions: Coarse-grained roles and static scopes fail to capture the nuance of real-world trust and delegation.

The Consequences

Overprovisioning: Most breaches exploit over‑entitled accounts.

Loss of Agency: Individuals are reduced to credentials, stripped of control over their digital selves.

Erosion of Trust: Systems designed to “manage” identity end up alienating the very people they are meant to serve.

The Alternative

We must move from identity management to trust mediation.

From Objects to Relationships: Identity is not a profile; it is a set of verifiable relationships.

From Roles to Intent: Authorization should reflect purpose, context, and consent—not static scopes.

From Centralization to Polycentricity: Governance must be distributed, consent‑driven, and resilient.

From Friction to Agency: Systems should empower individuals to act, delegate, and revoke on their own terms.

The Mandate

To continue building IAM as we know it is to double down on a failed abstraction. The future belongs to mutualist, trust‑aware architectures—systems that recognize people as first‑class actors, not managed assets.

Identity Management is harmful. Trust mediation is necessary. Agency is non‑negotiable.

Solutions

because it echoes Dijkstra’s famous “goto considered harmful.” To say “Identity Management Considered Harmful” is to argue that the very paradigm of managing identity is flawed at its core, not just poorly implemented. Here’s why that critique has teeth:

Why “Identity Management” Is Problematic

Category Error: Identity isn’t a resource to be managed like files or servers. It’s relational, contextual, and emergent. Treating it as a static object leads to brittle systems.

Centralization of Power: Traditional IAM (Identity and Access Management) consolidates control in directories, IdPs, or cloud providers—creating single points of failure and surveillance.

Overprovisioning & Risk: Studies show that overprivileged identities are implicated in the vast majority of breaches. IAM systems often grant more access than necessary, because their abstractions are too coarse.

Misaligned with Human Agency: IAM frameworks are designed for administrators, not for the people whose identities are being “managed.” This strips individuals of autonomy.

Security Theater: Password resets, MFA fatigue, and endless portal logins create friction without necessarily improving assurance. The system “manages” credentials, not trust.

The Alternative Frame

Instead of “managing identity,” we should be:

Mediating Trust: Focus on verifiable relationships, not static profiles.

Delegating Intent: Authorization should be tied to purpose and context, not just role or scope.

Distributing Authority: Polycentric, consent-driven governance avoids IAM’s central choke points.

Designing for Agency: Individuals should be first-class actors, not objects in a directory.

Why the Phrase Works

Calling it “considered harmful” is rhetorical judo:

It signals that the problem is structural, not incidental.

It invites a paradigm shift—from IAM to trust-aware, intent-driven architectures.

It resonates with technologists who recognize the pattern: when a tool becomes the wrong abstraction, it’s time to retire it.

So, to say “Identity Management Considered Harmful” is to argue that the very act of trying to manage identity is the wrong game. We should be building systems that recognize, attest, and negotiate trust—not ones that file humans away in directories like assets.


References

  1. Edsger W. Dijkstra, "goto considered harmful", CACM 11 No. 3, pp. 147–148 (1968-03)