Rethinking governance in a decentralized identity world
Decentralized identity (DID) is gaining traction, and for CISOs, it’s becoming a part of long-term planning around data protection, privacy, and control. As more organizations experiment with verifiable credentials and self-sovereign identity models, a question emerges: Who governs the system when no single entity holds the reins?
The governance gap
Traditional identity systems come with built-in governance. Central authorities validate users, issue credentials, and set policies for revocation and auditing. In decentralized ecosystems, these responsibilities are spread across many actors: issuers, holders, verifiers, and ledger operators. This distribution increases flexibility and privacy, but it also complicates control.
“Security leaders can take three discrete actions to improve identity and access management across a complex, distributed environment, starting with low-hanging fruit before maturing the processes,” Karen Walsh, CEO of Allegro Solutions, told Help Net Security.
The first step, Walsh said, is to implement SSO across all standard accounts. “The same way they limit the attack surface by segmenting networks, they can use SSO to consolidate identity management.”
Next, security teams should give employees a password manager for both business and personal use, something many organizations overlook despite the risks. “Compromised and weak passwords are a primary attack vector, but too many organizations fail to give their employees a way to improve their password hygiene. Then, they should allow the password manager plugin on all corporate-approved browsers. Since attackers can compromise browsers to steal passwords stored in them, an end-to-end encrypted password manager improves security and, by integrating with the rest of the organization’s security technology stack, overall identity governance and management.”
The third action is often the most technically demanding: linking human user accounts to machine identities. “They should assign a human user account and identity to all machine identities, including IoT, RPA, and network devices,” Walsh explained. “This provides an additional level of insight into and monitoring over how these typically unmanaged assets behave on networks to mitigate risks from attackers exploiting vulnerabilities.”
Taken together, these actions offer a practical path forward, starting with quick wins like SSO and password managers and building toward a more integrated identity strategy that covers even the most overlooked endpoints.
Three pillars of decentralized governance
To manage this complexity, CISOs need to focus on three governance pillars:
1. Credential lifecycle management: Verifiable credentials can be issued and stored independently of a central system. That means organizations must build processes to manage credential expiration, revocation, and updates. This is especially critical in high-trust environments like healthcare and finance.
2. Policy coordination across participants: Unlike traditional federated identity systems, decentralized identity lacks a central policy authority. Governance must emerge from shared agreements, technical standards, and interoperable frameworks like the Trust Over IP stack. Participation in governance groups such as the Decentralized Identity Foundation (DIF) or W3C working groups can help organizations shape and adopt consistent rules.
3. Risk and compliance alignment: Decentralized identity introduces unique risks: dependence on public ledgers, lack of centralized control, and unclear liability in multi-party ecosystems. CISOs must ensure governance structures align with regulatory obligations under frameworks like GDPR, NIST 800-63, and regional data residency laws.
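A verifier-side illustration of the lifecycle checks described under pillar 1 (issuer trust, validity window, revocation), added here as an example and not code from the article or any named project. It assumes a simplified credential dict, a trust registry keyed by credential type, and a revocation list modelled on the W3C Bitstring Status List (base64url of a gzip-compressed bitstring, bit N set meaning credential N is revoked); signature verification is assumed to have happened already, and every uncertain outcome fails closed.

```python
# Added example, not from the article. Assumptions (see lead-in): simplified VC dict,
# status list modelled on the W3C Bitstring Status List, signature already verified.
import base64
import gzip
from datetime import datetime, timezone

# Constructed trust registry: which issuer DIDs may issue which credential type.
TRUSTED_ISSUERS = {"HealthProviderLicense": {"did:example:medboard"}}

def encode_status_list(revoked, size=131072):
    """Build a status list as an issuer would (constructed helper, MSB-first bits)."""
    bits = bytearray(size // 8)
    for i in revoked:
        bits[i // 8] |= 0x80 >> (i % 8)
    return base64.urlsafe_b64encode(gzip.compress(bytes(bits))).rstrip(b"=").decode()

def is_revoked(encoded, index):
    """Read one status bit; an index past the list is an error, not 'not revoked'."""
    raw = gzip.decompress(base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4)))
    if index // 8 >= len(raw):
        raise ValueError("statusListIndex outside the published list")
    return bool(raw[index // 8] & (0x80 >> (index % 8)))

def check_lifecycle(vc, status_lists, now):
    """Return (accepted, reason); every uncertain path fails closed."""
    if vc["issuer"] not in TRUSTED_ISSUERS.get(vc["type"], set()):
        return False, "issuer not trusted for this credential type"
    if datetime.fromisoformat(vc["validFrom"]) > now:
        return False, "not yet valid"
    if datetime.fromisoformat(vc["validUntil"]) <= now:
        return False, "expired"
    status = vc.get("credentialStatus")
    if status is None:
        return False, "no revocation status, cannot confirm credential is live"
    encoded = status_lists.get(status["statusListCredential"])
    if encoded is None:
        return False, "status list unavailable, failing closed"
    try:
        revoked = is_revoked(encoded, int(status["statusListIndex"]))
    except ValueError as exc:
        return False, f"malformed status reference: {exc}"
    return (False, "revoked") if revoked else (True, "valid")

# Constructed sample: the issuer has revoked index 7; this credential is index 42.
STATUS_LISTS = {"https://issuer.example/status/1": encode_status_list({7})}
SAMPLE_VC = {"type": "HealthProviderLicense", "issuer": "did:example:medboard",
             "validFrom": "2024-01-01T00:00:00+00:00", "validUntil": "2026-01-01T00:00:00+00:00",
             "credentialStatus": {"statusListCredential": "https://issuer.example/status/1", "statusListIndex": "42"}}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
```

The point for governance is the ordering: an issuer outside the registry, an unreachable status list, or an out-of-range index all reject the credential rather than silently accepting it.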
Choosing the right stack
Most decentralized identity implementations rely on building blocks like:
- DIDs for unique identifiers not tied to a centralized registry
- Verifiable Credentials (VCs) for portable, tamper-evident proof
- Distributed ledgers like Hyperledger Indy, Sovrin, or Ethereum to anchor trust
But not all stacks are created equal. Some prioritize privacy, while others lean into transparency. CISOs need to assess the trade-offs.
What CISOs should do now
CISOs should start by auditing which business functions still depend on centralized identity systems. These dependencies can create operational bottlenecks and lock-in risks, or limit the ability to interoperate with decentralized identity frameworks.
As your organization explores decentralized identity, evaluate pilot projects with an eye on governance: who can issue or revoke credentials, and how trust gets established across participants.
The standards space is still in motion. Engaging in relevant industry bodies and technical working groups can help you shape emerging governance frameworks while staying ahead of changes that might impact your roadmap.
It’s also important to plan for a hybrid identity environment. Decentralized identity won’t replace traditional systems overnight. Your governance strategy should address how both approaches will coexist, especially in scenarios involving federated access or enterprise directories.
Lastly, make sure legal and compliance teams are part of the conversation. Governance isn’t just a technical issue. In decentralized models, roles and responsibilities can remain murky until something goes wrong. Defining who holds liability under different scenarios is a critical step in making the model viable.
Governance as risk mitigation
Without governance, decentralized identity systems can become fragmented, inconsistent, and insecure. Verifiable credentials that aren’t properly governed can be misused or fail to meet audit requirements. Worse, they can expose your organization to regulatory penalties or reputational harm.
DID technology offers new ways to reduce identity fraud, improve user control, and streamline onboarding. But the promise only pays off if there is a shared understanding of roles, responsibilities, and rules.
According to Nick Kathmann, CISO at LogicGate, “Organizations looking to move towards decentralized identity systems will have a heavier reliance on Identity Management (IDM) solutions to ensure account provisioning, revocation, and authorization grants are as automated as possible.”
This shift away from centralized control brings new architectural considerations. “In decentralized identity systems,” Kathmann explained, “the main factor will be ensuring the management of the identities (Authentication) is automated through an IDM, and that the grants/roles (Authorization) are managed in the IDP itself.” This separation of duties is key to preserving the core benefits of decentralization.
By ensuring that IDMs do not double as centralized gatekeepers, organizations can reduce the risk of a single point of failure. “This keeps the IDM solution from becoming just another centralized identity solution in itself,” Kathmann added, “as attacking the IDM solution would only allow malicious users to revoke or add users in the IDPs, but the newly created accounts won’t have any actual permissions to perform actions.” This layered design helps prevent privilege escalation even in the event of a compromised IDM.
Bottom line
Decentralized identity governance isn’t about removing control. It’s about shifting it from central authorities to distributed stakeholders. For CISOs, that shift requires a new kind of leadership: one that builds trust frameworks across organizations, sectors, and technologies.
The future of identity may be decentralized, but governance can’t be.