Cryptographic key management (CKM) schemes can be used to support identity management (IM) systems where linking users securely to data objects is important. CKM schemes enforce data security by encrypting data granting access only to authorized users and security compromises are prevented by updating any keys that are held by users from whom access rights have been revoked. Handling key updates efficiently and providing security against collusion attacks is challenging in dynamic environments like the Internet where manual Security management increases the likelihood of delayed responses. Delay increases the system's vulnerability to security attacks and the potential of the system's violating its service level agreements. Adaptive CKM has emerged as a possibility of addressing this problem but needs to be designed in a way that justifies the cost/benefit tradeoff. In this paper, we show that the key update and collusion avoidance problems are NP-complete and need heuristic algorithms to prevent performance degradations in comparison to standard CKM schemes. As an example of the benefits of a good heuristic, we present a collusion detection and resolution algorithm whose running time is polynomial in the number of keys. The algorithm operates by mapping the generated key set onto a key graph whose independent set is computed. In the key graph, the vertices represent the keys and the edges the probability that their endpoints can be combined to provoke a collusion attack. Collusion possibilities are resolved by applying a heuristic that resets the probability to zero. The performance of our algorithm is analyzed in comparison to the Akl and Taylor scheme that is secure against collusion attack, and the experimental results indicate that collusion prevention can be done dynamically without affecting performance. Copyright © 2010 John Wiley & Sons, Ltd.