Access control audits fail where authorization evidence is missing

At a glance

What this is: This is an analysis of why access control audits often fail even when IAM, MFA, and IGA are in place, with the central finding that provable authorization evidence is missing.

Why it matters: It matters because IAM teams must now govern not just identity and roles, but auditable, context-aware authorization across human, NHI, and agentic systems.

By the numbers:

• Broken access control has held the number-one spot on the OWASP Top 10 for two consecutive releases.
• In the 2025 edition, every single application tested showed some form of broken access control.
• The Verizon 2025 DBIR found that 22% of breaches began with stolen or compromised credentials.
• 88% of basic web application attacks involved stolen or compromised credentials.

👉 Read Cerbos's full analysis of access control audit blind spots

Context

Authorization is the layer that decides what an identity can do in a specific context, and this article argues that many enterprises still cannot prove those decisions after the fact. That is why audit failures often surface even when identity providers, MFA, and IGA reporting appear healthy on paper.

For IAM and security leaders, the issue is not only compliance documentation. It is whether access decisions are centralized, logged, and reconstructable for human users, service accounts, and AI agents when an auditor, investigator, or board asks for evidence.

Key questions

Q: How should security teams prove who had access to what in a regulated environment?

A: Security teams should prove access with runtime evidence, not just policy documents. That means every sensitive authorization decision needs to record the requesting identity, the resource, the action, the policy version, and the outcome. If the answer requires stitching together logs from several systems, the control is too weak for audit-grade assurance.

Q: Why do access reviews miss real authorization risk?

A: Access reviews often miss risk because they validate role labels instead of actual permissions. A role can be meaningful in one application and misleading in another, while the real entitlements may have drifted far beyond what managers can evaluate quickly. Effective reviews need resource-level visibility and evidence of what the identity can actually do.

Q: What breaks when non-human identities are authorized without oversight?

A: When non-human identities are left on standing privileges, access outlives the task, the owner, and sometimes the vendor relationship. That creates an oversized attack surface and audit trail gaps that are hard to reconcile later. The failure is not just poor inventory, but weak lifecycle governance for machine access.

Q: How should organisations authorize AI agents and service accounts differently from human users?

A: They should use the same governance goal, but a different control shape. Human identity can rely more on session-based assurance, while NHIs and agents need resource-level policies, short-lived credentials, and traceable delegation. The key is to make each request reviewable at runtime, not to infer trust from a persistent role.

Technical breakdown

Scattered authorization logic creates un-auditable access decisions

When authorization lives inside dozens of applications, each system makes access decisions differently and leaves a different logging trail. That makes policy drift inevitable and central review nearly impossible. Externalized authorization moves policy evaluation into a policy decision point, while policy enforcement points in apps, APIs, or proxies apply the result consistently. The architecture matters because it creates one place to test, log, and govern decisions across the stack.

Practical implication: Inventory where access decisions are made and move high-risk systems toward centrally governed policy enforcement.

Proof of enforcement matters more than policy intent

Documented policy is not the same as evidence that a real request was evaluated correctly at runtime. Auditors want to know what happened for a specific resource, action, identity, and policy version, not what the role model says should have happened. A usable authorization record needs decision outcome, request context, and traceability to the exact policy evaluated. Without that, teams reconstruct access from fragments instead of proving it directly.

Practical implication: Ensure every high-value authorization decision produces an auditable record tied to policy version and request context.

Fine-grained authorization is now required for non-human identities and agents

Service accounts, API keys, and AI agents often act with standing or delegated privileges that were never designed for contextual review. Role-based checks alone cannot describe what a machine identity can do on a specific resource at a specific moment. Fine-grained, context-aware authorization is the only practical model when the principal is not a person and the action may occur at machine speed across tool chains and delegated requests.

Practical implication: Apply resource-level authorization and logged decisioning to service accounts and agent tool calls, not just to human sessions.

Threat narrative

Attacker objective: The objective is to exploit unprovable authorization so excessive access, misuse, or breach impact cannot be cleanly traced or limited.

1. Entry occurs when long-lived credentials, embedded application logic, or delegated machine identities gain access without a reviewable authorization boundary.
2. Credential access is then hidden behind role labels or scattered code paths, so the real permissions are broader than the visible policy records suggest.
3. Impact follows when an auditor, investigator, or attacker cannot reconstruct who could access which resource, allowing overreach to persist undetected.

Breaches seen in the wild

• Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
• DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Authorization evidence debt is now the core audit problem. Enterprises can often show policy, role design, and IGA output, but they still cannot prove runtime enforcement for a specific request. That gap turns access reviews into evidence reconstruction instead of control validation. The practitioner conclusion is simple: if you cannot prove enforcement, you do not yet have a defensible authorization programme.

Role-centric governance was designed for stable abstractions, not real resource permissions. That assumption fails when a role label no longer describes the actions an identity can actually take across applications, APIs, and data layers. This is why coarse-grained reviews miss over-provisioning and create a false sense of control. The implication is that authorization governance must move from role labels to resource-level entitlement evidence.

Non-human identities are the fastest path from authorization theory to breach reality. Service accounts and API keys are often granted standing privileges at creation and then left outside the normal review cycle. That creates a governance gap where machine identities are more numerous, more persistent, and less visible than humans. Practitioners should treat NHI authorization as a board-level control problem, not an implementation detail.

Identity blast radius: the distance between what a policy says and what an identity can actually reach is the new measure of authorization risk. When access cannot be narrowed, logged, and reconstructed per request, the blast radius expands invisibly across human, NHI, and agentic workflows. This is the control concept auditors are already testing, even when they do not use that name. The practitioner conclusion is to shrink the reachable set, not just document the intended one.

AI agents make the authorization gap harder because speed and delegation compress reviewability. The article points to agentic systems as the next blind spot, and that matters because authorization requests can be generated, chained, and executed faster than human review cycles can observe. That does not replace human IAM or NHI governance, it exposes where both were already too slow. The implication is that teams must redesign authorization for runtime decisioning before agent deployments scale.

From our research:

• 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
• Only 5.7% of organisations have full visibility into their service accounts, which is why access evidence remains difficult to produce at audit time.
• That visibility gap is explored further in NHI Lifecycle Management Guide, where lifecycle governance is framed as the practical control plane for provisioning, rotation, and offboarding.

What this signals

Identity blast radius: access governance is now about limiting the set of actions an identity can prove it is allowed to perform, not just listing the roles it holds. As authorization moves closer to runtime enforcement, teams will need more than IGA reports to satisfy auditors and investigators.

The programme signal is clear: service accounts, API keys, and AI agents should be treated as first-class governed identities, because their access paths are often broader and less visible than human users. With 97% of NHIs carrying excessive privileges, the operational question is whether your controls can narrow and evidence that blast radius before an incident or review forces the issue.

For practitioners

• Inventory where authorization decisions actually occur Map each sensitive application, API, and data layer to the system that makes the access decision, the system that enforces it, and the system that logs it. Prioritise systems where policy is embedded in code or dispersed across multiple components.
• Require proof of enforcement for critical systems For your most sensitive applications, verify that every decision records the requesting identity, resource, action, outcome, policy version, and timestamp. If evidence requires stitching together multiple logs, the control is not yet defensible.
• Rework access reviews around actual entitlements Stop validating only role names. Build reviews that expose resource-level permissions, inherited entitlements, and drift between assigned roles and what the identity can really do.
• Apply the same authorization rigor to NHIs Assign owners, review dates, and minimum-necessary permissions to every service account and API key with access to critical systems. Pair that with short-lived credentials and auditable decision logs for machine identities.
• Design agent authorization before deployment scales For AI agents, define the permitted tools, resources, and escalation boundaries before production use. Every tool invocation should be evaluated by policy, logged, and traceable to the delegation chain that authorized it.

Key takeaways

• Access control audits fail when organisations can document policy but cannot prove enforcement at the point of decision.
• The scale of the problem is already visible in broken access control rankings and credential-driven breach patterns.
• Teams need runtime authorization evidence, resource-level entitlement visibility, and NHI governance that treats machine access as auditable identity, not infrastructure noise.

Key terms

• Externalized Authorization: A model where access decisions are made outside the application and enforced through a shared policy decision point. This separates policy from code, creates a consistent control layer, and makes each decision easier to log, test, and audit across human, NHI, and agentic workloads.
• Policy Enforcement Point: The system component that applies an authorization decision at the moment a request is made. It does not decide whether access is allowed. Instead, it asks a policy engine, receives the decision, and enforces it in-line so the request can be permitted or denied with traceable context.
• Resource-level entitlement: The exact set of actions an identity can perform on a specific resource, such as read, write, invoke, or modify. This is more precise than a role label and is the level at which meaningful access reviews and audit evidence become possible.
• Non-Human Identity: A digital identity used by software rather than a person, including service accounts, API keys, tokens, certificates, workloads, bots, and AI agents. These identities often operate with standing or delegated access, which makes lifecycle control, scope limitation, and auditability essential.

Deepen your knowledge

Authorization evidence, resource-level entitlement visibility, and runtime policy enforcement are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is still proving roles instead of decisions, this course helps close that gap.

This post draws on content published by Cerbos: access control audit blind spots and authorization governance. Read the original.