By NHI Mgmt Group Editorial Team
Published 2025-12-03
Domain: Governance & Risk
Source: Zluri

TL;DR: Cloud exposure, ransomware, phishing, unmanaged privilege, supply chain weakness, and AI-enabled attacks all exploit the same control failures, according to Zluri, while Microsoft Exchange, WannaCry, and Mirai show how quickly access gaps become operational incidents. The real issue is not threat variety, but weak identity governance across human, machine, and system access.


At a glance

What this is: This is a cybersecurity challenges overview that links common attack paths to identity and access failures across cloud, privilege, phishing, supply chain, IoT, and AI risk.

Why it matters: It matters because IAM teams increasingly have to govern human access, machine access, and adjacent automation as one control plane rather than treating these threats as separate security problems.

By the numbers:

👉 Read Zluri's analysis of common cybersecurity challenges and access control gaps


Context

Cybersecurity challenges are often identity challenges in disguise. The article groups cloud compromise, ransomware, phishing, unmanaged privilege, supply chain weakness, serverless exposure, IoT botnets, and AI-enabled attacks under one operational theme: attackers succeed when access, trust, or verification is too broad or too weak.

For IAM and security teams, the useful question is not which threat is newest, but which identity control failed first. That means looking at authentication, privilege scope, access reviews, and lifecycle governance across humans, service accounts, and connected systems rather than treating each attack class as isolated.


Key questions

Q: What breaks when privileged access is not tightly governed in cybersecurity programmes?

A: When privileged access is not tightly governed, attackers and insiders can turn valid permissions into lateral movement, persistence, or sabotage. The problem is not just that access exists. It is that the access scope is broader than the task, the review cycle is too slow, and revocation happens after damage is already possible.

Q: Why do cloud and SaaS environments make identity governance harder to control?

A: Cloud and SaaS environments make identity governance harder because access is distributed across services, admins, APIs, and third-party integrations. That creates more trust edges to verify and more ways for a weak credential or excessive entitlement to become a security incident. Teams need continuous visibility, not periodic assumptions.

Q: What do security teams get wrong about phishing in modern environments?

A: They often treat phishing as a user-awareness problem alone. In practice, phishing succeeds when trust verification is weak, access is broad, and logging is insufficient to catch abnormal use after the first click. The right response combines identity proofing, least privilege, and strong detection.

Q: How should organisations reduce risk from unmanaged access privileges?

A: Organisations should inventory who has elevated access, remove rights that no longer match the role, and recertify high-risk permissions on a fixed cadence. If a privilege cannot be justified operationally, it should not remain available. Access that is not actively governed becomes a standing attack path.


Technical breakdown

Cloud access gaps turn configuration weaknesses into account takeover

Cloud compromise rarely begins with a dramatic platform failure. It usually starts with exposed services, weakly protected admin paths, or credentials that were accepted as valid for too long. In the article's Exchange example, exploited vulnerabilities gave attackers email access, password access, and administrative privileges, then a backdoor preserved access after patching. The core failure is not just vulnerability presence. It is the absence of access constriction, identity hardening, and post-exploit containment that would have limited blast radius even after initial compromise.

Practical implication: segment privileged cloud access, monitor for post-patch persistence, and treat admin credential exposure as an incident, not a configuration issue.

Unmanaged privilege creates the shortest path from valid access to insider harm

The article's insider-risk section shows the classic pattern of over-granted access turning into misuse, carelessness, or abuse. Once a user or partner has broader access than their job requires, the attacker does not need to break in again. They can operate from inside accepted trust boundaries. That is why privilege sprawl is so dangerous in identity programmes. It turns governance failure into an execution path, especially when access is not routinely reviewed, constrained by role, or removed when duties change.

Practical implication: tighten entitlement boundaries and recertify high-risk access before insiders can turn legitimate permissions into lateral movement.

AI attacks amplify existing identity weaknesses rather than replacing them

The article treats AI as an attack multiplier, not a separate control domain. That is the right lens. AI can make phishing more convincing, help attackers identify vulnerabilities faster, and increase the scale and speed of malicious campaigns. But the exploit still lands through identity trust, user deception, or weak security hygiene. For practitioners, the lesson is that AI does not remove the need for core IAM controls. It makes weak verification, poor monitoring, and permissive access far more exploitable.

Practical implication: pair user verification, anomaly detection, and access policy enforcement so AI-assisted attacks cannot rely on human trust alone.


Threat narrative

Attacker objective: The attacker aims to turn a weak access point into sustained operational disruption, credential exposure, or control over connected assets.

  1. Entry occurs through exposed cloud services, phishing lures, default IoT credentials, or leaked access paths that give the attacker a valid foothold.
  2. Escalation follows when excessive privileges, unpatched systems, or weak access controls let the attacker move from entry to admin-level action or botnet control.
  3. Impact arrives as email compromise, ransomware disruption, DDoS activity, persistent backdoors, or broader business interruption across connected systems.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Cybersecurity challenge lists are really identity governance failure maps. The article spans cloud compromise, ransomware, phishing, unmanaged privilege, supply chain risk, and AI-enabled attacks, but the common denominator is access control that no longer matches how systems are actually used. That is why IAM, PAM, and lifecycle governance sit at the centre of the problem, not at the edge of it. Practitioners should read these threats as one control gap with many expressions.

Unmanaged access privilege is the most durable breach condition in the article. Excessive access appears again and again, whether the issue is insider abuse, lateral movement, or attacker persistence after exploitation. That pattern aligns with OWASP-NHI and NIST-CSF thinking, because over-broad access creates reusable leverage long after the original trigger has passed. The practitioner conclusion is that entitlement scope is the control that determines whether incidents stay local or spread.

Default credentials and weak verification show how fast trust collapses when identity is assumed rather than governed. The Mirai example is especially revealing because the devices were not obscure targets. They were widely deployed systems left in a state that made compromise cheap and scalable. This is the kind of visibility and baseline-hygiene problem that identity programmes often miss when they focus only on user accounts. Practitioners should treat unmanaged defaults as part of the identity surface.

AI raises the speed and quality of abuse, but it does not change the underlying security equation. The article's AI section still describes phishing, vulnerability discovery, and malware effectiveness, which means the attacker is using AI to exploit existing trust failures rather than inventing a new one. That is why identity controls, verification, and monitoring remain the primary counterweights. The practitioner implication is to harden trust paths before AI makes them cheaper to abuse.

Cloud, IoT, and AI together form a single governance problem: who or what is trusted, by whom, and for how long. The article unintentionally shows why identity programmes can no longer be organised around only human users. Service access, device access, and machine-mediated execution all create the same operational question around entitlement and revocation. The practitioner conclusion is to govern the full access surface as one programme, not three disconnected ones.

From our research:

What this signals

Identity sprawl is now the common substrate across cloud, device, and AI risk. Teams that still separate user IAM, machine access, and adjacent automation will miss the combined blast radius of weak verification and broad entitlement. The practical shift is toward one governance model for all non-human access, with visibility into who or what is trusted and why.

The visible pattern here is not more threats, but more ways for the same control gaps to be exploited. In our view, that makes entitlement review, access telemetry, and offboarding discipline the first investments to revisit, especially where third-party access and service credentials are involved.

With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security, the governance problem is already bigger than most inventories suggest.


For practitioners

  • Map attack classes to identity controls: Link each major threat type in your environment to the access control that would fail first, including authentication, privilege scope, logging, and offboarding.
  • Review privileged access before it becomes insider risk: Identify employees, contractors, and partners with broad rights that are no longer necessary, then recertify and remove excess privilege on a fixed schedule.
  • Harden cloud and serverless trust paths: Treat exposed cloud services and serverless backends as identity-dependent surfaces, and verify that leaked credentials cannot reach sensitive data without additional checks.
  • Reduce default and shared device credentials: Eliminate unchanged factory usernames and passwords on IoT and connected devices, then inventory those assets so they are covered by the same governance process as other identities.
  • Add AI-aware phishing resilience: Assume that phishing messages may be more convincing and scale faster, so reinforce verification steps, detection signals, and user reporting paths.
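
The privilege review described in the "Key questions" answer on unmanaged access and in the second item of this list, as an added Python example that is not from the Zluri article or from NHI Mgmt Group: it walks a constructed inventory of human and non-human identities, compares each identity's granted entitlements with a hypothetical role baseline, flags high-risk entitlements whose last recertification is older than the cadence, and flags non-human identities that have no named owner. The identity names, roles, entitlement strings, the high-risk set and the 90-day cadence are all assumptions made for the example.

```python
"""Entitlement recertification check (added example; all data constructed)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical role baseline: the entitlements each role is expected to hold.
ROLE_BASELINE = {
    "support-engineer": {"ticketing:read", "ticketing:write"},
    "platform-admin": {"cloud:admin", "ticketing:read"},
    "ci-runner": {"repo:read", "artifact:write"},
}

# Hypothetical set of entitlements that require recertification on a cadence.
HIGH_RISK = {"cloud:admin", "exchange:admin", "artifact:write"}

RECERT_CADENCE_DAYS = 90          # assumed review cadence
TODAY = date(2025, 12, 3)         # fixed reference date so results are stable


@dataclass
class Identity:
    name: str
    kind: str                     # "human" or "non-human"
    role: str
    entitlements: set
    last_recertified: Optional[date]
    owner: Optional[str] = None


@dataclass
class Finding:
    identity: str
    issue: str                    # excess-entitlement | stale-recertification | no-owner
    detail: str


def review(identities, today=TODAY, cadence_days=RECERT_CADENCE_DAYS):
    """Return the governance findings for an inventory of identities."""
    findings = []
    for ident in identities:
        expected = ROLE_BASELINE.get(ident.role, set())

        # 1. Anything granted beyond the role baseline is privilege sprawl.
        for ent in sorted(ident.entitlements - expected):
            findings.append(Finding(ident.name, "excess-entitlement",
                                    f"{ent} not in baseline for role {ident.role}"))

        # 2. High-risk entitlements must have been recertified within the cadence.
        high = ident.entitlements & HIGH_RISK
        if high:
            if ident.last_recertified is None:
                findings.append(Finding(ident.name, "stale-recertification",
                                        f"{sorted(high)} never recertified"))
            elif (today - ident.last_recertified).days > cadence_days:
                age = (today - ident.last_recertified).days
                findings.append(Finding(ident.name, "stale-recertification",
                                        f"{sorted(high)} last recertified {age} days ago"))

        # 3. A non-human identity with no owner has nobody to answer the review.
        if ident.kind == "non-human" and not ident.owner:
            findings.append(Finding(ident.name, "no-owner",
                                    "non-human identity has no accountable owner"))
    return findings


def summarize(findings):
    """Count findings by issue type, e.g. for a review dashboard."""
    return dict(Counter(f.issue for f in findings))


# Constructed sample inventory (not real accounts).
SAMPLE_IDENTITIES = [
    Identity("alice", "human", "support-engineer",
             {"ticketing:read", "ticketing:write", "cloud:admin"},
             last_recertified=TODAY - timedelta(days=200), owner="alice"),
    Identity("bob", "human", "platform-admin",
             {"cloud:admin", "ticketing:read"},
             last_recertified=TODAY - timedelta(days=30), owner="bob"),
    Identity("svc-ci-runner", "non-human", "ci-runner",
             {"repo:read", "artifact:write"},
             last_recertified=None, owner=None),
    Identity("svc-legacy-backup", "non-human", "ci-runner",
             {"repo:read", "exchange:admin"},
             last_recertified=TODAY - timedelta(days=45), owner="ops-team"),
]

if __name__ == "__main__":
    for f in review(SAMPLE_IDENTITIES):
        print(f"{f.identity:20} {f.issue:24} {f.detail}")
    print(summarize(review(SAMPLE_IDENTITIES)))
```

Run on the sample inventory, the check reports two excess entitlements (alice's cloud:admin and the backup service's exchange:admin), two stale recertifications, and one ownerless non-human identity; bob, whose rights match the role baseline and were reviewed within the cadence, produces no finding. The same three checks apply unchanged to service accounts and human users, which is the point of governing both in one programme.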

Key takeaways

  • The article shows that cloud compromise, ransomware, phishing, IoT abuse, and AI-enabled attacks all succeed when identity controls fail first.
  • The strongest evidence in the article is that poor patching, default credentials, and excessive access can each scale a local weakness into a broad incident.
  • IAM and PAM teams should treat privilege review, access visibility, and verification as shared controls across human, machine, and connected-device risk.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Relevant to unmanaged credentials and overbroad non-human access.
NIST CSF 2.0 | PR.AC-4 | Access privileges and least privilege are central to the article's risk patterns.
NIST Zero Trust (SP 800-207) | AC-3 | The article's trust and verification gaps align with continuous access evaluation.

Map privileged access to PR.AC-4 and recertify high-risk entitlements on a fixed cadence.


Key terms

  • Non-Human Identity: A non-human identity is any digital identity used by software, services, devices, or automated processes rather than a person. It includes service accounts, API keys, tokens, certificates, bots, workloads, and AI agents when they are acting in systems. Governance focuses on ownership, scope, rotation, and revocation.
  • Privilege Sprawl: Privilege sprawl is the gradual accumulation of permissions beyond what an identity needs to do its job. In practice, it creates reusable access that attackers and insiders can exploit for lateral movement or persistence. The risk grows when review, recertification, and removal processes lag behind operational change.
  • Identity Surface: The identity surface is the full set of accounts, credentials, integrations, devices, and trust relationships that can be used to access systems and data. It is broader than the user directory because it includes machine access and third-party connections. Managing it well means reducing exposure, not only strengthening login controls.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: Security & Compliance Top 8 Challenges of Cyber Security & How to Address Them. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org