By NHI Mgmt Group Editorial TeamDomain: Governance & RiskSource: SoffidPublished November 20, 2025

TL;DR: A Zscaler study cited in the article says 96% of IT leaders believe their security is strong even as serious attacks keep rising, underscoring a persistent gap between perception and control maturity. The practical issue is not tooling volume, but whether identity, privileged access, and recertification actually constrain real attack paths.


At a glance

What this is: The article argues that enterprise cybersecurity problems are increasingly identity-led, with IAM, SSO, MFA, IGA, and PAM framed as the main controls for reducing attack exposure.

Why it matters: This matters because practitioners responsible for human identity, NHI, and privileged access all face the same failure mode: fragmented access governance that leaves attackers room to move.

By the numbers:

👉 Read Soffid's article on four enterprise IAM challenges and how it frames them


Context

Enterprise IAM fails when organisations treat identity as an access convenience layer instead of a control plane. In the article's framing, the real problem is not the number of users or systems, but the mismatch between access complexity, privilege scope, and the organisation's ability to verify, recertify, and contain that access.

The article points to a familiar pattern in enterprise security: fragmented access governance creates blind spots across human users, third parties, privileged accounts, and service access. That is why IAM, IGA, PAM, SSO, and MFA are presented together rather than as separate silos. For identity teams, the message is that control cohesion matters more than isolated point fixes.


Key questions

Q: How should security teams reduce enterprise risk with IAM, IGA, and PAM together?

A: Security teams should treat IAM, IGA, and PAM as one governance system, not separate projects. IAM establishes who can authenticate, IGA defines what access should exist, and PAM controls high-risk elevation. The practical goal is to make every access path visible, reviewable, and revocable from a single identity governance model.

Q: Why do SSO and MFA not solve identity risk on their own?

A: SSO and MFA reduce credential abuse, but they do not decide whether a user or account should have access after authentication. If permissions are overbroad, stale, or unreviewed, a valid login still gives an attacker too much reach. That is why access design and recertification must sit alongside authentication.

Q: What breaks when privileged access is not governed separately?

A: When privileged access is treated like ordinary access, the organisation loses control over blast radius. Elevated credentials become harder to audit, easier to persist, and more damaging if misused. Separate governance is needed because privileged identities can affect core systems, data, and recovery paths in a single session.

Q: How do organisations know whether access review is actually working?

A: Access review is working only when it removes unused permissions, clears stale entitlements, and produces evidence that access matches current business need. If reviews only create paperwork, they are not reducing risk. The useful signal is whether revoked access stays revoked across systems, vendors, and privileged workflows.


Technical breakdown

Why fragmented IAM increases attack surface

When identities are spread across disconnected systems, policy decisions become inconsistent and review cycles lose context. IAM, IGA, and PAM only reduce risk when they share authoritative identity data, privilege scope, and revocation processes. Otherwise, access may be granted in one system, reviewed in another, and never actually removed where it matters. That creates a governance gap attackers can exploit through old accounts, over-permissioned users, or third-party access paths.

Practical implication: map identity sources, entitlements, and revocation workflows into a single control view before trying to tighten access.

How SSO and MFA change enterprise access control

Single sign-on reduces password sprawl, while multifactor authentication adds a stronger verification step at login. Neither control solves authorisation by itself, because a valid session still needs least-privilege access downstream. In practice, SSO and MFA are front-door controls, not full governance controls. They lower the chance of credential abuse, but they do not replace role design, access certification, or privileged session oversight.

Practical implication: pair SSO and MFA with least-privilege policy and recurring access review, rather than treating them as the endpoint.

Why privileged access needs separate governance

Privileged accounts are high-impact identities because a single misuse event can affect systems, data, and operational continuity at scale. PAM exists to separate routine access from elevated access and to keep that elevation temporary, auditable, and tightly scoped. In an enterprise setting, the important issue is not only who gets privileged access, but whether the access path is controlled from request to revocation. Without that lifecycle, privileged access becomes a durable exposure instead of a managed exception.

Practical implication: enforce time-bounded privileged sessions and review elevated access as a distinct governance class.


Threat narrative

Attacker objective: The attacker wants to turn weak identity governance into broad internal access that can be monetised, used for data theft, or leveraged for operational disruption.

  1. Entry occurs through phishing, third-party exposure, or another identity-related weakness that gives the attacker a foothold in the enterprise access environment.
  2. Escalation follows when the attacker reaches over-permissioned accounts, weakly governed service access, or privileged credentials that were not tightly scoped or recertified.
  3. Impact comes from using that access to reach sensitive systems, disrupt operations, exfiltrate data, or damage trust in the organisation's security posture.
  • MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity governance is now the control plane for enterprise cyber risk. The article correctly groups IAM, IGA, MFA, SSO, and PAM because attackers do not respect organisational silos. When access is fragmented, governance becomes inconsistent, and the attacker only needs one weak identity path to expand further. The practitioner conclusion is straightforward: if identity is not unified, security is not enforceable.

Enterprise security confidence is often detached from identity reality. The article cites a study showing 96% of IT leaders believe their security is strong, yet serious attacks continue to rise. That pattern aligns with a broader governance problem: organisations frequently measure control presence instead of control effectiveness. The implication is that confidence without access evidence is not a control signal.

Privileged access remains the fastest route from compromise to material impact. PAM matters because elevated credentials compress the time between access and damage. In practical terms, the issue is not only privilege count but privilege persistence, auditability, and revocation discipline. If privileged access is not treated as a separate identity class, the organisation has already widened the blast radius.

Recertification failures are a lifecycle problem, not a policy problem. SOFFID IRC is presented as a continuous validation mechanism, which reflects the real issue: access reviews only matter when they are tied to current business need. Stale approvals, project-based access, and third-party entitlements all accumulate when lifecycle processes are weak. The practitioner conclusion is that governance must prove who still needs access, not simply record who once did.

Identity fragmentation creates hidden risk debt. Risk debt is the accumulation of unreviewed, duplicated, or poorly scoped access across disconnected identity systems. It grows when different teams own different parts of authentication, authorisation, and privileged access. The result is not just complexity, but delayed detection and slower containment. Practitioners should treat consolidation and governance alignment as risk reduction, not mere simplification.

From our research:

What this signals

Identity consolidation is no longer just an operational preference. Teams that keep authentication, recertification, and privileged access in separate systems are extending the time it takes to detect and remove dangerous permissions. The governance signal is clear: access sprawl becomes incident dwell time when identity data is fragmented.

Risk debt is the practical cost of letting identity governance lag behind business change. The more vendors, projects, and privileged workflows an organisation accumulates, the more likely it is that access will outlive its justification. Practitioners should watch for stale approvals, duplicated accounts, and access paths that no longer map to an owner.

With only 5.7% of organisations having full visibility into their service accounts, the same visibility gap that affects NHI governance also weakens human IAM and PAM programmes. The next step is not more tools alone, but better identity ownership, entitlement hygiene, and evidence-driven review cycles.


For practitioners

  • Unify identity sources and entitlement records Create one authoritative view of users, service accounts, third parties, and privileged identities so access can be reviewed against the same data set across IAM, IGA, and PAM.
  • Separate privileged access from standard access Treat elevated accounts as a distinct governance class with time-bounded access, stronger audit requirements, and explicit approval and revocation steps.
  • Tie recertification to live business need Run access reviews against current role, project, and vendor relationship data so dormant permissions are removed when the business context changes.
  • Use MFA and SSO as front-door controls only Keep authentication controls in place, but also enforce least privilege and session-level oversight downstream so authenticated access does not become uncontrolled access.

Key takeaways

  • The article's core message is that enterprise cyber risk is increasingly an identity governance problem, not just a perimeter problem.
  • The evidence points to a confidence gap, with organisations overestimating their security posture while attack volume and impact continue to rise.
  • The most effective response is to unify identity, access, and privileged governance so review, revocation, and audit operate on the same control plane.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4The article centres on identity-based access restriction and governance.
NIST SP 800-53 Rev 5AC-6Least privilege is the main control theme behind the article's IAM recommendations.
NIST Zero Trust (SP 800-207)The article aligns with zero-trust access principles and continuous verification.

Apply zero-trust principles so access is continuously verified rather than assumed after login.


Key terms

  • Identity governance: Identity governance is the set of processes that defines who should have access, who approves it, and how access is reviewed over time. In practice it connects policy, entitlement visibility, recertification, and revocation so access stays aligned with business need.
  • Privileged access management: Privileged access management is the control layer for high-risk accounts that can change systems, data, or security settings. It focuses on reducing standing privilege, limiting elevation to specific tasks, and keeping privileged actions auditable and time bound.
  • Single sign-on: Single sign-on lets a user authenticate once and then access multiple applications without repeated logins. It improves usability, but it does not replace authorisation, least privilege, or lifecycle controls, which must still determine what the authenticated identity may do.
  • Access recertification: Access recertification is the periodic review of existing permissions to confirm they are still required. It is only effective when tied to current role, project, or vendor context, and when revocation actually removes access across connected systems.

What's in the full article

Soffid's full article covers the operational detail this post intentionally leaves for the source:

  • A fuller walkthrough of how the platform positions IAM, IGA, SSO, MFA, ITDR, and PAM as a single operating model.
  • The specific way Soffid describes access unification across cloud and on-premise environments.
  • More detail on recertification, privileged access handling, and continuous validation in day-to-day administration.
  • The vendor's explanation of how it frames identity simplification for enterprise security teams.

👉 Soffid's full post explains the access unification, recertification, and privileged access details behind its IAM approach.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or identity governance programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org