By NHI Mgmt Group Editorial Team
Published 2026-02-10
Domain: Governance & Risk
Source: Delinea

TL;DR: Corporate fraud still thrives where organisations trust employees more than their controls, with ACFE research cited in the source putting annual insider-fraud losses at about 5% of revenue and $1.7 million per case. The lesson is that access review, segregation of duties, and least privilege fail when they are treated as administrative formality rather than enforced governance.


At a glance

What this is: This is a fraud-focused analysis of how insider abuse succeeds when internal controls, access reviews, and segregation of duties are weak or bypassed.

Why it matters: It matters because the same control failures that enable employee fraud also expose broader IAM, PAM, and lifecycle weaknesses across human and non-human access programmes.

By the numbers:

  • Companies lose approximately 5% of annual revenue to insider fraud, with a $1.7M average loss per case.
  • ACFE analyses around 2,000 fraud cases from 130+ countries for its global study on occupational fraud.

👉 Read Delinea's analysis of real-life corporate fraud examples


Context

Insider fraud is a control problem as much as it is a behaviour problem. When trusted employees can create, approve, and conceal transactions within the same system, access governance stops being preventive and becomes forensic.

The primary identity issue here is not external compromise but excessive trust in human accounts. That makes the article relevant to IAM, PAM, access reviews, and segregation of duties, because the same governance failures that let fraud persist also leave room for privilege abuse in other programmes.


Key questions

Q: How should security teams reduce insider fraud risk with IAM controls?

A: Start by separating conflicting duties, then verify that access reviews test real transaction capability rather than just role membership. Limit who can initiate, approve, reconcile, and export inside the same workflow, and recertify those permissions regularly. In practice, least privilege only reduces fraud when it is measured against how business systems are actually used.

Q: Why do user access reviews often fail to stop insider fraud?

A: They fail when reviewers check account lists instead of control combinations. A user can look properly provisioned while still holding the power to create, approve, and conceal improper activity. Access reviews must be tied to workflow authority, exception paths, and evidence of conflicting permissions in the systems where fraud can happen.

Q: What is the difference between segregation of duties and least privilege?

A: Segregation of duties splits risky business tasks across people, while least privilege limits how much access each person has. Both matter, but they solve different problems. SoD prevents one identity from completing and hiding a transaction. Least privilege reduces how far that identity can go if controls fail or trust is misplaced.

Q: Who is accountable when insider fraud happens in a shared business system?

A: Accountability usually sits with the business owner of the process, the IAM or IGA team that governs access, and the control owners who approved the workflow design. If a system lets one person initiate and conceal fraud, accountability also extends to the control model that allowed that combination to exist.


Technical breakdown

Why insider fraud survives weak segregation of duties

Segregation of duties separates initiation, approval, reconciliation, and reporting so no single user can both execute and conceal a fraudulent action. When those boundaries collapse, fraud can be disguised as routine administration, especially in finance and ERP systems. User access reviews matter only if they test whether people can combine conflicting permissions, not just whether accounts exist. The problem is structural: access that looks legitimate on paper can still enable abuse if one identity can move through the entire transaction chain unchecked.

Practical implication: map toxic permission combinations in core business systems and remove any role that can initiate and close the same financial workflow.

How over-trust turns access into concealment

Insider fraud rarely depends on a single dramatic exploit. It usually depends on repeated use of trusted access, weak oversight, and the ability to disguise suspicious activity as valid business operations. That is why user access governance must look at transaction patterns, not just provisioning records. In the retailer example, improper accrual entries turned an error into a cover-up because the controls that should have flagged unusual accounting behaviour were too weak to intervene early.

Practical implication: monitor for behavioural mismatches between a role’s stated purpose and the transactions it actually performs.

Why least privilege reduces the blast radius of internal abuse

Least privilege limits how far an employee can go once trust is misplaced or compromised. In fraud scenarios, that means constraining both financial permissions and supporting access such as reporting, exports, and reconciliation functions. Zero Trust adds the assumption that any identity can become risky, so access should be continuously validated rather than granted on reputation alone. For IAM teams, the value is not theoretical: narrower access makes concealment harder and investigation faster.

Practical implication: combine least privilege with periodic recertification of supporting access, not just primary application roles.


Threat narrative

Attacker objective: siphon funds or conceal financial manipulation long enough to avoid detection and preserve the false record.

  1. Entry occurs through legitimate employee access to finance, accounting, or payment systems rather than external compromise.
  2. Escalation happens when the insider uses weak controls to create secret accounts, misstate entries, or override review points.
  3. Impact follows when fraudulent activity is concealed for long periods, producing financial loss, misstated reporting, and delayed detection.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Trust is not a governance control. Insider fraud persists when organisations confuse familiarity with assurance. The article’s examples show that trusted users can still create hidden accounts, override controls, and falsify records when access governance is weak. That is a failure of control design, not just employee ethics. Practitioners should treat trust as a hypothesis to test, not a substitute for access enforcement.

Standing privilege creates fraud opportunity long before it creates a breach headline. In human identity programmes, the real problem is often not initial access but persistent access that can be reused across many transactions. That pattern aligns directly with NIST CSF and zero-trust thinking: access must be continuously bounded, reviewed, and split across control points. The practitioner conclusion is simple, even if the implementation is not: remove the ability for one identity to both act and hide.

Application Access Governance is the missing control layer in many finance-driven insider cases. The retailer and municipality examples both show that access reviews are ineffective when they do not examine transaction authority, reconciliation rights, and exception paths together. This is where access governance becomes operational rather than administrative. If a role can initiate, approve, and reconcile within the same workflow, the organisation has created a fraud-ready identity pattern.

Least privilege only works when it is measured against real business workflows. A role that looks minimal in a provisioning table can still carry dangerous compound authority in ERP, CRM, or HCM systems. The article reinforces a classic failure mode: organisations audit accounts instead of auditing what those accounts can combine. Practitioners should reframe access governance around transaction boundaries, not just entitlement counts.

Fraud control is lifecycle governance, not a one-time access decision. Access reviews, SoD, and provisioning are only effective when they are re-run as roles, duties, and business relationships change. That assumption holds for human identities today, but it also matters wherever delegated or service-style access can influence financial systems. The broader lesson is that lifecycle discipline is what turns identity from a static record into a control surface.

From our research:

  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
  • The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, which is why access governance needs to move beyond account counting.
  • For a broader breach lens, see The 52 NHI breaches Report for repeated patterns of exposed credentials and persistent abuse.

What this signals

Identity governance teams should treat insider fraud controls as part of the same programme that manages privileged access and lifecycle reviews. The operational lesson is that role design, approval boundaries, and reconciliation rights need joint review, because a clean provisioning record can still hide a fraud-ready workflow.

With 72% of organisations reporting or suspecting an NHI breach in our research, the wider governance takeaway is that trust-based access models fail across both human and machine identities. The control pattern is the same: excessive standing access makes abuse easier and detection later.

Privilege blast radius: the next maturity step is to measure how much damage one identity can cause before any anomaly is detected. That shifts the programme from compliance-led recertification toward transaction-led containment, which is where real insider-risk reduction happens.


For practitioners

  • Map toxic permission combinations: identify roles that can initiate, approve, reconcile, and export data within the same business process, then remove those overlaps in core ERP, CRM, and finance systems.
  • Rebuild user access reviews around transactions: review what each identity can actually do in a workflow, not just whether the account exists or the role name looks acceptable on paper.
  • Separate reconciliation from execution: prevent the same user from creating entries, correcting exceptions, and posting final adjustments in any process that affects financial reporting or payment.
  • Add behavioural fraud signals to governance: flag unusual spend patterns, hidden bank accounts, repeated override actions, and unexplained changes in working patterns as identity governance signals, not only finance anomalies.
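The toxic-combination check described in the technical breakdown and in the first two practitioner items above, as an added example that is not from the source article or from Delinea. Role names, capability labels and user assignments are constructed sample data; the point it demonstrates is that each role is narrow on its own, and the violation only appears when roles are flattened per workflow (a capability held in a different workflow does not count).

```python
"""Segregation-of-duties check: flatten roles into per-workflow capabilities
and flag identities that hold a toxic combination inside one workflow.
All data below is constructed for illustration."""
from itertools import chain

# Capabilities granted by each role as (system, workflow, capability).
# Each role alone looks minimal in a provisioning table.
ROLE_CAPABILITIES = {
    "ap_clerk":      {("erp", "payables", "initiate")},
    "ap_supervisor": {("erp", "payables", "approve")},
    "gl_accountant": {("erp", "payables", "reconcile"), ("erp", "ledger", "initiate")},
    "reporting":     {("erp", "payables", "export")},
}

# Toxic combinations: one identity holding all listed capabilities in the same workflow.
TOXIC_RULES = {
    "initiate+approve": {"initiate", "approve"},
    "initiate+reconcile": {"initiate", "reconcile"},
    "approve+reconcile+export": {"approve", "reconcile", "export"},
}

def effective_capabilities(roles, role_caps=ROLE_CAPABILITIES):
    """Map (system, workflow) -> set of capabilities the combined roles grant."""
    per_workflow = {}
    for system, workflow, cap in chain.from_iterable(role_caps.get(r, ()) for r in roles):
        per_workflow.setdefault((system, workflow), set()).add(cap)
    return per_workflow

def sod_violations(user_roles, rules=TOXIC_RULES, role_caps=ROLE_CAPABILITIES):
    """Return {user: [(system, workflow, rule_name), ...]} for every tripped rule."""
    findings = {}
    for user, roles in user_roles.items():
        for (system, workflow), caps in effective_capabilities(roles, role_caps).items():
            for name, required in rules.items():
                if required <= caps:  # all required capabilities present in this workflow
                    findings.setdefault(user, []).append((system, workflow, name))
    return findings

# Constructed assignments: bob and carol trip a rule, alice does not.
USER_ROLES = {
    "alice": ["ap_clerk", "reporting"],
    "bob": ["ap_clerk", "ap_supervisor"],
    "carol": ["gl_accountant", "ap_supervisor", "reporting"],
}

if __name__ == "__main__":
    for user, hits in sorted(sod_violations(USER_ROLES).items()):
        for system, workflow, rule in hits:
            print(f"{user}: {system}/{workflow} violates {rule}")
```

Carol holds "initiate" only in the ledger workflow, so the initiate+reconcile rule does not fire for her even though both capabilities appear in her flattened entitlements; a review that only counts entitlements would miss this distinction in both directions.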

Key takeaways

  • Insider fraud succeeds when organisations mistake trust for control and leave conflicting access paths in place.
  • The source article’s examples show that weak segregation of duties and ineffective access reviews can turn routine accounting access into multi-million-dollar loss.
  • Practitioners should redesign governance around transaction boundaries, not just roles, so one identity cannot initiate and conceal the same action.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework      | Control / Reference | Relevance
NIST CSF 2.0   | PR.AC-4             | Shared permissions and weak role boundaries enabled the fraud cases.
NIST CSF 2.0   | PR.AC-5             | Segregation of duties failures sit at the centre of the article.
NIST SP 800-63 |                     | Useful for identity proofing and lifecycle discipline around account ownership.

Tie account issuance and recertification to verified identity and business ownership.


Key terms

  • Segregation Of Duties: Segregation of duties is the practice of splitting risky work so one identity cannot complete, approve, and conceal the same transaction. In identity governance, it is a core fraud control because it turns single-user access into distributed accountability across business processes.
  • Application Access Governance: Application Access Governance is the discipline of reviewing and enforcing who can do what inside business applications, not just who has an account. It connects entitlements, approvals, and transaction authority so teams can detect access combinations that create fraud or misuse risk.
  • Standing Privilege: Standing privilege is access that remains continuously available instead of being granted only when needed. It increases insider-risk exposure because the same permissions can be reused repeatedly without fresh approval, making misuse easier to hide and harder to contain.
  • Least Privilege: Least privilege means giving each identity only the access required for its current task and nothing more. In practice, it is effective only when mapped to real workflows, because a role that looks small on paper can still carry hidden authority across multiple business steps.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Delinea: Reduce insider risk: Real-life corporate fraud examples. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org