By NHI Mgmt Group Editorial Team
Published 2025-09-25
Domain: Governance & Risk
Source: Zluri

TL;DR: Legacy IAM tools still centre on authentication and perimeter-era access patterns, but modern attackers are stealing credentials, hijacking sessions, and exploiting fragmented identity data to move laterally, according to Zluri and a 2025 Forbes Technology report that puts identity-based attacks at 87% of breaches. Legacy IAM is failing because access control now has to follow identity context, not just validate login events.


At a glance

What this is: This is an analysis of why legacy IAM struggles against identity-centric attacks, with visibility, authorization, and overprovisioning emerging as the main failure points.

Why it matters: It matters because IAM, NHI, and human identity programmes now share the same exposure pattern: stolen credentials and excess access outpace controls that were built for static users and bounded perimeters.

By the numbers:

👉 Read Zluri's analysis of why legacy IAM fails against identity-centric attacks


Context

Legacy IAM was designed for a world of static users, on-prem systems, and clear network boundaries. That model breaks when attackers use stolen credentials, session cookies, and token abuse to appear legitimate while moving across cloud and SaaS environments.

The identity governance problem is broader than authentication alone. Once service accounts, bots, APIs, contractors, and remote users all share the same access fabric, teams need visibility, authorization, and lifecycle control that can follow the identity rather than the network edge.


Key questions

Q: How should security teams reduce risk from identity-centric attacks in legacy IAM environments?

A: Start by treating identity as the enforcement boundary, not the login event. Combine complete identity visibility, contextual authorisation, and lifecycle reconciliation so a stolen credential does not automatically become trusted access. The practical goal is to make replayed identity data harder to use, especially across cloud and SaaS environments where attack paths are wide.

Q: Why do legacy IAM systems struggle with modern cloud access patterns?

A: They were designed for stable users and static perimeters, so they often miss contractors, service accounts, bots, and fragmented entitlements. In cloud environments, that creates blind spots in access review, offboarding, and privilege control. The result is not just weak authentication, but incomplete governance over who can still reach what.

Q: What breaks when access is assigned through broad group-based provisioning?

A: Broad groups over-assign privilege, which means users receive access that exceeds their job need and attackers inherit that excess after compromise. The failure is not only policy drift, but attack amplification. When entitlement scope is too wide, lateral movement and privilege escalation become simpler because the account already carries surplus access.

Q: How do teams know if identity governance is actually closing access gaps?

A: Look for whether offboarding, recertification, and entitlement review remove access across every linked record, not just the primary directory entry. If duplicate identities, stale accounts, or unmanaged service credentials still exist after lifecycle actions, the programme is not closing the gap. True closure means the identity graph is reconciled end to end.


Technical breakdown

Why credential theft defeats authentication-only IAM

Legacy IAM often validates that a credential is correct, then assumes the session is trustworthy. That works only when the credential itself is trustworthy and the surrounding context is stable. Modern identity-centric attacks invert that assumption: phishing, credential stuffing, and session hijacking supply valid tokens or cookies, so the system authenticates an attacker as if they were the real user. Without contextual authorization, behaviour analysis, and risk-based policy checks, the platform cannot distinguish legitimate access from stolen identity reuse.

Practical implication: add contextual authorisation and session-risk checks, not just stronger login gates.
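The "second decision point" described above, as an added example that is not Zluri's or NHI Mgmt Group's code: a post-login authorisation check that treats the credential as already valid and decides from session context alone. The signals, weights and thresholds are assumed policy values for illustration.

```python
from dataclasses import dataclass


@dataclass
class AccessRequest:
    # Signals collected after a successful login; all values are constructed samples
    user: str
    resource: str
    sensitivity: str              # "low" or "high"
    device_managed: bool
    login_country: str
    current_country: str
    minutes_since_login: int
    ip_changed_since_login: bool  # token now presented from a different address


SESSION_MAX_MINUTES = 480  # assumed policy limit on session age


def evaluate(req: AccessRequest) -> tuple[str, list[str]]:
    """Return (decision, reasons) for an already-authenticated request.

    The login gate has been passed, so a replayed cookie or token reaches this
    function looking exactly like the real user; only the surrounding context
    separates the two.
    """
    risk = 0
    reasons = []
    if req.current_country != req.login_country:
        risk += 2
        reasons.append("country changed since login")
    if req.ip_changed_since_login:
        risk += 2
        reasons.append("session token presented from a new IP")
    if not req.device_managed:
        risk += 1
        reasons.append("unmanaged device")
    if req.minutes_since_login > SESSION_MAX_MINUTES:
        risk += 1
        reasons.append("session exceeds maximum age")
    if req.sensitivity == "high":
        risk += 1
        reasons.append("high-sensitivity resource")

    if risk >= 4:
        return "deny", reasons
    if risk >= 2:
        return "step_up", reasons  # re-prove the identity before continuing
    return "allow", reasons
```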

How fragmented identity data creates hidden access paths

When SSO, PAM, and other identity tools store records differently, legacy IAM may synchronise data without truly reconciling it. That creates duplicate or stale identity objects, which means deprovisioning one record does not necessarily remove every access path. In practice, the identity graph becomes incomplete, especially for non-standard identities and hybrid environments. Attackers benefit from those blind spots because orphaned access and mismatched records are harder to detect than active users with clear ownership.

Practical implication: build a reconciled identity inventory so offboarding and review actions apply across all linked records.
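To show why synchronised-but-unreconciled records leave access behind, here is an added example (not code from Zluri or NHI Mgmt Group) that links records from several tools into identity clusters by shared identifiers, then compares a directory-only offboarding against one applied across the whole cluster. The four systems and their records are constructed sample data.

```python
import copy
from collections import defaultdict

# Constructed records from four tools. They share no global id; a record links
# to the others only through whatever identifier it happens to carry.
RECORDS = [
    {"id": "dir:jdoe", "system": "directory", "email": "jdoe@example.com",
     "emp_id": "E100", "entitlements": ["vpn"], "active": True},
    {"id": "sso:jdoe", "system": "sso", "email": "jdoe@example.com",
     "emp_id": None, "entitlements": ["crm", "wiki"], "active": True},
    {"id": "pam:svc-jdoe", "system": "pam", "email": None,
     "emp_id": "E100", "entitlements": ["prod-db-admin"], "active": True},
    {"id": "saas:j.doe", "system": "saas", "email": "j.doe@contractor.example",
     "emp_id": "E100", "entitlements": ["billing-export"], "active": True},
    {"id": "dir:asmith", "system": "directory", "email": "asmith@example.com",
     "emp_id": "E200", "entitlements": ["vpn"], "active": True},
]


def build_identity_graph(records):
    """Group records that share an email or employee id (transitively) into clusters."""
    parent = {r["id"]: r["id"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_key = defaultdict(list)
    for r in records:
        for key in ("email", "emp_id"):
            if r[key]:
                by_key[(key, r[key])].append(r["id"])
    for ids in by_key.values():
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
    clusters = defaultdict(list)
    for r in records:
        clusters[find(r["id"])].append(r)
    return list(clusters.values())


def cluster_of(records, record_id):
    return next(c for c in build_identity_graph(records) if any(r["id"] == record_id for r in c))


def residual_access(records, record_id):
    """Entitlements still reachable through any active record linked to record_id."""
    return sorted((r["id"], e) for r in cluster_of(records, record_id)
                  if r["active"] for e in r["entitlements"])


def offboard(records, record_id, reconciled):
    """Disable one record (directory-only) or every record in its identity cluster."""
    records = copy.deepcopy(records)
    targets = {r["id"] for r in cluster_of(records, record_id)} if reconciled else {record_id}
    for r in records:
        if r["id"] in targets:
            r["active"] = False
    return records
```

The contractor-domain SaaS record is linked only through the employee id and the PAM service account only through the directory entry, so a directory-only offboarding leaves both paths open.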

Why overprovisioned groups expand attack surface

Static, group-based provisioning assigns access by department or broad role rather than by current task, sensitivity, and risk. That simplifies administration, but it also means users often inherit permissions they do not need. In an identity-centric attack, excess privilege becomes the acceleration layer after initial access. Once an attacker lands in an overprovisioned account, lateral movement and privilege escalation become easier because the account already carries more access than the business requirement justified.

Practical implication: shift provisioning from static groups to context-aware entitlement design with tighter least-privilege review.


Threat narrative

Attacker objective: The attacker wants to look legitimate long enough to move laterally, expand access, and reach sensitive systems without triggering the old perimeter-era control model.

  1. Entry begins when attackers obtain valid credentials, tokens, or session cookies through phishing, credential stuffing, or session hijacking, then log in as a legitimate identity.
  2. Escalation follows when the attacker uses fragmented records and overprovisioned access to move laterally, change scope, or reach systems the original user should not have touched.
  3. Impact occurs when the attacker operates undetected inside cloud or SaaS environments, exfiltrates data, or prepares follow-on access while legacy IAM reports the session as valid.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Legacy IAM fails because it was built to authenticate known users, not to govern identity trust after credentials are stolen. That is the core mismatch in identity-centric attacks. Once a password, token, or session cookie is compromised, the old control plane often has no meaningful second decision point. The implication is that identity governance must move from login validation to continuous trust evaluation across the full session.

Authentication without contextual authorisation creates a false sense of control. A system can confirm who logged in and still fail to answer whether that identity should access this application, from this device, in this state. That gap is especially dangerous in cloud and SaaS estates where access paths are many and identity signals are fragmented. Practitioners must treat authorisation as the real enforcement layer, not a post-login courtesy.

Fragmented identity records create entitlement debt. When one identity appears differently across tools, lifecycle actions do not reach every access path, and stale access survives. That is why offboarding, recertification, and entitlement review have to work across the identity graph, not inside one system of record. Practitioners should assume the weak link is reconciliation, not policy wording.

Overprovisioning is no longer a convenience problem; it is an attacker advantage. Static group models put broad access into too many accounts before risk is assessed. That makes lateral movement cheaper the moment an identity is compromised. Practitioners should view least privilege as a runtime entitlement discipline, not a one-time provisioning event.

Identity-centric attack defence now depends on governing humans and machines with the same discipline. Service accounts, bots, APIs, and remote users all inherit the same failure mode when access outlives context. The implication is that identity security programmes must unify visibility, authorisation, and lifecycle governance across human IAM and NHI estates, or attackers will continue to exploit the seams.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which explains why stale identity paths often survive routine administration, according to Ultimate Guide to NHIs.
  • For a broader control lens, see 52 NHI Breaches Analysis for repeated patterns of excess access, poor lifecycle control, and compromised machine identities.

What this signals

Identity blast radius: the useful way to read this topic is as a programme design problem, not a single product gap. When access is granted, reused, and left behind across multiple systems, the practical question becomes how much damage one compromised identity can still reach before lifecycle controls close it down.

With 91.6% of secrets still valid five days after notification, remediation latency is already longer than most teams assume. That means identity governance must be measured in exposure duration, not just in policy presence, because attackers exploit the time between detection and revocation.

Teams should also expect human IAM and NHI controls to converge operationally. Service accounts, bots, and SaaS identities now fail in the same places where human access does: incomplete visibility, stale entitlement, and weak reconciliation. The programme signal to watch is whether offboarding and review actually remove access everywhere it exists.


For practitioners

  • Rebuild identity visibility across the full estate: Inventory users, contractors, service accounts, bots, and APIs in one reconciled view so stale or duplicate records do not hide active access paths. Link identity records to the applications they touch and validate that deprovisioning reaches every connected system.
  • Add contextual authorisation to login events: Do not stop at successful authentication. Evaluate device posture, location anomalies, session risk, and requested resource sensitivity before granting or continuing access, especially in cloud and SaaS environments where credentials can be replayed.
  • Remove broad group-based entitlement defaults: Replace static departmental access with role- and context-aware provisioning. Review high-risk groups first, then tighten access so excess permissions do not become the attacker’s next move after initial compromise.
  • Test offboarding against stale access paths: Verify that removing one account actually revokes every linked entitlement, including duplicate identity records and shadow access in connected tools. A deprovisioning process that leaves one path open is not complete.

Key takeaways

  • Legacy IAM fails most visibly when stolen credentials are treated as legitimate access instead of a governance event.
  • Identity-based breaches now exploit visibility gaps, fragmented records, and overprovisioned access more than perimeter weakness.
  • Practitioners should measure success by how completely they reconcile, authorise, and revoke identity access across the full estate.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
NIST CSF 2.0                     | PR.AC-4             | Identity-based attacks exploit weak access control and session trust.
NIST Zero Trust (SP 800-207)     | SC-1                | Zero Trust requires continuous verification after credentials are accepted.
OWASP Non-Human Identity Top 10  | NHI-03              | Overprivilege and secret exposure drive machine identity abuse patterns.

Treat authenticated sessions as untrusted until policy and risk signals support continued access.


Key terms

  • Identity-centric attack: An identity-centric attack is a compromise path that uses valid credentials, tokens, or sessions instead of breaking technical controls at the network edge. The attacker behaves like a legitimate identity long enough to move laterally, escalate privilege, or exfiltrate data while appearing authorised.
  • Context-aware authorisation: Context-aware authorisation is the practice of deciding access based on more than a correct login. It evaluates signals such as device posture, location, session behaviour, and resource sensitivity so that access can be limited or blocked even when the credential itself is valid.
  • Identity graph: An identity graph is the connected map of users, machines, accounts, entitlements, and linked records across systems. It matters because lifecycle actions only work if they reach every related object, including duplicates, stale identities, and non-human access paths that can otherwise survive revocation.
  • Overprovisioning: Overprovisioning occurs when an identity receives more access than its job, task, or risk profile requires. In practice, it increases attack surface and makes lateral movement easier because a compromised account already carries permissions that the attacker can reuse immediately.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: Access Management Why Legacy IAM Fails Against Modern Identity-Centric Attacks. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org