TL;DR: OWASP Top 10 2025 still centres application flaws, but Nexis argues the real enterprise risk is often identity and governance drift across access, third parties, and configuration, with broken access control and misconfiguration remaining pervasive. The governing assumption that permissions, ownership, and configuration stay aligned over time is no longer valid.
At a glance
What this is: This analysis argues that OWASP Top 10 2025 risks increasingly surface through identity, access, and third-party governance gaps rather than code alone.
Why it matters: It matters because IAM, IGA, PAM, NHI, and security architecture teams need to treat authorization drift and third-party access as core risk drivers, not downstream hygiene issues.
By the numbers:
- OWASP states that 100% of the applications tested were found to have some form of broken access control.
- OWASP states that 100% of the applications tested were found to have some form of misconfiguration.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Nexis' analysis of OWASP Top 10 2025 and the identity reality gap
Context
OWASP Top 10 2025 still frames risk through application security categories, but the article's central claim is that many failures now persist because identity and access are not governed closely enough across modern enterprise ecosystems. For IAM, the key issue is not whether controls exist in principle, but whether authorization, ownership, and third-party access stay aligned as systems change.
That shift matters because identity reality gaps are created by drift. Roles change, service relationships change, configuration changes, and effective permissions often do not keep up. In practice, the article argues that application security only closes part of the exposure unless identity governance, access reviews, and third-party controls are continuous rather than episodic.
Key questions
Q: What breaks when access control is not governed continuously across applications and third parties?
A: Permissions drift away from business intent, ownership becomes unclear, and access that should have expired remains effective. That creates exploitable paths even when the original application logic looks sound. The practical failure is not only unauthorized access but the collapse of accountability across internal teams and external suppliers.
Q: Why do misconfiguration and broken access control keep showing up together in enterprise risk?
A: Because configuration and authorization are increasingly the same thing in practice. Role definitions, attribute mappings, and access rules determine who can do what, so if they drift or are not validated, misconfiguration becomes an access-control failure. Teams need continuous validation against live entitlements, not just design-time approval.
Q: What do security teams get wrong about third-party access in application ecosystems?
A: They often treat supplier access as a procurement issue instead of a revocable identity state. Once a third party can administer systems or integrations, that access must be owned, reviewed, and removed through the same governance process as internal privileged access. Otherwise, supplier trust becomes persistent attack surface.
Q: How should IAM and AppSec teams work together on OWASP Top 10 findings?
A: They should share evidence on effective permissions, ownership, and lifecycle state. AppSec can identify where controls fail, but IAM must confirm whether access is excessive, stale, or inherited from third parties. The useful outcome is a single view of intended access versus actual access.
Technical breakdown
Broken access control and authorization drift
Broken access control happens when enforcement is inconsistent between intended policy and actual permission checks. In enterprise environments, this often emerges as authorization drift, where access accumulates over time, ownership becomes unclear, and third-party relationships outlive the permissions attached to them. The result is not just a coding flaw but a governance failure that creates exploitable paths across systems. OWASP treats this as an application risk, but the article correctly shows that the underlying cause is often identity misalignment at scale.
Practical implication: review entitlement ownership and effective permissions together, not as separate IAM and AppSec tasks.
Security misconfiguration now includes IAM governance artefacts
Security misconfiguration is no longer limited to infrastructure defaults. In the article's framing, IAM documentation, role definitions, attribute mappings, and third-party access rules are configuration artefacts because they directly shape who can do what. When those governance artefacts diverge from effective access, teams get a false sense of compliance. That is why identity security posture management and continuous validation matter: they compare documented intent with real access and highlight deviations before attackers do.
Practical implication: treat IAM documentation as security configuration and verify it continuously against live entitlements.
Third-party access turns supply chain risk into identity risk
Software supply chain failure is often discussed as a code integrity problem, but the article pushes the more useful view that it is also an identity problem. Third parties, service accounts, and pipeline identities can administer applications and integrations, so the trust boundary is not just the dependency graph. If access is not explicitly governed, suppliers inherit broad operational power that is difficult to detect or unwind. That is where contract boundaries become security boundaries in practice.
Practical implication: include third-party and service identity governance in supply chain risk reviews, not only dependency scanning.
Threat narrative
Attacker objective: The attacker aims to exploit governance gaps to perform unauthorized actions using access that should not have remained valid or effective.
- Entry occurs through excessive or unclearly governed access, where authorization drift or misconfiguration gives an actor more reach than intended.
- Escalation follows when over-privileged identities, weak review cycles, or third-party access rules allow the actor to move beyond the original business purpose.
- Impact occurs as broken access control, misconfiguration, or supply-chain trust failures are converted into unauthorized actions, data exposure, or control bypass.
Breaches seen in the wild
- LiteLLM PyPI package breach: a supply chain attack on the LiteLLM PyPI package in which credentials were stolen from users.
- Shai Hulud npm malware campaign: npm malware that exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity reality gap is the more useful framing than broken access control alone: the article shows that modern risk persists when governance intent and effective permissions diverge over time. Access reviews, ownership models, and third-party relationships all age faster than the controls built to manage them. That is why application security findings increasingly become identity governance failures in practice.
Authorization drift is a lifecycle problem, not just a vulnerability class: the article's strongest point is that entitlements accumulate, change owners, and outlive the original use case. This is exactly where recertification and access governance fail when they are periodic instead of continuous. Practitioners should read broken access control as evidence of stale identity decisions, not merely bad code.
Security misconfiguration now includes governance configuration: role definitions, attribute mappings, and third-party access rules are treated as operational configuration because they determine live security posture. The practical implication is that organisations must validate governance artefacts against effective access, especially where internal teams and external suppliers share administration paths.
Third-party access without lifecycle discipline is a structural supply chain weakness: the article makes clear that suppliers and service identities are part of the attack surface when access is not explicitly bounded and reviewed. This is not only a vendor management issue; it is an identity ownership and offboarding problem. Enterprises need to treat external access as revocable security state, not as a contract footnote.
Continuous identity validation is the missing control plane: OWASP categories describe where systems fail, but the deeper enterprise lesson is that static IAM design cannot keep pace with changing roles, integrations, and configuration drift. The field needs a model that compares intended access, effective access, and third-party exposure continuously. Practitioners should align AppSec findings with identity governance evidence, not separate them.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- To extend that governance lens, read 52 NHI Breaches Analysis for the recurring failure patterns that turn identity drift into incidents.
What this signals
Identity reality gap: organisations should expect application security findings to keep surfacing as identity governance failures until entitlement ownership, third-party access, and effective permissions are reviewed as one control set. The practical signal is simple: if your AppSec and IAM teams cannot reconcile live access with documented intent, drift is already part of the attack surface.
The article points toward a programme model where IAM governance becomes a continuous validation layer rather than a periodic control. That means access reviews must be tied to change events, third-party relationship changes, and role redesigns, with evidence captured in a form that security and audit teams can both trust.
With only 5.7% of organisations having full visibility into their service accounts, the broader lesson is that identity blind spots are not edge cases but a structural constraint. Teams that still separate application risk from identity risk will keep remediating symptoms instead of the permission state that makes those symptoms possible.
For practitioners
- Map OWASP findings to identity ownership: Assign every access path, role, and third-party entitlement to an accountable owner, then require that owner to sign off on effective permissions, not just documented intent.
- Treat IAM artefacts as security configurations: Include role definitions, attribute mappings, approval flows, and third-party access rules in the same change-control and validation process used for other security-critical settings.
- Run continuous access reviews on high-risk systems: Prioritise systems with external integrations, privileged roles, or broad function-level permissions, and verify whether access still matches the business relationship that justified it.
- Fold third-party access into supply chain reviews: Review supplier accounts, service identities, and admin paths alongside dependency and build integrity checks so trust does not stop at the code package boundary.
Key takeaways
- OWASP Top 10 2025 is increasingly an identity governance story, because access drift and third-party exposure can turn ordinary application weaknesses into enterprise risk.
- Broken access control and misconfiguration persist because governance artefacts, not just code, drift away from effective permissions over time.
- IAM and AppSec teams need a shared view of ownership, entitlement state, and third-party access if they want to reduce exploitable authorization gaps.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The article's access drift and privilege accumulation map directly to NHI governance failures. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions and least privilege are central to the article's governance argument. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust requires continuous authorization checks across users, systems, and third parties. |
Apply continuous authorization to internal and external identities, not just initial authentication.
Key terms
- Authorization drift: Authorization drift is the gradual mismatch between intended access and real access as roles, ownership, and relationships change. It happens when permissions are not revalidated often enough, leaving stale or excessive access in place. In identity governance terms, drift is the condition that turns design-time approval into runtime risk.
- Identity reality gap: Identity reality gap is the distance between what a governance model says should be true and what effective access actually is. It appears when documented roles, mappings, and approvals no longer reflect live entitlements, especially across third parties and privileged paths. The gap is measured in security exceptions, not intentions.
- Third-party access lifecycle: Third-party access lifecycle is the end-to-end management of access granted to suppliers, contractors, and service partners. It covers approval, scope definition, review, renewal, and revocation. The security problem is not merely granting access, but ensuring that external access expires or changes when the relationship changes.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Nexis: OWASP Top 10 2025 and the Identity Reality Gap. Read the original.
Published by the NHIMG editorial team on 2026-01-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org