TL;DR: Identity failures drove 75% of security incidents in the source analysis, with examples spanning revoked access, missing MFA, over-privileged accounts, and lateral movement across major incidents at Cash App, Change Healthcare, CircleCI, Deloitte, Microsoft, and Snowflake. The pattern is clear: breach containment depends on identity governance, not just perimeter defence.
At a glance
What this is: This is an identity security analysis showing how access mismanagement, missing MFA, and over-privilege turn routine intrusions into major breaches.
Why it matters: It matters because IAM, PAM, and lifecycle controls are often the difference between a contained incident and enterprise-wide lateral movement across human and machine identities.
By the numbers:
- 75% of security incidents were caused by bad actors taking advantage of human errors, specifically errors related to access privileges and identity mismanagement.
- The global average cost of a data breach last year was $4.45 million.
👉 Read Opal Security's analysis of six identity security breach patterns
Context
Identity security problems become breach problems when access is not revoked, privileges are too broad, or authentication controls are inconsistently enforced. In this article, Opal Security argues that many headline incidents begin with identity mismanagement rather than exotic exploits, which is why IAM, PAM, and lifecycle governance remain central to breach prevention.
The core issue is not just whether a user or account can sign in. It is whether access is still valid, scoped tightly enough, and monitored well enough to stop a simple foothold from turning into lateral movement or data theft. That is a familiar failure pattern across both human and non-human identity programmes.
Key questions
Q: How should security teams prevent post-termination access from becoming a breach path?
A: They should make offboarding a verified security control, not a paperwork step. Remove access tokens, administrator entitlements, and application permissions before the leaver process is closed, then confirm revocation through audit logs or access reports. The key is proving that access no longer exists, not assuming HR closure means security closure.
Q: Why does missing MFA still lead to large breaches when organisations have other controls?
A: Missing MFA is dangerous because it lowers the cost of initial entry, but the breach becomes large only when the compromised identity can reach sensitive systems or move laterally. If privileges are broad, the attacker can turn one credential into multiple systems. MFA reduces entry risk, but least privilege determines how far the attacker can go.
Q: What do organisations get wrong about least privilege in real incidents?
A: They often treat least privilege as a policy label instead of an enforced operational state. In practice, accounts still have excessive access, long-lived admin rights, or production permissions that are rarely reviewed. Least privilege only limits incidents when access scope is enforced technically and kept narrow enough to fail safely under compromise.
Q: Who is accountable when over-privileged access leads to data theft?
A: Accountability usually sits with the identity owners who failed to define, enforce, and review the access boundary. That includes IAM teams, application owners, and security leaders responsible for privileged access governance. If a compromised account can still reach production or sensitive data, the control failure is organisational, not just individual.
Technical breakdown
Revoked access gaps and post-termination abuse
When employees, contractors, or administrators leave but their access remains active, the security model collapses at the lifecycle boundary. The problem is not authentication weakness alone, but the continued validity of credentials that should have been removed. In the Cash App example, the attacker did not need a novel exploit, only retained access after termination. That is why joiner-mover-leaver controls and periodic access review matter as much as detection.
Practical implication: treat offboarding as a security control, not an HR task, and make termination-driven revocation a hard control with verification rather than a best-effort workflow.
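The verification step described above, as an added example (not code from Opal Security or NHIMG, and not tied to any real identity provider): it joins a constructed leaver list against a constructed entitlement export and reports every access path that outlived the termination time by more than an allowed latency. The data classes, field names and the one-hour latency budget are assumptions for the example; in practice the export would come from the IdP, PAM tool and secret store. The same check is what the "tighten termination-driven revocation" practitioner item later on the page asks for.

```python
"""Offboarding revocation check (added example, not Opal Security's or NHIMG's code).

Joins a leaver list against an entitlement export and reports every access path
that was revoked late or is still valid, so the leaver ticket closes on evidence
rather than on the assumption that HR closure equals security closure.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Leaver:
    user: str
    terminated_at: datetime


@dataclass(frozen=True)
class Entitlement:
    user: str
    kind: str                       # "group", "admin_role" or "api_token" (assumed scheme)
    name: str
    revoked_at: Optional[datetime]  # None: still valid in the export


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str
    name: str
    still_active: bool
    latency: timedelta              # how long the access outlived termination


# Constructed sample data; users, names and timestamps are invented for the example.
LEAVERS = [
    Leaver("j.doe", datetime(2024, 6, 3, 17, 0, tzinfo=UTC)),
    Leaver("a.smith", datetime(2024, 6, 10, 9, 0, tzinfo=UTC)),
]
ENTITLEMENTS = [
    Entitlement("j.doe", "group", "engineering", datetime(2024, 6, 3, 18, 0, tzinfo=UTC)),
    Entitlement("j.doe", "admin_role", "prod-db-admin", None),
    Entitlement("j.doe", "api_token", "ci-deploy-token", datetime(2024, 6, 8, 12, 0, tzinfo=UTC)),
    Entitlement("a.smith", "group", "finance", datetime(2024, 6, 10, 9, 30, tzinfo=UTC)),
    Entitlement("m.lee", "admin_role", "prod-db-admin", None),   # current staff, not a leaver
]
NOW = datetime(2024, 6, 14, 12, 0, tzinfo=UTC)   # time of the audit run


def audit_offboarding(leavers: List[Leaver], entitlements: List[Entitlement],
                      now: datetime, max_latency: timedelta = timedelta(hours=1)) -> List[Finding]:
    """One Finding per leaver entitlement that was revoked late or not at all."""
    terminated = {lv.user: lv.terminated_at for lv in leavers}
    findings = []
    for ent in entitlements:
        if ent.user not in terminated:
            continue                                  # not a leaver: out of scope here
        t_end = terminated[ent.user]
        if ent.revoked_at is None:
            latency, active = now - t_end, True       # still valid: latency keeps growing
        else:
            latency, active = ent.revoked_at - t_end, False
        if active or latency > max_latency:
            findings.append(Finding(ent.user, ent.kind, ent.name, active, latency))
    # Worst first: still-active access, then the longest revocation latency.
    findings.sort(key=lambda f: (not f.still_active, -f.latency.total_seconds()))
    return findings


def leaver_is_clean(user: str, findings: List[Finding]) -> bool:
    """True only when no access path for the user is still valid: the evidence a
    leaver ticket should require before it closes."""
    return not any(f.user == user and f.still_active for f in findings)


if __name__ == "__main__":
    for f in audit_offboarding(LEAVERS, ENTITLEMENTS, NOW):
        state = "STILL ACTIVE" if f.still_active else "revoked late"
        print(f"{f.user:8} {f.kind:10} {f.name:16} {state:12} +{f.latency}")
```

Two signals come out of the run: the entitlements that are still active (the ticket must not close) and the revocation latency of those that were eventually removed, which is the metric to trend over time.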
Missing MFA and privilege layering
Multi-factor authentication reduces the chance that a stolen password or session can be reused, but it does not by itself contain damage once an attacker is inside. The source article shows that when MFA is absent or unevenly deployed, the real escalation point becomes privilege structure. A low-friction entry point can still become a large incident if the account can reach sensitive systems or move laterally.
Practical implication: do not treat MFA as a standalone control when privilege scope remains broad; pair it with least privilege and segmentation, especially for privileged and acquired environments.
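An audit that puts the two factors of the paragraph side by side, as an added example (not code from Opal Security or NHIMG): each account's MFA state is combined with what its entitlements can reach, so accounts that are cheap to enter and able to reach production or sensitive data sort to the top, and MFA coverage is reported per environment rather than as one enterprise-wide figure. The inventory, the `prod:`/`admin:`/`pii:` entitlement prefixes and the tier names are assumptions for the example.

```python
"""MFA coverage audit weighted by privilege reach (added example, not Opal Security's or NHIMG's code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Entitlement prefixes that count as high-impact reach (assumed naming scheme).
HIGH_IMPACT_PREFIXES = ("prod:", "admin:", "pii:")


@dataclass(frozen=True)
class Account:
    name: str
    environment: str            # e.g. "corp", "subsidiary", "legacy"
    mfa_enforced: bool
    entitlements: FrozenSet[str]


# Constructed inventory; account names and entitlements are invented for the example.
INVENTORY = [
    Account("svc-build", "corp", True, frozenset({"prod:deploy", "repo:read"})),
    Account("r.ng", "corp", True, frozenset({"repo:read", "wiki:edit"})),
    Account("t.ali", "subsidiary", False, frozenset({"prod:db:read", "pii:customers"})),
    Account("legacy-admin", "legacy", False, frozenset({"admin:domain"})),
    Account("p.cho", "subsidiary", False, frozenset({"wiki:edit"})),
    Account("k.ito", "subsidiary", True, frozenset({"repo:read"})),
]


def high_impact_reach(account: Account) -> List[str]:
    """Entitlements that reach production, admin functions or sensitive data."""
    return sorted(e for e in account.entitlements if e.startswith(HIGH_IMPACT_PREFIXES))


def risk_tier(account: Account) -> str:
    """Combine entry cost (MFA present or not) with what the account can reach."""
    reach = high_impact_reach(account)
    if not account.mfa_enforced and reach:
        return "critical"   # cheap entry and a path to production or sensitive data
    if not account.mfa_enforced:
        return "medium"     # cheap entry, limited reach: still a pivot point
    if reach:
        return "review"     # MFA present; scope still deserves least-privilege review
    return "low"


TIER_ORDER = {"critical": 0, "medium": 1, "review": 2, "low": 3}


def prioritise(inventory: List[Account]) -> List[Tuple[str, str, List[str]]]:
    """Accounts ordered by tier, then by how much high-impact reach they have."""
    rows = [(a.name, risk_tier(a), high_impact_reach(a)) for a in inventory]
    rows.sort(key=lambda r: (TIER_ORDER[r[1]], -len(r[2]), r[0]))
    return rows


def mfa_coverage_by_environment(inventory: List[Account]) -> Dict[str, float]:
    """Share of accounts with MFA enforced, per environment; an enterprise-wide
    figure hides the subsidiary or legacy environment that still lacks it."""
    counts = defaultdict(lambda: [0, 0])    # env -> [with_mfa, total]
    for a in inventory:
        counts[a.environment][1] += 1
        if a.mfa_enforced:
            counts[a.environment][0] += 1
    return {env: with_mfa / total for env, (with_mfa, total) in counts.items()}


if __name__ == "__main__":
    for name, tier, reach in prioritise(INVENTORY):
        print(f"{tier:9} {name:14} {', '.join(reach) or '-'}")
    for env, share in sorted(mfa_coverage_by_environment(INVENTORY).items()):
        print(f"MFA coverage {env:11} {share:.0%}")
```

The ordering is the point: the subsidiary and legacy accounts without MFA that can reach production or domain admin come first, while an account without MFA but with no high-impact reach is a lower-priority finding.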
Standing privilege and real-time escalation
Standing privilege is what makes compromise durable. If users or administrators can reach production, sensitive data, or administrative functions without time limits, an attacker inherits that standing access once an account is compromised. The CircleCI and Deloitte examples both show how unrestricted or persistent elevation expands the blast radius. Just-in-time access helps, but only when privilege is actually time-bound and approved at the moment of need.
Practical implication: replace always-on privilege with just-in-time access where production impact is possible, and reduce the duration and scope of any privilege that can reach production or regulated data.
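The contrast the paragraph draws, as an added example (not code from Opal Security, NHIMG, or any company named in the article): an in-memory broker holds both standing and just-in-time grants so the blast radius of a compromised account can be compared at a given instant. Standing grants are reachable whenever the account is; JIT grants only inside a window that someone other than the requester approved and that policy caps. The broker, its method names and the one-hour cap are assumptions for the example.

```python
"""Standing privilege versus just-in-time elevation (added example, not code from
Opal Security, NHIMG, or any company named in the article)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

UTC = timezone.utc


@dataclass(frozen=True)
class Grant:
    account: str
    resource: str
    starts: datetime
    expires: Optional[datetime]   # None models always-on (standing) privilege
    approved_by: Optional[str]

    def active_at(self, at: datetime) -> bool:
        return self.starts <= at and (self.expires is None or at < self.expires)


class PrivilegeBroker:
    def __init__(self, max_duration: timedelta = timedelta(hours=1)):
        self.max_duration = max_duration   # policy cap on any JIT window
        self.grants: List[Grant] = []

    def add_standing(self, account: str, resource: str, at: datetime) -> Grant:
        """Legacy always-on access, kept only to show the contrast."""
        grant = Grant(account, resource, at, None, None)
        self.grants.append(grant)
        return grant

    def request_jit(self, account: str, resource: str, approver: str,
                    at: datetime, duration: timedelta) -> Grant:
        """Time-bound elevation approved by someone else at the moment of need."""
        if approver == account:
            raise ValueError("self-approval is not allowed")
        if duration <= timedelta(0):
            raise ValueError("duration must be positive")
        duration = min(duration, self.max_duration)   # cap the request, never extend it
        grant = Grant(account, resource, at, at + duration, approver)
        self.grants.append(grant)
        return grant

    def revoke(self, grant: Grant, at: datetime) -> None:
        """Early revocation closes the window at `at` but keeps the record for audit."""
        self.grants.remove(grant)
        closed = min(at, grant.expires) if grant.expires else at
        self.grants.append(Grant(grant.account, grant.resource, grant.starts, closed, grant.approved_by))

    def is_authorized(self, account: str, resource: str, at: datetime) -> bool:
        return any(g.account == account and g.resource == resource and g.active_at(at)
                   for g in self.grants)

    def blast_radius(self, account: str, at: datetime) -> Set[str]:
        """Resources an attacker holding this account could reach at time `at`."""
        return {g.resource for g in self.grants if g.account == account and g.active_at(at)}


def demo() -> dict:
    """Two accounts with production access, one standing and one JIT, both
    compromised three hours into the working day (constructed scenario)."""
    t0 = datetime(2024, 6, 3, 9, 0, tzinfo=UTC)
    broker = PrivilegeBroker(max_duration=timedelta(hours=1))
    broker.add_standing("ops-legacy", "prod:database", t0)
    jit = broker.request_jit("ops-jit", "prod:database", approver="lead",
                             at=t0, duration=timedelta(hours=8))   # asked for 8h, capped to 1h
    compromise = t0 + timedelta(hours=3)
    try:
        broker.request_jit("ops-jit", "prod:database", approver="ops-jit",
                           at=t0, duration=timedelta(minutes=15))
        self_approval_blocked = False
    except ValueError:
        self_approval_blocked = True
    return {
        "jit_window_hours": (jit.expires - jit.starts).total_seconds() / 3600,
        "jit_during_task": broker.is_authorized("ops-jit", "prod:database", t0 + timedelta(minutes=30)),
        "legacy_at_compromise": sorted(broker.blast_radius("ops-legacy", compromise)),
        "jit_at_compromise": sorted(broker.blast_radius("ops-jit", compromise)),
        "self_approval_blocked": self_approval_blocked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

Run stand-alone it shows the standing account still reaching the production database at the moment of compromise while the JIT account reaches nothing, which is the whole argument for time-bound privilege in one comparison.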
Threat narrative
Attacker objective: The attacker aims to turn a single identity failure into broad access, data theft, and operational disruption.
- Entry begins with compromised credentials, missing MFA, or retained access after termination.
- Escalation occurs when the compromised identity can impersonate a user or reach privileged systems without time-bound checks.
- Impact follows through lateral movement, production access, and sensitive data exfiltration at scale.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity governance failed here because access validity outlived accountability. The article’s cases show that revocation, review, and privilege scoping are not adjacent controls, they are the breach boundary. When access survives termination or acquisition changes, the attacker does not need sophistication, only time. The practitioner conclusion is that lifecycle enforcement must be treated as a primary defensive layer.
Standing privilege is the real blast-radius multiplier. Missing MFA matters, but the damage grows when compromised identities can reach production, sensitive data, or admin functions without constraint. CircleCI and Deloitte both show that a single compromised account can become a broad enterprise incident when privilege is always on. The practitioner conclusion is that privilege scope, not just login hardness, determines containment.
Identity review cadences are too slow for modern compromise paths. The article repeatedly points to issues that should have been caught earlier by access reviews, but point-in-time checks cannot compensate for weak enforcement between reviews. In practice, this means access governance must operate continuously around high-risk identities. The practitioner conclusion is to reduce the gap between entitlement changes and governance visibility.
Least privilege is a breach-limiting assumption, not a static policy. The source article shows that least privilege only helps when it is actually enforced at the system level and does not rely on good intent or manual discipline. Where privileges remain broad, lateral movement becomes the default outcome after initial access. The practitioner conclusion is that policy language without technical enforcement does not contain incidents.
Identity mismanagement is now a cross-domain problem across human and machine access. The same failure pattern that exposes employees and administrators also applies to service accounts, API keys, and other non-human identities when they are over-privileged or left active too long. That is why governance models need to span human IAM, PAM, and NHI lifecycle control. The practitioner conclusion is to unify access governance across all identity types.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Our research also finds that only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which explains why lifecycle gaps persist.
- For a broader view of breach patterns, see 52 NHI Breaches Analysis for the recurring control failures that turn identity gaps into incidents.
What this signals
Identity governance has to move closer to the event, not just the review cycle. If access reviews happen after the breach path has already played out, they are audit evidence rather than control evidence. Teams should focus on revocation latency, escalation detection, and entitlement drift as operational signals of programme health.
Standing privilege remains the most practical place to reduce blast radius. The article’s breach examples show that a compromised account becomes far more dangerous when it can reach production or administrative systems without friction. The control question is no longer whether privilege exists, but how quickly it can be constrained when risk appears.
For teams aligning identity governance with NIST Cybersecurity Framework 2.0, the issue sits squarely across Protect and Detect. Organisations that can pair tighter entitlement boundaries with continuous monitoring will have a materially better chance of stopping identity-led incidents before they spread.
For practitioners
- Tighten termination-driven revocation: Build a hard offboarding check that confirms user access, tokens, and administrative entitlements are removed before the leaver process closes. Validate the revocation path with audit evidence, not only ticket closure.
- Enforce MFA on acquired and critical systems: Do not rely on enterprise-wide policy statements if subsidiary or legacy environments still accept weaker access paths. Prioritise systems that can reach sensitive data or production workloads.
- Convert standing privilege to just-in-time access: Remove always-on production rights from accounts that only need elevated access intermittently. Require approval and time limits at the moment privilege is needed, especially for admin and release functions.
- Monitor privilege escalation in real time: Instrument alerts for unusual elevation, impersonation, and access to production systems from accounts that do not normally perform those actions. Make escalation telemetry part of identity monitoring, not only endpoint detection.
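The last item, turned into detection logic as an added example (not code from Opal Security or NHIMG): a per-account baseline of (action, environment) pairs is learned from a constructed history, and new events are flagged when they are impersonation, an elevation the account has never performed, or a first touch of production. The JSON event schema, the action names and the rule that the environment is the first segment of the resource name are assumptions for the example; a real deployment would feed it from the IdP and cloud audit logs.

```python
"""Privilege-escalation alerting from identity audit events (added example, not
Opal Security's or NHIMG's code; event schema and action names are invented)."""
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed history: what each account normally does. One JSON object per line.
BASELINE_LOG = """
{"ts": "2024-06-01T09:00:00Z", "account": "r.ng", "action": "read", "resource": "repo:payments"}
{"ts": "2024-06-01T09:05:00Z", "account": "r.ng", "action": "write", "resource": "repo:payments"}
{"ts": "2024-06-01T10:00:00Z", "account": "ops-a", "action": "elevate", "resource": "prod:cluster"}
{"ts": "2024-06-01T10:01:00Z", "account": "ops-a", "action": "deploy", "resource": "prod:cluster"}
{"ts": "2024-06-02T11:00:00Z", "account": "svc-report", "action": "read", "resource": "staging:db"}
"""

# Constructed new events to score against that baseline.
NEW_LOG = """
{"ts": "2024-06-10T02:13:00Z", "account": "r.ng", "action": "elevate", "resource": "prod:cluster"}
{"ts": "2024-06-10T02:14:00Z", "account": "r.ng", "action": "read", "resource": "prod:db"}
{"ts": "2024-06-10T08:00:00Z", "account": "ops-a", "action": "elevate", "resource": "prod:cluster"}
{"ts": "2024-06-10T08:30:00Z", "account": "svc-report", "action": "impersonate", "resource": "user:cfo"}
{"ts": "2024-06-10T09:00:00Z", "account": "svc-report", "action": "read", "resource": "staging:db"}
"""

# Actions that raise an account's privilege (assumed names).
ELEVATING_ACTIONS = {"elevate", "assume_role", "grant_admin"}


def parse_events(log: str) -> List[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in log.strip().splitlines() if line.strip()]


def environment(resource: str) -> str:
    """'prod:db' -> 'prod'; the environment is the first resource segment (assumed scheme)."""
    return resource.split(":", 1)[0]


def build_baseline(events: List[dict]) -> Dict[str, Set[Tuple[str, str]]]:
    """Per account, the (action, environment) pairs seen in the history window."""
    seen: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for e in events:
        seen[e["account"]].add((e["action"], environment(e["resource"])))
    return seen


def detect(events: List[dict], baseline: Dict[str, Set[Tuple[str, str]]]) -> List[Tuple[str, str, str]]:
    """Return (ts, account, reason) alerts. The baseline is deliberately not
    updated while scoring, so a burst of new behaviour alerts on every step."""
    alerts = []
    for e in events:
        acct, action, env = e["account"], e["action"], environment(e["resource"])
        history = baseline.get(acct, set())
        touched_prod = any(h_env == "prod" for _, h_env in history)
        if action == "impersonate":
            alerts.append((e["ts"], acct, "impersonation"))          # always worth a look
        elif action in ELEVATING_ACTIONS and (action, env) not in history:
            alerts.append((e["ts"], acct, "unusual elevation"))      # never elevated here before
        elif env == "prod" and not touched_prod:
            alerts.append((e["ts"], acct, "first production access"))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse_events(BASELINE_LOG))
    for ts, acct, reason in detect(parse_events(NEW_LOG), baseline):
        print(f"{ts} {acct:12} {reason}")
```

The operations account that elevates into production every day produces no alert, while the developer account elevating into production at 02:13 and the reporting service impersonating a user both do: the signal is deviation from each identity's own baseline, not the action in isolation.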
Key takeaways
- The article’s central lesson is that most major breaches become severe only after identity controls fail at the lifecycle, authentication, or privilege layer.
- The evidence is broad enough to matter to programme design, not just incident review, because the same pattern appears in termination gaps, missing MFA, and standing privilege.
- The practical response is to make revocation, least privilege, and escalation monitoring continuous controls rather than periodic governance activities.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-1 | Identity verification failures are a recurring breach entry point in the article. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access boundaries are central to the breach scenarios. |
| NIST CSF 2.0 | DE.CM-8 | Continuous monitoring is needed to catch escalation and unusual identity activity. |
Strengthen authentication and account assurance for privileged and high-impact identities.
Key terms
- Standing Privilege: Standing privilege is access that remains continuously available instead of being issued only when needed. It becomes a major breach amplifier because any compromise of the identity also inherits the permanent access path, including production, administrative, or sensitive-data permissions.
- Just-in-Time Access: Just-in-time access is a time-bound access model where elevated permissions are granted only for the duration of a task. It reduces the value of compromised credentials by shrinking the window in which an attacker can use them, especially for administrative and production systems.
- Access Review: Access review is the process of checking whether an identity still needs the permissions it has been granted. In practice, it only works when changes are enforced quickly, because point-in-time reviews cannot contain a compromised identity that already has active, excessive, or outdated access.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Opal Security: Six Degrees of Identity Security Issues. Read the original.
Published by the NHIMG editorial team on 2024-07-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org