By NHI Mgmt Group Editorial Team
Published 2026-02-12
Domain: Governance & Risk
Source: Hydden

TL;DR: Telecom rules such as the UK Telecommunications Security Act, NIS2, and Australia’s SOCI framework now require temporary privileged access, continuous monitoring, and full supplier visibility, yet many IAM and PAM programmes still cover only part of the environment, according to Hydden. The real compliance gap is not policy wording but incomplete identity discovery across legacy systems, cloud, and third parties.


At a glance

What this is: Telecom regulation is shifting identity security from guidance to enforceable mandates, and the article argues that incomplete visibility is the main barrier to compliance.

Why it matters: IAM, NHI, and PAM teams must now govern access across legacy, cloud, and supplier estates, or they will not be able to prove control over security-critical functions.

By the numbers:

  • Traditional Identity Governance and Administration tools typically see only 20-30% of actual access due to limited connectors.



Context

Telecom security regulation now treats identity as part of operational resilience, not just an IT control. The UK Telecommunications Security Act, NIS2, and Australia’s SOCI regime all expect organisations to prove who has access, why they have it, and how that access is monitored across complex infrastructure.

That expectation collides with telecom reality. Legacy platforms, network devices, cloud services, development tools, and third-party access paths are often managed outside traditional IGA and PAM coverage, which leaves compliance teams unable to show complete control over security-critical functions.


Key questions

Q: How should telecom security teams govern privileged access across legacy and cloud environments?

A: They should start with discovery, not policy. Telecom environments often mix legacy systems, network equipment, cloud platforms, and supplier access, so privileged governance only works when teams can inventory every account, map indirect privilege paths, and prove that temporary access is actually temporary across all those systems.

Q: Why do telecom regulations expose gaps in traditional IAM and PAM programmes?

A: Because these programmes often depend on connectors and known accounts, while telecom operations contain many identities outside standard coverage. When IGA sees only part of the estate, and PAM only manages the accounts it knows about, regulators will still see an incomplete control picture.

Q: What breaks when third-party access is not included in identity governance?

A: Auditability breaks first, followed by containment. Supplier accounts can remain active across multiple systems without clear ownership, which makes it difficult to prove who authorised access, whether it was still needed, and whether privileged activity was monitored throughout the relationship.

Q: Who is accountable when telecom access controls fail regulatory scrutiny?

A: Accountability sits with the organisation that must demonstrate control, even when access is operated by suppliers or managed service partners. Regulators expect evidence of ownership, monitoring, and review, so delegating access does not delegate responsibility for proving that access was governed.


Technical breakdown

Security-critical functions and assumed compromise in telecoms

Telecom regulation now focuses on assets whose compromise would affect network operations, often described as security-critical functions or network oversight functions. The operational model behind these rules is assumed compromise: organisations should behave as if some access paths are already under hostile observation. That changes identity security from periodic certification to continuous control over who can reach the most sensitive parts of the network, and how quickly that access can be found, reviewed, and revoked.

Practical implication: classify security-critical functions first, then map every identity path that can reach them before you design control coverage.

Why IGA and PAM miss telecom access paths

Traditional IGA is connector-dependent, so it often sees only the systems that fit neatly into directory-based governance. PAM is stronger on known privileged accounts, but it still depends on knowing which accounts exist, where they live, and how privilege is obtained indirectly through groups, local credentials, or embedded service accounts. In telecom environments, that leaves large blind spots across network equipment, legacy systems, SaaS, and third-party operations.

Practical implication: treat discovery as the prerequisite control, not an optional inventory project.

Third-party access, audit trails, and continuous monitoring

Telecom regulation increasingly assumes that supplier access is part of the attack surface, not a separate governance problem. That means access logs, approval records, shared responsibility evidence, and monitoring of vendor activity must be available across systems that suppliers touch, including environments they do not administer directly. Continuous monitoring matters because point-in-time reviews cannot show whether a third party has drifted into standing access or unmanaged privilege.

Practical implication: extend monitoring and audit evidence to supplier access paths, not only to employee accounts.


Threat narrative

Attacker objective: The attacker seeks persistent access to telecom control planes, supplier pathways, or network oversight functions without being detected or certified out of the environment.

  1. Entry occurs through identity paths that are not covered by standard governance tooling, including unmanaged privileged accounts, supplier access, or embedded credentials inside telecom systems.
  2. Escalation happens when standing privilege, local admin rights, or indirect trust relationships are used to reach security-critical functions without timely review.
  3. Impact is achieved when attackers or unauthorised parties maintain covert access to network oversight functions, supplier environments, or regulated telecom infrastructure.



NHI Mgmt Group analysis

Telecom compliance is now an identity visibility problem before it is a policy problem. The article shows that the UK TSA, NIS2, and SOCI all converge on the same expectation: prove control over every access path that can touch critical infrastructure. Traditional IAM programmes fail here when they cannot see legacy, network, cloud, and supplier identities together. The practical conclusion is that compliance readiness starts with discovery, not with certification campaigns.

Discovery gaps create a governance gap that PAM alone cannot close. PAM controls privileged sessions well only after the accounts are known and in scope. In telecom environments, many of the highest-risk identities live outside standard connector coverage, including local accounts, embedded service accounts, and vendor-held access. That means the control failure is not insufficient session logging, but incomplete account inventory and incomplete privilege mapping.

Assumed compromise is the right operating model for telecom identity security. The TSA’s wording is important because it shifts the baseline from trust and review to continuous skepticism. If oversight functions may already be compromised, then periodic access reviews are too slow unless they are fed by real-time identity intelligence. The implication for practitioners is to rebuild governance around continuous visibility and short-lived privilege, not around static entitlement lists.

Supplier access is part of the regulated identity perimeter. Telecom organisations often still treat third-party access as a contract issue or an audit exception. The article shows that regulators do not. Supplier access must be logged, bounded, segregated, and auditable across the systems suppliers actually touch. Practitioners should therefore design third-party governance as a first-class identity domain, not a side workflow.

Identity governance in telecom now depends on proving control over the unknown. The most important shift in this article is that compliance no longer rewards partial visibility. If your tools only see part of the environment, your governance claims are incomplete by definition. That makes identity intelligence, not just policy, the deciding factor in whether telecom security programmes can satisfy modern regulation.

From our research: what this signals

The deeper lesson for telecom programmes is that governance now fails at the boundary between what tools can see and what regulators expect you to prove. With 70% of organisations granting AI systems more access than human employees, the wider industry is already normalising access asymmetry, which makes rigorous identity scoping even harder to defend across hybrid estates.

Identity perimeter drift: telecom teams should expect the regulated perimeter to keep expanding from core infrastructure into supplier pathways, network appliances, and cloud control planes. That means discovery, certification, and monitoring must be designed as a single operating model, not separate towers of work.

Programmes that still rely on partial connector coverage will struggle to evidence assumed compromise, because the control gap is not theoretical. The practical response is to align telecom identity governance with continuous inventory, short-lived privilege, and audit-ready supplier access records before the next compliance cycle.


For practitioners

  • Map security-critical functions first: Identify the telecom systems, network components, and oversight functions whose compromise would materially affect operations. Use that inventory to scope identity discovery, access reviews, and privileged control coverage before you expand into lower-risk systems.
  • Close the discovery gap before expanding PAM: Inventory local accounts, embedded service credentials, vendor accounts, and non-directory identities across legacy, cloud, and network platforms. Feed that inventory into PAM and IGA so reviews are based on actual access rather than connector coverage.
  • Treat supplier access as regulated access: Require documented responsibility boundaries, separate management environments, and auditable access records for every third party with telecom access. Monitor those identities continuously, because supplier paths often drift into standing privilege without formal offboarding.

Key takeaways

  • Telecom regulation now turns incomplete identity visibility into a compliance risk, not just an operational weakness.
  • Traditional IGA and PAM often miss the very accounts, devices, and supplier paths that telecom regulators expect to be governed.
  • The control model that fits modern telecom is discovery first, continuous monitoring second, and short-lived privileged access throughout.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework (control / reference): relevance

  • NIST CSF 2.0 (PR.AC-4): Telecom identity governance depends on managing access authorisations across the full estate.
  • NIST Zero Trust (SP 800-207): Assumed compromise and continuous verification align with telecom regulatory expectations.
  • OWASP Non-Human Identity Top 10 (NHI-03): Unmanaged privileged accounts and weak rotation are common telecom identity control failures.

Inventory and govern all non-human identities, especially service and privileged accounts.


Key terms

  • Security-critical function: A security-critical function is an identity-controlled capability whose compromise would materially affect operations, resilience, or oversight. In telecom, these functions often sit across network, supplier, and cloud environments, which means governance must cover every access path, not just the obvious privileged accounts.
  • Assumed compromise: Assumed compromise is an operating model that treats sensitive access paths as potentially observed or already breached. It pushes teams toward continuous verification, stronger visibility, and rapid revocation, because periodic reviews alone cannot prove that covert access has been removed.
  • Identity discovery: Identity discovery is the process of finding and classifying all accounts, credentials, and access paths across an environment. It is the prerequisite for governance in complex estates because you cannot certify, monitor, or revoke identities you have not discovered first.
  • Supplier access governance: Supplier access governance is the set of controls used to bound, monitor, and evidence third-party access to systems and data. It extends beyond contracts to include inventory, segmentation, logging, and revocation, because outsourcing administration does not outsource accountability.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Hydden: telecom security regulation and the identity governance gaps it exposes. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org