TL;DR: Legacy infrastructure does not have to be fully replaced to support digital transformation, but integration choices such as APIs, service layers, and data access layers create their own maintenance and security trade-offs, according to Seamfix. The governance challenge is less about wholesale replacement and more about controlling obsolete components, integration points, and exposure created by mixed estates.
NHIMG editorial — based on content published by Seamfix: legacy system integration and digital transformation
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 73% of vaults are misconfigured, leading to unauthorised access and exposure of sensitive data.
Questions worth separating out
Q: What breaks when identity governance cannot reach legacy and core systems?
A: Access reviews, entitlement discovery, and compliance evidence all become partial.
Q: Why do legacy modernisation projects create identity and access risk?
A: They create risk because each new integration point adds another trust relationship that must be authenticated, authorised, logged, and reviewed.
Q: What do security teams get wrong about API-based integration?
A: They often treat APIs as a technical convenience instead of an access boundary.
Practitioner guidance
- Map every legacy integration path Document each API, middleware layer, and data access layer that connects old and new systems, then identify which identities, tokens, and service accounts use them.
- Classify integration layers as privileged systems Apply the same change control, logging, and monitoring expectations to service layers as you would to administrative tools.
- Review NHI access tied to modernisation projects Look for service accounts, automation tokens, and application credentials created to support hybrid estates, then set an owner and lifecycle review date for each one.
What's in the full article
Seamfix's full article covers the operational detail this post intentionally leaves for the source:
- Practical examples of how to use APIs, service layers, and data access layers to connect legacy systems without a full rebuild.
- The article's discussion of obsolete code and integration points that can affect maintenance planning and system design choices.
- Additional context on why some components should be replaced rather than continually adapted in place.
- Seamfix's broader explanation of how its approach fits into a digital transformation programme.
👉 Read Seamfix's analysis of legacy system integration for digital transformation →
Legacy integration gaps: what security teams should plan for now?
Explore further
Legacy modernisation is really a trust re-architecture problem. The article frames integration as a practical alternative to full replacement, but the deeper issue is that every bridge from old to new systems creates a new trust boundary. That boundary must account for authentication, privilege, and data handling across mixed estates. For identity programmes, the important lesson is that modernisation should be governed as a change in access model, not only as a software refresh.
A question worth separating out:
Q: How should organisations govern middleware in hybrid estates?
A: They should govern middleware as a privileged component with owners, logs, review dates, and explicit retirement criteria. Middleware often translates data and brokers access between systems, so it can quietly expand blast radius if its credentials, permissions, or transformation rules are not tightly controlled.
👉 Read our full editorial: Legacy system integration is the real test of digital transformation