
Authn and authz are diverging under modern IAM pressure


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7536
Topic starter  

TL;DR: Authentication and authorization are the two core controls that determine who a system accepts and what that identity can do, and Opal Security uses a Deloitte breach to show how weak password-only access and overbroad permissions can cascade into enterprise-wide compromise. The lesson is that IAM programmes fail when verification and privilege governance are treated as separate problems instead of one control plane.

NHIMG editorial — based on content published by Opal Security: Authn and Authz: Two Sides of the IAM Coin

Questions worth separating out

Q: How should security teams balance authentication strength and authorization scope?

A: Security teams should treat authentication and authorization as one decision chain.

Q: Why do privileged accounts create such large breach impact?

A: Privileged accounts often sit at the intersection of identity, administration, and internal connectivity.

Q: What do security teams get wrong about MFA and access control?

A: Teams often assume MFA solves the access problem by itself.

Practitioner guidance

  • Strengthen privileged authentication: Require phishing-resistant factors for all administrative and high-value accounts, and remove password-only access wherever a compromise would expose internal systems or data.
  • Reduce administrative blast radius: Rebuild privileged roles so no single administrator account can reach broad internal assets by default.
  • Tie authorization to job function: Review whether role assignments reflect current operational need or historical convenience.
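To make "one decision chain" concrete, here is an added Python example (not code from the Opal Security article or from NHIMG): a single policy function that evaluates authorization scope, then authentication strength, then blast radius for each request. The resource tiers, role names, factor names, and the rule that a wildcard grant never reaches a privileged asset are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

class Factor(Enum):
    PASSWORD = "password"
    TOTP = "totp"
    FIDO2 = "fido2"          # hardware-bound, phishing-resistant

PHISHING_RESISTANT = frozenset({Factor.FIDO2})

# Constructed inventory: "privileged" marks assets whose compromise
# would expose internal systems or data (assumed values).
RESOURCE_TIER = {
    "wiki": "standard",
    "hr-db": "privileged",
    "admin-console": "privileged",
}

@dataclass(frozen=True)
class Session:
    principal: str
    factors: frozenset        # factors satisfied at login

@dataclass(frozen=True)
class Role:
    name: str
    grants: frozenset         # "<resource>:<action>", "<resource>:*" or "*:*"

def role_grants(role: Role, resource: str, action: str) -> Optional[str]:
    """Return the grant string that covers the action, or None."""
    for g in (f"{resource}:{action}", f"{resource}:*", "*:*"):
        if g in role.grants:
            return g
    return None

def decide(session: Session, role: Role, resource: str, action: str) -> Tuple[bool, str]:
    """Authz scope -> authn strength -> blast radius, evaluated as one chain."""
    grant = role_grants(role, resource, action)
    if grant is None:
        return False, "authz: role does not grant this action"
    tier = RESOURCE_TIER.get(resource, "privileged")   # unknown assets fail closed
    if tier == "privileged":
        # Password-only or OTP-only sessions never reach privileged assets.
        if not (session.factors & PHISHING_RESISTANT):
            return False, "authn: privileged resource requires a phishing-resistant factor"
        # Assumed blast-radius rule: privileged assets need an explicit grant.
        if grant == "*:*":
            return False, "blast radius: wildcard grants do not reach privileged assets"
    return True, f"allow via {grant}"
```

The deny reasons are ordered so that a log of denials shows which control in the chain stopped the request, which is what an access review needs.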

What's in the full article

Opal Security's full post covers the detailed authentication methods, authorization models, and failure examples this post intentionally leaves at a higher level of analysis:

  • Factor-by-factor discussion of passwords, MFA, biometrics, geolocation, and behavioural authentication
  • Expanded walkthrough of RBAC, ABAC, DAC, MAC, and emergency access control models
  • The full Deloitte breach narrative with the access path, persistence details, and control failures
  • Practical examples of how contextual and conditional controls change authorization decisions

👉 Read Opal Security's analysis of authn, authz, and IAM failure modes →
