TL;DR: Identity weaknesses now appear in nearly 90% of cyber incidents and 89% of cases in Unit 42’s 2026 incident response report, while 99% of cloud users, roles, and services hold excessive permissions, often unused for 60 days or more. Static perimeter controls cannot contain valid-credential abuse when identities themselves are the attack path.
NHIMG editorial — based on content published by Zero Networks: Perimeter-Based to Identity-Centric: Enforcing Least-Privilege Access Everywhere
By the numbers:
- Identity security weaknesses play a material role in nearly 90% of cyber incidents today.
Questions worth separating out
Q: How should security teams implement least privilege across hybrid environments?
A: Security teams should start with identity segmentation around the most sensitive systems, then expand to cloud, SaaS, and on-prem paths.
Q: Why do excessive permissions make valid credentials so dangerous?
A: Excessive permissions turn any stolen or abused credential into a much larger problem because the attacker inherits the identity’s existing reach.
Q: What do teams get wrong about perimeter security in identity-heavy environments?
A: They assume the perimeter still decides trust, when in reality many attacks now begin with valid access and then move internally.
Practitioner guidance
- Inventory identity-to-asset reachability Document which users, service accounts, and applications can reach each critical asset, then remove paths that are not required for the current business function.
- Apply identity segmentation to privileged accounts first Start with domain admins, cloud operators, and high-risk machine identities because those credentials create the largest blast radius if stolen.
- Replace static trust with contextual enforcement Tie network access to identity, device, and workload context so access decisions can change with the connection, not just the login.
What's in the full article
Zero Networks' full article covers the operational detail this post intentionally leaves for the source:
- The webinar discussion on identity segmentation design across SaaS, cloud, and on-prem environments.
- The practical trade-offs between blocking, containing, and allowing identity-based traffic in production.
- The role of automated learning in building least-privilege policies without hand-crafting every rule.
- The examples of how microsegmentation and just-in-time network-layer MFA fit into a broader control stack.
👉 Read Zero Networks' analysis of identity-centric least privilege and segmentation →
Identity-centric least privilege: what it means for IAM teams?
Explore further
Identity segmentation is now the practical boundary for least privilege. Perimeter controls can still matter, but they no longer determine whether a stolen credential can spread across cloud, SaaS, and on-prem environments. The governance question is no longer whether an account can authenticate, but where that identity can operate after authentication. Practitioners should treat identity reachability as a first-class control surface.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing that remediation windows often outlast attacker dwell time.
A question worth separating out:
Q: How can organisations reduce lateral movement without breaking normal operations?
A: They should use human-on-the-loop automation to learn normal access patterns, then enforce granular identity-aligned policies with exception handling. That approach limits unnecessary movement while preserving legitimate traffic. The key is to control where identities can operate, not to block everything indiscriminately.
👉 Read our full editorial: Identity-centric least privilege is replacing perimeter trust models