TL;DR: OWASP’s latest Top 10 again places Broken Access Control at number one, reflecting how over-permissioned identities, static entitlements, and inconsistent enforcement across hybrid estates still leave authenticated users and workloads able to act beyond intended scope, according to P0 Security. The real gap is runtime entitlement governance, not login verification.
NHIMG editorial — based on content published by P0 Security: Why broken access control still tops the OWASP Top 10 and what it means for identity security in the era of hybrid cloud
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should security teams govern access across hybrid cloud environments?
A: Security teams should govern hybrid access by measuring effective permissions, not just approved ones.
Q: Why does broken access control persist even when IAM policies exist?
A: Broken access control persists because policies are often static while infrastructure and identities are dynamic.
Q: What do teams get wrong about least privilege in cloud and on-prem estates?
A: Teams often treat least privilege as a provisioning decision instead of a runtime condition.
Practitioner guidance
- Inventory effective access across all control planes Build one view of effective permissions across AWS IAM, Azure roles, Kubernetes RBAC, and on-prem directories.
- Tie temporary access to task completion Replace persistent elevation with time-bounded access that expires when the work ends.
- Review cross-environment privilege combinations Look for identities that are benign in one system but dangerous when combined with rights in another.
What's in the full article
P0 Security's full article covers the operational detail this post intentionally leaves for the source:
- The OWASP Top 10 changes and how broken access control compares with the other ranked issues
- Examples of how AWS, Azure, Kubernetes, and on-prem identity models diverge in practice
- The article's own view of why runtime entitlement enforcement is harder than authentication hardening
- The original wording and context around just-in-time and continuous access governance
👉 Read P0 Security's analysis of broken access control in hybrid cloud →
Broken access control in hybrid cloud: is IAM keeping up?
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
Broken access control is now an identity governance failure, not just an application flaw. The article is right to move the problem out of the narrow developer bucket and into the operational reality of hybrid identity. When access is spread across cloud IAM, directory groups, Kubernetes RBAC, and workload identities, the meaningful control question is whether enforcement remains consistent after login. Security teams should treat authorization as a continuous governance domain.
A few things that frame the scale:
- From our research: 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often effective access remains hidden from governance processes.
A question worth separating out:
Q: Which identity governance control best reduces hybrid cloud authorization risk?
A: Continuous entitlement discovery is the most effective control because it exposes what identities can do across systems in real time. That gives security teams the data needed to remove stale grants, reduce privilege creep, and block cross-environment combinations that turn one account into a broad breach path.
👉 Read our full editorial: Broken access control in hybrid cloud is still an IAM problem