TL;DR: Conditional access policies only protect the identities and apps they actually reach, and native tooling often leaves teams blind to ungated sign-ins, legacy auth paths, and exclusion drift, according to Abnormal AI. Coverage, not policy count, becomes the real control variable when provisioned identities outnumber active users and gaps compound unnoticed.
NHIMG editorial — based on content published by Abnormal AI: Conditional access policies are only as good as their coverage
Questions worth separating out
Q: How should security teams find conditional access gaps in practice?
A: Start by correlating sign-in telemetry with policy evaluation results, then isolate successful authentications that never received a conditional access decision.
Q: Why do legacy authentication paths undermine conditional access controls?
A: Legacy paths can authenticate outside the modern policy engine, so MFA and other conditional access checks may never run.
Q: What do security teams get wrong about conditional access exclusions?
A: They often treat exclusions as temporary configuration fixes instead of governance items that change the control boundary.
Practitioner guidance
- Build a coverage map for every successful sign-in Correlate authentication events with policy decisions so you can identify identities that authenticated without a conditional access policy applied, and separate those from covered sessions.
- Inventory legacy authentication paths across apps and integrations List protocols, apps, and service connections that can bypass modern conditional access evaluation, then isolate them from normal user access paths where possible.
- Review exclusions as living governance objects Track every exclusion by owner, reason, age, and business justification, and require periodic recertification before the exception remains in force.
What's in the full article
Abnormal AI's full analysis covers the operational detail this post intentionally leaves for the source:
- Step-by-step ways to identify sign-ins that occurred without a conditional access policy applied.
- Coverage checks for legacy authentication paths and application reachability outside MFA enforcement.
- Exception and exclusion review patterns that reveal scope drift across the identity estate.
- Practical examples of how identity posture workflows surface ungated paths continuously.
👉 Read Abnormal AI's analysis of conditional access coverage gaps in Entra ID →
Conditional access coverage gaps: are your controls reaching every identity?
Explore further
Coverage, not policy volume, is the real conditional access control gap. Organisations can build many policies and still leave large parts of the estate untouched if identities or applications never enter scope. Native dashboards often report what exists, not what was actually enforced, which means governance teams may be measuring intent instead of control reach. The practitioner conclusion is simple: if coverage is incomplete, conditional access is an assurance claim, not a control outcome.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
A question worth separating out:
Q: How do organisations know if conditional access is actually working?
A: They should test coverage by asking which identities authenticated successfully without a policy applied, which applications are still reachable through legacy paths, and which exclusions have drifted since the last review. If those answers are unclear, the control is not fully operational.
👉 Read our full editorial: Conditional access coverage gaps are the hidden identity risk