Identity-driven access paths in SaaS and AI: what teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: The highest-risk exposures found were driven by inherited, stale, and indirect access paths, not data misplacement, with gaps such as nested groups, residual vendor access, and link-based sharing evading traditional DSPM, according to Cyera Research Labs. The real control problem is identity-data correlation, because location-based posture tools cannot enforce least privilege or prove access governance when SaaS and AI tooling extend entitlements.

NHIMG editorial — based on content published by Cyera: Access Is the New Exposure, Why Knowing Who Can Reach Your Data Matters More Than Where It Lives

Questions worth separating out

Q: How should security teams govern access to sensitive data in SaaS environments?

A: They should govern effective access, not only storage location or classification.

Q: Why do traditional DSPM tools miss the real exposure path?

A: Traditional DSPM is usually object-centric, so it can show where data lives but not how identities inherit access to it.

Q: What do security teams get wrong about AI assistants and data access?

A: They often assume the assistant creates a new risk category when the bigger issue is inherited privilege.

Practitioner guidance

  • Map effective access paths, not just data locations: correlate identities, nested groups, OAuth scopes, shared links, and data objects so you can see who can actually reach sensitive files across SaaS and cloud platforms.
  • Audit inherited and dormant permissions as active exposure: prioritise nested Azure AD groups, old vendor access, deactivated user accounts, and stale shared-mailbox permissions because they often remain reachable long after the business need has ended.
  • Reassess AI-connected access against original user scope: review where AI assistants or copilots inherit human entitlements, then narrow the underlying access before machine-speed search and summarisation can surface buried content.

What's in the full article

Cyera's full research covers the operational detail this post intentionally leaves for the source:

  • Detailed examples of how nested Azure AD groups create transitive access paths across SaaS estates.
  • The access graph and remediation workflow used to correlate identities, entitlements, and data.
  • Specific AI-assistant exposure patterns, including inherited OAuth context and recursive content retrieval.
  • Operational guidance for revoking stale vendor access without breaking legitimate collaboration.

👉 Read Cyera's research on identity-driven data exposure in SaaS and AI systems →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Identity-aware exposure is now the controlling concept for modern data security. The article is right to move the debate away from storage location and toward effective access. Data can be classified correctly and still be widely reachable through nested groups, inherited permissions, and dormant accounts. For identity governance, the problem is not where the file lives but whether the access path is still justified. Practitioners should treat identity-data correlation as a core control surface, not an optional enhancement.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

A question worth separating out:

Q: How can organisations tell whether access intelligence is working?

A: It is working when access reviews can answer a concrete question about effective reach, not just entitlement ownership. Teams should be able to trace a sensitive object back through groups, roles, links, and delegated access, then revoke the exact path without breaking legitimate use. If they cannot, visibility is still incomplete.

👉 Read our full editorial: Identity-driven access now defines exposure in SaaS and AI systems



   
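The topic starter's guidance on mapping effective access paths and the question above about tracing a sensitive object back through groups, links and delegated access both reduce to one computation, shown here as an added example (not Cyera's access graph or any code from the article). It resolves nested group membership transitively and cycle-safely, treats link sharing as a grantee, lets an app holding a delegated read scope inherit its user's reach, and returns each path with the chain an access review would revoke; the tenant, identities, ACLs and OAuth grant are constructed sample data.

```python
from collections import deque

# Constructed sample tenant, not Cyera's data. Group -> direct members (users or
# other groups); "eng" and "platform" contain each other, a cycle the resolver must survive.
GROUPS = {"all-staff": {"eng", "finance", "alice"}, "eng": {"platform", "bob"},
          "platform": {"carol", "vendor-svc", "eng"}, "finance": {"dave-deactivated"}}
# Identity metadata (kind, active) used to judge whether a reachable path is still justified.
IDENTITIES = {"alice": ("user", True), "bob": ("user", True), "carol": ("user", True),
              "dave-deactivated": ("user", False), "vendor-svc": ("vendor", True)}
# Object ACLs: grantee -> permission. "anyone-with-link" models link-based sharing.
ACLS = {"payroll.xlsx": {"finance": "read", "anyone-with-link": "read"},
        "roadmap.docx": {"platform": "edit"}}
# OAuth grants (app, delegating user, scope): the app inherits that user's reach.
OAUTH_GRANTS = [("copilot-app", "carol", "files.read")]

def expand(group):
    """Return (identity, chain) for every identity transitively in `group`; cycle-safe."""
    seen, out, queue = {group}, [], deque([(group, [group])])
    while queue:
        node, chain = queue.popleft()
        for m in sorted(GROUPS.get(node, ())):
            if m not in GROUPS:
                out.append((m, chain + [m]))
            elif m not in seen:
                seen.add(m)
                queue.append((m, chain + [m]))
    return out

def effective_access(obj):
    """Return every access path to `obj`; `flag` marks paths an access review should revisit."""
    paths = []
    for grantee, perm in ACLS[obj].items():
        if grantee == "anyone-with-link":
            paths.append({"who": grantee, "via": ["link"], "perm": perm, "flag": "link-sharing"})
            continue
        members = expand(grantee) if grantee in GROUPS else [(grantee, [grantee])]
        for who, chain in members:
            kind, active = IDENTITIES.get(who, ("unknown", True))
            flag = ("dormant" if not active else "vendor" if kind == "vendor"
                    else "nested-group" if len(chain) > 2 else None)
            paths.append({"who": who, "via": chain, "perm": perm, "flag": flag})
            # Delegated reach: an app granted a read scope by this user inherits the path.
            for app, user, scope in OAUTH_GRANTS:
                if user == who and scope.endswith(".read"):
                    paths.append({"who": app, "via": chain + [f"oauth:{user}"],
                                  "perm": "read", "flag": "ai-inherited"})
    return paths
```

Each returned `via` chain is the exact edge to cut (a group membership, a link, or an OAuth grant) rather than the object's whole ACL, which is what lets a reviewer revoke one path without breaking the others.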