Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Identity mismanagement in breaches: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Identity failures drove 75% of security incidents in the source analysis, with examples spanning revoked access, missing MFA, over-privileged accounts, and lateral movement across major incidents at Cash App, Change Healthcare, CircleCI, Deloitte, Microsoft, and Snowflake. The pattern is clear: breach containment depends on identity governance, not just perimeter defence.

NHIMG editorial — based on content published by Opal Security: Six Degrees of Identity Security Issues

By the numbers:

Questions worth separating out

Q: How should security teams prevent post-termination access from becoming a breach path?

A: They should make offboarding a verified security control, not a paperwork step.

Q: Why does missing MFA still lead to large breaches when organisations have other controls?

A: Missing MFA is dangerous because it lowers the cost of initial entry, but the breach becomes large only when the compromised identity can reach sensitive systems or move laterally.

Q: What do organisations get wrong about least privilege in real incidents?

A: They often treat least privilege as a policy label instead of an enforced operational state.

Practitioner guidance

  • Tighten termination-driven revocation Build a hard offboarding check that confirms user access, tokens, and administrative entitlements are removed before the leaver process closes.
  • Enforce MFA on acquired and critical systems Do not rely on enterprise-wide policy statements if subsidiary or legacy environments still accept weaker access paths.
  • Convert standing privilege to just-in-time access Remove always-on production rights from accounts that only need elevated access intermittently.

What's in the full article

Opal Security's full analysis covers the operational detail this post intentionally leaves for the source:

  • Incident-by-incident walkthroughs of how each breach unfolded and which identity control failed first
  • Practical examples of access review, revocation, and just-in-time access decisions in real environments
  • The vendor's discussion of MFA, least privilege, and monitoring controls in the context of specific customer cases
  • Additional context on how identity mismanagement patterns repeat across multiple organisations

👉 Read Opal Security's analysis of six identity security breach patterns →

Identity mismanagement in breaches: what IAM teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Identity governance failed here because access validity outlived accountability. The article’s cases show that revocation, review, and privilege scoping are not adjacent controls, they are the breach boundary. When access survives termination or acquisition changes, the attacker does not need sophistication, only time. The practitioner conclusion is that lifecycle enforcement must be treated as a primary defensive layer.

A few things that frame the scale:

  • From our research: 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Our research also finds that only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which explains why lifecycle gaps persist.

A question worth separating out:

Q: Who is accountable when over-privileged access leads to data theft?

A: Accountability usually sits with the identity owners who failed to define, enforce, and review the access boundary. That includes IAM teams, application owners, and security leaders responsible for privileged access governance. If a compromised account can still reach production or sensitive data, the control failure is organisational, not just individual.

👉 Read our full editorial: Six degrees of identity security issues in enterprise breaches



   
ReplyQuote
Share: