
Identity mismanagement in breaches: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7677
Topic starter  

TL;DR: Identity failures drove 75% of security incidents in the source analysis, with examples spanning unrevoked post-termination access, missing MFA, over-privileged accounts, and lateral movement across major incidents at Cash App, Change Healthcare, CircleCI, Deloitte, Microsoft, and Snowflake. The pattern is clear: breach containment depends on identity governance, not just perimeter defence.

NHIMG editorial — based on content published by Opal Security: Six Degrees of Identity Security Issues

By the numbers:

Questions worth separating out

Q: How should security teams prevent post-termination access from becoming a breach path?

A: They should make offboarding a verified security control, not a paperwork step.

Q: Why does missing MFA still lead to large breaches when organisations have other controls?

A: Missing MFA is dangerous because it lowers the cost of initial entry, but the breach becomes large only when the compromised identity can reach sensitive systems or move laterally.

Q: What do organisations get wrong about least privilege in real incidents?

A: They often treat least privilege as a policy label instead of an enforced operational state.

Practitioner guidance

  • Tighten termination-driven revocation: Build a hard offboarding check that confirms user access, tokens, and administrative entitlements are removed before the leaver process closes.
  • Enforce MFA on acquired and critical systems: Do not rely on enterprise-wide policy statements if subsidiary or legacy environments still accept weaker access paths.
  • Convert standing privilege to just-in-time access: Remove always-on production rights from accounts that only need elevated access intermittently.
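As an added example (not from this post or from Opal Security's article), the three checks above expressed as code over a constructed identity inventory; the system names, role labels, token ids and the HR-sourced status field are all assumptions:

```python
from dataclasses import dataclass

CRITICAL_SYSTEMS = {"prod-db", "payments-api"}   # assumed labels, not from the post
ELEVATED_ROLES = {"admin", "owner"}              # assumed standing-privilege role names

@dataclass
class Account:
    system: str
    enabled: bool
    mfa: bool
    roles: tuple = ()   # standing (always-on) roles held on that system

@dataclass
class Identity:
    user: str
    status: str         # "active" or "terminated", as reported by the HR feed
    accounts: tuple
    tokens: tuple       # API / personal access tokens still valid

def residual_access(identity):
    """Entitlements a leaver still holds; an empty list means revocation is verified."""
    findings = []
    for acct in identity.accounts:
        if acct.enabled:
            findings.append(f"account still enabled on {acct.system}")
        findings += [f"standing role {r} on {acct.system}" for r in acct.roles]
    findings += [f"live token {t}" for t in identity.tokens]
    return findings

def offboarding_verified(identity):
    """The hard check: the leaver process may close only when nothing remains."""
    return identity.status == "terminated" and not residual_access(identity)

def mfa_gaps(identities, critical=CRITICAL_SYSTEMS):
    """(user, system) pairs with an enabled account on a critical system but no MFA."""
    return sorted((i.user, a.system) for i in identities for a in i.accounts
                  if a.enabled and a.system in critical and not a.mfa)

def standing_privilege(identities, elevated=ELEVATED_ROLES):
    """Active users holding always-on elevated roles: candidates for just-in-time access."""
    return sorted((i.user, a.system, r) for i in identities if i.status == "active"
                  for a in i.accounts if a.enabled for r in a.roles if r in elevated)

# Constructed sample inventory: alice has left but was never fully revoked.
INVENTORY = (
    Identity("alice", "terminated", (Account("prod-db", True, True, ("admin",)),
                                     Account("wiki", False, False)), ("pat-7f3",)),
    Identity("bob", "active", (Account("payments-api", True, False),
                               Account("prod-db", True, True, ("owner",))), ()),
)
```

Run against a real inventory, a non-empty `residual_access` result for a terminated user is the signal that should block the leaver ticket from closing.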

What's in the full article

Opal Security's full analysis covers the operational detail this post intentionally leaves for the source:

  • Incident-by-incident walkthroughs of how each breach unfolded and which identity control failed first
  • Practical examples of access review, revocation, and just-in-time access decisions in real environments
  • The vendor's discussion of MFA, least privilege, and monitoring controls in the context of specific customer cases
  • Additional context on how identity mismanagement patterns repeat across multiple organisations

👉 Read Opal Security's analysis of six identity security breach patterns →
