TL;DR: Identity failures drove 75% of security incidents in the source analysis, with examples spanning revoked access, missing MFA, over-privileged accounts, and lateral movement across major incidents at Cash App, Change Healthcare, CircleCI, Deloitte, Microsoft, and Snowflake. The pattern is clear: breach containment depends on identity governance, not just perimeter defence.
NHIMG editorial — based on content published by Opal Security: Six Degrees of Identity Security Issues
By the numbers:
- 75% of security incidents were caused by bad actors taking advantage of human errors, specifically errors related to access privileges and identity mismanagement.
- The global average cost of a data breach last year was $4.45 million.
Questions worth separating out
Q: How should security teams prevent post-termination access from becoming a breach path?
A: They should make offboarding a verified security control, not a paperwork step.
Q: Why does missing MFA still lead to large breaches when organisations have other controls?
A: Missing MFA is dangerous because it lowers the cost of initial entry, but the breach becomes large only when the compromised identity can reach sensitive systems or move laterally.
Q: What do organisations get wrong about least privilege in real incidents?
A: They often treat least privilege as a policy label instead of an enforced operational state.
Practitioner guidance
- Tighten termination-driven revocation Build a hard offboarding check that confirms user access, tokens, and administrative entitlements are removed before the leaver process closes.
- Enforce MFA on acquired and critical systems Do not rely on enterprise-wide policy statements if subsidiary or legacy environments still accept weaker access paths.
- Convert standing privilege to just-in-time access Remove always-on production rights from accounts that only need elevated access intermittently.
What's in the full article
Opal Security's full analysis covers the operational detail this post intentionally leaves for the source:
- Incident-by-incident walkthroughs of how each breach unfolded and which identity control failed first
- Practical examples of access review, revocation, and just-in-time access decisions in real environments
- The vendor's discussion of MFA, least privilege, and monitoring controls in the context of specific customer cases
- Additional context on how identity mismanagement patterns repeat across multiple organisations
👉 Read Opal Security's analysis of six identity security breach patterns →
Identity mismanagement in breaches: what IAM teams are missing?
Explore further
Identity governance failed here because access validity outlived accountability. The article’s cases show that revocation, review, and privilege scoping are not adjacent controls, they are the breach boundary. When access survives termination or acquisition changes, the attacker does not need sophistication, only time. The practitioner conclusion is that lifecycle enforcement must be treated as a primary defensive layer.
A few things that frame the scale:
- From our research: 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Our research also finds that only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which explains why lifecycle gaps persist.
A question worth separating out:
Q: Who is accountable when over-privileged access leads to data theft?
A: Accountability usually sits with the identity owners who failed to define, enforce, and review the access boundary. That includes IAM teams, application owners, and security leaders responsible for privileged access governance. If a compromised account can still reach production or sensitive data, the control failure is organisational, not just individual.
👉 Read our full editorial: Six degrees of identity security issues in enterprise breaches