TL;DR: Legacy IAM tools still centre on authentication and perimeter-era access patterns, but modern attackers are stealing credentials, hijacking sessions, and exploiting fragmented identity data to move laterally, according to Zluri and a 2025 Forbes Technology report that puts identity-based attacks at 87% of breaches. Legacy IAM is failing because access control now has to follow identity context, not just validate login events.
NHIMG editorial — based on content published by Zluri: Access Management Why Legacy IAM Fails Against Modern Identity-Centric Attacks
By the numbers:
- A 2025 Forbes Technology report shows that 87% of breaches now stem from identity-based attacks.
Questions worth separating out
Q: How should security teams reduce risk from identity-centric attacks in legacy IAM environments?
A: Start by treating identity as the enforcement boundary, not the login event.
Q: Why do legacy IAM systems struggle with modern cloud access patterns?
A: They were designed for stable users and static perimeters, so they often miss contractors, service accounts, bots, and fragmented entitlements.
Q: What breaks when access is assigned through broad group-based provisioning?
A: Broad groups over-assign privilege, which means users receive access that exceeds their job need and attackers inherit that excess after compromise.
Practitioner guidance
- Rebuild identity visibility across the full estate: inventory users, contractors, service accounts, bots, and APIs in one reconciled view so stale or duplicate records do not hide active access paths.
- Add contextual authorisation to login events: do not stop at successful authentication.
- Remove broad group-based entitlement defaults: replace static departmental access with role- and context-aware provisioning.
What's in the full article
Zluri's full blog post covers the operational detail this post intentionally leaves for the source:
- A breakdown of the vendor’s identity visibility methods across employees, contractors, service accounts, and SaaS apps.
- A walkthrough of its authentication and authorisation workflow, including rule-based access assignment examples.
- A closer look at how it reconciles fragmented identity records into a single source of truth.
- Implementation detail on replacing static group provisioning with context-aware access controls.
👉 Read Zluri's analysis of why legacy IAM fails against identity-centric attacks →
Legacy IAM and identity attacks: where access control breaks down?
Explore further
Legacy IAM fails because it was built to authenticate known users, not to govern identity trust after credentials are stolen. That is the core mismatch in identity-centric attacks. Once a password, token, or session cookie is compromised, the old control plane often has no meaningful second decision point. The implication is that identity governance must move from login validation to continuous trust evaluation across the full session.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which explains why stale identity paths often survive routine administration, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: How do teams know if identity governance is actually closing access gaps?
A: Look for whether offboarding, recertification, and entitlement review remove access across every linked record, not just the primary directory entry. If duplicate identities, stale accounts, or unmanaged service credentials still exist after lifecycle actions, the programme is not closing the gap. True closure means the identity graph is reconciled end to end.
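As an added example, not code from Zluri or the NHIMG editorial, the following Python check models the "every linked record" test: identity records from several sources (directory, SaaS app, service account, API key) are linked into one graph by a normalised owner identity, and any record that still grants access after an identity has been offboarded is reported. The sources, field names and sample identities are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class Record:
    source: str               # constructed labels: directory, saas, service_account, api_key
    identity: str             # owner identity used to link records across sources
    active: bool
    expires: Optional[date] = None   # None means the credential never expires

def normalise(identity: str) -> str:
    # Duplicate identities often differ only in case or whitespace; reconcile on one key.
    return identity.strip().lower()

def build_identity_graph(records: List[Record]) -> Dict[str, List[Record]]:
    graph: Dict[str, List[Record]] = {}
    for r in records:
        graph.setdefault(normalise(r.identity), []).append(r)
    return graph

def grants_access(r: Record, today: date) -> bool:
    # A record is an open access path if it is active and not yet expired.
    return r.active and (r.expires is None or r.expires >= today)

def residual_access(records: List[Record], offboarded: List[str], today: date) -> List[Record]:
    """Records that still grant access for identities the lifecycle process should have closed."""
    graph = build_identity_graph(records)
    return [r for ident in offboarded
            for r in graph.get(normalise(ident), []) if grants_access(r, today)]

def offboarding_closed(records: List[Record], offboarded: List[str], today: date) -> bool:
    return not residual_access(records, offboarded, today)

# Constructed sample: the directory entry was disabled, but linked records were missed.
SAMPLE = [
    Record("directory", "alice@example.com", active=False),
    Record("saas", "Alice@Example.com", active=True),                       # duplicate by case
    Record("service_account", "alice@example.com", active=True),            # never expires
    Record("api_key", "alice@example.com", active=True, expires=date(2025, 1, 20)),
    Record("api_key", "alice@example.com", active=True, expires=date(2024, 12, 1)),  # already expired
]
TODAY = date(2025, 1, 10)

if __name__ == "__main__":
    for r in residual_access(SAMPLE, ["alice@example.com"], TODAY):
        print(f"open path: {r.source} record for {r.identity}")
```

The directory entry alone looks closed; the graph shows three linked records still granting access, which is the gap the editorial describes.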
👉 Read our full editorial: Legacy IAM leaves identity-centric attacks with too many gaps