
Legacy IAM and identity attacks: where access control breaks down


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter

TL;DR: Legacy IAM tools still centre on authentication and perimeter-era access patterns, but modern attackers are stealing credentials, hijacking sessions, and exploiting fragmented identity data to move laterally, according to Zluri and a 2025 Forbes Technology report that puts identity-based attacks at 87% of breaches. Legacy IAM is failing because access control now has to follow identity context, not just validate login events.

NHIMG editorial — based on content published by Zluri (Access Management): Why Legacy IAM Fails Against Modern Identity-Centric Attacks

By the numbers:

Questions worth separating out

Q: How should security teams reduce risk from identity-centric attacks in legacy IAM environments?

A: Start by treating identity as the enforcement boundary, not the login event.

Q: Why do legacy IAM systems struggle with modern cloud access patterns?

A: They were designed for stable users and static perimeters, so they often miss contractors, service accounts, bots, and fragmented entitlements.

Q: What breaks when access is assigned through broad group-based provisioning?

A: Broad groups over-assign privilege, which means users receive access that exceeds their job need and attackers inherit that excess after compromise.

Practitioner guidance

  • Rebuild identity visibility across the full estate: inventory users, contractors, service accounts, bots, and APIs in one reconciled view so stale or duplicate records do not hide active access paths.
  • Add contextual authorisation to login events: do not stop at successful authentication.
  • Remove broad group-based entitlement defaults: replace static departmental access with role- and context-aware provisioning.
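The three guidance points above, worked through as an added example (this is illustrative code written for this post, not Zluri's product or code): it reconciles constructed HR, IdP and cloud IAM extracts into one view keyed by identity, flags stale, orphaned and over-entitled records, and then makes an authorisation decision that checks role need and session context after authentication has already succeeded. All identities, groups, roles, permissions and the policy thresholds (60-day staleness, 8-hour session age) are assumptions made up for the example.

```python
"""Reconcile identity records from several sources, then gate actions on
identity context rather than on a successful login alone.

Added illustration for this post; not Zluri's code. Every record, group,
role, permission and threshold below is constructed sample data.
"""
from datetime import date

TODAY = date(2025, 6, 1)  # fixed clock so the example is repeatable

# Constructed source extracts: HR, the identity provider (IdP), and cloud IAM.
HR = [
    {"id": "alice", "type": "employee", "role": "finance", "end": None},
    {"id": "bob", "type": "contractor", "role": "eng", "end": date(2025, 3, 1)},
]
IDP = [
    {"id": "Alice", "groups": ["finance-all"], "last_login": date(2025, 5, 30)},
    {"id": "bob", "groups": ["eng-all", "admins"], "last_login": date(2025, 2, 20)},
    {"id": "svc-backup", "groups": ["admins"], "last_login": date(2024, 11, 1)},
]
CLOUD = [
    {"id": "svc-backup", "type": "service_account"},
    {"id": "svc-etl", "type": "service_account"},  # never registered in the IdP
]

# Broad group grants (the legacy default) versus what each role actually needs.
GROUP_GRANTS = {
    "finance-all": {"ledger:read", "ledger:write", "payroll:export"},
    "eng-all": {"repo:read", "repo:write"},
    "admins": {"iam:admin", "ledger:write", "repo:write"},
}
ROLE_NEEDS = {
    "finance": {"ledger:read", "ledger:write"},
    "eng": {"repo:read", "repo:write"},
    "service": {"backup:run"},
}


def effective_grants(entry):
    """Union of every permission an identity inherits through its groups."""
    grants = set()
    for group in entry.get("groups", ()):
        grants |= GROUP_GRANTS.get(group, set())
    return grants


def reconcile(hr=HR, idp=IDP, cloud=CLOUD, today=TODAY, stale_days=60):
    """Merge the sources into one view keyed by normalised id; return (view, findings)."""
    view = {}
    for rec in hr:
        view.setdefault(rec["id"].lower(), {}).update(
            type=rec["type"], role=rec["role"], end=rec["end"])
    for rec in idp:
        entry = view.setdefault(rec["id"].lower(), {})
        entry["groups"] = set(rec["groups"])
        entry["last_login"] = rec["last_login"]
    for rec in cloud:
        entry = view.setdefault(rec["id"].lower(), {})
        entry.setdefault("type", rec["type"])
        entry.setdefault("role", "service")
        entry["in_cloud"] = True

    findings = []
    for ident, e in view.items():
        if e.get("end") and e["end"] < today and e.get("groups"):
            findings.append((ident, "contract ended but IdP account still has groups"))
        if e.get("last_login") and (today - e["last_login"]).days > stale_days:
            findings.append((ident, "stale: no login within %d days" % stale_days))
        if e.get("in_cloud") and "groups" not in e:
            findings.append((ident, "cloud principal with no IdP record"))
        excess = effective_grants(e) - ROLE_NEEDS.get(e.get("role"), set())
        if excess:
            findings.append((ident, "excess grants: " + ", ".join(sorted(excess))))
    return view, findings


def authorize(entry, action, ctx, today=TODAY):
    """Decide after authentication; ctx is constructed session context."""
    if not ctx.get("authenticated"):
        return False, "not authenticated"
    if entry.get("end") and entry["end"] < today:
        return False, "identity is past its end date"
    if action not in ROLE_NEEDS.get(entry.get("role"), set()):
        return False, "action outside role need"  # denied even if a group grants it
    if action.endswith(":write") and not ctx.get("managed_device"):
        return False, "write from unmanaged device"
    if ctx.get("session_age_hours", 0) > 8:
        return False, "session too old, re-authenticate"
    return True, "allowed"


if __name__ == "__main__":
    view, findings = reconcile()
    for ident, why in findings:
        print(f"{ident}: {why}")
    print(authorize(view["alice"], "ledger:write",
                    {"authenticated": True, "managed_device": True, "session_age_hours": 1}))
```

The reconciliation step is what surfaces the cases the post describes: a contractor whose HR end date has passed but whose IdP account still carries groups, a service account that has not authenticated in months yet sits in an admin group, and a cloud principal that no identity source knows about. The authorisation step then refuses an action the identity's groups would technically grant (payroll export for a finance role) because it exceeds the role need, which is the excess an attacker would otherwise inherit after a credential theft.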

What's in the full article

Zluri's full blog post covers the operational detail this post intentionally leaves for the source:

  • A breakdown of the vendor’s identity visibility methods across employees, contractors, service accounts, and SaaS apps.
  • A walkthrough of its authentication and authorisation workflow, including rule-based access assignment examples.
  • A closer look at how it reconciles fragmented identity records into a single source of truth.
  • Implementation detail on replacing static group provisioning with context-aware access controls.

👉 Read Zluri's analysis of why legacy IAM fails against identity-centric attacks →

