TL;DR: OWASP Top 10 2025 still centres application flaws, but Nexis argues the real enterprise risk is often identity and governance drift across access, third parties, and configuration, with broken access control and misconfiguration remaining pervasive. The governing assumption that permissions, ownership, and configuration stay aligned over time is no longer valid.
NHIMG editorial — based on content published by Nexis: OWASP Top 10 2025 and the Identity Reality Gap
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: What breaks when access control is not governed continuously across applications and third parties?
A: Permissions drift away from business intent, ownership becomes unclear, and access that should have expired remains effective.
Q: Why do misconfiguration and broken access control keep showing up together in enterprise risk?
A: Because configuration and authorization are increasingly the same thing in practice.
Q: What do security teams get wrong about third-party access in application ecosystems?
A: They often treat supplier access as a procurement issue instead of a revocable identity state.
Practitioner guidance
- Map OWASP findings to identity ownership: Assign every access path, role, and third-party entitlement to an accountable owner, then require that owner to sign off on effective permissions, not just documented intent.
- Treat IAM artefacts as security configurations: Include role definitions, attribute mappings, approval flows, and third-party access rules in the same change-control and validation process used for other security-critical settings.
- Run continuous access reviews on high-risk systems: Prioritise systems with external integrations, privileged roles, or broad function-level permissions, and verify whether access still matches the business relationship that justified it.
What's in the full article
Nexis' full article covers the operational detail this post intentionally leaves for the source:
- The category-by-category mapping from OWASP Top 10 2025 risks to Nexis Platform capabilities
- The vendor's explanation of structured access reviews, Segregation of Duties, and evidence collection workflows
- The discussion of IAM Governance Documentation, identity analytics, and Identity Security Posture Management in more implementation detail
- The article's references to specific compliance mappings such as ISO 27001, DORA, SOX, and HIPAA
👉 Read Nexis' analysis of OWASP Top 10 2025 and the identity reality gap →
OWASP Top 10 2025: where application security meets identity governance?
Explore further
The identity reality gap is a more useful framing than broken access control alone: the article shows that modern risk persists when governance intent and effective permissions diverge over time. Access reviews, ownership models, and third-party relationships all age faster than the controls built to manage them. That is why application security findings increasingly become identity governance failures in practice.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: How should IAM and AppSec teams work together on OWASP Top 10 findings?
A: They should share evidence on effective permissions, ownership, and lifecycle state. AppSec can identify where controls fail, but IAM must confirm whether access is excessive, stale, or inherited from third parties. The useful outcome is a single view of intended access versus actual access.
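As an added example (not code from the article, from Nexis, or from NHIMG), here is a minimal "intended versus actual access" review in Python along the lines of the practitioner guidance and the Q&A above: each effective permission observed in a system is checked against the owner-approved intent for it, and the gaps described (excessive, orphaned, stale, and third-party access that outlived the relationship justifying it) are reported. All principal, resource and owner names are constructed for the sample.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Intent:  # governance view: access an accountable owner approved
    principal: str
    resource: str
    permission: str
    owner: Optional[str]      # None = nobody accountable (orphaned)
    expires: Optional[date]   # end of the justifying relationship; None = open-ended
    third_party: bool = False

def review(intents, granted, today):
    # granted: set of (principal, resource, permission) observed in the system.
    # Returns (category, (principal, resource, permission), reason) per gap.
    today = date.fromisoformat(today) if isinstance(today, str) else today
    intended = {(i.principal, i.resource, i.permission): i for i in intents}
    findings = []
    for key in sorted(granted):
        intent = intended.get(key)
        if intent is None:  # effective but never approved: excessive
            findings.append(("excessive", key, "no approved intent on record"))
            continue
        if intent.owner is None:
            findings.append(("orphaned", key, "no accountable owner"))
        if intent.expires is not None and intent.expires < today:
            kind = "third_party_expired" if intent.third_party else "stale"
            findings.append((kind, key, f"justification ended {intent.expires}"))
    return findings

# Constructed sample data with hypothetical names, not taken from the article.
INTENTS = [
    Intent("svc-billing", "payments-db", "read", "alice", None),
    Intent("vendor-acme", "erp-api", "write", "bob", date(2025, 3, 31), third_party=True),
    Intent("svc-report", "warehouse", "read", None, None),
    Intent("svc-etl", "warehouse", "write", "carol", date(2024, 6, 30)),
]
GRANTED = {
    ("svc-billing", "payments-db", "read"),
    ("svc-billing", "payments-db", "admin"),  # never approved
    ("vendor-acme", "erp-api", "write"),      # supplier relationship ended
    ("svc-report", "warehouse", "read"),      # intent has no owner
    ("svc-etl", "warehouse", "write"),        # internal project ended
}

if __name__ == "__main__":
    for category, key, reason in review(INTENTS, GRANTED, date(2025, 11, 1)):
        print(f"{category:<20} {'/'.join(key):<32} {reason}")
```

In practice the intent records come from the ownership and approval system and the granted set from the target system's effective-permission export; the review only reports gaps and never changes access itself.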
👉 Read our full editorial: OWASP Top 10 2025 exposes an identity reality gap in enterprises