We asked our pentesting team: What are your most common findings?
The answer:
- Misassigned groups with administrative privileges
- Active Directory misconfigurations
- Identical local administrator passwords
- Orphaned or never-cleaned-up accounts
- Uncontrolled service accounts
Technically, these issues may appear different. In practice, however, they usually share the same root cause: organizations gradually lose visibility into who has access to what and why.
At the same time, a fundamental shift is reshaping security strategies. Employees work remotely, systems run in the cloud, external partners access applications, and an increasing number of processes are automated or AI-driven. This creates a new reality: the traditional network perimeter is losing relevance. Today, an organization's true security boundary is increasingly the identity itself. This creates tangible risks: limited traceability of access rights, unnecessary attack surfaces, and significant security and liability challenges when incidents occur.
External Requirements Are Changing the View on Identity Management
Many organizations still regard Identity Management primarily as an operational IT topic. Regulatory requirements such as NIS2 are fundamentally changing this perspective. It is no longer sufficient to simply provision permissions from a technical standpoint. Organizations must be able to demonstrate why access exists, who is accountable for it, and how misuse is prevented. This is where Identity Governance begins.
At the same time, the number of technical identities is now growing significantly faster than the number of human users. Service accounts, API credentials, and automated processes are often created in a decentralized manner during day-to-day operations. In many cases, these accounts have extensive permissions without clearly defined ownership.
As a result, organizations are losing visibility not only into user permissions, but increasingly into the digital systems that independently access data and applications.
The Most Common Mistake: Tool-First Instead of Architecture-First
Many organizations start by searching for the right tool and invest early in platforms and integrations. However, the underlying permission structures remain unchanged. As a result, the system merely digitizes existing disorder.
Identity & Access Management (IAM) and Identity Governance & Administration (IGA) are not traditional IT infrastructure projects. They fundamentally change how organizations assign access, govern responsibilities, and manage identities throughout their lifecycle. And this is exactly where many projects fail. A system cannot compensate for missing governance. It merely makes those gaps visible.
A meaningful starting point therefore begins not with technology, but with transparency. Organizations should first identify their most critical access paths:
- Who has administrative privileges?
- Which accounts have not been used for months?
- Which technical accounts automatically access sensitive data?
- Which external service providers have access to production environments?
Only once this level of transparency exists can automation and system integration be implemented effectively.
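The four questions above can be answered for an Active Directory domain with a read-only inventory script. The following is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module, a domain-joined account with read access, and that external contractors are kept in a dedicated OU (the OU path, the group list and the 90-day threshold are assumptions to adapt to your directory).

```powershell
# Read-only AD access inventory (added example, not from the original article).
# Assumptions: RSAT ActiveDirectory module is installed; the caller can read the
# directory; externals live in OU=External (placeholder path, adapt as needed).
Import-Module ActiveDirectory

$InactiveDays     = 90
$ExternalOU       = 'OU=External,DC=example,DC=com'   # assumption / placeholder
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')

# Helper: turn a list of group DNs into short group names for readable output.
function Get-ShortGroupNames([string[]]$GroupDns) {
    ($GroupDns | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
}

# 1. Who has administrative privileges? -Recursive resolves nested group membership,
#    which is where unintended admins usually hide.
$Admins = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object @{n='Group'; e={ $g }}, SamAccountName, DistinguishedName
}

# 2. Which enabled accounts have not been used for months? (candidates for
#    orphaned accounts; confirm an owner before disabling)
$Stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName

# 3. Which technical accounts access data automatically? Accounts carrying a
#    ServicePrincipalName are Kerberos service accounts; flag those with no
#    owner recorded in the 'manager' attribute or with privileged membership.
$ServiceAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, Manager, PasswordLastSet, MemberOf |
    Select-Object SamAccountName, PasswordLastSet,
        @{n='Owner';      e={ if ($_.Manager) { $_.Manager } else { '<none>' } }},
        @{n='Privileged'; e={ [bool](Get-ShortGroupNames $_.MemberOf -split ';' |
                                  Where-Object { $PrivilegedGroups -contains $_ }) }},
        @{n='SPNs';       e={ $_.ServicePrincipalName -join ';' }}

# 4. Which external service providers have access, and to what groups?
$Externals = Get-ADUser -SearchBase $ExternalOU -Filter * -Properties MemberOf, LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate,
        @{n='Groups'; e={ Get-ShortGroupNames $_.MemberOf }}

# Export the four views for review with the accountable owners.
$Admins          | Export-Csv -NoTypeInformation -Path .\admins.csv
$Stale           | Export-Csv -NoTypeInformation -Path .\stale-accounts.csv
$ServiceAccounts | Export-Csv -NoTypeInformation -Path .\service-accounts.csv
$Externals       | Export-Csv -NoTypeInformation -Path .\external-accounts.csv
```

The CSV output is the transparency baseline the article calls for: review each line with a named owner before any automation or tooling is layered on top.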
The Zero Trust Complexity Trap
The impact of missing Identity Governance is particularly evident in many Zero Trust initiatives. The core idea is straightforward: every access request should be verifiable and controlled. However, historically grown IT environments often lack the necessary foundation. Permissions have evolved over years, role models are inconsistent, and responsibilities remain unclear. Legacy systems, technical accounts without clear owners, and permanent exception approvals further increase complexity. Without transparency into existing identities and access rights, Zero Trust often increases operational complexity before it actually reduces security risks.
Especially for mid-sized organizations, a pragmatic approach is advisable. Not every company needs a fully implemented Zero Trust model from day one. It is often more effective to prioritize clearly defined and high-risk areas:
- Privileged administrator access
- Orphaned accounts without ownership
- Approval processes for new permissions
- Technical accounts with extensive privileges
This creates a Zero Trust foundation step by step, one that remains manageable from an organizational perspective while immediately reducing risk.
Learn more about permissions and Identity Management in our next article: >>Permissions Are the Real Attack Vector<<