



























Praerit Garg, CEO, One Identity, trusted leader in identity security, helping enterprises protect and simplify access to digital identities.

getty
Most executives I’ve spoken with in recent months believe that access management is largely under control. Employees are given access to the systems they need when they join, with permissions typically granted based on their role, and then accounts are disabled when those employees move on to pastures new. On paper, the process appears orderly and well governed, and that inspires confidence.
However, that confidence is often misplaced and tends to fall apart when organizations are asked to take a closer look at how they manage identity and access. According to the Ponemon Institute, only 44% of organizations said they were “highly confident” in their ability to prevent identity-based security incidents, suggesting many companies still struggle to maintain comprehensive visibility when it comes to access management. In a 2025 report, Microsoft revealed that 66% of attack pathways involve compromised credentials or accounts, underscoring the importance of air-tight identity and access management (IAM).
When it comes to access management, the risk rarely sits at the beginning or end of the employee life cycle. It sits right in the middle, where day-to-day work actually happens. Modern organizations are fluid environments where people move between teams, take on new responsibilities, participate in temporary initiatives and interact with a mushrooming ecosystem of applications and services. Each change often requires new access, and those permissions tend to accumulate over time.
What happens far less frequently is the systematic removal of access that is no longer needed. As a result, many employees gradually carry far more privilege than their current role requires, often without even realizing it. So, at a time when identity has become the primary gateway to enterprise systems, the quiet accumulation of access can create an attack surface that few organizations are actively monitoring.
And that’s a breach waiting to happen.
It’s not like a business gets going one morning and realizes they have an identity sprawl problem. It develops gradually as employees move through the natural rhythm of their careers inside an organization. Someone joins a project team and receives access to a new application. Later, they transfer to another role but retain the permissions from the previous one. A new system is deployed, and access is granted broadly so teams can get started quickly. Months or years later, those same permissions remain, even though the work that required them has long since been completed.
It’s important to note that none of this typically happens because of negligence or bad intent. It happens because organizations are complex and fast-moving. Granting access is easy, but removing it requires time, coordination and visibility that many teams don’t have.
One of the reasons access sprawl is so difficult to fix is that it’s often a conscious trade-off rather than a simple oversight. I recently spoke with a CEO who described how access is rarely revoked cleanly when employees get promoted or switch roles. Managers frequently request extended permissions during “transition periods” to avoid disrupting work, but those temporary measures often become permanent.
This reflects our temptation in access management toward low friction, but in reality, some friction is essential. Without it, there is no reliable way to validate whether access is still needed. As AI agents begin to act on behalf of users, often at speeds and scales that humans can’t match, the situation becomes even more critical. There have already been instances where AI agents have deleted entire calendars, folders or batches of emails—not because of any maliciousness from a third party, but because too much leeway was given to the technology.
It’s easy to frame overprivileged access as “unused access,” and in that context it seems fairly harmless. If an employee is no longer interacting with a particular system or account, there doesn’t appear to be any urgent risk. But these “unused permissions” can actually be the biggest vulnerability inside an organization today.
When an account is compromised through phishing, credential theft or session hijacking, attackers inherit whatever access that identity already holds, and if privileges have accumulated over time, the attacker suddenly gains a much wider path through the environment than anybody realizes. In effect, every unnecessary permission increases the blast radius of a breach.
That risk is even more pronounced as cybersecurity has shifted away from defending a single network perimeter. With cloud platforms, SaaS applications, APIs, mobile devices and distributed workforces, the traditional concept of a corporate network with clearly defined boundaries has disappeared. Access is now governed through identity and credentials rather than physical or network location, so privileged accounts have become one of the most valuable entry points for attackers. When identities become the control plane for modern infrastructure, overprovisioned access translates to a direct security vulnerability.
One of the most effective ways to remedy this problem is to treat access as something that must be continuously validated rather than periodically checked. Organizations need visibility into who—or what—has access to services across their environment, and whether that access is actually being used.
While AI is contributing to this challenge, it’s also part of the solution. It can continuously monitor usage patterns, identify dormant permissions and flag access that no longer aligns with business needs. In many cases, simply identifying unused access can significantly reduce the potential impact of a compromised account.
The challenge, as the CEO referenced above confirmed to me, is that access is often left in place out of caution rather than necessity. Teams hesitate to remove permissions for fear of breaking workflows or disrupting productivity. But in practice, access that has not been used for an extended period of time is rarely critical, and revoking that access shouldn’t be seen as a risk.
If access is genuinely required, it can be requested again. That kind of “friction” isn’t a failure of the system, and with the right access management tools in place, it can feel like just another part of any seamless workflow.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。