Top identity and access management risks
Identity is long past the days of logging into systems. Security teams must now manage SaaS apps, AI agents and machine-to-machine interactions across distributed environments.
Identity and access management has evolved from a supporting IT function into the foundation of enterprise security. In modern organizations, identity governs access not only for employees, but also for contractors, cloud workloads, SaaS platforms, APIs, automation pipelines and, increasingly, AI-driven systems and agents. It's common to hear identity described as the new perimeter.
Attackers no longer need to break in through traditional technical exploits if they can simply log in with stolen credentials, hijacked sessions, abused API tokens or compromised nonhuman identities (NHIs). At the same time, organizations struggle to manage sprawling SaaS ecosystems, cloud-native infrastructure, decentralized identity stores and autonomous AI systems.
All this means security teams face a mix of traditional IAM risks and newer identity challenges.
Overprivileged access remains one of the biggest risks
Users, administrators, service accounts and cloud roles often accumulate permissions over time that far exceed what they require. Organizations frequently grant broad access in the name of productivity; they rarely revisit or remove those privileges later.
In cloud environments, this problem is especially dangerous. A single overprivileged IAM role in AWS or Azure could provide access to sensitive data stores, administrative APIs, infrastructure provisioning or continuous delivery systems. Similarly, excessive permissions in SaaS platforms such as Microsoft 365, Salesforce, ServiceNow, GitHub or Slack can expose sensitive business data and operational workflows.
The risk is amplified because attackers increasingly target identities instead of infrastructure. Once an attacker compromises a privileged identity, they can often operate within the environment using legitimate APIs and trusted workflows, making detection significantly more difficult.
Organizations should prioritize least-privilege access, role reviews, entitlement governance and periodic access recertification processes. Modern IAM programs must extend these controls beyond traditional directory systems to include cloud-native and SaaS environments as well.
NHIs have become a major attack surface
A significant IAM development in recent years is the substantial rise in the number of NHIs. These include service accounts, API keys, OAuth tokens, cloud workload identities, containers, serverless functions, certificates, robotic process automation accounts and AI agents. In many organizations, NHIs dramatically outnumber human identities.
The challenge is that most IAM programs were originally designed around employees and contractors, not autonomous workloads operating continuously across cloud and SaaS environments. As a result, many NHIs are poorly governed, overprivileged, unmonitored or use long-lived credentials that are rarely rotated.
This creates significant risk. A compromised API token or cloud service role might provide direct access to production systems, sensitive data or deployment pipelines. Attackers increasingly target these identities because they often bypass traditional MFA and user-focused monitoring controls.
To secure NHIs, modern IAM programs should include:
- Full inventory and ownership tracking of NHIs.
- Automated credential rotation and short-lived tokens.
- Workload identity federation where possible.
- Least privilege access for service accounts and APIs.
- Monitoring for anomalous workload identity behavior.
- Separate governance models for human and machine identities.
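The inventory, rotation, least-privilege and federation controls above can be checked mechanically once NHIs are catalogued. The following Python script is an added example, not code from the article or any product; the record fields, the 90-day rotation window and the sample inventory are assumptions constructed for illustration.

```python
"""Audit a constructed inventory of nonhuman identities (NHIs).

Added example, not from the article or any product: checks each NHI for a named
owner, credential age inside the rotation window, no wildcard permissions, and
federation used where available. Field names and thresholds are assumptions."""
from datetime import datetime, timezone

MAX_CREDENTIAL_AGE_DAYS = 90                        # assumed rotation policy
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)     # fixed clock for reproducible output

# Constructed sample inventory (not real identifiers).
INVENTORY = [
    {"id": "svc-ci-deploy", "kind": "service_account", "owner": "platform-team",
     "cred_type": "static_key", "created": "2024-01-15",
     "permissions": ["deploy:write"], "federation_available": True},
    {"id": "svc-reporting", "kind": "service_account", "owner": None,
     "cred_type": "static_key", "created": "2025-04-20",
     "permissions": ["*"], "federation_available": False},
    {"id": "agent-support-bot", "kind": "ai_agent", "owner": "cx-team",
     "cred_type": "oauth_token", "created": "2025-05-25",
     "permissions": ["tickets:read"], "federation_available": False},
]

def credential_age_days(record, now=NOW):
    created = datetime.strptime(record["created"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return (now - created).days

def audit_nhi(record, now=NOW, max_age=MAX_CREDENTIAL_AGE_DAYS):
    """Return the policy findings for one NHI; an empty list means compliant."""
    findings = []
    if not record.get("owner"):
        findings.append("no_owner")
    if credential_age_days(record, now) > max_age:
        findings.append("credential_not_rotated")
    if any(p == "*" or p.endswith(":*") for p in record["permissions"]):
        findings.append("wildcard_permissions")
    if record["cred_type"] == "static_key" and record["federation_available"]:
        findings.append("federation_not_used")
    return findings

def audit_inventory(inventory, now=NOW):
    """Map each NHI id to its findings so they can be routed to an owner."""
    return {r["id"]: audit_nhi(r, now) for r in inventory}

if __name__ == "__main__":
    for nhi_id, findings in audit_inventory(INVENTORY).items():
        print(f"{nhi_id}: {', '.join(findings) or 'compliant'}")
```

Findings without an owner cannot be routed anywhere, which is why ownership tracking is the first control in the list.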
NHI security is rapidly becoming one of the most important areas of IAM, particularly as organizations expand their use of cloud and AI services.
SaaS identity sprawl creates governance challenges
Most enterprises now operate hundreds or even thousands of SaaS applications. Many of these platforms maintain their own identity stores, roles, permissions and authentication methods.
Over time, organizations lose visibility into who has access to what, especially when individual business units adopt applications without centralized oversight.
This SaaS identity sprawl creates several risks:
- Former employees retaining access to applications.
- Excessive third-party OAuth integrations.
- Shadow IT and unmanaged SaaS usage.
- Weak MFA enforcement across platforms.
- Inconsistent logging and monitoring.
- Excessive administrative privileges in SaaS tools.
Attackers understand that SaaS applications often contain valuable business data, including intellectual property, financial information, customer records, collaboration data and source code. AI-powered attacks increasingly target SaaS platforms because identities and sessions are now easier to exploit at scale.
To address this, organizations should prioritize SaaS security posture management, centralized identity federation, conditional access enforcement, and continuous monitoring of SaaS privilege changes and OAuth grants.
AI-driven deepfakes and identity impersonation are rising threats
One of the newest IAM risks is the use of GenAI and deepfake technologies to impersonate employees, executives, help desk admins or business partners. With relatively little effort, attackers can generate convincing voice, video and text-based impersonations to:
- Trick the help desk into resetting a password for a privileged employee or executive account.
- Illegitimately request MFA resets by impersonating employees who claim to have lost or replaced devices.
- Impersonate executives in urgent financial, legal or operational communications.
- Bypass voice-authentication systems used in banking, customer service or internal verification workflows.
- Conduct business email compromise campaigns using synthetic voice or video to reinforce legitimacy.
- Infiltrate vendor-payment workflows involving fraudulent invoice approvals or wire-transfer requests.
Deepfake-enabled social engineering and phishing are particularly dangerous because they target the human trust layer of IAM processes rather than technical systems. Organizations that rely heavily on voice recognition or weak verification procedures could find these attacks increasingly difficult to detect.
Security teams should revisit all high-risk identity recovery and reset workflows. Stronger identity proofing, phishing-resistant MFA, callback verification procedures, privileged-access approvals and risk-based authentication controls are becoming essential.
The help desk itself is increasingly becoming a security-sensitive function and should be treated as part of the organization's identity attack surface.
Identity-centric attacks provide efficient entry points
Identity-based attacks remain one of the most common initial access vectors for breaches. Stolen credentials, session hijacking, token theft, MFA bypassing and compromised federated identities continue to drive major incidents across industries.
Attackers prefer these methods because they are efficient and often bypass traditional perimeter defenses. In cloud environments especially, valid credentials could provide direct access to sensitive resources without requiring malware or exploit chains.
This trend reinforces the need for phishing-resistant MFA, conditional access policies, continuous session validation, identity threat detection and response, device trust validation, impossible travel and anomalous behavior monitoring, and session-token protection.
Modern IAM increasingly requires continuous evaluation of identity risk throughout a session, not just at login, in line with zero-trust practices.
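Impossible-travel monitoring, named above, is one of the simpler continuous-evaluation signals to implement: consecutive sign-ins by the same identity are compared, and an event is flagged when the distance from the previous location could not have been covered in the elapsed time. The Python below is an added example, not from the article; the event format, coordinates and the 900 km/h threshold are assumptions.

```python
"""Impossible-travel detection over constructed sign-in events.

Added example, not from the article: consecutive sign-ins of the same identity
are compared, and an event is flagged if covering the great-circle distance
from the previous one would need an implausible speed. Format and threshold
are assumptions."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0   # assumed: roughly airliner cruise speed

# Constructed sign-ins: (identity, UTC timestamp, latitude, longitude).
SIGN_INS = [
    ("alice", "2025-06-01T08:00:00", 51.5074, -0.1278),   # London
    ("alice", "2025-06-01T08:45:00", 40.7128, -74.0060),  # New York, 45 min later
    ("bob",   "2025-06-01T09:00:00", 48.8566,   2.3522),  # Paris
    ("bob",   "2025-06-01T17:00:00", 41.9028,  12.4964),  # Rome, 8 h later
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (mean Earth radius)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def required_speed_kmh(prev, cur):
    """Speed needed to get from the previous sign-in location to the current one."""
    km = haversine_km(prev[2], prev[3], cur[2], cur[3])
    hours = (datetime.fromisoformat(cur[1]) - datetime.fromisoformat(prev[1])).total_seconds() / 3600
    if hours <= 0:                       # same second or out-of-order clock
        return float("inf") if km > 0 else 0.0
    return km / hours

def find_impossible_travel(events, max_speed=MAX_SPEED_KMH):
    """Return (identity, timestamp, speed_kmh) for sign-ins that exceed max_speed."""
    last_seen, flagged = {}, []
    for ev in sorted(events, key=lambda e: (e[0], e[1])):   # per identity, time order
        prev = last_seen.get(ev[0])
        if prev is not None:
            speed = required_speed_kmh(prev, ev)
            if speed > max_speed:
                flagged.append((ev[0], ev[1], round(speed)))
        last_seen[ev[0]] = ev
    return flagged

if __name__ == "__main__":
    for ident, ts, speed in find_impossible_travel(SIGN_INS):
        print(f"{ident} at {ts}: would require ~{speed} km/h")
```

In production the geolocation step (IP to coordinates) and VPN or proxy allow-lists matter more than the arithmetic; a single flagged event is a signal for risk-based re-authentication, not proof of compromise.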
Weak identity governance still causes major problems
Despite advances in IAM technology, organizations still struggle with governance fundamentals, such as orphaned accounts, delayed deprovisioning, role explosion, excessive administrative access, inconsistent approval workflows and lack of ownership for identities and entitlements.
These issues become even more difficult in hybrid environments, where identities span on-premises systems, cloud infrastructure, SaaS platforms, contractors and machine identities. AI and automation can improve governance processes, but they increase complexity if organizations deploy them without strong oversight. Autonomous systems and AI agents might request or inherit permissions dynamically, creating new governance challenges around delegation, accountability and auditability.
CISOs and their organizations should focus on building identity governance programs that emphasize more progressive controls, such as just-in-time privileged access, continuous access reviews and automated deprovisioning. Even with these controls, many modern IAM programs will fail without strong lifecycle management and policies, enterprise-wide identity ownership and accountability, and a commitment to risk-based entitlement governance across all platforms and systems.
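Orphaned accounts and delayed deprovisioning are both visible from a reconciliation of the directory against the HR roster, which is also the data an automated deprovisioning workflow would act on. The Python below is an added example, not code from the article; the record layout, the one-day SLA and the sample roster are assumptions constructed for illustration.

```python
"""Reconcile directory accounts against an HR roster to surface governance gaps.

Added example, not from the article: flags accounts with no HR record (orphaned)
and leaver accounts still enabled past a deprovisioning SLA, with the lag in days
so delayed deprovisioning can be measured. Record fields and SLA are assumptions."""
from datetime import date

DEPROVISION_SLA_DAYS = 1          # assumed: leavers disabled within one day
TODAY = date(2025, 6, 1)          # fixed clock for reproducible output

# Constructed HR roster: worker id -> (status, termination date or None).
HR_ROSTER = {
    "w100": ("active", None),
    "w101": ("terminated", date(2025, 5, 20)),
    "w102": ("terminated", date(2025, 5, 31)),
}
# Constructed directory accounts; worker_id links an account to HR.
ACCOUNTS = [
    {"name": "alice",      "worker_id": "w100", "enabled": True},
    {"name": "bob",        "worker_id": "w101", "enabled": True},   # leaver, long overdue
    {"name": "carol",      "worker_id": "w102", "enabled": True},   # leaver, still inside SLA
    {"name": "svc-legacy", "worker_id": None,   "enabled": True},   # nobody in HR owns it
]

def classify_account(acct, roster=HR_ROSTER, today=TODAY, sla=DEPROVISION_SLA_DAYS):
    """Return (finding, lag_days) for one account; finding is None when clean."""
    record = roster.get(acct["worker_id"]) if acct["worker_id"] else None
    if record is None:
        return ("orphaned_no_hr_record", None)
    status, term_date = record
    if status == "terminated" and acct["enabled"]:
        lag = (today - term_date).days
        return ("deprovisioning_overdue" if lag > sla else "deprovisioning_pending", lag)
    return (None, None)

def governance_report(accounts, roster=HR_ROSTER, today=TODAY):
    """Map account name to its finding, skipping clean accounts."""
    report = {}
    for acct in accounts:
        finding, lag = classify_account(acct, roster, today)
        if finding is not None:
            report[acct["name"]] = (finding, lag)
    return report

if __name__ == "__main__":
    for name, (finding, lag) in governance_report(ACCOUNTS).items():
        print(f"{name}: {finding}" + (f" ({lag} days)" if lag is not None else ""))
```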
While least privilege, strong authentication, lifecycle management, governance and monitoring still matter, those fundamentals are not enough. IAM programs must evolve from static authentication systems into continuous trust and verification platforms. Organizations that continue to treat IAM as a directory management problem will struggle to keep pace with modern threats.
Dave Shackleford is founder and principal consultant at Voodoo Security, as well as a SANS analyst, instructor and course author, and GIAC technical director.