Identity, IAM Technologies, Decentralized identity and verifiable credentials

Identity debt: What is it, how to spot it

bunch of old brass and bronze keys for sale at flea market

Identity debt is eating away at enterprise security defenses. It grows in the background, often unnoticed, until it’s too late. And when breaches occur, the cause is seldom identified as “debt”. It’s usually blamed on something closer to a zero-day exploit.

Debt is the real culprit here said Dr. Dustin Sachs, chief technologist at CyberRisk Collaborative.

[Editor's Note: This is the first of a three part series highlighting Identity and Credentials. Read Part Two: The MFA mirage: Why attackers are bypassing passwords and targeting your people; Part Three: IAM Best Practices: Rebuilding IAM from the outside in]

IAM debt is years of unaddressed access sprawl, legacy entitlements, and account mismanagement, he said the SC Media webcast titled From fragmented to unified: Rethinking network security operations in the AI era.

Identity debt: The diagnosis

More than 77% of security leaders said their organizations suffered a breach or cyberattack in the past year due to overprivileged or poorly managed user access, according to ConductorOne’s 2024 Identity Security Outlook Report (PDF).

The root cause, in many cases, wasn’t sophisticated malware or new exploit techniques. It was the residue of past inaction.

Experts warn that every orphaned SaaS account, lingering admin credential, and failed deprovisioning step adds to a quiet, growing burden. By the time attackers arrive, they often don’t need to force their way in — they already have a working key.

“Attackers aren’t exploiting software vulnerabilities,” said Sachs. “They’re exploiting our operational complacency. Identity debt is real and it’s compounding.”

Sachs, who leads security programming at the Collaborative, said most organizations accumulate this debt gradually and without realizing it. IAM tools are adopted without governance. Shadow IT grows unchecked. Users who left months ago still have access to production systems.

“It all adds up,” Sachs said. “And that’s what attackers count on.”

The consequences are visible in breach trends. During the webcast Sachs and Saviynt Field CIO Simon Gooch said many organizations with seemingly mature identity programs are still vulnerable because their architecture is siloed, brittle, and outdated.

Five IAM frameworks and no map

“Most companies don’t have one IAM system — they have five,” said Gooch, who previously led global identity transformation at Accenture.

Each business unit, he explained, tends to build its own policies and enforcement methods. Visibility is fragmented. Entitlements are inconsistent. And in that kind of environment, attackers aren’t just enabled — they’re invited.

Gooch compared identity sprawl with managing a critical utility through a collection of disconnected generators. When identity governs everything from workload orchestration to data access, fragmentation doesn’t just hinder performance. It introduces risk.

Mergers and acquisitions are a major driver, he added. Every acquisition brings with it a new stack, and unless there’s a defined integration plan, organizations inherit conflicting entitlements, legacy credentials, and sometimes entire identity systems left to drift.

From startups to scale-ups: Identity debt starts early

Carlota Sage, a virtual CISO and founder of Pocket CISO, said identity debt isn’t confined to large, complex organizations. It often begins in startups, where access control is treated as an afterthought.

“I’ve walked into five-person teams where no one knew who had access to what,” Sage said during a webcast on Innovative IAM Strategies: New Tools and Guidance for Modern Identity Security.

Founders frequently share credentials. Developers use personal email accounts to register for production tools. By the time a security hire is made, the identity environment is already compromised.

“For small businesses, identity gets treated like setting up a Wi-Fi password,” she said. “No one’s thinking about lifecycle management or revocation. But that former contractor who left six months ago might still have access to your customer database.”

The attacker’s dream: misconfigured MFA and forgotten sessions

Even when identity controls exist, attackers are increasingly finding ways around them. In a third SC Media webcast, Stolen credentials: The New Front Door to Your Network, BleepingComputer editor-in-chief Lawrence Abrams warned that MFA isn’t effective in an environment already cluttered with poor hygiene.

“We’re seeing breaches where attackers use stolen session cookies to bypass MFA entirely,” Abrams said. “They don’t need to reset a password if the session is still live.”

Adrian Sanabria, host of Enterprise Security Weekly and a veteran penetration tester, noted that many threat actors now rely on techniques that were once exclusive to nation-state groups. Now they’re commoditized.

“The attackers aren’t breaking in,” Sanabria said. “They’re logging in — with credentials we left lying around.”

Cleaning up before the breach hits

So what’s the fix? While the panelists offered different perspectives, they agreed on one thing: remediation starts with visibility.

Sage recommended starting with a comprehensive identity inventory. That includes mapping all tools in use, identifying who has access, and reviewing deprovisioning procedures. Without that foundational work, Sage said, every other effort risks being performative.

Gooch emphasized modernization over spreadsheets. Spreadsheets, he said, don’t scale. What’s needed are platforms that enforce policy uniformly, automate user provisioning and revocation, and deliver telemetry on how access is actually being used.

Sachs added that IAM cannot remain siloed inside the security function. It must become a shared responsibility across IT, HR, and compliance.

“If HR, IT, and security aren’t aligned on identity,” Sachs said, “then no amount of MFA or Zero Trust marketing is going to save you.”

The cost of inaction is rising

Identity debt is no longer just an operational nuisance. It’s a measurable security liability. The longer it’s ignored, the easier it becomes for attackers to find shortcuts.

And like any form of debt, its cost compounds over time.

“You don’t need ransomware when the front door’s already open,” Sachs said.
“And in most organizations, that door is held open by years of unmanaged identity.”

[Editor's Note: This is the first of a three part series highlighting Identity and Credentials. Read Part Two: The MFA mirage: Why attackers are bypassing passwords and targeting your people; Part Three: IAM Best Practices: Rebuilding IAM from the outside in]

-Edited by Tom Spring

(Editor’s Note: A portion of this content used a large language model to distill a single source of original content, such as a transcript, data, or research report. This content was conceived, crafted and fact-checked by a staff editor, and any sourced intellectual property used is clearly credited and disclosed.)

Tom Spring, Editorial Director

Tom Spring is Editorial Director for SC Media and is based in Boston, MA. For two decades he has worked at national publications in the leadership roles of publisher at Threatpost, executive news editor PCWorld/Macworld and technical editor at CRN. He is a seasoned cybersecurity reporter, editor and storyteller that aims always for truth and clarity.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds