Identity: The Least Resolved Control Plane in Enterprise Security

Credential-based attacks continue to drive a significant share of data breaches, yet identity remains unevenly governed across most organizations. Over time, these gaps accumulate into long-lived, legitimate pathways attackers can quietly inherit.

Identity: The Least Resolved Control Plane in Enterprise Security

Identity: The Least Resolved Control Plane in Enterprise Security

The 2025 Verizon Data Breach Investigations Report found that credential-based attacks were involved in roughly 22 percent of confirmed data breaches, with credential abuse and theft remaining a consistent and impactful initial access pattern across many sectors.

Identity systems now sit at the center of enterprise security, yet they remain unevenly implemented across most organizations, not because teams underestimate their importance, but because identity rarely maps cleanly onto how work actually happens across tools, teams, and time.

Even in environments with mature identity providers and well-configured single sign-on, there are persistent gaps between what is federated and what is not, which means that identity governance tends to be strongest where it is easiest to implement rather than where it is most necessary. Over time, those gaps accumulate quietly, particularly as teams adopt new applications, automate workflows, and create service accounts that fall outside central ownership.

The result is a structural limitation in how identity systems are applied in practice.

How employee transitions create long-lived access that is difficult to see

When an employee leaves a company or moves into a new role, the offboarding process usually begins with a predictable sequence of actions, including disabling the primary identity, revoking access to core systems, and working through a checklist of known applications that are assumed to represent the employee’s footprint.

What this process often misses is how people actually work over time. Employees accumulate tools organically, create accounts for convenience, store credentials in places that made sense at the time, and interact with systems that were never formally registered as part of their role. These patterns are rarely malicious, but they are rarely documented either.

As a result, accounts and credentials can persist outside centralized authentication, continuing to function long after the original owner has departed. Non-human identities, automation tokens, API keys, and department-owned accounts are particularly easy to overlook because they are not tied to a single person in an obvious way, even though they often inherit that person’s access patterns and privileges.

Why many systems remain outside centralized identity governance

The presence of orphaned access is not limited to immature environments. It appears consistently across organizations with very different levels of security investment because many systems fall outside identity governance for reasons that are operational rather than ideological.

Some applications lack modern identity integration or rely on legacy authentication protocols that do not support federation. Others are excluded due to licensing models that penalize per-user identity integration, which leads teams to rely on shared or local accounts. In some cases, systems are intentionally isolated due to operational technology constraints, air-gapped environments, or regulatory requirements that limit connectivity.

There are also organizational drivers. Department-owned tools, shadow IT, and internally developed services often move faster than central identity teams can integrate them, particularly when teams prioritize delivery over governance. Over time, these exceptions become normal, and the identity surface expands beyond what any single team can easily inventory.

What security monitoring sees when orphaned identities are abused

When attackers gain access to one of these unmanaged or forgotten identities, they do not need to bypass authentication or exploit software vulnerabilities. The access already exists, and from the system’s perspective, it remains valid.

From the viewpoint of security monitoring tools, the activity often appears legitimate. The login succeeds, the session is authenticated, and the behavior may closely resemble historical usage patterns associated with the account. Because these identities were created to perform real work, their access does not immediately stand out as anomalous.

This is how long-lived backdoors emerge without triggering alerts. The issue is not that monitoring systems are ineffective, but that they are observing activity that conforms to expectations established when the identity was first created.

Why identity exposure has reached measurable scale

The scale of identity-related exposure is no longer theoretical. In the first half of 2025, researchers identified approximately 1.8 billion stolen credentials circulating in criminal marketplaces, representing an increase of more than eight hundred percent compared to prior years, according to Flashpoint. At the same time, the Verizon Data Breach Investigations Report attributes credential misuse to roughly twenty-two percent of confirmed data breaches.

These figures matter because they reflect how often attackers rely on valid access rather than technical exploitation. As organizations continue to expand their identity surfaces without achieving full visibility, the likelihood that dormant or forgotten access will be abused increases proportionally.

Treating identity integration as optional effectively ensures that this exposure compounds over time rather than stabilizing.

What changes when offboarding is treated as an identity lifecycle problem

Improving this situation begin with a shift in how offboarding is understood. Rather than viewing it as a checklist of systems to disable, it becomes a lifecycle exercise that asks whether the organization can fully account for how an identity existed across its environment.

This starts with regular cleanup of accumulated accounts: Joiner, mover, and leaver workflows need to account for both human and non-human identities, including the credentials and secrets created in the course of everyday work.

Visibility must extend beyond federated systems to include standalone accounts, service identities, and third-party platforms. Tools such as CASB and secure web gateways can help reconstruct how staff interact with applications over time, which provides context that static inventories often miss.

How to test whether identity governance works in practice

A practical way to assess maturity is to select a small number of recent leavers and attempt to reconstruct their full access footprint. This exercise should answer whether every account can be enumerated, every active session revoked, every secret rotated, and every piece of owned data transferred appropriately.

The goal is not to achieve perfection, but to identify where visibility breaks down and where assumptions replace evidence. These gaps are rarely dramatic on their own, but they are precisely where durable access tends to persist.

What this implies for identity as an operational discipline

Identity exposure does not typically result from a single misconfiguration or oversight. It emerges gradually as organizations scale, tools proliferate, and exceptions accumulate faster than governance models adapt.

Addressing it requires accepting that identity is not a static control plane, but a living system that reflects how work evolves over time. When organizations align their identity practices with that reality, offboarding becomes less about removing access reactively and more about understanding where access exists in the first place.

That shift does not eliminate risk, but it does replace blind spots with clarity, which is ultimately the foundation on which durable security decisions are made.

Stay informed

Get The DZD Signal

Get cutting-edge insights and actionable analysis sent directly to your inbox.

Find me on LinkedIn for conversations and partnerships.