Identity Management: 4 Critical Errors to Avoid in 2026

The network perimeter is gone. Identity is now your first line of defense.

But deploying tools isn’t enough. How you manage them defines your security posture.

Here are four common pitfalls that leave organizations vulnerable.

1. Ignoring your “machine” workforce

When you think identity, you think human. Wrong.

Non-Human Identities (NHIs)—bots, service accounts, API keys—now outnumber human identities eight to one. These accounts are often over-privileged and under-monitored. They become prime targets for attackers seeking persistence or lateral movement.

If your governance strategy doesn’t audit machines as rigorously as humans, you’re ignoring the majority of your attack surface.
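One way to audit machine identities with the same checks applied to humans, as an added example that is not part of the article: the inventory, thresholds and field names below are constructed for illustration, and a real audit would pull these records from the IdP, cloud IAM and secrets manager.

```python
"""Audit a mixed inventory of human and non-human identities (NHIs).

Added example, not from the original article. The inventory records, the
rotation/idle thresholds and the field names are constructed assumptions.
"""
from datetime import datetime, timezone

NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)  # fixed "now" so results are reproducible
MAX_KEY_AGE_DAYS = 90   # assumed policy: rotate keys/secrets at least this often
MAX_IDLE_DAYS = 30      # assumed policy: anything unused this long is suspect

# Constructed inventory; in practice each record comes from the IdP / cloud IAM.
INVENTORY = [
    {"id": "alice", "kind": "human", "owner": "alice", "privileged": False,
     "last_used": "2026-01-14", "credential_rotated": "2025-12-01", "monitored": True},
    {"id": "svc-backup", "kind": "service_account", "owner": None, "privileged": True,
     "last_used": "2025-09-02", "credential_rotated": "2024-03-10", "monitored": False},
    {"id": "ci-deploy-key", "kind": "api_key", "owner": "platform-team", "privileged": True,
     "last_used": "2026-01-14", "credential_rotated": "2025-12-20", "monitored": True},
    {"id": "chatbot", "kind": "bot", "owner": "marketing", "privileged": False,
     "last_used": "2025-11-01", "credential_rotated": "2025-06-01", "monitored": False},
]


def _days_since(date_str, now=NOW):
    then = datetime.strptime(date_str, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return (now - then).days


def audit_identity(record, now=NOW):
    """Return the governance findings for one identity, human or machine alike."""
    findings = []
    if record["owner"] is None:
        findings.append("no accountable owner")
    if _days_since(record["credential_rotated"], now) > MAX_KEY_AGE_DAYS:
        findings.append("credential older than rotation policy")
    if _days_since(record["last_used"], now) > MAX_IDLE_DAYS:
        findings.append("idle: candidate for disablement")
    if record["privileged"] and not record["monitored"]:
        findings.append("privileged but not in monitoring scope")
    return findings


def audit_inventory(records, now=NOW):
    """Apply the same checks to every identity; return {id: findings} for flagged ones."""
    return {r["id"]: f for r in records if (f := audit_identity(r, now))}


def nhi_ratio(records):
    """Non-human to human identity ratio for the inventory (the article cites 8:1 industry-wide)."""
    humans = sum(1 for r in records if r["kind"] == "human")
    return (len(records) - humans) / humans if humans else float("inf")


if __name__ == "__main__":
    for ident, findings in audit_inventory(INVENTORY).items():
        print(f"{ident}: " + "; ".join(findings))
    print(f"NHI:human ratio in sample = {nhi_ratio(INVENTORY):.1f}")
```

In the constructed sample the unowned, unrotated, unmonitored `svc-backup` service account collects four findings, the idle bot collects two, and the two well-governed identities collect none; the point is that the same rules run over both populations, so over-privileged machine accounts cannot hide outside the review scope.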

2. Neglecting the “Join, Move, Leave” process

Identity governance can’t be static. A critical error: Failing to automate access revocation when employees leave or change roles.

The risk: Privilege creep. Users retain old rights while gaining new ones. Exposure grows unnecessarily.

The solution: The NSA confirms it—the most impactful preventive measure is the ability to immediately revoke access when high-risk events are detected or employees depart.
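A minimal Joiner/Move/Leaver reconciliation, added here as an example and not taken from the article or from the NSA/CISA guidance it cites: it compares an HR system of record against the entitlements actually granted, computes immediate revocations for leavers and movers, and surfaces privilege creep. The role model, HR feed and grants are constructed, and the field names are assumptions.

```python
"""Joiner / Mover / Leaver reconciliation against a role-based entitlement model.

Added example, not from the article. ROLE_ENTITLEMENTS, HR_FEED and
CURRENT_GRANTS are constructed data; a real run would read them from the
HR system, the directory and each application's authorization store.
"""

# Assumed role model: the entitlements each role justifies.
ROLE_ENTITLEMENTS = {
    "engineer": {"vpn", "git:write", "prod:read"},
    "sre":      {"vpn", "git:write", "prod:read", "prod:admin"},
    "finance":  {"vpn", "erp:read", "erp:approve"},
}

# HR system of record (constructed). status is "active" or "terminated".
HR_FEED = {
    "alice": {"role": "sre",      "status": "active"},
    "bob":   {"role": "finance",  "status": "active"},      # mover: was an engineer
    "carol": {"role": "engineer", "status": "terminated"},  # leaver
}

# Entitlements currently granted across systems (constructed).
CURRENT_GRANTS = {
    "alice": {"vpn", "git:write", "prod:read", "prod:admin"},
    "bob":   {"vpn", "git:write", "prod:read", "erp:read", "erp:approve"},  # old rights kept
    "carol": {"vpn", "git:write", "prod:read"},                              # never revoked
}


def reconcile(hr_feed, grants, role_model):
    """Return {user: {"revoke": set, "grant": set}} that brings grants in line with HR.

    Leavers lose everything; movers lose entitlements their new role does not
    justify and gain the ones it does; joiners receive their role's entitlements.
    Accounts holding grants with no HR record are orphans and are treated as leavers.
    """
    plan = {}
    for user, record in hr_feed.items():
        have = grants.get(user, set())
        want = set() if record["status"] != "active" else role_model[record["role"]]
        plan[user] = {"revoke": have - want, "grant": want - have}
    for user in grants.keys() - hr_feed.keys():
        plan[user] = {"revoke": set(grants[user]), "grant": set()}
    return plan


def privilege_creep(plan, hr_feed):
    """Active users who still hold entitlements their current role does not justify."""
    return {u for u, p in plan.items()
            if p["revoke"] and hr_feed.get(u, {}).get("status") == "active"}


if __name__ == "__main__":
    plan = reconcile(HR_FEED, CURRENT_GRANTS, ROLE_ENTITLEMENTS)
    for user, actions in plan.items():
        print(user, "revoke:", sorted(actions["revoke"]), "grant:", sorted(actions["grant"]))
    print("privilege creep:", sorted(privilege_creep(plan, HR_FEED)))
```

Running the sample revokes all three of Carol's entitlements the moment HR marks her terminated, strips Bob of the `git:write` and `prod:read` rights left over from his engineering role, and leaves Alice untouched. Driving this from the HR feed on every change, rather than from periodic manual reviews, is what turns the NSA's "immediately revoke" recommendation into something that actually happens.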

3. Trusting “phishable” MFA

Not all Multi-Factor Authentication is equal. Simple push notifications or SMS are becoming a liability. Prompt bombing (spamming users until they approve) and token theft are exploding.

The data: The 2025 Data Breach Investigations Report notes that prompt bombing appeared in 14% of social engineering breaches.

The solution: Transition to phishing-resistant MFA (like FIDO2/WebAuthn hardware keys) that prevents attackers from replaying credentials or intercepting codes.
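To show what makes FIDO2/WebAuthn phishing-resistant, here is an added example (not the article's code) of the relying-party checks that bind an assertion to the site origin and to a one-time challenge: the browser stamps the origin the page was served from into `clientDataJSON`, and the authenticator hashes the relying-party ID into `authenticatorData`, so a code or response obtained on any other origin fails verification. The RP ID, origin and all messages are constructed; the final signature check over the registered public key is described but not performed, because it needs that key.

```python
"""Origin and challenge binding in a WebAuthn assertion (the "get" ceremony).

Added example, not from the article. RP_ID and RP_ORIGIN are assumed values;
clientDataJSON and authenticatorData are constructed here to stand in for what a
browser and authenticator would send. The signature verification over
authenticatorData || SHA-256(clientDataJSON) is the step after these checks and
is omitted because it requires the credential's registered public key.
"""
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "bank.example"              # assumed relying-party ID (registrable domain)
RP_ORIGIN = "https://bank.example"  # the only origin this RP accepts


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def new_challenge() -> str:
    """Per-login random challenge, stored server-side and accepted exactly once."""
    return b64url(secrets.token_bytes(32))


def build_client_data(challenge: str, origin: str) -> bytes:
    """Stand-in for what the browser produces: the challenge is tied to the page origin."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def build_authenticator_data(rp_id: str, sign_count: int) -> bytes:
    """Simplified authenticatorData: rpIdHash (32 bytes) || flags (1) || signCount (4)."""
    flags = b"\x05"  # UP (user present, bit 0) and UV (user verified, bit 2)
    return hashlib.sha256(rp_id.encode()).digest() + flags + sign_count.to_bytes(4, "big")


def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: str,
                     rp_id: str = RP_ID, rp_origin: str = RP_ORIGIN):
    """Return (ok, reason) after the binding checks a relying party runs before the signature check."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    presented = str(cd.get("challenge", "")).encode()
    if not hmac.compare_digest(presented, expected_challenge.encode()):
        return False, "challenge mismatch (replayed or never issued by this RP)"
    if cd.get("origin") != rp_origin:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this RP"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    # Next (omitted): verify the signature over auth_data + SHA-256(client_data) with the
    # credential's registered public key, then check signCount increased since last use.
    return True, "ok"


if __name__ == "__main__":
    challenge = new_challenge()
    # Legitimate login from the real origin passes the binding checks.
    print(verify_assertion(build_client_data(challenge, RP_ORIGIN),
                           build_authenticator_data(RP_ID, 7), challenge))
    # The same challenge presented from a different origin is rejected by the RP.
    print(verify_assertion(build_client_data(challenge, "https://bank-example.com"),
                           build_authenticator_data(RP_ID, 7), challenge))
```

This is the property that SMS codes and push approvals lack: there is nothing in a six-digit code or a tap on "Approve" that records where the user was when they produced it, so the relying party cannot tell a legitimate login from a relayed one. With WebAuthn the origin and the RP ID hash are part of what gets signed, and a mismatch on either is a hard failure.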

4. Overlooking third-party and shadow IT access

The 2025 DBIR reveals a massive shift: 30% of breaches now involve a third party. That figure has doubled in one year.

The error: Assuming your internal identity policies automatically protect data hosted by vendors. High-profile campaigns targeting Snowflake customer accounts succeeded because third-party environments often lacked mandatory MFA or federated SSO. Attackers simply used stolen credentials to log in directly.

Shadow IT: Additionally, 15% of employees routinely access GenAI systems on corporate devices, often using personal, non-integrated accounts that bypass corporate security monitoring entirely.

Planning to review your Identity Management strategy?

Review your Identity Management process with the help of our specialists, who guide you in optimizing and strengthening every step from start to finish.

Securing the new identity perimeter

A password isn’t enough anymore. You need a holistic strategy that governs human and machine identities, enforces phishing-resistant authentication, and rigorously extends security standards to third-party vendors.

By avoiding these four errors, you close the “front doors” that adversaries are currently finding wide open.

Sources:

  • Identity Defined Security Alliance (IDSA). (2025). 2025 Trends in Identity Security: A Survey of IT Security and Identity Professionals.
  • National Security Agency (NSA) & Cybersecurity and Infrastructure Security Agency (CISA). (2023). Identity and Access Management: Recommended Best Practices for Administrators.
  • Verizon. (2025). 2025 Data Breach Investigations Report.
  • World Economic Forum. (2023, June). Reimagining Digital ID: Insight Report.
