Every major breach report tells the same story. Attackers do not break through firewalls. They log in. They use stolen credentials, exploit overly broad service accounts, or escalate from a compromised standard user to domain admin through privilege pathways that nobody has reviewed in years.
We see this consistently in our assessment work. Organisations invest in network security, endpoint detection, and SIEM platforms, but leave identity controls as an afterthought. The result is environments where dozens of accounts have standing admin access, service accounts run with domain-level privileges and never rotate credentials, and nobody can say with confidence who accessed what last Tuesday.
Standing privileged access - admin accounts that are always active, always powerful, and always available - is the single biggest enabler of lateral movement in a breach. An attacker who compromises one privileged account can often reach everything: Active Directory, cloud management consoles, backup infrastructure, and business-critical applications.
The fix is conceptually simple but operationally demanding: eliminate standing privileges. Move to just-in-time access, where elevated permissions are granted for a specific task, for a limited time, and revoked automatically when that window closes. Every privileged session should be monitored, logged, and subject to behavioural analysis. One caveat: once standing access is gone, the elevation path itself - the approval workflow and whatever break-glass accounts remain - becomes the most valuable target in the environment, so it needs the same hardening and monitoring as the privileges it hands out.
We have delivered this for clients in financial services and asset management. It requires careful planning - you cannot simply remove admin access overnight without understanding what breaks. But the security improvement is dramatic. One client moved from over 200 standing privileged accounts to zero, with all elevated access now granted on demand and automatically revoked.
Most identity programmes focus on human users. That is necessary but incomplete. In a modern environment, the majority of identities are not human. They are service accounts, API keys, automation credentials, cloud workload identities, and increasingly, AI agents that interact with systems on behalf of users.
These machine identities are often created during deployment, given broad permissions to "make things work," and then forgotten. They do not have MFA. They do not have password rotation. They do not appear in most identity governance reviews. And they are increasingly targeted by attackers who know that a compromised service account is less likely to trigger an alert than a compromised user account.
Extending identity governance to cover machine identities is not optional any more. It needs the same lifecycle management, the same access reviews, and the same monitoring that human accounts receive.
If you are not sure where your identity risk sits, start with three things. First, inventory every account with admin or elevated access - including service accounts, and including access inherited through nested group membership - and ask whether each one genuinely needs those permissions today. Second, check whether you can detect and alert on unusual privileged activity in real time, rather than only reconstructing it from logs after the fact. Third, look at how credentials are managed for service accounts and automation - if the answer is "they were set up two years ago and nobody has touched them since," that is your biggest risk.
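The three checks above, run against an Active Directory domain with PowerShell, as an added example that is not the article's own tooling. It assumes the RSAT ActiveDirectory module, rights to read group membership, user attributes and one domain controller's Security log, and that the privileged group list, the 365-day rotation threshold, the 90-day stale-logon threshold and the 24-hour lookback are placeholders to tune; none of those values come from the article.

```powershell
# Added example, not the article's tooling: a first-pass privileged identity audit
# for an Active Directory domain that runs the three checks described above.
# Assumes the RSAT ActiveDirectory module and rights to read group membership,
# user attributes and one domain controller's Security log. The group list and
# the thresholds below are assumptions to tune, not values from the article.
Import-Module ActiveDirectory

$PrivilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                        'Administrators', 'Account Operators', 'Backup Operators')
$MaxPasswordAgeDays = 365   # assumed rotation threshold for service accounts
$StaleLogonDays     = 90    # assumed: a privileged account unused this long is a removal candidate
$LookbackHours      = 24    # assumed window for the activity check
$DomainController   = (Get-ADDomainController -Discover).HostName

# ---- Check 1: who has standing elevated access, service accounts included ----
$rows = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups, so privilege inherited through nesting is counted.
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties PasswordLastSet,
                     PasswordNeverExpires, ServicePrincipalName, LastLogonDate, Enabled
            $age = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
            [pscustomobject]@{
                SamAccountName       = $u.SamAccountName
                PrivilegedGroup      = $group
                Enabled              = $u.Enabled
                # A registered SPN is a workable heuristic for "this is a service account";
                # it also makes the account Kerberoastable if its password is weak.
                IsServiceAccount     = [bool]$u.ServicePrincipalName
                PasswordNeverExpires = $u.PasswordNeverExpires
                PasswordAgeDays      = $age
                LastLogonDate        = $u.LastLogonDate
            }
        }
}
# One line per account, listing every privileged group it sits in.
$inventory = $rows | Group-Object SamAccountName | ForEach-Object {
    $groups = ($_.Group.PrivilegedGroup | Sort-Object -Unique) -join ';'
    $_.Group[0] | Add-Member -NotePropertyName Groups -NotePropertyValue $groups -PassThru |
        Select-Object -Property * -ExcludeProperty PrivilegedGroup
}
"== Standing privileged accounts: $(@($inventory).Count) =="
$inventory | Sort-Object IsServiceAccount, SamAccountName | Format-Table -AutoSize

# "Does each one genuinely need this today?" Enabled accounts with no logon in
# $StaleLogonDays days are the first candidates for removal or conversion to JIT.
"== Enabled privileged accounts with no logon in $StaleLogonDays days =="
$inventory | Where-Object { $_.Enabled -and
    (-not $_.LastLogonDate -or $_.LastLogonDate -lt (Get-Date).AddDays(-$StaleLogonDays)) } |
    Select-Object SamAccountName, LastLogonDate, Groups | Format-Table -AutoSize

# ---- Check 3: how are service account credentials managed? ----
"== Privileged service accounts with stale or non-expiring passwords =="
$inventory | Where-Object { $_.IsServiceAccount -and
    ($_.PasswordNeverExpires -or $_.PasswordAgeDays -gt $MaxPasswordAgeDays) } |
    Select-Object SamAccountName, PasswordAgeDays, PasswordNeverExpires, Groups | Format-Table -AutoSize

# ---- Check 2: can you see privileged activity? ----
# Two things worth alerting on from the DC Security log: a logon with special
# privileges (4672) by an account that is not in the inventory, i.e. a privilege
# pathway you did not know about; and a service account used for an interactive
# or RDP logon (4624, logon type 2 or 10), which a service should never do.
function Get-EventField($Event, $Name) {
    # Pull a named field from the event's EventData block, independent of position.
    $d = ([xml]$Event.ToXml()).Event.EventData.Data | Where-Object Name -eq $Name
    [string]$d.'#text'
}
$known = @{}; $inventory | ForEach-Object { $known[$_.SamAccountName.ToLower()] = $true }
$svc   = @{}; $inventory | Where-Object IsServiceAccount | ForEach-Object { $svc[$_.SamAccountName.ToLower()] = $true }
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4672; StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

"== Privileged logons (4672) by accounts outside the inventory, last $LookbackHours h =="
$events | Where-Object Id -eq 4672 | ForEach-Object {
    $user = (Get-EventField $_ 'SubjectUserName').ToLower()
    # Skip machine accounts (trailing $) and built-in system identities.
    if ($user -notmatch '\$$' -and $user -notin 'system', 'local service', 'network service' -and -not $known[$user]) {
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $user; Privileges = Get-EventField $_ 'PrivilegeList' }
    }
} | Format-Table -AutoSize

"== Interactive/RDP logons by privileged service accounts, last $LookbackHours h =="
$events | Where-Object Id -eq 4624 | ForEach-Object {
    $user = (Get-EventField $_ 'TargetUserName').ToLower()
    $type = Get-EventField $_ 'LogonType'
    if ($svc[$user] -and $type -in '2', '10') {
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $user; LogonType = $type; From = Get-EventField $_ 'IpAddress' }
    }
} | Format-Table -AutoSize
```

Run it from a management host with RSAT installed, as an account permitted to read the domain controller's Security log. The inventory and credential-age checks are cheap; the activity check parses every 4624 in the window and on a busy DC that is a lot of events, so in production the same two conditions belong in the SIEM as standing detections rather than in a polling script. Accounts the third check flags are the natural candidates for conversion to group managed service accounts, whose passwords AD rotates automatically.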
Identity is not a glamorous topic. It does not get the conference keynotes that AI and zero-day vulnerabilities get. But it is where most serious breaches start, and it is where the highest-impact improvements can be made.