
From Cybersecurity to Compliance: Risk-Driven Approach to IAM

Written by Chiel from Elimity | Jul 9, 2025 1:34:36 PM

Identity is the new control layer in modern IT environments. To stay secure and compliant, organisations need a risk-driven approach to Identity and Access Management (IAM). This guide outlines the most critical IAM risks—based on best practices from leading European organisations—and groups them into four categories: security, compliance, operational efficiency, and data quality.

The Four Categories of IAM Risk

Identity and Access Management (IAM) risks affect multiple domains, which makes it essential to structure them into clear, actionable categories.

🔐 Security Risks 

Security risks refer to identity-related exposures that can be exploited to gain unauthorized access, escalate privileges, or compromise systems and data. These risks expand the attack surface and are often targeted in both external breaches and insider threats.

  • Orphaned Accounts – Dormant accounts from ex-employees or systems

  • Privileged Accounts – High-risk access with elevated permissions

  • Excessive User Accounts – Standard users with more access than needed


📋 Compliance Risk

Compliance risks arise when IAM processes fail to meet regulatory, legal, or internal policy requirements. These risks affect audit readiness, increase legal exposure, and can lead to sanctions under standards such as NIS 2, ISO 27001, or GDPR.

  • Segregation of Duties (SoD) – Toxic combinations of entitlements

  • Business-Specific Policies – Unenforced access-linked requirements

  • Incomplete Access Reviews – Outdated or missing certifications

  • Lack of JML Enforcement – Delayed access updates on joiner-mover-leaver

  • No Ownership of Roles – Missing accountability for access governance

🔄  Operational Efficiency Risks

These risks affect the effectiveness and scalability of IAM operations. They result in delays, administrative burden, and increased potential for human error—hindering the ability to manage access efficiently at scale.

  • Identity Hygiene – Unused or unstructured identity data

  • Role Hygiene – Redundant, unused, or poorly defined roles

  • Inefficient Offboarding – Delays in deactivation and cleanup

✅  Data Quality Risks

Data quality risks occur when identity data is inaccurate, incomplete, or inconsistent across systems. Poor data leads to flawed access decisions, failed automation, and unreliable reporting—undermining IAM governance.


  • Data Quality Issues – Incomplete or inconsistent identity attributes

The IAM Risks Matrix

The IAM Risk Matrix visualizes identity risks by likelihood (x-axis) and impact (y-axis). It helps IT and security leaders quickly spot high-priority threats — such as privileged accounts and SoD violations — and align remediation efforts with business risk.

When plotted “before and after” using a solution like Elimity, it becomes clear how governance, automation, and monitoring shift risks from red zones into safer territory.


Security Risks 🔐


1. Orphaned Accounts

Definition

Orphaned accounts are an attractive path for attackers to gain access to organization resources, applications or systems. Organizations that fail to take the necessary steps to close these entry points leave the door ajar for attackers and expose themselves to unnecessary risk. By identifying and cleaning up these accounts, security risk is reduced significantly.

The Risks

These accounts pose a significant security risk as they can become unnoticed entry points for attackers. Key indicators include accounts that haven’t been used for a long time (e.g., 90+ days), accounts that have never been logged into, and uncorrelated or "ghost" accounts—accounts that no longer map to an active employee.

Eliminating leftover accounts tied to people who have already left the organisation is a critical objective for reducing exposure.

Metrics

  1. Accounts whose user has not logged in for an extended period. Accounts that have not been used for a certain period of time are also known as dormant accounts. What that period should be can vary between types of accounts and between organisations; 90 days is often used for standard accounts.

  2. Accounts for which the user has not logged in since they got the account, also called ignored accounts.

  3. Uncorrelated accounts, also known as ghost accounts. These are accounts that do not belong to any employee, or that belong to an employee who is no longer active. In other words, accounts without an active owner.

  4. Accounts with a status indicating inactivity, for example an employment status ‘retired’ or an activity status ‘inactive’. The key is to look at the user attributes in the identity system that could indicate that a user is inactive.
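The four orphaned-account indicators above, computed over a small constructed account extract. This is an added example, not code from the original post or from Elimity; the Account fields, the 90-day dormancy threshold, the inactive status values and the HR list of active employees are all assumptions for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample data (not from the original post): one record per account.
@dataclass
class Account:
    name: str
    owner: Optional[str]        # employee id the account maps to; None if uncorrelated
    last_login: Optional[date]  # None if the account has never been logged into
    status: str                 # status attribute taken from the identity system

# Assumed thresholds and reference data
TODAY = date(2025, 7, 9)
DORMANT_DAYS = 90                          # 90 days for standard accounts, as in the text
INACTIVE_STATUSES = {"inactive", "retired"}
ACTIVE_EMPLOYEES = {"e100", "e101"}        # constructed HR extract of active employees

ACCOUNTS = [
    Account("alice", "e100", date(2025, 7, 1), "active"),
    Account("bob", "e101", date(2025, 2, 1), "active"),        # dormant: last login > 90 days ago
    Account("svc-backup", "e100", None, "active"),             # ignored: never logged in
    Account("carol", "e102", date(2025, 6, 30), "active"),     # ghost: e102 is no longer active
    Account("dave", None, date(2025, 6, 30), "active"),        # ghost: no owner at all
    Account("erin", "e100", date(2025, 7, 8), "retired"),      # status indicates inactivity
]

def dormant_accounts(accounts, today=TODAY, days=DORMANT_DAYS):
    """Metric 1: logged in at some point, but not within the last `days` days."""
    cutoff = today - timedelta(days=days)
    return sorted(a.name for a in accounts if a.last_login is not None and a.last_login < cutoff)

def ignored_accounts(accounts):
    """Metric 2: never logged in since the account was created."""
    return sorted(a.name for a in accounts if a.last_login is None)

def ghost_accounts(accounts, active_employees=ACTIVE_EMPLOYEES):
    """Metric 3: no owner, or an owner who is no longer an active employee."""
    return sorted(a.name for a in accounts if a.owner is None or a.owner not in active_employees)

def inactive_status_accounts(accounts, statuses=INACTIVE_STATUSES):
    """Metric 4: a user attribute in the identity system signals inactivity."""
    return sorted(a.name for a in accounts if a.status.lower() in statuses)

def orphan_report(accounts):
    """All four indicators in one report; an account may appear under several of them."""
    return {
        "dormant": dormant_accounts(accounts),
        "ignored": ignored_accounts(accounts),
        "ghost": ghost_accounts(accounts),
        "inactive_status": inactive_status_accounts(accounts),
    }

if __name__ == "__main__":
    for indicator, names in orphan_report(ACCOUNTS).items():
        print(f"{indicator:16s} {names}")
```

The report deliberately keeps the four lists separate rather than merging them: a never-used service account and an account whose owner left the company call for different follow-up, so the indicator that flagged an account is part of the finding.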

2. Privileged Accounts

Definition

Privileged accounts give significant access to organization resources and sensitive data, or can change or disable (security) systems. When not properly managed and monitored, privileged accounts pose significant security risks. These risks could come from all sides: malicious ‘outsiders’ such as hackers, or careless or disgruntled ‘insiders’. It’s impossible to eliminate all privileged accounts. You need them. But it’s good practice to keep an eye on them and keep them to a minimum.

The Risk

Privileged accounts pose a high security risk if unmanaged, as they can provide broad access to systems and sensitive data. These include admin accounts, hidden privileged users, service accounts, and non-personal accounts that are hard to monitor. The goal is to reduce their number and ensure full visibility and control.

Metrics

  1. Administrator accounts. 

  2. Stealthy accounts. These accounts are granted administrative privileges on one or more systems but often exist below the radar as they are not labeled ‘Admin’. 
     
  3. Privileged service accounts.

  4. Privileged data accounts. Even though these accounts are not typical privileged accounts, they should be considered privileged anyway, because of the sensitive data they can access. 

  5. Privileged role-based accounts. Depending on the role model, certain roles can be considered privileged. Therefore, we should consider accounts assigned to one or more of these roles as privileged accounts.

  6. Accounts assigned with a high number of roles or permissions. What is considered as ‘high’ depends on the role model and organisational context.
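The six privileged-account metrics above, applied to a constructed set of accounts. This is an added example and not code from the original post or from Elimity; the Account fields, the set of privileged roles, the sensitive-data permissions and the threshold for a "high" number of assignments are assumptions that an organisation would replace with its own role model.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the original post).
@dataclass
class Account:
    name: str
    labelled_admin: bool = False                  # explicitly named or flagged as an admin account
    admin_on: set = field(default_factory=set)    # systems on which it holds admin rights regardless
    is_service: bool = False
    roles: set = field(default_factory=set)
    permissions: set = field(default_factory=set)

# Assumed organisation-specific reference data
PRIVILEGED_ROLES = {"DomainAdmin", "DBA"}
SENSITIVE_DATA_PERMISSIONS = {"hr.read_salaries", "finance.ledger_write"}
HIGH_ASSIGNMENT_COUNT = 8   # what counts as "high" depends on the role model

ACCOUNTS = [
    Account("adm-alice", labelled_admin=True, admin_on={"AD"}),
    Account("bob", admin_on={"jira"}),                               # stealthy: admin, not labelled
    Account("svc-backup", is_service=True, admin_on={"fileserver"}), # privileged service account
    Account("carol", permissions={"hr.read_salaries", "crm.read"}),  # privileged by data access
    Account("dave", roles={"DBA"}),                                  # privileged by role
    Account("erin", roles={f"role-{i}" for i in range(9)}),          # high number of roles
    Account("frank", roles={"Reader"}),
]

def privilege_reasons(a):
    """Return the indicators (metrics 1-6 in the text) under which this account is privileged."""
    reasons = set()
    if a.labelled_admin:
        reasons.add("administrator")
    if a.admin_on and not a.labelled_admin:
        reasons.add("stealthy_admin")
    if a.roles & PRIVILEGED_ROLES:
        reasons.add("privileged_role")
    if a.permissions & SENSITIVE_DATA_PERMISSIONS:
        reasons.add("privileged_data")
    elevated = a.admin_on or a.roles & PRIVILEGED_ROLES or a.permissions & SENSITIVE_DATA_PERMISSIONS
    if a.is_service and elevated:
        reasons.add("privileged_service")
    if len(a.roles) + len(a.permissions) >= HIGH_ASSIGNMENT_COUNT:
        reasons.add("high_assignment_count")
    return reasons

def privileged_accounts(accounts):
    """Name -> sorted reasons, for every account matching at least one indicator."""
    return {a.name: sorted(privilege_reasons(a)) for a in accounts if privilege_reasons(a)}

def stealthy_accounts(accounts):
    """Accounts with admin rights somewhere that are not labelled as admin accounts."""
    return sorted(a.name for a in accounts if "stealthy_admin" in privilege_reasons(a))

if __name__ == "__main__":
    for name, reasons in privileged_accounts(ACCOUNTS).items():
        print(f"{name:12s} {', '.join(reasons)}")
```

Note that the stealthy check only works if the inventory of admin rights per system is collected from the systems themselves; an account label alone never reveals a stealthy admin.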

3. Excessive User Accounts (Access Accumulation)

Definition

The cumulated access rights and permissions of all your users together determine the attack surface size of your organization. Unfortunately, there’s often a gap between the granted access rights and the required access rights. This indicates that users have too many access rights, unnecessarily enlarging the identity attack surface. 

The Risk

These accounts represent a major risk if not properly governed. Examples include standard administrator accounts, stealthy accounts that have administrative rights but aren’t labelled as such, privileged service accounts, and non-personal accounts (NPAs) that are difficult to trace to individual users.

Some accounts may not be traditionally privileged but still access highly sensitive data, such as HR or financial systems. A fundamental principle here is: You can’t protect what you can’t see. The objective is to minimise the number of privileged accounts and maintain strict control over them.

Metrics

Reporting on access accumulation often boils down to finding and reporting on outliers.

  1. Peer outliers: accounts that have more access rights (i.e. are assigned more roles or have more permissions) than their peers.

  2. Accounts that deviate from the ideal profile. Depending on an employee's job function, a certain set of roles is appropriate. How effective this indicator is depends on the correctness of the ideal profiles (i.e. the role model blueprint).

  3. Accounts that have more than twice the number of roles or entitlements of the average account.
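The three outlier metrics for access accumulation, worked over a constructed set of accounts. This is an added example and not code from the original post or from Elimity; the entitlement names, the ideal profiles (role model blueprint) and the factor of 1.5 used to call an account a peer outlier are assumptions.

```python
from statistics import mean

# Constructed sample data (not from the original post): account -> (job function, entitlements)
ACCOUNTS = {
    "alice": ("accountant", {"erp.read", "erp.post_invoice"}),
    "bob":   ("accountant", {"erp.read", "erp.post_invoice", "erp.approve_payment", "hr.read", "crm.admin"}),
    "carol": ("accountant", {"erp.read"}),
    "dave":  ("sales", {"crm.read", "crm.write"}),
    "erin":  ("sales", {"crm.read", "crm.write"}),
    "frank": ("sales", {"crm.read"}),
}

# Assumed role-model blueprint: what each job function is expected to hold
IDEAL_PROFILES = {
    "accountant": {"erp.read", "erp.post_invoice"},
    "sales": {"crm.read", "crm.write"},
}

def peer_outliers(accounts, factor=1.5):
    """Metric 1: accounts holding more than `factor` x the mean entitlement count of
    their peers (same job function, the account itself excluded)."""
    outliers = []
    for name, (job, ents) in accounts.items():
        peers = [len(e) for n, (j, e) in accounts.items() if j == job and n != name]
        if peers and len(ents) > factor * mean(peers):
            outliers.append(name)
    return sorted(outliers)

def profile_deviations(accounts, profiles=IDEAL_PROFILES):
    """Metric 2: entitlements an account holds beyond the ideal profile of its job function."""
    result = {}
    for name, (job, ents) in accounts.items():
        excess = ents - profiles.get(job, set())
        if excess:
            result[name] = sorted(excess)
    return result

def above_twice_average(accounts):
    """Metric 3: accounts with more than twice the average number of entitlements."""
    avg = mean(len(e) for _, e in accounts.values())
    return sorted(n for n, (_, e) in accounts.items() if len(e) > 2 * avg)

if __name__ == "__main__":
    print("peer outliers:", peer_outliers(ACCOUNTS))
    print("beyond ideal profile:", profile_deviations(ACCOUNTS))
    print("> 2x average:", above_twice_average(ACCOUNTS))
```

Metric 2 is the most actionable of the three because it names the surplus entitlements rather than just the account, but, as the text says, it is only as good as the blueprint it is compared against.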

Compliance Risks 📋

1. Segregation of Duties (SoD)

Definition

Segregation of duties is a crucial control for avoiding fraud by distributing sensitive tasks, and the roles, entitlements or permissions they require, across different people. Combinations of permissions that must not be held by one person are often modelled as "toxic combinations". In addition to fraud prevention, SoD is also implemented for security reasons or for the sake of regulation.

The Risk

Conflicting roles allow users to bypass critical controls, increasing the risk of fraud and regulatory non-compliance. Undetected toxic combinations and incomplete SoD coverage weaken auditability and governance.

Metrics

  1. Accounts with toxic pairs of roles or entitlements within a certain application.

  2. Accounts with toxic pairs of roles or entitlements across applications.

  3. Employees with toxic pairs of roles or entitlements across accounts and applications.

  4. Combinations of roles or entitlements for which no decision has yet been made about whether it’s a toxic combination or not.

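The four SoD metrics above, evaluated against a constructed rule set and account extract. This is an added example and not code from the original post or from Elimity; the "app:entitlement" naming, the toxic and allowed pairs, and the employee-to-account mapping are assumptions made for the illustration.

```python
from itertools import combinations

# Constructed SoD rule set (not from the original post). Entitlements are written "app:entitlement".
TOXIC_PAIRS = {
    frozenset({"erp:create_vendor", "erp:approve_payment"}),       # within one application
    frozenset({"erp:approve_payment", "bank:release_transfer"}),   # across applications
}
ALLOWED_PAIRS = {frozenset({"erp:create_vendor", "erp:view_vendor"})}   # reviewed and accepted

# Constructed account data: (employee, account, entitlements)
ACCOUNTS = [
    ("e1", "alice-erp", {"erp:create_vendor", "erp:approve_payment"}),
    ("e2", "bob-erp",   {"erp:approve_payment"}),
    ("e2", "bob-bank",  {"bank:release_transfer"}),      # toxic only in combination with bob-erp
    ("e3", "carol-erp", {"erp:create_vendor", "erp:view_vendor"}),
    ("e4", "dave-erp",  {"erp:approve_payment", "erp:view_vendor"}),    # pair not yet classified
    ("e5", "erin-sso",  {"erp:approve_payment", "bank:release_transfer"}),  # one account, two apps
]

def app_of(entitlement):
    return entitlement.split(":", 1)[0]

def pairs(entitlements):
    """All unordered pairs of entitlements held together."""
    return {frozenset(p) for p in combinations(sorted(entitlements), 2)}

def account_violations(accounts, toxic=TOXIC_PAIRS):
    """Metrics 1 and 2: toxic pairs held by a single account, tagged 'within' one
    application or 'across' applications."""
    found = []
    for _, account, ents in accounts:
        for pair in sorted(pairs(ents) & toxic, key=sorted):
            a, b = sorted(pair)
            scope = "within" if app_of(a) == app_of(b) else "across"
            found.append((account, (a, b), scope))
    return found

def employee_violations(accounts, toxic=TOXIC_PAIRS):
    """Metric 3: toxic pairs an employee holds across all of their accounts and applications."""
    by_employee = {}
    for emp, _, ents in accounts:
        by_employee.setdefault(emp, set()).update(ents)
    result = {}
    for emp, ents in by_employee.items():
        hits = sorted(tuple(sorted(p)) for p in pairs(ents) & toxic)
        if hits:
            result[emp] = hits
    return result

def undecided_pairs(accounts, toxic=TOXIC_PAIRS, allowed=ALLOWED_PAIRS):
    """Metric 4: combinations in use that nobody has yet classified as toxic or acceptable."""
    seen = set()
    for _, _, ents in accounts:
        seen |= pairs(ents)
    return sorted(tuple(sorted(p)) for p in seen - toxic - allowed)

if __name__ == "__main__":
    print(account_violations(ACCOUNTS))
    print(employee_violations(ACCOUNTS))
    print(undecided_pairs(ACCOUNTS))
```

The employee-level check is the one that catches "bob": neither of his accounts is toxic on its own, which is exactly why SoD has to be evaluated per person and not per account.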

2. Unmonitored Business-Specific Policy Controls 

Definition

Organizations often define internal IAM policies—such as mandatory training, certification, or background checks—linked to access rights for specific systems or roles.

The Risk

Failure to enforce these internal policies results in access being granted without proper validation, increasing compliance exposure and audit risk.

Metrics

  • Number of users with access to critical systems without required training or certifications

  • Number of accounts violating internal IAM access policies

3. Incomplete or Infrequent Access Reviews

Definition

Access reviews are periodic evaluations of who has access to what, and whether that access is still appropriate. Most frameworks (e.g. NIS 2, ISO 27001) require this for regulated environments.

The Risk

Failure to regularly review and certify user access can result in outdated or unauthorized access going unnoticed. Most compliance frameworks require periodic access reviews for critical systems.

Example

Users retaining access to sensitive systems months after changing roles or leaving the organization.

4. Lack of Joiner-Mover-Leaver (JML) Enforcement

Definition

JML processes manage user access throughout their lifecycle—from onboarding (joiner), role changes (mover), to offboarding (leaver).

The Risk

If access is not updated or removed during lifecycle events, organizations face increased risks of unauthorized access and non-compliance.

Example

A former contractor still having active credentials after their engagement ends.

5. No Defined Ownership of Roles, Applications, or Entitlements

Definition

Each role, entitlement, or application should have a clearly assigned owner responsible for reviewing and managing its access.

The Risk

Without ownership, access rights become outdated and unreviewed, leading to audit gaps and ineffective governance.

Example

A business-critical application with no assigned owner results in access reviews being skipped or neglected.

Operational Efficiency Risks 🔄

IAM inefficiencies can significantly increase administrative overhead, delay access provisioning, and complicate governance. These risks typically arise from unmanaged identity data, broken processes, or overly complex access models.

1. Identity Hygiene

Definition

Identity clutter: accounts that are not orphaned, but are just as unnecessary and make identity management harder.

The Risk

A well-maintained IT environment is better protected against information security risks. Applying good practice to user accounts not only helps to prevent risks, but also contributes to operational efficiency: it leads to a more structured environment and needs considerably less effort than periodically having to clean up the mess. In other words: prevention is better than cure.

Metrics

  • The number of accounts compared to the number of employees.

  • Accounts that have no roles or entitlements assigned, also known as empty accounts

  • Accounts that have no access to any applications.

  • Accounts that have not been changed for a certain period of time. What that time period should be exactly can vary for different types of accounts and between organizations.

  • Accounts for testing purposes (i.e. test accounts).

  • Duplicate accounts. 

  • Shared accounts.

2. Role Hygiene

Definition

Role clutter: roles that are no longer necessary and only make role management more cumbersome.

The Risk

Using roles to control access can greatly increase efficiency. However, if the role model is no longer manageable because of role proliferation for example, operational efficiency declines. Moreover, people might be assigned an outdated or wrong role and thus wrong access rights.

Metrics

  • The number of roles relative to the number of accounts.

  • Roles that do not consist of other roles or entitlements, also known as empty roles.

  • Roles that are not assigned to any account, also known as unassigned roles.

  • Roles that are assigned to only one account.

  • Entitlements that are not assigned via a role, in other words directly assigned entitlements.

  • Similarity scores, also called group homogeneity. For a group of people who are assigned the same role, this indicator measures how similar they are in terms of their access patterns.

  • Overlapping roles: roles for which the users that have those roles are similar in terms of their characteristics (e.g. job function), or roles for which the access rights are similar.
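The role hygiene indicators above, including a group homogeneity score, computed over a constructed role model. This is an added example and not code from the original post or from Elimity; the roles, assignments and direct entitlements are constructed, and using the mean pairwise Jaccard similarity of members' effective access as the homogeneity measure (and a 0.8 Jaccard threshold for overlapping roles) is an assumption, since the text does not prescribe a formula.

```python
from itertools import combinations
from statistics import mean

# Constructed role model and assignments (not from the original post).
ROLES = {
    "Accountant": {"erp.read", "erp.post"},
    "Bookkeeper": {"erp.read", "erp.post"},   # same content as Accountant, assigned to nobody
    "Auditor":    {"erp.read"},
    "Sales":      {"crm.read", "crm.write"},
    "LegacyRole": set(),                      # no entitlements at all
}
# account -> (assigned roles, directly assigned entitlements)
ACCOUNTS = {
    "alice": ({"Accountant"}, set()),
    "bob":   ({"Accountant"}, {"hr.read"}),
    "carol": ({"Accountant"}, {"crm.read", "crm.write"}),
    "dave":  ({"Sales"}, set()),
    "erin":  ({"Sales"}, set()),
    "frank": ({"Auditor"}, set()),
}

def effective_entitlements(account, roles=ROLES, accounts=ACCOUNTS):
    """Everything the account can do: role-derived plus directly assigned entitlements."""
    assigned, direct = accounts[account]
    return set().union(*(roles[r] for r in assigned)) | direct

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 1.0

def role_account_ratio(roles=ROLES, accounts=ACCOUNTS):
    return len(roles) / len(accounts)

def empty_roles(roles=ROLES):
    return sorted(r for r, ents in roles.items() if not ents)

def assignment_counts(roles=ROLES, accounts=ACCOUNTS):
    return {r: sum(r in assigned for assigned, _ in accounts.values()) for r in roles}

def unassigned_roles(roles=ROLES, accounts=ACCOUNTS):
    return sorted(r for r, n in assignment_counts(roles, accounts).items() if n == 0)

def single_assignment_roles(roles=ROLES, accounts=ACCOUNTS):
    return sorted(r for r, n in assignment_counts(roles, accounts).items() if n == 1)

def direct_entitlements(accounts=ACCOUNTS):
    """Entitlements granted outside the role model, per account."""
    return {a: sorted(d) for a, (_, d) in accounts.items() if d}

def group_homogeneity(role, roles=ROLES, accounts=ACCOUNTS):
    """Mean pairwise Jaccard similarity of the effective access of the role's members;
    None when the role has fewer than two members."""
    members = [a for a, (assigned, _) in accounts.items() if role in assigned]
    if len(members) < 2:
        return None
    sets = {m: effective_entitlements(m, roles, accounts) for m in members}
    return mean(jaccard(sets[x], sets[y]) for x, y in combinations(members, 2))

def overlapping_roles(threshold=0.8, roles=ROLES):
    """Pairs of non-empty roles whose entitlement sets are (near-)identical."""
    return sorted((x, y) for x, y in combinations(sorted(roles), 2)
                  if roles[x] and roles[y] and jaccard(roles[x], roles[y]) >= threshold)

if __name__ == "__main__":
    print("roles per account:", round(role_account_ratio(), 2))
    print("empty:", empty_roles(), "unassigned:", unassigned_roles(), "single:", single_assignment_roles())
    print("direct entitlements:", direct_entitlements())
    for r in ROLES:
        print(f"homogeneity of {r}: {group_homogeneity(r)}")
    print("overlapping:", overlapping_roles())
```

A low homogeneity score (here, Accountant at roughly 0.52 versus Sales at 1.0) is a signal that a role's members have drifted apart through direct assignments, which is usually the point at which the role definition itself needs a review.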


3. Inefficient Offboarding (e.g. Orphaned Accounts)

Definition

Offboarding refers to the deactivation and removal of user accounts when an employee or contractor leaves the organization. It should be an automated and well-integrated part of the identity lifecycle.

The Risk

If offboarding is delayed or incomplete, former users may retain access to systems, increasing the risk of security breaches and complicating access reviews. It also leads to unnecessary license costs and compliance issues.

Example

An employee who left the company three months ago still has an active VPN account due to a missed offboarding task between HR and IT.


Data Quality Risks ✅

Definition

Garbage in, garbage out. Simple as that. In order to get accurate results, for any of the indicators or for your governance processes, data quality is crucial. The indicators only reflect the actual state if the identity data is accurate and complete, and basing decisions on incorrect indicators can have negative consequences.

Moreover, in some organizations many of the processes, such as joiner-mover-leaver processes, are automated with the help of governance systems. If they rely on wrong data, the outcome will be wrong, often leading to unnecessary security risks.

Risk

Inaccurate or incomplete identity data undermines every aspect of IAM. It leads to incorrect access rights, missed policy violations, failed automation, and unreliable audit reporting. Governance becomes inefficient and error-prone, and organizations lose confidence in their access controls.

Example

An employee changes departments but the HR system is not updated. As a result, their access is never reviewed, and they continue to hold permissions irrelevant to their new role—violating internal policies and increasing risk.

Metric

The easiest to measure is incomplete information.

  1. Employees without a manager, department, or email. 

  2. Roles without a (proper and clear) description or owner.

  3. Entitlements without a (proper and clear) description and owner.

  4. Applications without a (proper and clear) description and owner.

Inconsistencies across multiple applications, such as employees with different account names (often typos), and inaccuracies, such as employees who have changed functions while the data does not yet reflect this, are harder to spot and measure. Nevertheless, when reporting to management, for example, make sure to mention these as well so they can be included when focus areas are discussed.
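The incompleteness metrics above, plus a simple check for the cross-application account-name inconsistencies the text calls hard to spot, over constructed identity records. This is an added example and not code from the original post or from Elimity; the record layouts, the minimum description length used to judge whether a description is "proper and clear", and the name-normalisation rule are assumptions.

```python
import re

# Constructed identity data (not from the original post).
EMPLOYEES = [
    {"id": "e100", "manager": "e001", "department": "Finance", "email": "alice.jansen@example.com"},
    {"id": "e101", "manager": None,   "department": "Sales",   "email": "bob.desmet@example.com"},
    {"id": "e102", "manager": "e001", "department": "",        "email": None},
]
ROLES = [
    {"id": "Accountant", "description": "Posts and approves invoices in the ERP", "owner": "e001"},
    {"id": "Role_17",    "description": "tbd", "owner": None},
]
# Account names per employee across applications; constructed, with one deliberate typo
ACCOUNT_NAMES = {
    "e100": {"erp": "ajansen", "crm": "a.jansen", "vpn": "ajanssen"},
    "e101": {"erp": "bdesmet", "crm": "b.desmet"},
}

MIN_DESCRIPTION_LEN = 10   # assumed: anything shorter is not a "proper and clear" description

def is_missing(field, value):
    """Absent, blank, or (for descriptions) too short to be meaningful."""
    if value is None or str(value).strip() == "":
        return True
    return field == "description" and len(str(value).strip()) < MIN_DESCRIPTION_LEN

def incomplete_records(records, required):
    """Metrics 1-4: record id -> required attributes that are absent or unusable.
    Works for employees, roles, entitlements and applications alike."""
    result = {}
    for rec in records:
        missing = [f for f in required if is_missing(f, rec.get(f))]
        if missing:
            result[rec["id"]] = missing
    return result

def normalise(name):
    """Ignore case and separators so that 'a.jansen' and 'ajansen' count as the same name."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def inconsistent_account_names(account_names):
    """Employees whose account names still disagree across applications after normalisation."""
    result = {}
    for emp, per_app in account_names.items():
        if len({normalise(n) for n in per_app.values()}) > 1:
            result[emp] = dict(sorted(per_app.items()))
    return result

if __name__ == "__main__":
    print(incomplete_records(EMPLOYEES, ["manager", "department", "email"]))
    print(incomplete_records(ROLES, ["description", "owner"]))
    print(inconsistent_account_names(ACCOUNT_NAMES))
```

The normalisation step is what separates a harmless convention difference ("b.desmet" versus "bdesmet") from a genuine inconsistency ("ajanssen"), which is the kind of finding worth raising alongside the incompleteness counts.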


Overview of the most crucial IAM Risks

| Risk | Why It Matters | Category |
|---|---|---|
| Orphaned Accounts | Ex-employees retaining access; prime targets for attackers | Security, Operational |
| Privileged Accounts | High-impact breach risk from insiders or malware | Security |
| Access Accumulation | Increases the attack surface and chances of misuse | Security |
| Toxic Combinations / SoD Violations | Enables fraud or policy breaches | Compliance, Risk |
| Poor Identity Hygiene | Cluttered, unmanaged accounts reduce visibility and control | Operational |
| Role Clutter (Poor Role Hygiene) | Misaligned roles lead to wrong entitlements and inefficiency | Operational |
| Data Quality Issues | Inaccurate identity data undermines all IAM processes | Data Quality |
| Unmonitored Business-Specific Requirements | Gaps in internal policy enforcement (e.g. training, certifications) | Compliance, Business |


Interested to Take Control of Your Identity Risks? 

Elimity enables organizations to identify, monitor, and reduce IAM risks through a structured, risk-driven approach, supporting compliance with frameworks like NIS 2, DORA, and ISO 27001.

Contact us to learn how your team can apply these practices in your environment.