Why Enterprise IAM Practices Still Fall Short
Many companies know they need strong identity and access management (IAM) to stay secure, but they still struggle to get it right. Despite frequent warnings and news about cyberattacks, employees often bypass security measures to work faster. New research shows that this pattern is common across many organizations, putting sensitive data and systems at risk.
Security Controls Are Being Bypassed
According to a recent survey by CyberArk, nearly two-thirds of cybersecurity leaders say their employees regularly sidestep security controls. The main reason is to speed up their work, even if it means risking security. Companies also find it hard to manage access for new AI tools and other automated agents, which complicates security policies. This highlights how important identity and privilege controls are for operational safety.
Charles Chu, a CyberArk executive, points out that many organizations prioritize quick productivity over long-term security. He notes that security often feels like a slowdown, leading workers to find ways around it. This cultural attitude makes it harder for companies to fully implement strong IAM practices and keep their systems safe.
Privileged Access Management Still Has Gaps
CyberArk surveyed 500 leaders involved in privileged access management (PAM), including DevOps engineers, security managers, and IT support staff. The results paint a concerning picture: only 1% have fully adopted a modern, just-in-time (JIT) approach to privileged access. Most organizations, 91%, still have half or more of their privileged accounts always-on, giving unrestricted access to sensitive systems.
Almost half of the organizations apply the same access rules to human users and AI identities, which can pose new security risks. In addition, about a third lack clear policies for AI access. Another troubling issue is “shadow privilege”: accounts and secrets that are unmanaged or unknown to security teams. Over half of organizations find these unmanaged accounts every week, showing how access rights tend to accumulate without oversight.
Many companies also struggle with managing multiple identity tools, leading to confusion about who has authority and which system is the true source of identity data. This diffuse ownership makes it harder to enforce consistent security controls and increases the risk of breaches.
Human Behaviors That Increase Risks
CyberArk identified several risky behaviors that employees often engage in to bypass security controls. These include copying credentials into personal password managers or chat apps because official processes are too slow. Some spin up cloud resources or test environments with privileged access outside central controls, creating gaps in security.
Shared admin accounts and recycled passwords are common, making it easier for attackers to compromise systems. Leaving always-on access enabled, even when it’s only needed occasionally, is another frequent mistake. Chu explains that these behaviors happen because employees are under pressure to work fast, and security tools often don’t align with their workflows. This leads to ad-hoc creation of local admin accounts and other shortcuts that weaken overall security.
Addressing these issues requires a shift in how security is integrated into daily work. Companies need more user-friendly tools and clearer policies to help employees follow best practices without feeling slowed down. Only then can organizations close the gaps in their IAM strategies and better protect their digital assets.














