Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
Identity & Access Decisions
The decisions that define who can access what, for how long, and under whose authority
The Silent Evolution of Access Risk
Identity and access decisions rarely fail immediately. Instead, they age, interact with other exceptions, and surface later as privilege sprawl, audit findings, or breach impact amplification. These decisions create a unique category of organizational risk because they propagate silently across systems, outlive their original business context, and prove difficult to reverse without operational disruption.
What makes these decisions particularly dangerous is their tendency to be justified by urgency rather than threat awareness. An access grant made under time pressure today becomes tomorrow's unquestioned entitlement, and next year's attack pathway. The risk compounds not through dramatic failures, but through steady accumulation.
Time Decay
Access decisions lose context and accountability as they age
Transitive Risk
One access enables many others through system interconnection
Three Properties That Amplify Risk Over Time
Identity decisions combine unique characteristics that transform reasonable approvals into material security exposures. Understanding these properties is essential for evaluating the long-term impact of access grants.
Persistence
Access granted once tends to remain indefinitely, even when the original business need disappears. Systems and processes optimize for granting access, not removing it. The default state is accumulation.
Transitivity
Identity access enables access to other systems, roles, data sources, and decision points. A single approval cascades across the environment, creating exposure far beyond the original scope.
Opacity
Over time, the ownership, justification, and accountability for access decisions become unclear. Documentation degrades, approvers leave, and the original threat context is lost to institutional memory.

This domain focuses specifically on decisions where these three properties are systematically ignored or underestimated during the approval process.
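The transitivity property is easiest to see when the entitlement graph is actually walked. The following is an added example, not code from the page or from the author's framework: it builds a small constructed entitlement graph (principals, groups, nested roles, systems and data sets, all invented for the illustration) and compares what an approval form shows for a requested role (its direct targets) with what the requester can actually reach once the grant is chained through nested roles and group memberships. Node names, the edge layout and the summary fields are assumptions made for this example.

```python
"""Transitive reach of a single access grant.

Added illustration; the graph, node names and summary fields are
constructed for this example and are not from the page or any product.
An edge reads "holding A grants B"; node kind is encoded in the prefix.
"""
from collections import deque

# Constructed entitlement graph: principal -> group/role, role -> nested
# role or group, role -> system or data set.
EDGES = {
    "user:alice": ["group:finance-analysts"],
    "group:finance-analysts": ["role:erp-reader", "group:reporting-users"],
    "group:reporting-users": ["role:bi-viewer"],
    "role:erp-reader": ["system:erp-prod", "data:general-ledger"],
    "role:bi-viewer": ["system:bi-portal", "data:sales-warehouse"],
    # The request under review: one support role with two first-hop targets.
    "role:erp-support": ["role:erp-admin", "system:ticketing"],
    "role:erp-admin": ["system:erp-admin-console", "data:payroll",
                       "group:finance-admins"],
    "group:finance-admins": ["role:treasury-approver"],
    "role:treasury-approver": ["system:payments-gateway"],
}


def effective_reach(edges, start):
    """Return {node: path} for every node reachable from `start`.
    Breadth-first, so each path is the shortest chain of grants."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def direct_scope(edges, entitlement):
    """What the approval form shows: the entitlement's first-hop targets."""
    return set(edges.get(entitlement, []))


def grant_delta(edges, principal, entitlement):
    """Nodes the principal would newly reach if granted `entitlement`,
    each with the chain that leads there. The input graph is not mutated."""
    before = effective_reach(edges, principal)
    trial = {k: list(v) for k, v in edges.items()}
    trial.setdefault(principal, []).append(entitlement)
    after = effective_reach(trial, principal)
    return {n: p for n, p in after.items() if n not in before}


def review_summary(edges, principal, entitlement):
    """Reviewer-facing comparison of direct scope vs transitive scope."""
    delta = grant_delta(edges, principal, entitlement)
    return {
        "direct_targets": len(direct_scope(edges, entitlement)),
        "new_reachable": len(delta),
        "new_systems": sorted(n for n in delta if n.startswith("system:")),
        "new_data": sorted(n for n in delta if n.startswith("data:")),
        "deepest_chain": max((len(p) - 1 for p in delta.values()), default=0),
        "chains": {n: " -> ".join(p) for n, p in delta.items()},
    }


if __name__ == "__main__":
    summary = review_summary(EDGES, "user:alice", "role:erp-support")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run as-is, the request that appears on the form as two targets opens the ERP admin console, payroll data and the payments gateway to alice through three nested hops; that gap between direct_targets and new_reachable is the transitive exposure a business-need-only review never sees.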
Core Decision Pattern: Risk Acceptance Without Threat Context
Access or privilege is approved based on business need alone, without evaluating how that access could be exploited, chained with other privileges, or abused by malicious actors. The approval process validates legitimacy but ignores threat modeling.
Typical Signals
  • Approvals justified exclusively by role title or organizational seniority
  • No attacker perspective applied during review
  • Risk documented in generic terms or not documented at all
  • Business justification substitutes for security analysis
Common Outcomes
Exposure systematically underestimated across the organization
Control Assumption
Compensating controls assumed to exist but never verified or tested
Context Loss
Future access reviews lack the threat context needed for informed decisions
Core Decision Pattern: Exception Becomes Baseline
1. Initial Exception: Temporary access or control bypass approved with explicit expectation of later removal
2. First Extension: Time-boxed access extended due to ongoing need, still treated as temporary
3. Normalization: Exception referenced in other approval requests as precedent
4. Baseline Shift: Exception now functions as permanent entitlement, controls permanently eroded
This pattern emerges when temporary access, control bypasses, or policy deviations are approved with the explicit expectation of later removal, but no concrete removal trigger, owner accountability, or review cadence is established. The exception becomes a permanent fixture through institutional inertia rather than deliberate decision.
Typical Warning Signals
  • Time-boxed access repeatedly extended without escalation or additional scrutiny
  • No individual owner clearly accountable for revocation or review
  • The exception begins appearing as justification in subsequent approval requests
  • Documentation describes access as "temporary" long after original timeframe expired
Core Decision Pattern: Temporary Access With No End State
Privileged or sensitive access is granted to solve an immediate operational problem or project need, without defining what "complete" looks like, establishing success criteria for removal, or identifying who will make the revocation decision.
The access remains because no one knows when it should end. Unlike pattern DP-02 where exceptions normalize, here the original purpose is achieved but the access persists because the end state was never defined.
Typical Signals
  • Emergency or break-glass access repeatedly reused for routine operations
  • Project-based access with no defined project closure event or milestone
  • Heavy reliance on manual calendar reminders rather than automated reviews
  • Approval documentation focuses entirely on granting, not on removal criteria
Privilege Accumulation
Users acquire layers of access across multiple projects and initiatives, none of which are ever formally concluded or revoked
Unclear Intent
Six months later, no one can definitively state whether the access is still needed or what it was originally meant to accomplish
Blast Radius Expansion
During security incidents, the scope of potential compromise is far larger than expected due to accumulated temporary access
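The signals listed for the Exception Becomes Baseline and Temporary Access With No End State patterns can be checked mechanically against an entitlement register instead of being left to calendar reminders. The following is an added example, not code from the page or from the author's framework: it runs a set of constructed grant records (invented for this illustration) through the checks those two patterns call for, namely repeated extensions, use as precedent, missing owner, missing expiry and removal trigger, routine reuse of break-glass access, and grants still active past their own expiry. The field names, thresholds and review date are assumptions made for this example.

```python
"""Flag grants matching "Exception Becomes Baseline" and
"Temporary Access With No End State".

Added illustration; the records, field names, thresholds and review date
are constructed for this example and are not from the page or any product.
"""
from datetime import date

# Constructed export of an entitlement register, one record per grant.
GRANTS = [
    {"id": "G-1", "principal": "alice", "entitlement": "role:erp-admin",
     "kind": "exception", "granted": date(2024, 1, 10),
     "expires": date(2025, 11, 30), "extensions": 4, "owner": None,
     "removal_trigger": None, "cited_as_precedent_by": ["G-7", "G-9"]},
    {"id": "G-2", "principal": "bob", "entitlement": "role:db-operator",
     "kind": "project", "granted": date(2024, 6, 1), "expires": None,
     "extensions": 0, "owner": "carol", "removal_trigger": None,
     "cited_as_precedent_by": []},
    {"id": "G-3", "principal": "dave", "entitlement": "role:breakglass-prod",
     "kind": "break-glass", "granted": date(2025, 9, 1),
     "expires": date(2025, 9, 2), "extensions": 0, "owner": "sec-ops",
     "removal_trigger": "incident closed", "cited_as_precedent_by": [],
     "uses_last_90d": 37},
    {"id": "G-4", "principal": "erin", "entitlement": "role:bi-viewer",
     "kind": "standard", "granted": date(2025, 3, 1),
     "expires": date(2026, 3, 1), "extensions": 0, "owner": "frank",
     "removal_trigger": "annual review", "cited_as_precedent_by": []},
]

AS_OF = date(2025, 12, 1)       # constructed review date
MAX_EXTENSIONS = 2              # assumed policy limit before escalation
BREAKGLASS_ROUTINE_USES = 5     # assumed: more than this in 90 days is routine use
TEMPORARY_KINDS = ("exception", "project", "break-glass")


def findings_for(g, as_of=AS_OF):
    """Return (pattern, reason) tuples for one grant; an empty list is clean."""
    out = []

    # Exception Becomes Baseline: meant to go away, but keeps being renewed
    # or is now serving as precedent for other requests.
    if g["kind"] == "exception":
        if g["extensions"] > MAX_EXTENSIONS:
            out.append(("exception-becomes-baseline",
                        f"extended {g['extensions']} times (limit {MAX_EXTENSIONS})"))
        if g["cited_as_precedent_by"]:
            out.append(("exception-becomes-baseline",
                        "cited as precedent by " + ", ".join(g["cited_as_precedent_by"])))

    # Temporary Access With No End State: nothing says when it ends or who decides.
    if g["kind"] in TEMPORARY_KINDS:
        if g["expires"] is None and g["removal_trigger"] is None:
            out.append(("no-end-state", "no expiry date and no removal trigger"))
        if g["owner"] is None:
            out.append(("no-end-state", "no accountable owner for revocation"))
        if g["kind"] == "break-glass" and g.get("uses_last_90d", 0) > BREAKGLASS_ROUTINE_USES:
            out.append(("no-end-state",
                        f"break-glass used {g['uses_last_90d']} times in 90 days (routine use)"))

    # Stale: the register still lists it after its own expiry date.
    if g["expires"] is not None and g["expires"] < as_of:
        out.append(("stale", f"still active {(as_of - g['expires']).days} days past expiry"))
    return out


def review(grants, as_of=AS_OF):
    """Map grant id -> findings for every record in the register."""
    return {g["id"]: findings_for(g, as_of) for g in grants}


def pattern_counts(results):
    """Count findings per pattern so the review reports patterns, not instances."""
    counts = {}
    for findings in results.values():
        for pattern, _ in findings:
            counts[pattern] = counts.get(pattern, 0) + 1
    return counts


if __name__ == "__main__":
    results = review(GRANTS)
    for gid, findings in results.items():
        status = "; ".join(f"{p}: {r}" for p, r in findings) or "clean"
        print(f"{gid}: {status}")
    print("by pattern:", pattern_counts(results))
```

Reporting pattern_counts rather than only the per-grant list is deliberate: it answers the question the Executive Interpretation section asks, which decision pattern keeps producing these grants, instead of just which grants to clean up this quarter.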
Core Decision Pattern: Approval by Authority, Not Evidence
Senior Request
High-ranking individual requests access
Bypassed Scrutiny
Normal review process abbreviated or skipped
Invisible Risk
Elevated privileges concentrate without visibility
Access is approved based on who makes the request rather than evaluated necessity, documented business justification, or assessed risk exposure. The requester's organizational authority or relationship with the approver substitutes for evidence-based decision-making. Approvers defer responsibility upward, reasoning that if someone senior enough is asking, the access must be appropriate.
Invisible Risk Concentration
High-privilege access accumulates among senior leaders without corresponding visibility in risk reporting or security monitoring
Review Fatigue
Access reviewers learn that challenging senior access is futile, leading to rubber-stamp behavior across all reviews
Audit Discomfort
Auditors identify concerns but struggle to articulate findings when access is technically approved and documented
How These Decisions Fail Over Time
Individually, each identity and access decision appears reasonable, defensible, and properly documented. The risk emerges not from dramatic control failures, but from the cumulative effect of reasonable decisions made without consideration for their long-term interaction and compound impact.
Access Reviews Validate Exposure
Periodic reviews confirm existing access rather than challenging appropriateness
Tooling Signals Control
PIM and governance platforms show green metrics while masking privilege accumulation
Audits Pass
Compliance verification succeeds despite material identity risk
Attackers Benefit
Adversaries exploit long-standing, fully approved access paths

Critical Insight: The most dangerous access in your environment is likely fully approved, properly documented, and passes all compliance checks. The risk lies in the decision logic that created it, not in the controls that govern it.
Executive Interpretation
For CISOs and Chief Security Officers
Identity risk is rarely caused by a single flawed approval decision or compromised account. Instead, it emerges from decision repetition without decay awareness: the systematic approval of reasonable access requests without accounting for how those decisions accumulate, interact, and persist over time.
The most dangerous access in your organization is often fully approved, properly documented, and supported by legitimate business justification. The risk is invisible to traditional security metrics because it exists in the decision logic layer, not in the technical control layer.
Focus your attention on the patterns that generate risk, not just the instances of risk that surface during incidents. Ask not "was this access properly approved?" but "what decision pattern made this approval seem reasonable?"
For Audit and Assurance Functions
Traditional audit findings tend to focus on control gaps, missing documentation, or policy violations. These are important but often miss the deeper issue: the logic and assumptions embedded in approved decisions.
When identity-related incidents occur, the audit trail typically shows proper approvals, documented justifications, and functioning review processes. Evidence completeness does not equal access appropriateness.
Consider expanding audit scope to examine decision patterns rather than individual decisions. Evaluate whether the organization's approval processes systematically account for persistence, transitivity, and opacity. Test whether risk acceptance documentation includes genuine threat modeling or merely business justification.
Cross-References
Identity and access decisions do not fail in isolation. They interact with other decision domains and often surface later as seemingly unrelated security findings, governance failures, or incident response challenges.
Governance Failures (SGFA)
Identity decisions that violate governance principles often appear first as SGFA findings before their security impact is understood
Attack Paths (ITIF)
Post-incident analysis documented in ITIF frequently traces back to identity decisions made months or years earlier
Control Illusions (ESL)
The gap between reported control effectiveness and actual security posture highlighted in ESL often originates in identity decision patterns
Use this domain to trace backward from security incidents, audit findings, or governance concerns to identify the decision patterns that enabled them. Understanding these patterns allows organizations to prevent similar decisions in the future rather than simply remediating their consequences.
