If you want to know where a modern enterprise's security program is really maturing, don't look at the firewall. Look at the IAM org chart. More specifically, look at who runs it: if your identity program reports into HR or shares a manager with onboarding, your perimeter is a spreadsheet. The network boundary stopped being the boundary a decade ago. Identity is the perimeter now, and most programs haven't caught up.
PAM adoption is a decade behind
Privileged Access Management is the control that sits between "attacker compromised a user" and "attacker became domain admin." Every breach report from the last five years includes the phrase "lateral movement using legitimate credentials." That's the gap PAM exists to close.
And yet — PAM deployments in 2026 still look like 2016. CyberArk or BeyondTrust installed, a subset of admin accounts vaulted, a handful of servers with session recording, the rest left alone. The things that don't get vaulted:
- Cloud IAM roles with broad privileges — `AdministratorAccess` assumed from a laptop over SSO, no session boundary.
- Break-glass accounts stored in a password manager shared among six people.
- Service accounts with admin-equivalent privileges in Active Directory — the same ones Mimikatz will harvest the moment a single endpoint is compromised.
- Kubernetes `cluster-admin` on bastion hosts.
- SaaS super-admin accounts — Okta, Entra, GitHub, Salesforce. These are the most sensitive identities you have, and they're usually the least governed.
A modern PAM program starts with "what can destroy us," not "what's easiest to vault."
Service accounts: the shadow identity population
Audit your directory. For every human user, how many service accounts exist? In most enterprises it's 3-10x. These accounts have passwords that don't rotate, MFA exemptions, group memberships nobody remembers granting, and owners who left the company in 2022.
The non-human identity population outnumbers the human one, is less governed, and holds more privilege. This is the attack surface.
What works:
- Inventory everything — ServiceAccount objects in AD, IAM users and roles in cloud, OAuth apps in SaaS, Kubernetes ServiceAccounts, CI/CD secrets.
- Assign an owner to each. No exceptions. An orphan service account is a ticking clock.
- Rotate credentials on a schedule enforceable by tooling — HashiCorp Vault dynamic secrets, AWS IAM Roles Anywhere, workload identity federation. The goal is to eliminate long-lived credentials entirely.
- Monitor for anomalous use. A service account that usually hits one API suddenly enumerating all users at 3am is a signal.
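The last item is the one most teams skip because it sounds like a data-science project. It doesn't have to be: a per-principal baseline of "which operations has this account ever performed" catches the case in the post (a backup account suddenly enumerating users) without any modelling. The following is an added example, not code from the original post; the JSON log format, the field names, the `svc-backup` account and the `ENUMERATION_OPS` set are all constructed for illustration.

```python
"""Baseline-vs-anomaly check for service accounts over constructed audit-log
lines. Added example; the log schema (JSON with ``principal``, ``operation``,
``ts`` in ISO 8601 UTC) is an assumption, not the post's."""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime

# Constructed sample: a baseline window in which a backup account only touches S3.
BASELINE_LOGS = [
    '{"principal": "svc-backup", "operation": "s3:GetObject", "ts": "2026-01-01T02:00:00Z"}',
    '{"principal": "svc-backup", "operation": "s3:GetObject", "ts": "2026-01-02T02:00:00Z"}',
    '{"principal": "svc-backup", "operation": "s3:PutObject", "ts": "2026-01-03T02:05:00Z"}',
]

# Constructed sample: new events, including the 3am identity enumeration.
NEW_LOGS = [
    '{"principal": "svc-backup", "operation": "s3:GetObject", "ts": "2026-01-08T02:00:00Z"}',
    '{"principal": "svc-backup", "operation": "iam:ListUsers", "ts": "2026-01-08T03:04:00Z"}',
    '{"principal": "svc-backup", "operation": "iam:ListUsers", "ts": "2026-01-08T03:04:02Z"}',
    '{"principal": "svc-backup", "operation": "iam:ListAccessKeys", "ts": "2026-01-08T03:04:05Z"}',
]

# Operations that read out the identity population itself (illustrative set).
# A service account using one of these for the first time is high severity
# regardless of the time of day.
ENUMERATION_OPS = {"iam:ListUsers", "iam:ListAccessKeys", "iam:ListRoles"}


def parse(line: str) -> dict:
    """Decode one JSON log line and turn its timestamp into an aware datetime."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def build_baseline(lines: list[str]) -> dict[str, set[str]]:
    """Map each principal to the set of operations seen in the baseline window."""
    seen: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        ev = parse(line)
        seen[ev["principal"]].add(ev["operation"])
    return dict(seen)


def detect(baseline: dict[str, set[str]], lines: list[str]) -> list[dict]:
    """Return one alert per (principal, operation) absent from that principal's baseline.

    Severity is 'high' when the new operation is an identity-enumeration call
    or the principal has no baseline at all (an account nobody inventoried),
    otherwise 'medium'. Alerts are ordered by first occurrence.
    """
    counts: dict[tuple[str, str], int] = defaultdict(int)
    first_seen: dict[tuple[str, str], datetime] = {}
    for line in lines:
        ev = parse(line)
        key = (ev["principal"], ev["operation"])
        if ev["operation"] in baseline.get(ev["principal"], set()):
            continue  # known behaviour for this account
        counts[key] += 1
        first_seen.setdefault(key, ev["ts"])
    alerts = []
    for (principal, op), n in counts.items():
        severity = "high" if op in ENUMERATION_OPS or principal not in baseline else "medium"
        alerts.append({"principal": principal, "operation": op, "count": n,
                       "first_seen": first_seen[(principal, op)].isoformat(),
                       "severity": severity})
    return sorted(alerts, key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print(alert)
```

In production the baseline would be rebuilt from a rolling window (CloudTrail, Entra sign-in logs, Kubernetes audit logs), and the owner assigned in the inventory step is who the alert gets routed to; an alert for an account with no owner is itself the finding.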
OAuth scopes: the quiet exposure
Users install SaaS apps that request OAuth access to their mailbox, calendar, Drive. IT finds out during an audit. The permission grants persist for years, outlive the apps themselves, and occasionally belong to apps that have since been breached or sold.
Microsoft Graph and Google Workspace both give you the APIs to enumerate and govern these. Entra ID App Governance and Google Workspace App Access Control make it a configuration problem, not a development project. Most orgs haven't turned them on because "we'll get to it."
A baseline:
- Block user consent for high-privilege scopes. Require admin review.
- Review granted OAuth apps quarterly. Revoke anything with no active use in 90 days.
- Treat the OAuth grant list as a third-party inventory. It is.
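Once the grant list is exported (Graph and the Workspace Admin SDK both return it), the three bullets above are a small triage loop. The following is an added example, not code from the original post: the grant records, the app names and the `HIGH_PRIVILEGE` scope set are constructed for illustration (the scope names are real Graph and Google scopes, but the set is a starting point, not a complete list), and it assumes the export has already been flattened into dicts with `app`, `principal`, `scopes`, `granted` and `last_used`.

```python
"""Triage of an OAuth grant inventory against the baseline in the post:
high-privilege scopes go to admin review, anything unused for 90 days is
revoked. Added example; data model and scope set are assumptions."""
from __future__ import annotations

from datetime import date

# Scopes that read or write whole mailboxes, directories or drives.
# Illustrative starting point, not a complete list.
HIGH_PRIVILEGE = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "Directory.ReadWrite.All",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
}
STALE_DAYS = 90

# Constructed sample inventory (ISO dates, UTC; last_used None = never used).
GRANTS = [
    {"app": "calendar-sync", "principal": "alice@example.com",
     "scopes": ["Calendars.Read"], "granted": "2024-03-01", "last_used": "2026-01-20"},
    {"app": "old-crm-plugin", "principal": "bob@example.com",
     "scopes": ["Mail.ReadWrite", "Contacts.Read"], "granted": "2022-06-10",
     "last_used": "2023-11-02"},
    {"app": "drive-backup", "principal": "carol@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive"], "granted": "2025-09-15",
     "last_used": "2026-01-25"},
    {"app": "survey-tool", "principal": "dave@example.com",
     "scopes": ["openid", "email"], "granted": "2025-12-01", "last_used": None},
]


def needs_admin_consent(requested_scopes) -> bool:
    """Consent policy (bullet 1): user self-consent only for low-privilege scopes."""
    return bool(HIGH_PRIVILEGE & set(requested_scopes))


def _days_since(iso: str | None, today: date) -> int | None:
    return (today - date.fromisoformat(iso)).days if iso else None


def triage(grants, today_iso: str) -> dict[str, list[str]]:
    """Sort grants into exactly one of 'revoke', 'admin_review', 'ok' (bullet 2).

    A grant is stale when its last use is more than STALE_DAYS ago; a grant
    that was never used is aged from the day it was granted, so it is not
    exempt from revocation just because no one ever exercised it.
    """
    today = date.fromisoformat(today_iso)
    out: dict[str, list[str]] = {"revoke": [], "admin_review": [], "ok": []}
    for g in grants:
        idle = _days_since(g["last_used"], today)
        if idle is None:
            idle = _days_since(g["granted"], today)
        if idle > STALE_DAYS:
            out["revoke"].append(g["app"])
        elif needs_admin_consent(g["scopes"]):
            out["admin_review"].append(g["app"])
        else:
            out["ok"].append(g["app"])
    return out


if __name__ == "__main__":
    for bucket, apps in triage(GRANTS, "2026-02-01").items():
        print(f"{bucket:13s} {apps}")
```

The `admin_review` bucket is the third bullet made concrete: every app in it is a third party holding a standing token to your data, and it belongs in the same register as any other vendor with that access.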
Conditional Access is the real control plane
Conditional Access (Entra ID) or equivalent (Okta, Ping) is where identity becomes architecture. It's where you express:
- This user, from this device, in this country, with this risk score, at this time, can access this app — and must prove it this way.
- Privileged sign-ins require phishing-resistant MFA (FIDO2 / passkeys). SMS and TOTP are no longer acceptable for admins.
- Sessions have bounded lifetimes. Re-authentication is required to touch anything sensitive.
- Token theft is detected and responded to — Continuous Access Evaluation terminates sessions the moment risk signals change.
The failure mode: Conditional Access configured for end users but not for admins, because "it'll lock us out." That's the exact population where the strict controls matter most. Fix the escape hatches (break-glass accounts, emergency access procedures) and apply the controls universally.
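The bullets above and the admin exclusion failure mode are both easier to reason about once the policy is data you can evaluate and lint. The following is an added example, not code from the original post and not any vendor's schema: the `SignIn` and `Policy` models, the policy names, the group names (`admins`, `break-glass`), the app names, the allowed-country set and the 60-minute session limit are all constructed for illustration. It evaluates a sign-in against every applicable policy (block beats step-up beats allow), and `lint_admin_coverage` flags a policy set in which admins have been carved out of phishing-resistant MFA.

```python
"""A small Conditional Access style evaluator plus a lint for the
'admins are excluded' anti-pattern. Added example; the data model, thresholds
and names are assumptions, not the post's and not a vendor's."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

PHISHING_RESISTANT = {"fido2", "passkey"}


@dataclass
class SignIn:
    user: str
    groups: set
    app: str
    country: str
    risk: str                       # "low" | "medium" | "high" (from the IdP's risk engine)
    device_compliant: bool
    mfa_method: Optional[str]       # "fido2" | "passkey" | "totp" | "sms" | None
    session_age_min: int = 0


@dataclass
class Policy:
    name: str
    include_groups: set             # {"all"} matches every user
    exclude_groups: set = field(default_factory=set)
    apps: Optional[set] = None      # None = every app
    mfa: str = "any"                # "any" | "phishing_resistant"
    require_compliant_device: bool = False
    allowed_countries: Optional[set] = None
    block_high_risk: bool = False
    max_session_min: Optional[int] = None

    def applies(self, s: SignIn) -> bool:
        if self.apps is not None and s.app not in self.apps:
            return False
        if s.groups & self.exclude_groups:
            return False
        return "all" in self.include_groups or bool(s.groups & self.include_groups)


def evaluate(s: SignIn, policies: list[Policy]) -> tuple[str, list[str]]:
    """Combine every applicable policy into one decision.

    'block' wins over 'step_up' (re-authenticate in a way that satisfies the
    failed rule), which wins over 'allow'. Reasons name the policy and rule.
    """
    blocks, step_ups = [], []
    for p in policies:
        if not p.applies(s):
            continue
        if p.block_high_risk and s.risk == "high":
            blocks.append(f"{p.name}: high-risk sign-in")
        if p.allowed_countries is not None and s.country not in p.allowed_countries:
            blocks.append(f"{p.name}: country {s.country} not allowed")
        if p.require_compliant_device and not s.device_compliant:
            blocks.append(f"{p.name}: device not compliant")
        if p.mfa == "phishing_resistant" and s.mfa_method not in PHISHING_RESISTANT:
            step_ups.append(f"{p.name}: phishing-resistant MFA required")
        elif p.mfa == "any" and s.mfa_method is None:
            step_ups.append(f"{p.name}: MFA required")
        if p.max_session_min is not None and s.session_age_min > p.max_session_min:
            step_ups.append(f"{p.name}: session older than {p.max_session_min} min")
    if blocks:
        return "block", blocks
    if step_ups:
        return "step_up", step_ups
    return "allow", []


def lint_admin_coverage(policies: list[Policy], admin_group: str) -> list[str]:
    """Flag the 'it'll lock us out' anti-pattern: the admin group excluded from,
    or simply not covered by, any policy requiring phishing-resistant MFA."""
    findings, covered = [], False
    for p in policies:
        if p.mfa != "phishing_resistant":
            continue
        if admin_group in p.exclude_groups:
            findings.append(f"{p.name} excludes {admin_group}")
        elif "all" in p.include_groups or admin_group in p.include_groups:
            covered = True
    if not covered:
        findings.append(f"no phishing-resistant MFA policy covers {admin_group}")
    return findings


# Constructed policy set: a baseline for everyone, a strict policy for admins,
# and an exclusion limited to the break-glass accounts (the escape hatch is the
# emergency accounts, not the whole admin population).
POLICIES = [
    Policy("baseline-mfa", include_groups={"all"}, exclude_groups={"break-glass"},
           mfa="any", block_high_risk=True, allowed_countries={"US", "CA"}),
    Policy("admin-strict", include_groups={"admins"}, exclude_groups={"break-glass"},
           mfa="phishing_resistant", require_compliant_device=True, max_session_min=60),
    Policy("sensitive-apps", include_groups={"all"}, exclude_groups={"break-glass"},
           apps={"entra-admin", "aws-console"}, mfa="phishing_resistant", max_session_min=60),
]

# The anti-pattern: strict MFA for everyone except the people who need it most.
BAD_POLICIES = [
    Policy("everyone-strict", include_groups={"all"}, exclude_groups={"admins"},
           mfa="phishing_resistant"),
]

if __name__ == "__main__":
    admin = SignIn("alice", {"admins"}, "entra-admin", "US", "low", True, "totp")
    print(evaluate(admin, POLICIES))
    print(lint_admin_coverage(POLICIES, "admins"), lint_admin_coverage(BAD_POLICIES, "admins"))
```

The lint is the part worth automating against a real tenant export: the evaluator only tells you what one sign-in gets, while the lint tells you whether the policy set as a whole ever requires the strong factor from the admin population.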
The SSO-for-IT-only anti-pattern
A surprising number of enterprise apps sit outside SSO because the SAML license is extra, because the integration took a quarter, or because the app's SSO tier was priced punitively. The result: users have local passwords in 30 apps that IT thinks are SSO-covered. MFA doesn't exist on those local logins. The credentials are reused.
"SSO tax" is a real problem. The answer is vendor pressure, contractual requirements, and — for the apps where it's genuinely impossible — a password manager enforced at the endpoint and monitored. Not ignoring the problem because the procurement cycle was hard.
The takeaway: Identity is the perimeter, and most IAM programs are operating it like an HR workflow. Vault what can destroy you, govern non-human identities like they outnumber humans (because they do), close the OAuth exposure, and wire Conditional Access into every access decision — including your own admins'. The network team isn't coming to save you.