
A quarter-century of technical debt: Why identity security is now the enterprise’s weakest link

Cyberrey and Forestall to unpack 25 years of identity vulnerabilities at the ITWeb Security Summit 2026.
Johannesburg, 21 Nov 2025
Identity is one of the most under-secured and over-exploited layers in cyber security.

Identity has been the backbone of enterprise IT for more than 25 years, yet it remains one of the most under-secured and over-exploited layers in cyber security. While networks, endpoints and cloud security have gone through cycles of reinvention, the identity layer has quietly accumulated massive technical debt. Today, this debt has become one of the most common and successful paths attackers use to compromise organisations.

At the ITWeb Security Summit 2026, Cyberrey – the event’s lead sponsor – together with Forestall, will shed light on how Active Directory, Entra ID and hybrid identity systems have evolved into some of the most dangerous blind spots in modern enterprises. The session will highlight decades of inherited weaknesses, real-world breach patterns and the strategic shift towards identity security posture management (ISPM) and identity visibility and intelligence platforms (IVIP). 

How 25 years of identity neglect became an enterprise crisis

Identity and access management (IAM) frameworks such as Active Directory were never designed for today’s hybrid, cloud-first environments. Over the years, mergers, rapid expansion, restructuring and inconsistent administration have created sprawling identity estates filled with misconfigurations, privilege creep and unmanaged relationships.

While attackers have refined identity-based techniques, the enterprise identity layer has remained largely static – and largely unsecured.

Only in recent years have dedicated identity security disciplines finally emerged:

  • Identity threat detection and response (ITDR) in 2022.
  • Identity security posture management (ISPM) in 2024.
  • Identity visibility and intelligence platforms (IVIP) in 2025.

This late shift in focus means organisations today are facing the consequences of decades of accumulated identity vulnerabilities.

The pain points driving modern breaches

Across global enterprises – including those assessed by Forestall – the same patterns appear repeatedly.

1. Legacy configurations and complexity

Active Directory environments grow over decades, leaving behind broken delegation models, misconfigured trust relationships and orphaned objects that quietly expand attack surfaces.

2. Privilege sprawl

User, admin and service accounts collect permissions far beyond what they need. Attackers exploit this “privilege creep” to escalate privileges and gain control of the domain.

3. Hybrid blind spots

As organisations adopt Entra ID and SaaS platforms, identity becomes fragmented. Attackers increasingly move laterally between on-premises AD and cloud environments through misconfigured synchronisation paths.

4. Lack of proactive defences

Traditional tools detect breaches after attackers obtain valid credentials. By then, adversaries often already control critical identity components.

5. Insufficient continuous assessment

Many identity risks go undetected for years until uncovered by a penetration test – or a real compromise.

These weaknesses are not theoretical. They form the backbone of some of the most damaging attacks seen in the last 24 months.

When identity debt meets real-world attacks

Hybrid AD Entra ID Ransomware

In 2025, Microsoft documented the Storm-0501 attack chain, where adversaries:

  • Compromised on-premises AD.
  • Gained access to Entra Connect Sync servers.
  • Leveraged a synced global admin account without MFA.
  • Registered their own MFA, escalated privileges and executed cloud-based ransomware.

This incident reflected a growing trend: attackers using legacy AD weaknesses to seize cloud environments at scale.

Kerberoasting and insecure defaults

Another 2025 breach at Ascension Health stemmed from Microsoft continuing to ship Windows with RC4 still enabled by default. Attackers launched a Kerberoasting attack, cracked service tickets offline and escalated privileges into the organisation’s AD environment.

Following the incident, US lawmakers condemned the vendor for maintaining insecure configurations that enabled widespread identity compromise.

These examples show that identity security failures are not caused by exotic zero days – they come from decades-old defaults.

The numbers are unambiguous

Global intelligence paints a consistent picture:

  • 90% of incidents involve Active Directory (Mandiant).
  • 80% of organisations have experienced an identity-related breach (Microsoft).
  • 90% of attacks exploit poor access segmentation in IAM systems (Microsoft).

Forestall’s latest research – analysing 8.3 million identity objects and 400 million relationships across 150 organisations – reveals:

  • 90% of AD environments can be compromised by an unprivileged account.
  • 60% of hybrid environments contain privilege escalation paths.
  • 10% of identity objects are stealth or shadow admins.
  • 24% of relationships can be used for privilege escalation.
  • At least 1% of identities are “high-value targets” for attackers.
  • 15% of stale objects can compromise mission-critical accounts.

These findings will be explored in detail during the ITWeb Security Summit 2026.

Identity security takes centre stage at the ITWeb Security Summit 2026

Cyberrey and Forestall will jointly highlight why identity should now be considered a primary security layer, not a supporting component.

At the summit, they will demonstrate:

  • How 25 years of technical debt shaped today’s hybrid identity threats.
  • Why legacy AD remains one of the most targeted assets by threat actors.
  • How hybrid identity pathways create stealthy lateral movement opportunities.
  • Why ISPM and IVIP are becoming essential to zero trust architectures.
  • Real-world industry cases showing how attackers exploit identity blind spots.

Their participation at the summit reinforces the growing recognition that identity security must evolve beyond MFA and basic privilege management.

Forestall’s approach: Transforming identity from a liability into a defence layer

Forestall specialises in ISPM and IVIP – solutions designed to give organisations continuous visibility and control over their identity layer.

The Forestall ISPM platform enables enterprises to:

  • Continuously assess AD and Entra ID for misconfigurations, excessive privileges and risky relationships.
  • Visualise hybrid attack paths to eliminate lateral movement opportunities.
  • Identify exposed credentials and sensitive data in shares and GPOs.
  • Automate compliance with CIS, STIG and Microsoft baselines.
  • Integrate with ITSM systems for streamlined remediation.

By removing decades of identity technical debt, Forestall helps organisations build identity foundations that are resilient, auditable and cloud-ready.

About Security Summit

ITWeb Security Summit 2026 will be held at Century City Conference Centre, Cape Town on 26 May 2026 and at Sandton Convention Centre in Sandton, Johannesburg on 3 and 4 June 2026.

Themed ‘Redefining security in the face of AI-driven attacks, fragile supply chains and a global skills gap’, the 21st annual edition of Security Summit will continue its tradition of bringing leading international and local industry experts, analysts and end-users together to delve into the specific threats and opportunities facing African CISOs, security specialists, GRC professionals and anyone else who is responsible for securing their organisation from cyber attacks.

Register today. Visit https://www.itweb.co.za/event/itweb-security-summit-cpt-2026/ for Cape Town or https://www.itweb.co.za/event/itweb-security-summit-2026/ for Johannesburg.

About the partners

Forestall

Forestall is a global leader in ISPM and identity intelligence. Its platform secures identity infrastructures across banking, telecoms, government, defence, e-commerce and critical industries.

Cyberrey

Cyberrey, the lead sponsor of the ITWeb Security Summit 2026, is a leading African cyber security distributor focused on enabling the adoption of next-generation security technologies. Cyberrey’s presence at the summit underscores its commitment to strengthening Africa’s identity security maturity and promoting collaborative innovation across the continent.
