We Passed the Audit But Failed the Breach: The Real Cost of Loose Identity Controls

Identity Security
4 min read
ExColo Team
Picture this. A mid-size logistics company. ISO 27001 certified. NIS2 readiness review completed six weeks prior. A clean report from an external auditor sitting in the CISO's inbox.

Then came the breach.

Attackers spent 11 days moving through internal systems before anyone noticed. The entry point? An Active Directory account belonging to a contractor who had left 14 months earlier. The account was never deactivated. The password hadn't changed in two years. No one owned it. No alert triggered.

The auditor had ticked the box: "Access management policy: documented and approved."

The policy was there. The accounts weren't managed.

The Compliance Illusion

Compliance frameworks are valuable. GDPR, NIS2, ISO 27001, SOC 2 — they establish accountability, force documentation, and set a baseline. But they have a fundamental blind spot: they audit what you wrote down, not what's actually running.

An ISO 27001 audit checks whether an access management policy exists. It does not enumerate your 1,200 user accounts and ask why 340 of them haven't logged in for over six months.

A NIS2 readiness review examines your incident response plan. It does not verify that your HR system is integrated with Active Directory — or that offboarding actually triggers account deactivation.

Compliance tells you the fire escape plan is posted on the wall. Zero Trust asks whether the door at the end of the corridor has been locked since 2022.

Three Silent Killers of Identity Governance

1. Orphan Accounts

When an employee, contractor, or vendor leaves, their account stays behind. It sits dormant in Active Directory. No owner. No monitoring. No expiry date. To an attacker, a dormant account is a gift.

  • Credentials may be harvested from a historic data breach
  • No owner means no one notices unusual login activity
  • Dormant accounts frequently have residual access from projects long completed

2. Privilege Creep

A developer needs temporary admin rights. A finance manager needs access for an audit. The emergency ends. The access doesn't. Over three to five years, a normal user accumulates rights across six, eight, ten systems. One phishing email later, an attacker has the keys to half your infrastructure.

3. Broken Offboarding

HR processes the departure. IT is notified — on the last day, or not at all. The primary account is disabled. Access to cloud platforms, SaaS tools, VPNs, and shared inboxes is not reviewed. Three months later, the former employee's Microsoft 365 account is still syncing.

From Checking Boxes to Living Zero Trust

Enforce least-privilege access — in reality, not just in policy. Use role-based access control with quarterly reviews. Access expires unless renewed. Just-in-Time access for privileged operations via Microsoft Entra PIM.

Automate offboarding from day one. Connect HR systems to your identity provider. When an employee record closes, accounts deactivate automatically across AD, Entra ID, and downstream SaaS platforms.

Run an access rights review before your next audit. Not as audit preparation. As standard hygiene. Pull every account. Flag those inactive for 60+ days. Revoke what can't be justified.
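As an added illustration of that review (example code, not ExColo's tooling), the following PowerShell pulls every enabled user from on-premises Active Directory, flags accounts inactive for 60+ days, with stale passwords, with no recorded owner, or sitting in an admin group, and previews disabling the ownerless dormant ones. It assumes the RSAT ActiveDirectory module, a placeholder OU, and a one-year password-age threshold of my own choosing.

```powershell
# Dormant-account review for Active Directory (added example, not from the post).
# Assumes the RSAT ActiveDirectory module; SearchBase and thresholds are placeholders.
Import-Module ActiveDirectory

$InactiveDays      = 60                               # the post's "inactive for 60+ days"
$StalePasswordDays = 365                              # assumption: flag passwords older than a year
$SearchBase        = 'OU=Users,DC=example,DC=com'     # placeholder, replace with your OU

$cutoff    = (Get-Date).AddDays(-$InactiveDays)
$pwdCutoff = (Get-Date).AddDays(-$StalePasswordDays)

# LastLogonDate is derived from lastLogonTimestamp, which replicates with up to
# ~14 days of lag, so read it as "at least this stale", not as an exact value.
$users = Get-ADUser -Filter "Enabled -eq 'True'" -SearchBase $SearchBase `
    -Properties LastLogonDate, PasswordLastSet, Manager, whenCreated, MemberOf

$report = foreach ($u in $users) {
    $reasons = @()
    if (-not $u.LastLogonDate -and $u.whenCreated -lt $cutoff) { $reasons += 'never-logged-in' }
    elseif ($u.LastLogonDate -and $u.LastLogonDate -lt $cutoff) { $reasons += "inactive>$($InactiveDays)d" }
    if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $pwdCutoff) { $reasons += "pwd>$($StalePasswordDays)d" }
    if (-not $u.Manager) { $reasons += 'no-owner' }   # no Manager attribute means no one to ask
    $admin = @($u.MemberOf | Where-Object { $_ -match '^CN=(Domain|Enterprise|Schema) Admins,' }).Count -gt 0
    if ($admin) { $reasons += 'privileged-group' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            LastLogonDate   = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet
            Owner           = $u.Manager
            Reasons         = ($reasons -join ';')
        }
    }
}

$report | Sort-Object LastLogonDate |
    Export-Csv -NoTypeInformation -Path '.\dormant-account-review.csv'
Write-Host "$($report.Count) of $($users.Count) enabled accounts flagged for review"

# Remediation: disable (not delete) accounts that are both dormant and ownerless,
# and record the reason in the description so the change is auditable.
# -WhatIf only previews; drop it once the list has been confirmed with the business.
$report | Where-Object { $_.Reasons -match 'inactive' -and $_.Reasons -match 'no-owner' } |
    ForEach-Object {
        Set-ADUser -Identity $_.SamAccountName `
            -Description "Disabled $(Get-Date -Format u): dormant-account review" -WhatIf
        Disable-ADAccount -Identity $_.SamAccountName -WhatIf
    }
```

Accounts that are never-logged-in, privileged, or password-stale are reported but left untouched here, since those need a human decision rather than a blanket rule.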

Monitor identity behaviour, not just perimeter traffic. Anomalous login patterns, impossible travel, privilege escalation attempts — these signals exist in your logs today.

The Gap Between Audit and Reality Is Where Breaches Live

Compliance is not a security strategy. It is a floor — the minimum acceptable documentation of intent. Identity governance is not a one-time project. It's a continuous operational discipline.

If your last review of user access was during your certification audit, that review is already out of date.

ExColo conducts independent Identity & Access Security audits that go where compliance reviews don't. We look at your actual identity layer — active accounts, privilege assignments, offboarding gaps, third-party access — and deliver a prioritised remediation plan.

Contact ExColo for an independent Identity Security Assessment →

About the Author

ExColo Security Team

Cybersecurity specialists focused on Identity Security, Network Security, and Zero Trust architecture.
