When a business gets breached, the conversation almost always turns to the same question: how did they get in? In 2026, the answer is rarely a sophisticated zero-day exploit or an advanced persistent threat that took months to develop. More often than not, the answer is simpler and more uncomfortable: they used a legitimate credential. Someone’s username and password, obtained through phishing, purchased on a dark web marketplace, or extracted from a previous breach at another company, opened the door. And once inside, they moved quietly through the environment using access that was never properly controlled.
This is why identity has become the defining security challenge of the current era. Not endpoints. Not networks. Not even cloud infrastructure. Identity is the layer that determines whether a breach becomes a brief, containable incident or a catastrophic, months-long intrusion: who has access to what, how that access was granted, and whether it is still appropriate.
Two controls sit at the centre of an identity-first security strategy: Identity and Access Management (IAM) and Privileged Access Management (PAM). Understanding how they work, where they differ, and why most organisations have significant gaps in both is the starting point for any meaningful security improvement in 2026. At Armour Cybersecurity, our identity and access management services are often one of the first areas we examine during a posture review because it’s consistently where the most serious exposures are hiding.
What Is Identity and Access Management, and Why Does It Matter?
Identity and Access Management is the framework that governs who can log into your systems, what they can access once they’re in, and under what conditions that access is granted. At its simplest, IAM answers the question: does this person have the right to be here?
In practice, a mature IAM implementation covers several interconnected areas. Authentication, verifying that users are who they claim to be, is the most visible layer, and multi-factor authentication (MFA) is now the baseline expectation. But MFA alone is not IAM. Equally important is authorisation: what can an authenticated user actually do? Can they read files, modify data, approve transactions, or access systems outside their role? Most organisations have invested in authentication without investing equivalently in authorisation, which creates environments where a successfully authenticated user has far more access than their job requires.
Conditional access policies add another layer of intelligence. Rather than simply asking ‘is this the right password?’, conditional access asks ‘is this the right password, from the right device, at the right time, from the right location?’ A login attempt at 3am from an unfamiliar country, even with a valid credential, can be flagged or blocked. These policies dramatically narrow the window attackers can use even when they have legitimate credentials.
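The evaluation described above, written out as a small policy engine over constructed sign-in events. This is an added example, not code from the original article or from any Armour Cybersecurity product; the policy values (allowed countries, a 07:00 to 20:00 UTC working window, a tenant-wide MFA requirement) and the sign-in records are assumptions chosen to exercise each branch. It escalates in three steps: a single risk signal demands a second factor, two or more signals block the attempt outright even with a valid password, and every signal is logged regardless of the outcome so the SOC still sees it.

```python
"""Conditional access evaluation over constructed sign-in events (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Tuple


@dataclass(frozen=True)
class Policy:
    # Assumed tenant settings; a real policy would be far richer (named locations, device compliance, risk scores).
    allowed_countries: frozenset = frozenset({"CA", "US"})
    work_hours: Tuple[int, int] = (7, 20)   # [start, end) hour of day, UTC
    require_mfa: bool = True                # tenant-wide baseline


@dataclass(frozen=True)
class SignIn:
    user: str
    password_valid: bool
    mfa_passed: bool
    country: str
    device_managed: bool
    at: datetime   # timezone-aware, UTC


@dataclass(frozen=True)
class Decision:
    action: str               # "allow", "mfa_challenge" or "block"
    signals: Tuple[str, ...]  # risk signals observed; logged whatever the action


DEFAULT_POLICY = Policy()


def evaluate(event: SignIn, policy: Policy = DEFAULT_POLICY) -> Decision:
    # A wrong password never gets further; no amount of context rescues it.
    if not event.password_valid:
        return Decision("block", ("invalid credential",))

    signals = []
    if event.country not in policy.allowed_countries:
        signals.append("unfamiliar country")
    if not event.device_managed:
        signals.append("unmanaged device")
    start, end = policy.work_hours
    if not (start <= event.at.hour < end):
        signals.append("outside working hours")

    # Two or more signals: a valid credential on its own is not enough, block it.
    if len(signals) >= 2:
        return Decision("block", tuple(signals))
    # One signal, or the tenant-wide MFA baseline: demand a second factor before proceeding.
    if not event.mfa_passed and (signals or policy.require_mfa):
        return Decision("mfa_challenge", tuple(signals) or ("policy requires mfa",))
    # Allowed, but a lone signal still reaches the log for review.
    return Decision("allow", tuple(signals))


def _utc(hour: int) -> datetime:
    return datetime(2026, 3, 5, hour, 0, tzinfo=timezone.utc)


# Constructed sign-in records, one per branch of the policy above.
SAMPLE_SIGNINS = {
    "office_hours_managed_mfa": SignIn("alice", True, True, "CA", True, _utc(14)),
    "no_mfa_yet": SignIn("bob", True, False, "CA", True, _utc(14)),
    "3am_unfamiliar_country": SignIn("carol", True, True, "XX", True, _utc(3)),
    "personal_laptop_mfa": SignIn("dave", True, True, "US", False, _utc(10)),
    "wrong_password": SignIn("eve", False, False, "CA", True, _utc(9)),
}


def evaluate_all(policy: Policy = DEFAULT_POLICY) -> dict:
    return {name: evaluate(event, policy) for name, event in SAMPLE_SIGNINS.items()}


if __name__ == "__main__":
    for name, decision in evaluate_all().items():
        print(f"{name:28} {decision.action:14} {', '.join(decision.signals)}")
```

The 3am sign-in from an unfamiliar country is blocked even though both the password and the MFA prompt succeeded, which is the point the paragraph makes: the credential being valid is no longer the deciding factor.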
The third dimension of IAM is lifecycle management, ensuring that access is granted appropriately when someone joins, adjusted when their role changes, and revoked promptly when they leave. This sounds obvious. In practice, it’s where most organisations have their most significant exposure. Access that was granted for a specific project and never removed. An employee who changed departments three years ago and still has access to the systems from their previous role. A contractor whose engagement ended six months ago but whose account remains active. These are the gaps that attackers find and exploit, not because of sophisticated reconnaissance, but because they’re simply there.
What Is Privileged Access Management, and Why Is It a Separate Priority?
Privileged Access Management addresses a specific and elevated risk within the broader identity landscape: the accounts that have elevated or administrative access to critical systems. Administrator accounts, service accounts, database credentials, shared IT logins and root access in cloud environments are the accounts that, if compromised, give an attacker the ability to do almost anything in your environment.
The risk profile of privileged accounts is categorically different from standard user accounts. A standard user account, if compromised, gives an attacker access to whatever that user can access, which may be significant, but is bounded. A privileged account, particularly one with domain administrator rights or cloud account root access, gives an attacker the ability to create new accounts, modify or delete data, disable security controls, install software, and exfiltrate anything they choose. It’s the difference between a burglar getting into one room and a burglar getting the master key to the entire building.
Despite this, privileged account management is one of the most poorly governed areas in most environments. In our assessments, we consistently find: privileged credentials stored in spreadsheets or shared password managers with no session recording; service accounts with passwords that haven’t been rotated in years, and in some cases have never been rotated since the account was created; admin accounts that are excluded from MFA requirements because ‘they were set up before the policy existed’; and shared IT logins used by multiple team members with no accountability for individual actions.
A properly implemented privileged access management solution changes this fundamentally. All privileged sessions are brokered — users request access, which is approved and time-limited, rather than holding standing credentials. Privileged account passwords are vaulted and rotated automatically, so no individual ever knows the actual credential. Every privileged session is recorded in full, creating an immutable audit trail. And just-in-time access models mean that elevated permissions exist only for the duration of a specific task, eliminating the persistent privileged attack surface that most environments currently maintain.
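The brokered, just-in-time model in the paragraph above, reduced to a runnable toy. This is an added example and not code from the article or from any PAM product; the target names, the 60-minute policy maximum and the timestamps are constructed, and the `run()` method only records the command because there is no real target to connect to. The broker holds the vaulted secret and uses it on the requester's behalf, so no person ever sees it; a grant needs a separate approver and expires on a clock; every request, approval, command and denial lands in an append-only log; and closing the session rotates the secret so nothing copied out of it stays usable.

```python
"""Just-in-time privileged access broker, a simplified model (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from hashlib import sha256
from typing import Dict, List
import secrets


@dataclass
class Grant:
    requester: str
    target: str
    approver: str
    expires_at: datetime
    closed: bool = False


class Broker:
    """Vaults privileged credentials and brokers approved, time-limited, recorded sessions."""

    def __init__(self, max_minutes: int = 60):
        self.max_minutes = max_minutes                # assumed policy ceiling on a grant
        self._vault: Dict[str, str] = {}             # target -> current secret; never handed to a person
        self._pending: Dict[str, tuple] = {}         # request_id -> (requester, target, minutes)
        self._grants: Dict[str, Grant] = {}
        self.audit_log: List[dict] = []              # append-only record of every privileged action

    def _log(self, event: str, **fields) -> None:
        self.audit_log.append({"event": event, **fields})

    def enrol(self, target: str) -> None:
        """Take ownership of a privileged account: set a secret that nobody knows."""
        self._vault[target] = secrets.token_urlsafe(24)
        self._log("enrol", target=target)

    def request(self, requester: str, target: str, minutes: int, now: datetime) -> str:
        if target not in self._vault:
            raise KeyError(f"{target} is not managed by the broker")
        if minutes > self.max_minutes:
            raise ValueError("requested window exceeds the policy maximum")
        request_id = secrets.token_hex(4)
        self._pending[request_id] = (requester, target, minutes)
        self._log("request", id=request_id, requester=requester, target=target, minutes=minutes, at=now)
        return request_id

    def approve(self, request_id: str, approver: str, now: datetime) -> None:
        requester, target, minutes = self._pending[request_id]
        if approver == requester:
            raise PermissionError("self-approval is not allowed")   # request stays pending
        del self._pending[request_id]
        self._grants[request_id] = Grant(requester, target, approver, now + timedelta(minutes=minutes))
        self._log("approve", id=request_id, approver=approver, expires_at=self._grants[request_id].expires_at)

    def run(self, grant_id: str, command: str, now: datetime) -> str:
        """Execute a command under a grant; the secret is used here, inside the broker, not by the user."""
        grant = self._grants[grant_id]
        if grant.closed or now >= grant.expires_at:
            self._log("denied", id=grant_id, command=command, at=now)
            raise PermissionError("grant expired or closed")
        # Stand-in for injecting self._vault[grant.target] into a real session (no real target here).
        self._log("command", id=grant_id, user=grant.requester, target=grant.target, command=command, at=now)
        return f"{grant.target}$ {command}"

    def close(self, grant_id: str, now: datetime) -> None:
        """End the session and rotate the secret, so nothing captured during it remains valid."""
        grant = self._grants[grant_id]
        grant.closed = True
        self._vault[grant.target] = secrets.token_urlsafe(24)
        self._log("close", id=grant_id, at=now, rotated=True)

    def secret_fingerprint(self, target: str) -> str:
        """Hash of the current secret, enough to prove rotation without exposing it."""
        return sha256(self._vault[target].encode()).hexdigest()[:16]


T0 = datetime(2026, 3, 5, 9, 0, tzinfo=timezone.utc)   # constructed clock for the walk-through


def minutes_after(n: int) -> datetime:
    return T0 + timedelta(minutes=n)


def demo() -> dict:
    """One complete brokered session: request, approve, use, close, then a rejected reuse."""
    b = Broker()
    b.enrol("prod-db-admin")
    rid = b.request("alice", "prod-db-admin", minutes=30, now=T0)
    b.approve(rid, approver="bob", now=T0)
    output = b.run(rid, "backup --verify", now=minutes_after(5))
    before = b.secret_fingerprint("prod-db-admin")
    b.close(rid, now=minutes_after(10))
    after = b.secret_fingerprint("prod-db-admin")
    try:
        b.run(rid, "status", now=minutes_after(11))
        reusable = True
    except PermissionError:
        reusable = False
    return {"output": output, "rotated": before != after, "reusable_after_close": reusable,
            "events": [e["event"] for e in b.audit_log]}


if __name__ == "__main__":
    print(demo())
```

Two failure modes the paragraph implies are enforced explicitly: the same person cannot request and approve, and a grant that has expired or been closed is denied and the denial itself is logged, which is exactly the kind of event a SOC wants to see.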
How IAM and PAM Work Together: The Identity Security Stack
IAM and PAM are complementary controls that address different layers of the identity problem. IAM governs the broad population of users, ensuring that everyone who accesses your environment is authenticated appropriately, authorised for the right resources, and managed throughout their lifecycle. PAM governs the small, high-risk population of accounts with elevated access, ensuring that the most powerful credentials in your environment are controlled, monitored, and never exposed unnecessarily.
The principle that underlies both controls is least privilege: every user, every service, every system should have exactly the access it needs to do its job, and nothing more. Least privilege sounds straightforward in principle. Implementing it in a real environment that has been running for years, where access has been granted reactively to solve immediate problems and never reviewed, is the hard work that an identity assessment surfaces and prioritises.
An effective identity security programme typically begins with visibility, a comprehensive audit of who has what access, including dormant accounts, over-privileged accounts, and service accounts with excessive permissions. From that baseline, a remediation priority is established: which accounts represent the most significant risk if compromised, and what controls need to be in place before any other security investment is made. For most organisations, this work surfaces more critical findings than any other area of a cybersecurity posture assessment.
What Does an Identity Breach Actually Look Like?
Understanding the real-world attack path that IAM and PAM controls interrupt is important context for any leader evaluating their identity security investment and broader incident response plan readiness.
A typical identity-based attack follows a predictable sequence. Initial access is gained through a compromised credential, either phished directly from a user, purchased from a criminal marketplace, or obtained through credential stuffing against a system with weak password policies. Once inside, the attacker spends time in what security teams call ‘dwell time’, quietly mapping the environment, identifying high-value targets, and looking for paths to escalate their access.
Privilege escalation is the next critical phase. The attacker looks for service accounts with excessive permissions, misconfigured Active Directory entries, or accounts that were granted admin rights and forgotten. In environments without PAM, finding a shared admin credential in a shared drive or an unrotated service account password is not unusual. With that elevated access, the attacker moves laterally across the environment, accessing the systems that contain whatever they’re looking for: financial data, customer records, intellectual property, or the infrastructure they need to deploy ransomware.
The average dwell time between initial access and detection in a breach is measured in days to weeks. In that window, with proper IAM and PAM controls in place, the attack surface is dramatically narrowed: MFA blocks credential-only authentication, conditional access policies flag anomalous login behaviour, managed SOC services provide continuous monitoring for suspicious account activity, least privilege limits what a compromised standard account can reach, and PAM controls ensure that privileged credentials are not accessible to the attacker even when the attacker is already inside the environment.
Common IAM and PAM Gaps We Find in SMB Environments
Across our assessments, the findings in identity security are remarkably consistent. The most common gaps include:
• MFA not enforced across all account types: particularly service accounts, older admin accounts, and accounts created before the current policy was established.
• Legacy authentication protocols still enabled: these bypass modern authentication controls entirely and represent a persistent vulnerability in M365 and on-premises environments.
• Stale access not cleaned up: former employees, contractors, and vendors whose accounts remain active long after their engagement ended.
• Over-privileged standard user accounts: employees whose current role requires far less access than they have been granted, often the result of role changes that were never reflected in their access profile.
• No PAM solution in place: privileged credentials stored in shared documents or password managers, with no session recording and no rotation schedule.
• Service accounts excluded from security policy: long-running service accounts with passwords that have never been rotated and excessive permissions that were granted during initial deployment.
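The gaps listed above, together with the lifecycle failures described earlier (the contractor whose engagement ended but whose account stayed active, the admin account nobody has used in months), checked mechanically against a constructed account inventory. This is an added example, not code from the article or from any assessment tooling; the account records, the 90-day stale threshold, the 365-day service-password rotation window and the set of roles treated as privileged are all assumptions and would be tuned to the environment. Each rule maps to one bullet, so the summary it returns reads like the finding list of a small assessment.

```python
"""Identity gap audit over a constructed account inventory (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed thresholds and role names; tune to the environment under review.
PRIVILEGED_ROLES = {"domain-admin", "global-admin", "root"}
STALE_AFTER = timedelta(days=90)
ROTATE_SERVICE_PW_WITHIN = timedelta(days=365)
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Account:
    name: str
    kind: str                     # "user", "admin" or "service"
    mfa_enforced: bool
    legacy_auth_enabled: bool
    last_login: date
    password_rotated: date
    roles: Tuple[str, ...]
    credential_vaulted: bool = False         # held in a PAM vault with session recording?
    engagement_end: Optional[date] = None    # contractor or vendor end date, if any

    @property
    def privileged(self) -> bool:
        return any(role in PRIVILEGED_ROLES for role in self.roles)


@dataclass(frozen=True)
class Finding:
    account: str
    gap: str
    severity: str
    detail: str


def audit(accounts: List[Account], today: date) -> List[Finding]:
    findings = []
    for a in accounts:
        sev = "critical" if a.privileged else "medium"
        if not a.mfa_enforced:
            findings.append(Finding(a.name, "mfa_not_enforced", sev, f"{a.kind} account signs in without MFA"))
        if a.legacy_auth_enabled:
            findings.append(Finding(a.name, "legacy_auth_enabled", "high",
                                    "legacy protocol bypasses MFA and conditional access"))
        stale = []
        if a.engagement_end and a.engagement_end < today:
            stale.append(f"engagement ended {a.engagement_end}")
        if today - a.last_login > STALE_AFTER:
            stale.append(f"last login {a.last_login}")
        if stale:
            findings.append(Finding(a.name, "stale_access", "high" if a.privileged else "medium", "; ".join(stale)))
        if a.kind == "service" and today - a.password_rotated > ROTATE_SERVICE_PW_WITHIN:
            findings.append(Finding(a.name, "unrotated_service_password", sev, f"last rotated {a.password_rotated}"))
        if a.privileged and not a.credential_vaulted:
            findings.append(Finding(a.name, "privileged_credential_unvaulted", "critical",
                                    "privileged credential outside any vault or session recording"))
    return findings


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Highest-impact findings first, which is the order a remediation roadmap follows."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.account, f.gap))


def summarise(findings: List[Finding]) -> dict:
    return dict(Counter(f.gap for f in findings))


TODAY = date(2026, 3, 5)   # constructed assessment date

# Constructed inventory: one clean account and four that each trip at least one rule.
SAMPLE_ACCOUNTS = [
    Account("jdoe", "user", True, False, date(2026, 3, 1), date(2026, 1, 10), ("finance-read",)),
    Account("svc-backup", "service", False, True, date(2026, 3, 4), date(2021, 5, 2), ("domain-admin",)),
    Account("admin-old", "admin", False, False, date(2025, 6, 1), date(2025, 1, 1), ("global-admin",)),
    Account("contractor1", "user", True, False, date(2025, 8, 1), date(2025, 7, 1), ("project-x",),
            engagement_end=date(2025, 9, 1)),
    Account("svc-crm", "service", False, False, date(2026, 3, 2), date(2026, 2, 1), ("crm-api",),
            credential_vaulted=True),
]


def run_audit() -> List[Finding]:
    return prioritise(audit(SAMPLE_ACCOUNTS, TODAY))


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.severity:8} {f.account:12} {f.gap:32} {f.detail}")
    print(summarise(run_audit()))
```

The backup service account is the instructive case: it collects four findings at once (no MFA, legacy authentication, a password unchanged since 2021 and domain-admin rights outside any vault), which is why such accounts sit at the top of a remediation roadmap rather than the user population.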
Each of these is individually fixable. The challenge for most organisations is that they don’t know the extent of the problem until they look, and looking requires an identity assessment that maps the full access landscape, not just the accounts that are front-of-mind.
Is Identity Security a Regulatory Requirement?
Increasingly, yes. For Canadian organisations, PIPEDA and its successor framework under Bill C-26 establish accountability for the protection of personal information, and inadequate access controls are among the most common findings in regulatory investigations following a breach. The question regulators ask is not ‘did you have a firewall?’ It is ‘did you have reasonable controls to limit who could access sensitive personal data, and did you maintain those controls over time?’
For organisations in regulated sectors (banking, insurance, legal, healthcare), the expectation is more explicit. OSFI’s B-10 guideline for financial institutions, the LSO’s cybersecurity guidance for law firms, and sector-specific frameworks across North America all reference access controls and identity governance as baseline requirements. For businesses operating in Latin America, regulations including Colombia’s Ley 1581, Peru’s Ley 29733, and Chile’s new Ley 21.719 similarly establish data access governance obligations.
Beyond regulatory compliance, cyber insurers are increasingly scrutinising identity controls as a condition of coverage. Failure to demonstrate MFA across critical systems and privileged account management is now a common basis for coverage limitations or claim denials following a breach.
Getting Started: What an Identity Assessment Covers
An identity assessment with Armour Cybersecurity covers the full landscape of your current identity security posture: the population of active accounts and their permission levels, the MFA and conditional access policies in place, the state of privileged account management, and the service account inventory. What you receive at the end is not a compliance checklist but a prioritised picture of where your identity risk actually sits, with a remediation roadmap that addresses the highest-impact findings first.
For most organisations, this work is the single most impactful security investment available, not because it’s complex, but because the gaps it closes are the ones that attackers are actively targeting. Identity is where most breaches begin. It is also where most of them can be stopped.
To find out where your identity exposure sits, visit armourcyber.io or contact the Armour Cybersecurity team to discuss an identity assessment and explore modern identity security solutions.