Broken Access Control

Why broken access control still tops the OWASP Top 10 and what it means for identity security in the era of hybrid cloud

Kelsey Brazill

Nov 13, 2025


This week OWASP released the eighth edition of its Top 10, with a few changes worth checking out. Few security leaders, however, will be surprised to see Broken Access Control once again claim the number-one spot. Despite major advances in authentication, encryption, and cloud-native security tooling, unauthorized access remains the most prevalent weakness in modern applications and the infrastructure behind them.

Why Broken Access Control Persists

At first glance this looks like a purely developer-owned issue: OWASP defines it as access control failing to enforce policy, so that users or processes can act outside their intended permissions. The reality is broader. In multi-cloud and hybrid environments, access control failures usually stem from the complex web of identities, roles, and permissions that govern infrastructure-level access across cloud service providers and on-prem systems. Because consistent enforcement is hard both within and across these heterogeneous environments, it is worth looking at why broken access control persists:

1. Over-permissioned identities

Cloud service providers each have their own identity and access management (IAM) model: AWS IAM policies, Azure AD (now Microsoft Entra ID) roles, custom RBAC for Kubernetes clusters, and on-prem directories for legacy workloads. As identities span these boundaries, permissions multiply. "Temporary" elevated access often becomes permanent, and least privilege erodes over time.

2. Static permissions in dynamic environments

Cloud infrastructure is ephemeral. Compute instances spin up and down, containers redeploy hourly, and workloads migrate between data centers and clouds. Yet access policies are often static: long-lived roles or group memberships that were designed for fixed servers. This mismatch between dynamic infrastructure and static entitlements leaves wide gaps for abuse.

3. Inconsistent enforcement across clouds

Each provider interprets access policies differently. An Azure AD conditional-access policy has no clean equivalent in AWS IAM policy conditions or an on-prem LDAP group. The result is fragmented enforcement: least privilege in one environment becomes a loose approximation in another.

4. Limited visibility into effective access

Ask any security leader a deceptively simple question: who can access what, right now? Few can answer confidently. Without continuous visibility into existing entitlements, drift and misconfigurations stay hidden until an attacker exploits them.

Identity has become the connective tissue between environments. Each user, service account, workload identity, or API key can bridge clouds, linking production systems, CI/CD pipelines, and on-prem management planes. Compromise one of those identities, and lateral movement across environments becomes trivial. These are not authentication failures. They occur after login, when authorization and entitlement enforcement fail. In other words, Broken Access Control in a multi-cloud world is the failure to govern what authenticated identities can actually do.

From Authentication to Authorization Governance

Identity security has traditionally focused on authentication, verifying who someone is. But the persistence of Broken Access Control as a risk factor shows that the real challenge is authorization: continuously verifying what that identity can do across systems.

To address this, security teams must evolve from identity verification to runtime entitlement governance. That shift involves three key changes:

Just-in-time and just-enough access

Replace long-lived admin roles with ephemeral privileges granted only when needed. Access should be time-bounded, scope-limited, and automatically revoked.

Continuous visibility and analysis

Quarterly reviews aren’t enough. Entitlements must be continuously discovered and analyzed across AWS IAM, Azure AD, Kubernetes RBAC, and on-prem directories to detect drift, privilege creep, and toxic combinations while accelerating critical audits.

Automated least-privilege enforcement

Use policy-driven automation and the platforms' native workflows to grant, approve, and revoke access. Manual approvals and spreadsheets cannot keep up with the pace of change and developer demand in cloud-native and hybrid environments.
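The three changes above (just-in-time access, continuous entitlement analysis, automated enforcement) come down to one loop: normalize grants from every platform into a common model, analyze them, and act on the findings. The following is an added example written for this article, not P0 Security's code or any cloud provider's API. The grants are constructed sample data; the action strings follow AWS and Kubernetes naming, but the platform labels, the SENSITIVE list, and the TOXIC_RULES are assumptions for illustration, and the IAM policy normalizer deliberately ignores Deny, NotAction, Resource, and Condition.

```python
"""Entitlement analysis over a normalized grant model (added example).

Not P0 Security's code or any cloud provider's API. Sample grants, platform
labels, SENSITIVE and TOXIC_RULES are constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class Grant:
    identity: str                # user, service account, workload identity or key id
    platform: str                # assumed labels: "aws", "azure", "k8s", "ldap"
    actions: tuple[str, ...]     # "<platform>:<action>" patterns, IAM-style wildcards allowed
    granted: datetime
    expires: Optional[datetime]  # None = standing access with no planned end
    active: bool = True          # what the platform actually enforces right now


def grants_from_iam_policy(identity, policy, granted, expires=None):
    """Normalize the Allow statements of an AWS IAM policy document into one Grant.
    Simplified on purpose: Deny, NotAction, Resource and Condition are ignored."""
    actions = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt["Action"]
        actions += ["aws:" + a for a in ([acts] if isinstance(acts, str) else acts)]
    return Grant(identity, "aws", tuple(actions), granted, expires)


def allows(patterns, action):
    """True if any granted pattern covers the action ('aws:*' and 'aws:ec2:*' both cover aws:ec2:RunInstances)."""
    return any(fnmatchcase(action, p) for p in patterns)


def effective_actions(grants):
    """Union of active action patterns per identity, across every platform it bridges."""
    eff = {}
    for g in grants:
        if g.active:
            eff.setdefault(g.identity, set()).update(g.actions)
    return eff


def wildcard_grants(grants):
    """Over-permissioned identities: any active pattern ending in '*'."""
    return sorted({g.identity for g in grants
                   if g.active and any(a.endswith("*") for a in g.actions)})


def expired_but_active(grants, now):
    """Drift: 'temporary' grants whose deadline passed but which were never revoked."""
    return [g for g in grants if g.active and g.expires is not None and g.expires <= now]


def standing_sensitive(grants, sensitive):
    """Candidates for just-in-time access: standing grants that cover a sensitive action."""
    return sorted({(g.identity, a) for g in grants if g.active and g.expires is None
                   for a in sensitive if allows(g.actions, a)})


TOXIC_RULES = {  # assumed rules: actions that are modest alone but escalate together
    "passrole+lambda": ("aws:iam:PassRole", "aws:lambda:CreateFunction"),
    "passrole+ec2": ("aws:iam:PassRole", "aws:ec2:RunInstances"),
}


def toxic_combinations(grants, rules=TOXIC_RULES):
    """Identities whose combined effective access satisfies every action of a rule."""
    return [(identity, name)
            for identity, patterns in sorted(effective_actions(grants).items())
            for name, required in rules.items()
            if all(allows(patterns, a) for a in required)]


def enforcement_plan(grants, now, sensitive):
    """What an automated least-privilege engine should act on after one analysis pass."""
    return {
        "revoke": [(g.identity, g.platform, g.actions) for g in expired_but_active(grants, now)],
        "convert_to_jit": standing_sensitive(grants, sensitive),
        "review_toxic": toxic_combinations(grants),
    }


# Constructed sample, not real entitlements.
NOW = datetime(2025, 11, 13, 12, 0, tzinfo=timezone.utc)
DAY, HOUR = timedelta(days=1), timedelta(hours=1)
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SENSITIVE = ("aws:iam:PassRole", "aws:iam:CreateAccessKey", "k8s:secrets/get")
SAMPLE_GRANTS = (
    Grant("alice", "aws", ("aws:s3:GetObject", "aws:s3:PutObject"), NOW - 400 * DAY, None),
    Grant("ci-deployer", "aws", ("aws:iam:PassRole", "aws:lambda:CreateFunction"), NOW - 90 * DAY, None),
    # "temporary" admin granted for one day, a month ago, and never revoked
    grants_from_iam_policy("bob", ADMIN_POLICY, NOW - 30 * DAY, expires=NOW - 29 * DAY),
    Grant("bob", "k8s", ("k8s:secrets/get", "k8s:pods/exec"), NOW - 200 * DAY, None),
    Grant("carol", "aws", ("aws:ec2:*",), NOW - 2 * HOUR, NOW + 2 * HOUR),  # healthy JIT grant
    Grant("dave", "aws", ("aws:iam:PassRole",), NOW - 10 * DAY, NOW - 9 * DAY, active=False),
)

if __name__ == "__main__":
    for finding, items in enforcement_plan(SAMPLE_GRANTS, NOW, SENSITIVE).items():
        print(finding, items)
```

Two details carry the article's point. First, toxic combinations are computed over an identity's union of access across platforms, because the identity, not the individual role, is what an attacker moves with. Second, "bob" is flagged even though his admin grant was meant to expire, because the check compares the intended expiry against what the platform still enforces; a JIT system that only records expiries without revoking them produces exactly this drift.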

Summary

For organizations operating in cloud and hybrid estates, Broken Access Control remains the most significant security risk. This isn’t because teams ignore it, but because traditional IAM tools were never built for this modern cloud landscape.

OWASP’s 2025 list reinforces a truth every security leader now faces: protecting the enterprise means protecting access at runtime, not just credentials at login. Until identity and entitlement governance operate continuously across AWS, Azure, and on-prem systems, Broken Access Control will stay at the top and adversaries will keep exploiting the gap between authorization and access.

Struggling to control production access in hybrid or multi-cloud environments?

Get a demo of P0 Security, the next-gen PAM platform built for every identity.