Attackers Aren’t Breaking In. They’re Logging In With Access You Forgot to Review.
Access reviews close the open front door attackers use to log in with valid credentials

For most of the last two decades, keeping a company safe meant guarding its edges. You bought a firewall, set up a VPN, locked the office network, and assumed the threat was outside trying to get in. That model quietly stopped working. Today the most common way into a business is not a broken lock but a valid login, which is exactly why access reviews have become one of the most important controls a company can run. A 2026 study of 5,000 IT and security leaders found that 71 percent of organizations were hit by at least one identity-related breach in the past year, and the average affected company faced three separate identity attacks. The attacker did not smash a window. They walked in through the front door with a key that still worked.

So what is an access review, in plain terms? It is the simple, repeated act of checking who and what can get into your systems, confirming they still need that access, and removing anything that no longer belongs. That includes current staff whose roles have changed, people who have left, contractors whose projects ended, and the automated accounts and app connections most owners never think about. A firewall decides whether traffic is allowed in. An access review decides whether a permission that was once reasonable is still reasonable today. It is the difference between locking the door once and actually checking, on a schedule, who still holds a key.

Why the front door moved

The perimeter did not disappear. It relocated. Work moved out of the office and onto laptops and phones. Software moved into the browser, where a new app can be signed up for in minutes without anyone in charge knowing. Contractors, partners, and freelancers come and go by project. And a growing share of the accounts inside any business are not people at all, but service accounts, API keys, and automated connections that link one tool to another.

The old question security asked was blunt: are you on the network? The new question is harder and more useful: who or what are you, what are you trying to do, and should that permission still exist? That last part is the whole game. Access that was perfectly reasonable when it was granted becomes a liability the moment the reason for it ends and nobody notices. Put simply, stale access is exploitable access. A 2026 global incident response report covering more than 750 investigations found that identity-based techniques drove initial access in 65 percent of intrusions. Attackers are not defeating security tools. They are using the credentials those tools were built to trust.

This is also why turning on multi-factor authentication, while essential, is no longer a finish line. Attackers increasingly steal the session token created after a successful login, the digital wristband that keeps a user signed in, and reuse it without ever touching the password or the second factor again. Once that access is live inside your systems, the only thing that catches it is someone periodically asking whether it should still be there.

How access quietly piles up

How stale user access and dormant accounts accumulate without regular access reviews

No single decision creates the problem. It accumulates. Someone gets promoted and keeps the permissions from their old role on top of the new ones. A finance temp is given broad access to hit a deadline, and the access outlives the deadline. An employee leaves, their email is switched off, but the logins to the cloud storage, the accounting tool, and three other apps are never touched. Each of these is small. Together they form a pile of open doors that no one is watching.

Switching off a password is not the same as closing an account, either. A login that has already been used can stay active through its existing session long after the password changes, which is why real removal means ending the sessions and the connected app access, not just resetting a single field.

The scale of this is easy to underestimate. A review of more than 680,000 cloud identities in that same 2026 report found that 99 percent of them had more permissions than they actually used, including access that had gone unused for 60 days or longer. It is worth understanding the new math of internal data breaches, because the cost usually lands long after the mistake was made. The uncomfortable truth is that most businesses cannot answer a basic question: who, right now, can reach our most sensitive data, and do they all still need to? An access review exists to answer exactly that.

Why being small makes you a bigger target, not a smaller one

Owners of smaller companies often assume attackers are only interested in big names. The data says the opposite is the real danger. The same 2026 identity security research found that smaller organizations, those with roughly 100 to 250 employees, were nearly twice as likely to fail to detect an identity attack as companies with more than 1,000 staff. Attackers know this. A stolen login used against a company with no one watching the logs can sit active for months. If you have ever assumed your business is too small to be hacked, that assumption is precisely what makes you an efficient target.

The cost of getting this wrong is no longer abstract. In one of 2026’s most expensive cases, the e-commerce company Coupang saw the personal records of roughly 33.7 million customers exposed. The cause was not a sophisticated new weapon. Investigators traced it to the credentials of a departed engineer that were never revoked, access that stayed live and undetected for months. The result was a fine of around 409 million dollars, the largest in its country’s history. No malware, no zero-day, just a key that should have been taken away and was not.

It is worth sitting with why this keeps happening. A departed employee’s access is invisible in daily operations. It generates no complaints, breaks nothing, and appears on no one’s to-do list. It only becomes visible the day an attacker finds it. That is the defining trait of identity risk: it stays silent right up until it is catastrophic, which is why it has to be looked for on purpose rather than waited for.

What an access review looks like when you don’t have a security team

You do not need an expensive governance platform or a dedicated analyst to start. You need a rhythm and an owner. Begin with the accounts that would hurt most if they were misused: administrator logins, anything touching money or customer data, shared accounts, external guests, and the automated service accounts that connect your tools. Review those first and most often. General staff access can follow on a slower cycle.

Tie the review to the moments that actually change access. Every time someone changes roles, revalidate what they had before instead of simply adding more. Every time someone leaves, treat full removal, not just an email shutoff, as the default, and write down that it was done. This is the joiner, mover, leaver discipline, and it prevents most of the accumulation described earlier. Pay special attention to the non-human accounts, because these are easy to forget and often hold broad, standing access. Deciding how you will keep governing what your AI agents and automated connections can do is now part of the job, not a future concern. Only about a third of organizations in the 2026 research regularly audit these machine identities, which is precisely why they are a favorite path in.

You also do not have to guess your way through it. Most business tools already record when an account was last used and what it can reach. Those signals turn a review from a wall of names into a short list of obvious problems: the admin login no one has touched in ninety days, the former contractor still marked active, the app connection granted for a trial that ended a year ago. Start there.

One caution: a review only counts if it leads to removal. A meeting where everyone nods and nothing is revoked is theater. Measure your reviews by what you actually took away, not by how many boxes were ticked.

The door is already there

The front door of your business is already open to more people and more machines than you realize. That is not a failure of character or effort. It is the natural result of how modern work grows: quickly, in every direction, with access handed out faster than anyone can track. The mistake is treating that as a one-time cleanup or an annual audit chore. The companies breached through stale access are rarely the ones that were careless once. They are the ones who never built the habit of looking.

Access reviews are that habit. They are less a project than a discipline, closer to checking the locks each night than to installing a new alarm. You will not remove every risk, and you do not need to. You need to make sure that a permission granted last year, to a person or a system you may have forgotten, cannot quietly become the way everything you have built is taken from you. The key is already cut. The only question is who is checking who still holds it.

More
articles