Why Organizations Need to Better Understand and Rethink Access, Least Privilege, and Zero Trust with AI in the Ecosystem

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

Quick Takeaways:

  • The foundation of a successful access control program is mapping and securing all paths to privileged access.
  • Haber notes that with AI in the ecosystem, identifying weak points becomes harder, which drives privilege management failures.
  • Without continuous discovery and entitlement reviews, least privilege remains aspirational rather than operational.
  • Whether the activity is malicious or a mistake, the damage could be proportional to the privileges the identity holds.
  • BeyondTrust’s Phantom Labs found dormant privileged accounts in 70% of customer environments.

We sat down with Morey J. Haber, Chief Security Advisor at BeyondTrust, to find out about challenges in access control, from deciding where a program should truly begin to closing the gap between least-privilege goals and real-world enforcement, and managing insider risk without undermining trust.

Haber brings 25 years of experience in cybersecurity. As a founding member of Transparency in Cyber and an elected advisor to the IDSA, he offers a grounded perspective on how identity and access risks evolve.

He notes that nearly half of security alerts stem from overprivileged service accounts. This reflects the challenges of identity technical debt, highlighting the need for continuous discovery, without which least privilege remains aspirational rather than operational. 

Vishwa: When building a mature access control program, where should security teams focus first: credential design, monitoring, or operational guardrails? What do you typically recommend as the foundation layer?

Morey: The foundation of every successful access control program begins with mapping and securing all paths to privileged access. This is especially true in today's complex environments, where identities can interact with multiple resources, from on-premise technology to the cloud and even agentic AI.

Credential design, monitoring, and guardrails are all important, but without visibility into access granted to both human and non-human identities, identity and access management teams are building models that can be fundamentally flawed and cause unnecessary stress for security teams attempting to secure environments.

This challenge is particularly acute for machine identities, from AI agents to automation scripts that are pervasive in almost every environment. These identities are often overprivileged and lack organizational visibility. Security teams should therefore:

All in all, think of it as building trust infrastructure that enables innovation rather than inviting risk. Once that baseline is established using these steps, monitoring and guardrails become far more effective as the environment matures.

Vishwa: Many organizations claim to follow least privilege, but enforcement often lags. What is the biggest disconnect between principle and execution when rolling out access controls?

Morey: The biggest gap is visibility and a simple lack of understanding of how dangerous an overprivileged account can actually be to the security of an organization. And now that we have introduced AI ecosystems into our environments, the risk is even higher and makes identifying weak points exponentially harder.

Many organizations declare least privilege but don’t actually know what privileges any identities possess. BeyondTrust’s Phantom Labs found dormant privileged accounts in 70% of customer environments, while Google Cloud reports nearly half of security alerts stem from overprivileged service accounts.

These statistics reflect a massive challenge in the form of identity technical debt. This manifests as abandoned credentials, hardcoded secrets, shadow IT, or default roles that accumulate over time and are never re-evaluated.

Without continuous discovery and entitlement reviews, least privilege remains aspirational rather than operational. The organizations that are succeeding in this endeavor are the ones treating identity governance as a non-negotiable business process, not just a security control.
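One way to operationalize the continuous discovery and entitlement review Haber describes is a scheduled check over the identity inventory that flags dormant privileged accounts, unowned non-human privilege, and entitlements never re-evaluated. The following is an added example, not BeyondTrust's or the interviewee's code; the record fields, role names, thresholds and sample inventory are assumptions constructed for illustration:

```python
"""Entitlement-review triage over a constructed identity inventory.

Added example (not BeyondTrust's or the interviewee's code). It flags the
identity technical debt described above: dormant privileged accounts,
unowned non-human privilege, and entitlements never re-evaluated.
Field names, role names and thresholds are assumptions.
"""
from datetime import date, timedelta

PRIVILEGED_ROLES = {"admin", "owner", "domain-admin"}   # assumed role names
DORMANT_AFTER = timedelta(days=90)                        # assumed policy
REVIEW_OVERDUE_AFTER = timedelta(days=365)                # assumed policy
AS_OF = date(2025, 6, 1)                                  # review date

# Constructed sample inventory, not real data.
INVENTORY = [
    {"id": "svc-backup", "kind": "service", "roles": ["domain-admin"],
     "last_auth": date(2024, 1, 5), "last_review": None, "owner": None},
    {"id": "jdoe", "kind": "human", "roles": ["reader"],
     "last_auth": date(2025, 5, 30), "last_review": date(2025, 1, 10), "owner": "jdoe"},
    {"id": "ci-deploy", "kind": "service", "roles": ["admin"],
     "last_auth": date(2025, 5, 29), "last_review": date(2023, 2, 1), "owner": "platform"},
    {"id": "ai-agent-ops", "kind": "agent", "roles": ["owner"],
     "last_auth": date(2025, 5, 31), "last_review": None, "owner": None},
]

def review_identity(ident, today):
    """Return finding codes for one identity; empty list means nothing to fix."""
    findings = []
    privileged = bool(set(ident["roles"]) & PRIVILEGED_ROLES)
    if not privileged:
        return findings          # low-privilege identities are out of scope here
    if today - ident["last_auth"] > DORMANT_AFTER:
        findings.append("DORMANT_PRIVILEGED")
    if ident["kind"] != "human" and ident["owner"] is None:
        findings.append("UNOWNED_NONHUMAN_PRIVILEGE")
    last_review = ident["last_review"]
    if last_review is None or today - last_review > REVIEW_OVERDUE_AFTER:
        findings.append("ENTITLEMENT_REVIEW_OVERDUE")
    return findings

def run_review(inventory, today=AS_OF):
    """Map identity id -> findings, omitting identities with no findings."""
    return {i["id"]: f for i in inventory if (f := review_identity(i, today))}

if __name__ == "__main__":
    for ident_id, codes in run_review(INVENTORY).items():
        print(ident_id, ", ".join(codes))
```

Run on a schedule against a real export, the findings feed the entitlement review queue; the low-privilege human account in the sample produces nothing, while the dormant domain-admin service account trips all three checks.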

Vishwa: Zero Trust has become a buzzword. At the implementation level, what parts of the Zero Trust architecture do you think are most commonly skipped or misapplied?

Morey: Zero Trust is too often reduced to a buzzword and sold as a product instead of prioritized as an organization-wide mandate applied to workloads and workflows. The most common misstep security teams make is focusing only on network segmentation or multifactor authentication while skipping the entire process that relies on authentication or access.

This is especially problematic when only part of a workflow is enabled for zero trust (for example, contractor remote access), so that only authentication follows a zero trust model while none of the downstream resources are compliant.

When you add the complexity of AI, all connections, integrations, and communications must follow the tenets of zero trust too. A zero trust architecture for AI becomes more of a peer-to-peer network design rather than the hierarchical control plane and data plane recommended by NIST whitepapers.

Unfortunately, we see this every day. Threat actors increasingly log in rather than hack in and exploit legitimate credentials and trusted relationships. If organizations do not enforce least privilege, monitor constantly for anomalous identity behavior, and close hidden paths to privilege, Zero Trust becomes a piecemeal implementation in lieu of the principles protecting entire workloads, workflows, and processes end to end.

Vishwa: As insider threats evolve, both malicious and accidental, how should organizations rethink trust models and employee monitoring without creating a surveillance culture?

Morey: The answer should never be surveillance in order to build trust. Trust should be verified through intelligent access controls. Regardless of whether the activity is malicious or a user makes a mistake, the damage is often proportional to the privileges they hold.

This principle applies equally to human employees, machine identities, and even agentic AI making autonomous decisions. By removing standing privileges, enforcing just-in-time access, and monitoring for anomalous activity, organizations can mitigate risk without creating a culture of distrust.

The focus should be on securing identities and behavior, not watching an employee’s every mouse click. This approach also enables organizations to optimize their workflows through training, thus eliminating mistakes and providing repeatable processes that could lead to malicious or accidental cybersecurity incidents.

Vishwa: From your perspective, what is your message to security teams regarding what they should prioritize in the coming year – what threats and technologies will be the most important to consider?

Morey: Identity is the new perimeter. For organizations relying on castle-and-moat architectures for cybersecurity, consider tearing them down or simply blowing them up. In an AI-driven world, the perimeter is no longer a source of protection, and data sovereignty needs to become a top priority.

My advice is simple: do not solely focus on endpoint security. Focus on identity security and hygiene across your entire ecosystem, including the cloud, AI agents, contractors, vendors, and automated systems.

Threat actors today exploit overprivileged accounts, weak multifactor authentication, and unmonitored identities to infiltrate organizations, and rely on lateral movement to navigate within an environment. Security teams should prioritize reducing standing privilege, enforcing phishing-resistant MFA, and gaining visibility into the behavior of all identities.

Awareness is important, but resilience comes from hardening the identity layer that enables the digital plumbing of your business and not just having the latest and greatest MDR solution on your endpoints.

Vishwa: Credential theft and lateral movement are still common in breaches. Where do you see organizations most vulnerable in terms of identity or session exposure across hybrid infrastructure?

Morey: Organizations are most vulnerable where forgotten or non-human service accounts bridge on-premise and cloud applications. These accounts often carry high privileges and are poorly monitored, creating superhighways for lateral movement by threat actors.

The lack of logging and visibility around non-human identities makes this especially dangerous, particularly since machine identities now outnumber human ones 10 to 1, yet most organizations have no idea what entitlements they hold or how they are being used.

Now consider AI. With AI agents increasingly taking actions across hybrid environments, the potential for abuse can initiate a chain reaction across networks even when trusted identities are performing functions seemingly within their roles. Problems like a “confused deputy” become a real concern even though the behavior of the AI agent appears perfectly normal.

Vishwa: For security executives and CISOs trying to improve security posture quickly, what control layers do you consider absolutely essential to implement or revisit right now?

Morey: In my humble opinion, there are three control layers and business recommendations that are essential for security leaders looking to rapidly build a trust architecture that enables innovation:

  1. Phishing-resistant MFA across all systems, used by every employee, contractor, and vendor. Single-factor authentication should be the exception, and where it is needed, passwords and secrets should be managed by a privileged access management solution to ensure randomization, obfuscation, and behavioral monitoring.
  2. Least privilege enforcement for both human and non-human identities, ideally with just-in-time access that scales with AI automation, regardless of whether the technology is on-premise or in the cloud.
  3. Endpoint privilege management to remove local administrative rights and control application execution, alongside your favorite MDR solution.

And for my peer CISOs, learn how to say “yes”. When a new idea or project is presented, learn how to be a business enabler by saying “yes, with these security controls and considerations.”

CISOs who can secure the business and move forward with new ideas securely will do better in organizations than those who make excuses and say “no”.

There is always a way to say “yes”. The cost and the acceptable risk are different discussions.

Ultimately, these recommendations will reduce the identity attack surface and limit the blast radius while enabling teams to innovate with confidence.
