With breaches showing how quickly attackers can take advantage of forgotten credentials, having a true understanding of what’s inside your environment matters more than ever. Many organisations overlook the scope of non-human identities: API keys, OAuth apps, and automation scripts quietly operating behind the scenes.
Here are five critical questions I encourage teams to reflect on:
-
Do you have a precise count of your non-human identities?
-
Are you confident that recently deprovisioned employees no longer have access? (Try verifying this manually on one case across your top five critical systems).
-
How quickly can you revoke access for a compromised privileged account? (If it takes more than 15 minutes, it’s time to automate further).
-
Can you produce an access report for sensitive data repositories in under 30 minutes, covering the last 30 days?
-
Are your highest-privilege users secured with phishing-resistant authentication? (Aim for at least 80% of your top 10 admins using passkeys or FIDO2.)
Don’t feel pressured to fix everything at once. Start by answering these questions honestly and identify your largest gap.
If you’re tackling any of these challenges and want to exchange ideas, I’m happy to connect.