There’s something uncomfortable about the fact that the most common way attackers get into systems isn’t through highly sophisticated technical exploits or cutting-edge techniques. It’s through access that should never have been there in the first place.

Broken access control has held the top spot in the OWASP Top 10 for a reason. It shows up again and again in breach investigations, across industries, regardless of how much organisations invest in security tooling.
In fact, OWASP found that 94% of applications tested showed some form of broken access control, which highlights just how widespread the issue really is.
What makes it more concerning is that this isn’t a new problem. Access control has been a known challenge for years, yet it continues to be one of the most exploited weaknesses. Not because it’s invisible, but because it sits in that difficult space between technology, process, and human behaviour.
The Slow Build of Risk
Access control rarely fails in one dramatic moment. It tends to unravel gradually, shaped by everyday decisions that feel reasonable at the time.
Maybe someone joins a team and is given broad access so they can get started quickly. Or perhaps a colleague moves roles but keeps access to their previous systems “just in case.” It could even be when a project ends, but no one revisits who still has permissions tied to it. Over time, these small decisions layer on top of each other until access no longer reflects reality.
This is how over-permissioning becomes normal. It doesn’t happen because people are careless, but because speed, convenience, and business continuity often take priority in the moment.
The problem is that attackers don’t see those decisions as harmless – they see opportunity.
When Too Much Access Becomes the Default
In many organisations, access is granted far more easily than it’s removed. There’s a natural bias towards enabling people to do their jobs without friction, which makes sense from a productivity perspective.
The challenge is that access tends to accumulate. The longer someone is with an organisation, the more systems, files, and data they can reach. This is often referred to as privilege creep, although it rarely feels like a problem while it’s happening.
From a security perspective, though, it creates a very different picture. A single compromised account can open far more doors than expected. What starts as a phishing email or a stolen credential can quickly escalate into something far more serious if that account has excessive permissions.
This becomes even more significant when you consider that stolen credentials are involved in nearly half of all breaches, according to Verizon’s Data Breach Investigations Report.
This is one of the reasons broken access control is so frequently exploited. Attackers don’t need to break through multiple layers of defence if the access already exists.
The Visibility Problem
One of the biggest challenges organisations face is simply understanding who has access to what.
Access control isn’t always managed in one place. It spans identity systems, applications, cloud platforms, shared drives, and third-party tools. Each of these environments may have its own way of assigning and tracking permissions, which makes it difficult to build a clear, consistent view.
Without that visibility, it becomes almost impossible to spot risks early. At the same time, identity-based attacks continue to rise, with Microsoft reporting over 600 million identity attacks every day, showing just how heavily attackers rely on compromised access.
This lack of clarity doesn’t just affect security teams; it creates uncertainty at every level of the organisation, from IT to leadership, about whether access is being managed effectively.
Insider and External Threats Blur Together
There’s often a tendency to separate insider threats from external attacks, but broken access control shows how closely connected they really are.
An external attacker who gains access to a legitimate account is effectively operating as an insider. They’re using real credentials, moving through systems in ways that look normal, and taking advantage of permissions that already exist.
At the same time, genuine insiders can unintentionally create risk through everyday actions. Sharing access to meet a deadline, using personal accounts for convenience, or failing to log out of shared systems can all expose sensitive information.
The line between internal and external risk becomes less meaningful when access is the common factor. What matters is how that access is granted, managed, and monitored over time.
Why Fixing It Feels So Difficult
If broken access control is so well understood, it raises an obvious question: why is it still such a persistent issue?
Part of the answer lies in scale. Large organisations may have thousands of users, hundreds of applications, and constantly changing roles and responsibilities. Keeping access aligned with reality requires continuous effort, not a one-off fix.
There’s also the complexity of modern environments. Cloud services, remote working, and third-party integrations have expanded the number of access points significantly. Each new system introduces another layer to manage.
Responsibility is another factor that often gets overlooked. Access control doesn’t always have a clear owner. IT teams may manage identity systems, security teams focus on risk, and business leaders approve access based on operational needs. Without clear accountability, gaps are almost inevitable.
All of this makes access control feel like a moving target. It’s easier to prioritise visible, immediate threats than to tackle something that requires ongoing coordination across teams.
The Human Element Behind Access
At its core, access control is shaped by human decisions. Technology enforces permissions, but people decide who gets access, when, and why.
Those decisions are often made under pressure. A new starter needs access urgently. A senior stakeholder requests additional permissions. A project deadline is looming, and there’s no time to question whether access is strictly necessary.
In those moments, the secure choice isn’t always the easiest one. Without clear guidance and consistent processes, people default to what helps them move forward quickly.
This is why awareness alone isn’t enough: telling people to follow best practice doesn’t address the underlying pressures that drive behaviour.
Moving Towards Control That Reflects Reality
Improving access control starts with recognising that it’s not a static problem. It requires ongoing attention and a willingness to adapt as the organisation changes.
That means regularly reviewing who has access and whether it still makes sense. It means building processes that make it easier to remove access as roles evolve, not just grant it. It also means creating a clearer picture of access across the organisation, so decisions are based on real insight rather than assumptions.
Equally important is establishing clear ownership. When responsibility for access control is shared but not defined, it becomes difficult to drive meaningful change. Assigning accountability helps to make sure that access is actively managed rather than passively inherited.
Technology has a role to play here, particularly in automating parts of the process and improving visibility. However, it needs to be supported by a culture that recognises access as a critical part of security, not just an administrative task.
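The review described above can be made mechanical. The following added example (not MetaCompliance code) reconciles every granted entitlement against what the user's current role or an active project justifies, flagging the three drift scenarios from earlier in the article: access carried over from a previous role, access tied to a project that has ended, and grants belonging to someone who has left. The role baseline, the "role"/"project:<name>" reason tags on each grant, and all users and projects are constructed assumptions.

```python
"""Access review that reconciles each granted entitlement against what the
user's current role or an active project justifies. Added example, not
MetaCompliance code; roles, users, projects and grants are constructed."""
from dataclasses import dataclass

# Which entitlements each role legitimately needs (constructed baseline).
ROLE_BASELINE = {
    "analyst": {"crm:read", "reports:read"},
    "finance": {"ledger:read", "ledger:write", "reports:read"},
}

@dataclass(frozen=True)
class Grant:
    user: str
    entitlement: str
    reason: str  # "role" or "project:<name>" (assumed tagging convention)

def review_grants(grants, current_roles, active_projects, baseline=ROLE_BASELINE):
    """Return (grant, finding) pairs for every grant that no longer reflects reality."""
    findings = []
    for g in grants:
        role = current_roles.get(g.user)
        if role is None:
            findings.append((g, "orphaned: user has left the directory"))
        elif g.reason == "role" and g.entitlement not in baseline.get(role, set()):
            findings.append((g, f"not justified by current role '{role}'"))
        elif g.reason.startswith("project:") and g.reason[8:] not in active_projects:
            findings.append((g, f"tied to ended project '{g.reason[8:]}'"))
    return findings

def summarise(findings):
    """Count findings per user so reviewers see where access has drifted most."""
    counts = {}
    for g, _ in findings:
        counts[g.user] = counts.get(g.user, 0) + 1
    return counts

# Constructed directory state and grants covering the article's scenarios.
CURRENT_ROLES = {"alice": "analyst", "bob": "finance", "carol": "analyst"}
ACTIVE_PROJECTS = {"migration-2025"}
SAMPLE_GRANTS = [
    Grant("alice", "crm:read", "role"),                    # fits current role
    Grant("alice", "ledger:write", "role"),                # kept from old finance role
    Grant("bob", "ledger:write", "role"),                  # fits current role
    Grant("bob", "hr:read", "project:payroll-review"),     # project has ended
    Grant("carol", "crm:read", "project:migration-2025"),  # project still active
    Grant("dave", "reports:read", "role"),                 # dave is no longer listed
]

if __name__ == "__main__":
    for g, why in review_grants(SAMPLE_GRANTS, CURRENT_ROLES, ACTIVE_PROJECTS):
        print(f"{g.user:6} {g.entitlement:14} {why}")
```

Running it against the sample data produces three findings, one for each drift scenario, which is the kind of per-user picture an ownership-driven review needs before anything is removed.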
Why This Risk Continues to Be Overlooked
Broken access control doesn’t always feel urgent until something goes wrong. It doesn’t generate the same immediate alerts as other types of threats, and it often sits in the background.
That makes it easy to deprioritise, even though the potential impact is significant.
The reality is that many security incidents don’t start with sophisticated attacks. They start with access that was never reviewed, never removed, or never fully understood.
Addressing this requires a shift in how organisations think about access. This is an ongoing process that reflects how people work, how systems are used, and how risk evolves over time.
How MetaCompliance Can Help
At MetaCompliance, we approach access control through the lens of human risk.
Understanding who has access is only part of the picture. What matters just as much is how decisions around access are made, how behaviours develop over time, and where gaps are likely to emerge.
Our approach combines targeted security awareness training with behavioural insights, helping organisations move beyond generic guidance and focus on the areas where risk is actually building. By measuring how people interact with systems and identifying patterns in behaviour, we help teams understand where access control is breaking down and why.
As part of this, we support organisations with training aligned to real-world risks, including OWASP Top 10 vulnerabilities like broken access control. This helps teams go beyond theory and understand how these issues show up in day-to-day decisions, from over-permissioning through to missed access reviews.
We also work with organisations to build programmes that support better decision-making around access throughout the employee lifecycle, from onboarding and role changes through to ongoing access reviews. The focus is on helping people recognise where risk can develop and giving them practical ways to reduce it without slowing the business down.
If access control feels like a challenge that’s constantly evolving, that’s because it is. The key is having the visibility, insight, and support needed to manage it with confidence.