Frustrations Shared By The Cyber Security Community

The five major concerns are:

  1. Identity Sprawl Has Outpaced Visibility
  2. Access Reviews Are Manual, Infrequent, and Incomplete
  3. Non-Human Identities Are Poorly Governed
  4. IAM Tools Are Complex but Still Fragmented
  5. Access Risk Moves Faster Than IAM Can Respond

Over the past decade, Identity and Access Management has evolved from a backend IT function into a frontline security control. As breaches increasingly trace back to compromised credentials or abused access, IAM has become central to how organizations manage risk.

To understand where practitioners are struggling most, we reviewed discussions across cybersecurity forums and community threads, including Reddit, where engineers, architects, and CISOs openly share their day-to-day challenges.

What emerges is not a lack of understanding of IAM principles, but frustration with how difficult those principles are to enforce consistently at scale.

Below are the five themes that surface most often, explained through the lens of professionals responsible for securing identities in modern environments.

1. Identity Sprawl Has Outgrown Visibility

The most fundamental frustration in IAM is simple: organizations no longer have a complete view of who—or what—has access to their systems.

Human users, contractors, service accounts, APIs, cloud roles, and application identities proliferate faster than inventories can keep up. Mergers, SaaS adoption, and cloud migration accelerate this sprawl, leaving teams with partial or outdated identity maps.

Practitioners frequently describe environments where accounts exist without clear owners, documentation, or business justification. These blind spots quietly accumulate risk and are often only discovered during audits or incidents.

Without reliable visibility, access governance becomes reactive rather than preventative.

2. Access Reviews Are Manual and Incomplete

Access reviews are widely recognized as necessary—but rarely seen as effective.

In practice, reviews are often periodic, spreadsheet-driven exercises that rely on managers approving access they don’t fully understand. The process becomes a compliance checkbox rather than a meaningful risk reduction effort.

Security teams are frustrated because they know access accumulates continuously, while reviews happen quarterly or annually. By the time access is reviewed, it may already be outdated or abused.

The gap between real-time access risk and review cycles leaves organizations exposed despite “passing” audits.

3. Non-Human Identities Lack Proper Governance

One of the fastest-growing IAM challenges is the explosion of non-human identities.

Service accounts, cloud roles, automation scripts, CI/CD pipelines, and AI agents often have broad, persistent access with little oversight. These identities rarely expire, are seldom reviewed, and frequently bypass the controls applied to human users.

Practitioners recognize this as a classic least-privilege problem—but at a scale and speed that existing IAM processes were never designed to handle.

When non-human identities are compromised, detection is harder and impact is often broader, amplifying frustration across security teams.

4. IAM Tools Are Complex and Fragmented

Despite years of investment, IAM tooling remains fragmented.

Identity governance, authentication, privileged access, cloud entitlements, and directory services often live in separate platforms with inconsistent policies and limited integration. Managing them requires deep expertise and significant operational overhead.

Practitioners express fatigue at being responsible for identity outcomes without a unified control plane. Each tool solves part of the problem, but stitching them together introduces complexity, cost, and failure points.

Instead of simplifying security, IAM programs can become brittle and difficult to adapt.

5. Access Risk Moves Faster Than IAM

The pace of access change has outstripped traditional IAM workflows.

New users onboard instantly. Permissions are granted on demand. Cloud roles are assumed dynamically. Yet access approvals, revocations, and investigations often rely on ticketing systems and manual intervention.

By the time a risky permission is identified, it may already have been exploited, or it may no longer exist, leaving teams chasing ghosts rather than preventing abuse.

This mismatch between speed and control creates constant pressure on IAM teams and erodes confidence in the effectiveness of access governance.

A Question Back to the Community

Taken together, these frustrations highlight a core challenge: IAM principles are well understood, but modern environments have made them harder to enforce than ever.

Visibility, least privilege, governance, and lifecycle management all still apply—but they must operate at cloud speed and scale.

So the question is this: do these frustrations reflect your experience?

Are these the right five—or are there IAM challenges the community should be discussing more openly?

As identity continues to define the security perimeter, how organizations address these frustrations will determine whether access remains a control—or becomes the weakest link.