When people picture a security incident, they picture an attacker on the outside. A phishing email. A zero-day. Someone clever, somewhere far away, breaking through the perimeter.
The reality, in the kind of companies we audit every week, is much more boring. The most common breach is caused by an internal user with more access than they ever needed.
Least privilege says one thing: each person should have access only to what they need to do their job. Not more, not less.
It's repeated in every security framework. NIS2, ISO 27001, ENS, CIS Controls. Everybody nods at it. Almost nobody enforces it.
What we actually find when we audit:
Nobody configured it that way out of malice. Nobody reviewed it either.
When an incident does occur — phishing, a credential leak, a compromised laptop, ransomware — the question that determines the size of the impact isn't "how did they get in?". It's "what could they do once inside?".
An attacker who lands in a properly segmented environment hits a wall. An attacker who lands in an over-permissioned environment finds a highway.
The same compromised credential in two different companies produces two completely different stories — and two completely different remediation bills — depending on what that user was actually allowed to touch.
Don't think about it as a theoretical exercise. Think about it as a fire drill.
Do you know exactly what each user can do inside your systems?
If the answer takes more than a few seconds, your next audit is already overdue.
At AP Interactive we audit identity and access management as part of our security reviews — covering Active Directory, cloud IAM, application-level permissions and service accounts. We don't sell you a tool: we tell you exactly where the gaps are and what the cleanup plan looks like.
If you've never run a permissions audit, or if the last one was more than a year ago, get in touch. The first finding is usually surprising. The first ten are usually obvious in hindsight.
Least privilege means each person should have access only to what they need to do their job — not more, not less. It's a requirement in every major security framework, including NIS2, ISO 27001, the Spanish ENS and CIS Controls. In practice, most companies configure access broadly by default and rarely review it afterwards.
When an incident happens — phishing, a leaked credential, a compromised laptop — the size of the damage depends on what that account could reach, not on how the attacker got in. The same compromised credential produces very different outcomes in a properly segmented environment versus an over-permissioned one.
What good looks like: role-based access is mapped to the actual job function rather than copied from a colleague. Quarterly access reviews are signed off by the data owner, not just IT. Offboarding is tied automatically to HR so accounts are disabled the same day a contract ends. Privileged and daily tasks use separate accounts. Service accounts are owned, documented and rotated like any other identity.
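As an added example (not AP Interactive's code or tooling), a small Python access review that turns those practices into checks over a constructed directory export and HR feed: rights beyond what the role needs, privileged rights mixed with daily-use rights on one account, and accounts still enabled after the contract end date. The role map, account names, entitlements and dates are all assumed.

```python
from datetime import date

# Added example, not AP Interactive's tooling. All names and data below are
# constructed to illustrate the checks; wire real exports in their place.

# Entitlements each job function actually needs (assumed role definitions).
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp_invoices", "erp_payments"},
    "helpdesk": {"ad_reset_password", "ticketing"},
}
# Rights that are privileged and belong on a separate admin account.
PRIVILEGED = {"ad_domain_admin", "erp_admin"}

# Constructed directory export: what each account can touch right now.
ACCOUNTS = [
    {"user": "alice", "role": "accounts_payable", "enabled": True,
     "entitlements": {"erp_invoices", "erp_payments", "hr_salaries"}},
    {"user": "bob", "role": "helpdesk", "enabled": True,
     "entitlements": {"ad_reset_password", "ticketing", "ad_domain_admin"}},
    {"user": "carol", "role": "helpdesk", "enabled": True,
     "entitlements": {"ticketing"}},
]
# Constructed HR feed: contract end date, or None while still employed.
HR = {"alice": None, "bob": None, "carol": date(2024, 1, 31)}
TODAY = date(2024, 3, 1)


def review(accounts, hr, today):
    """Map each user to a list of findings: rights beyond the role, privileged
    and daily-use rights on one account, and accounts enabled past contract end."""
    findings = {}
    for acct in accounts:
        issues = []
        rights = acct["entitlements"]
        excess = rights - ROLE_ENTITLEMENTS.get(acct["role"], set())
        if excess:
            issues.append(f"excess: {sorted(excess)}")
        if rights & PRIVILEGED and rights - PRIVILEGED:
            issues.append("privileged and daily-use rights on one account")
        end = hr.get(acct["user"])
        if acct["enabled"] and end is not None and end < today:
            issues.append(f"enabled {(today - end).days} days after contract end")
        if issues:
            findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review(ACCOUNTS, HR, TODAY).items():
        print(user, "->", "; ".join(issues))
```

Each finding maps to one of the practices above, so the output doubles as the cleanup list a data owner can sign off on.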