The Digital & Identity Control Crisis: When Organisational Dysfunction Becomes Digitally Executable
- Rare Writer

- Jun 2
Updated: Jun 2
The real risk is not just breach.
It is organisational dysfunction becoming digitally executable.
Weak governance becomes excessive access. Poor culture becomes hidden exceptions. Supplier dependency becomes uncontrolled exposure. Leadership assumptions become audit and practice gaps, and an environment ripe for exploitation. Internal politics becomes suppressed evidence. AI adoption becomes unmanaged data leakage and identity exploitation. SaaS convenience becomes invisible exfiltration.
Cyber-risk is therefore no longer separate from operating risk. It is often the digital expression of operating risk. That is the new executive pain point.
Cybersecurity has entered a harder and more uncomfortable era because it no longer sits neatly inside the technology function. It now exposes whether the organisation can genuinely control the systems, identities, suppliers, platforms, data flows, automations, privileges, and exceptions through which it actually operates. This is not merely cyber-risk. It is executive, strategic and operating risk. When the focus is on cyber alone, it is the risk that leadership cannot see, verify, govern, or honestly explain the digital environment on which the organisation depends.
And that is why the old framing is failing.
Cyber risk is still commonly described as something external: ransomware gangs, hostile states, phishing campaigns, malware, dark-web infrastructure, criminal syndicates, and AI-enabled adversaries. That is still true. But it is not enough.
The modern breach often does not begin with an attacker smashing through the front door. It begins with trusted access being misused, stolen, overextended, neglected, poorly governed, or deliberately concealed.
Sometimes the actor is external. Sometimes it is internal. Sometimes it is a supplier.
Sometimes it is a contractor. Sometimes it is an administrator.
Sometimes it is a staff member using unapproved AI tools. Sometimes it is a compromised identity. Sometimes it is a culture of exceptions that has finally become exploitable.
The point is stark - the attacker increasingly uses the organisation’s own trust fabric against it. And where that trust fabric is already weakened by poor governance, excessive privilege, weak audit discipline, unmanaged suppliers, shadow AI and generic accounts (deliberate or created outside of easy attention), SaaS sprawl, or internal politics, the organisation has effectively pre-built the attack path.
The numbers now define the crisis
The scale of the problem is no longer arguable. The FBI’s 2025 Internet Crime Report combined more than 1 million complaints of suspected internet crime and reported losses exceeding US$20 billion. IBM’s 2025 Cost of a Data Breach Report placed the global average cost of a breach at US$4.4 million.
But the more important executive point is this: the most expensive breach patterns are often trust failures.
Malicious insider attacks averaged US$4.92 million. Third-party vendor and supply-chain compromise averaged US$4.91 million. Shadow AI added an average US$670,000 to breach costs where it was heavily present. These are not marginal IT costs.
They are board-level operating losses caused by failures of visibility, discipline, access control, governance, and assurance.
CrowdStrike’s 2026 Global Threat Report makes the shift even clearer. In 2025, 82% of detections were malware-free. That statistic should stop leadership in its tracks.
It means most detected activity did not rely on obvious malware. Attackers used legitimate tools, valid credentials, trusted software, cloud platforms, SaaS applications, administrative pathways, remote support tools, identity flows, and supply-chain relationships.
In plain language - the breach increasingly looks like normal business activity. That is why the modern control question is no longer simply:
“Did malware get in?”
The better question is:
Who or what is using trusted systems in harmful, hidden, excessive, abnormal, unjustified, or unaudited ways?
That question applies to external attackers. It also applies to internal bad actors.
An external attacker with valid credentials can look like an employee.
A malicious insider already is an employee, contractor, administrator, supplier, or trusted party. A compromised supplier can look like an integration.
A rogue SaaS export can look like normal workflow. An excessive permission can look like convenience.
A disabled alert can look like housekeeping. A hidden forwarding rule can look like configuration.
A quiet change to privileged access can look like administration. This is the digital control crisis.
The attacker does not always need to break the system. They only need to behave like someone the system already trusts.
Speed has destroyed the old executive response model
CrowdStrike reports that average eCrime breakout time fell to 29 minutes in 2025. The fastest breakout was 27 seconds. In one case, data exfiltration began within four minutes.
That is not an IT incident timeline.
That is an executive failure window.
An attack can move from access to impact before leadership has assembled the right people, before legal has been briefed, before communications has prepared a position, before the insurer has been notified, and before the organisation even understands whether the activity is external compromise, internal misuse, supplier abuse, or all three.
This is fatal in organisations with slow escalation, unclear accountability, siloed teams, weak logging, over-trusted administrators, unmanaged vendors, and political reluctance to confront uncomfortable evidence.
If the same people who administer access also control logs, approve exceptions, suppress alerts, manage vendors, and brief leadership, then leadership does not have assurance.
It has dependency.
A fast external attacker is dangerous.
A fast external attacker operating through weak internal governance is worse.
A malicious insider operating inside a slow, trusting, poorly audited environment may be worse again — because they do not need to break in.
They are already inside the trust boundary.
Bad internal practice now resembles attacker tradecraft
This is the most uncomfortable truth.
Modern attacker behaviour increasingly resembles poor internal practice.
Attackers abuse valid accounts.
So do careless or malicious insiders.
Attackers exploit excessive permissions.
So do staff who accumulate access over years without review.
Attackers use SaaS exports to remove data.
So can employees, contractors, administrators, and suppliers.
Attackers hide inside administrative tools.
So can internal actors who understand the environment.
Attackers modify alerts, rules, and forwarding settings.
So can insiders trying to avoid oversight.
Attackers target unmanaged devices.
So do organisations that tolerate unmanaged devices for convenience.
Attackers use AI to accelerate discovery, scripting, impersonation, and concealment.
So can staff using unapproved AI tools with sensitive data.
This overlap is the core operating risk.
The organisation may think it is looking for hackers.
In reality, it should be looking for harmful patterns of trusted access.
That includes external compromise. It includes internal negligence. It includes administrative overreach. It includes supplier misuse. It includes poor culture. It includes data leakage. It includes deliberate concealment. It includes malicious insider conduct.
Trust is no longer a control.
Trust must be verified.
AI is now an executive control problem
CrowdStrike reports an 89% year-on-year increase in attacks by AI-enabled adversaries.
AI helps attackers write better phishing emails, generate fake personas, translate scams, create scripts, accelerate reconnaissance, troubleshoot malware, and scale operations.
Less capable attackers become more capable.
Capable attackers become faster.
But AI is not only an external weapon.
It is also an internal governance failure waiting to happen.
IBM found that 63% of organisations lacked AI governance policies to manage AI or prevent the spread of shadow AI. IBM also reported that 97% of organisations suffering an AI-related security incident lacked proper AI access controls.
That is not a tooling gap.
That is an executive control failure.
Staff can paste confidential documents into public AI tools.
Developers can generate insecure code.
Administrators can run AI-generated scripts they do not understand.
Teams can connect AI agents to business systems without approval.
Suppliers can embed AI features without meaningful disclosure.
Managers can use AI to process HR, legal, customer, or commercial data outside approved controls.
A malicious insider can use AI to accelerate document discovery, summarisation, impersonation, and concealment.
AI does not merely increase productivity.
Without governance, it increases the speed of misuse.
Identity is now organisational power
CrowdStrike reports that valid-account abuse accounted for 35% of cloud incidents. Cloud-conscious intrusions rose 37%. Cloud intrusions by named state-nexus actors rose 266%. Identity is no longer just a login system.
It is the control plane of the organisation.
Who has access?
Why do they have it?
Who approved it?
When was it last reviewed?
Who can export data?
Who can create users?
Who can change policy?
Who can disable alerts?
Who can approve devices?
Who can create OAuth applications?
Who can access SaaS platforms outside normal patterns?
Who keeps access after role change, conflict, resignation, or contract completion?
The external attacker wants valid identity because it creates legitimacy.
The internal bad actor already has legitimacy and only needs opportunity.
Weak identity governance is therefore not an IT weakness.
It is a power problem.
In poorly governed organisations, access becomes political. Privilege becomes inherited. Exceptions become permanent. Accountability becomes blurred. Audit becomes negotiable. That is exactly the terrain in which attackers, insiders, and negligent suppliers thrive.
SaaS convenience has become invisible exfiltration risk
SaaS has become the quiet data layer of the modern organisation.
Email, SharePoint, CRM, finance, HR, contracts, customer records, Board papers, legal files, strategy documents, intellectual property, and operational plans now live in SaaS environments. Attackers know this. Insiders know this too.
A compromised SaaS account can search, copy, export, forward, delete, share, and automate.
So can a legitimate user, or a convenient generic account with excessive access that looks kosher yet that no one actually pays attention to.
That is why SaaS must be audited through two lenses.
External threat: has an attacker gained access?
Internal operating risk: are legitimate users doing things they cannot justify?
Mass downloads.
Suspicious sharing.
Forwarding rules.
Deleted logs.
Unusual exports.
Dormant guest users.
Excessive admin rights.
Unapproved integrations.
Unexplained access to sensitive files.
Unmonitored OAuth tokens.
Service accounts nobody owns.
If SaaS activity is not monitored, leadership cannot know whether sensitive information is being used, misused, copied, stolen, leaked, or quietly prepared for external leverage.
SaaS convenience without governance becomes invisible exfiltration.
Supplier dependency has become uncontrolled exposure
Verizon’s 2025 Data Breach Investigations Report found that third-party involvement in breaches doubled from 15% to 30%. That is not just a cyber statistic. It is an operating-model warning.

Organisations have outsourced so much of their infrastructure, software, support, hosting, identity integration, data processing, analytics, and operational tooling that the boundary of control has become blurred.
A supplier can become an attack path.
A SaaS provider can become a data-extraction layer.
A software update can become a delivery mechanism.
A managed service provider can become a privileged bridge.
A contractor account can become persistent access.
A developer credential can become a supply-chain incident.
A support integration can become administrative reach.
This expands the insider-risk problem beyond the payroll.
A person does not need to be employed by the organisation to create insider-style risk. Suppliers, consultants, vendors, outsourced IT providers, SaaS administrators, implementation partners, and support desks may all hold trusted access or operational influence.
The risk is not simply “third party.”
The risk is uncontrolled trust beyond the organisation’s direct field of vision.
Edge devices reveal whether governance is real
CrowdStrike reports that edge devices were targeted in 40% of cases where China-nexus adversaries exploited vulnerabilities during intrusions.
VPNs, firewalls, gateways, remote-access systems, and internet-facing appliances are attractive because they are exposed, powerful, and often poorly monitored.
The external-risk story is obvious: attackers exploit vulnerable devices.
The executive operating-risk story is more uncomfortable: neglected edge devices reveal weak governance.
Who owns them?
Who patches them?
Who monitors them?
Who checks vendor access?
Who validates logging?
Who confirms segmentation?
Who reviews administrator access?
Who proves old accounts are gone?
Who is accountable when nothing happens?
An unpatched edge device is not merely a technical weakness.
It may be evidence of unclear ownership, vendor dependency, weak accountability, budget avoidance, or internal complacency.
External attackers often do not create the weakness.
They simply harvest what internal governance has allowed to exist.
Case studies show the real meaning
Change Healthcare showed how one trusted digital dependency can become national operational disruption. The 2024 attack affected approximately 190 million people and caused major disruption across claims, payments, provider cash flow, and healthcare administration.
MGM Resorts showed how social engineering and identity compromise can become visible business interruption. Hotel systems, casino operations, booking services, payment systems, and customer-facing services were disrupted, with reported costs around US$100 million.
MOVEit showed how one software flaw can become a mass third-party breach event, affecting large numbers of organisations and tens of millions of people.
SolarWinds showed how trusted software updates can become the attack vehicle. Around 18,000 customers downloaded compromised Orion updates.
These cases carry the same message.
The breach does not always arrive through the front door.
It arrives through trust.
A supplier.
An update.
A credential.
A help desk.
A SaaS export.
A privileged account.
A remote access process.
A dependency nobody mapped.
A platform nobody challenged.
An assumption nobody tested.
This is why executive operating risk must now include digital control risk.
The issue is not whether the organisation has tools.
The issue is whether the organisation understands what it trusts — and whether that trust is still deserved.
Outside discovery is now executive protection
Internal assurance matters. But it is not enough. Internal teams may be competent and honest, yet still too close to the environment. They may be constrained by workload, hierarchy, politics, legacy decisions, supplier relationships, undocumented exceptions, or fear of exposing historical weakness.
In some cases, internal teams may also own the very controls that require independent scrutiny.
That is why outside discovery is essential.
Not as blame.
As protection.
Outside discovery should test:
Which privileged accounts exist?
Which users can export sensitive data?
Which suppliers retain access?
Which SaaS integrations persist?
Which logs are missing?
Which alerts are suppressed?
Which AI tools are being used?
Which devices are unmanaged?
Which edge systems are exposed?
Which admin actions lack independent review?
Which accounts remain active after role change or exit?
Which exceptions have become permanent?
Which internal behaviours resemble attacker tradecraft?
Which leadership assurances are supported by evidence?
Trustworthy organisations verify themselves.
Weak organisations ask people to accept comfort statements.
The audit agenda must change
The audit agenda can no longer stop at cyber hygiene. It must examine executive operating risk. Identity must be audited: privileged accounts, MFA, conditional access, password resets, service accounts, OAuth grants, guest users, dormant users, administrator roles, and hybrid identity.
SaaS must be audited: sensitive data locations, sharing settings, export rights, forwarding rules, deletion rules, integrations, API access, administrator behaviour, and anomalous activity.
AI must be audited: approved tools, unapproved tools, data leakage, AI agents, plugins, prompts, vendor AI features, model-connected workflows, and human approval points.
Suppliers must be audited: managed service providers, SaaS vendors, software platforms, outsourced IT, support accounts, third-party access, integration rights, and contract-to-access alignment.
Edge devices must be audited: VPNs, firewalls, gateways, exposed services, patching, logging, ownership, vendor access, and segmentation.
Internal misuse must be audited: unusual data movement, excessive privilege, administrator actions, log suppression, security exceptions, role conflicts, access after departure, and unexplained access to sensitive material.
Incident readiness must be audited: response speed, escalation rights, decision authority, legal readiness, communications readiness, evidence preservation, and independence of investigation.
This is not paranoia.
This is executive control.
The risk statement executives need to hear
The greatest risk is not only that an external attacker will break in.
It is that an external attacker, malicious insider, negligent user, compromised supplier, over-privileged administrator, unmanaged SaaS integration, or uncontrolled AI workflow will use trusted systems in harmful ways — while the organisation lacks the visibility, independence, and courage to tell the difference.
That is the digital control crisis.
The breach may not begin with malware.
It may begin with a password reset.
A help-desk call.
A SaaS export.
A dormant account.
A privileged exception.
A contractor login.
A supplier integration.
An OAuth token.
An unpatched VPN.
A hidden forwarding rule.
An AI tool.
A disabled alert.
A quiet access change.
A trusted person doing something untrustworthy.
Cybersecurity is no longer only about defending against enemies outside the wall.
It is about proving that the wall, the gatekeepers, the keys, the logs, the guards, the suppliers, the administrators, the workflows, and the internal culture can actually be trusted.
Role of IAM - the strategic currency
A fully managed IAM lifecycle approach is now essential because identity has become the operating control plane and strategic currency of any organisation — covering every employee, contractor, supplier, administrator, service account, AI agent, SaaS integration, API token, and non-human identity from creation to change to removal.
However, the problem is that most organisations do not have this under disciplined lifecycle control: recent identity-governance research indicates only 6% have achieved full IGA automation, meaning 94% remain partly manual, fragmented, or immature, while separate IAM maturity research found only half of organisations rate their IAM tools as highly effective and fewer than half have high confidence in preventing identity-based incidents. That fragmentation is now dangerous because machine identities alone can outnumber human identities by more than 80 to 1, with many holding sensitive or privileged access. Then there are those who have a mixed assortment of personal subscriptions for platforms, tools and services, often created in a rush or to fuel the Shadow ICT paradigm, that are run by the organisation yet not owned and operated by it.
Without end-to-end IAM lifecycle management, weak onboarding becomes excessive access, role changes leave privilege behind, contractors retain ghost accounts, suppliers keep unmanaged pathways, service accounts become invisible backdoors, AI agents inherit unclear authority, and leavers remain latent breach risks. In a threat environment where valid-account abuse is a major cloud attack vector and most detections can be malware-free, organisations cannot rely on trust, memory, spreadsheets, or annual access reviews; they need automated joiner-mover-leaver controls, role-based and attribute-based access, privileged access management, phishing-resistant MFA, periodic recertification, service-account ownership, SaaS and OAuth governance, non-human identity control, identity threat detection, and immediate deprovisioning.
The risk that executives carry, in compliance, privacy and even bottom-line terms, is blunt: if identity is not continuously governed, the organisation simply does not truly know who or what can access what, why that access exists, whether it is still justified, or whether it is already being misused, or what can occur if it is not.
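The lifecycle failures named in this section (access that survives an exit or contract end, service accounts nobody owns, dormant accounts, privilege that is never recertified) can be checked mechanically against an identity inventory. The sketch below is an example added here, not taken from the article or from any product; the record fields, the 90-day thresholds, the finding labels and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy thresholds for this example; set them from your own policy.
DORMANT_AFTER = timedelta(days=90)
RECERTIFY_EVERY = timedelta(days=90)
NON_HUMAN = {"service", "oauth_app"}

@dataclass
class Identity:
    name: str
    kind: str                        # employee, contractor, supplier, guest, service, oauth_app
    enabled: bool
    privileged: bool
    owner: Optional[str]             # accountable human; expected for non-human identities
    engagement_end: Optional[date]   # HR exit or contract end; None while ongoing
    last_sign_in: Optional[date]
    last_review: Optional[date]      # last access recertification

def findings_for(i: Identity, today: date) -> list[str]:
    """Return the lifecycle failures this identity shows as of `today`."""
    if not i.enabled:
        return []                    # already deprovisioned, nothing left to abuse
    out = []
    if i.engagement_end is not None and i.engagement_end < today:
        out.append("active-after-exit")          # leaver or ended contract, still enabled
    if i.kind in NON_HUMAN and not i.owner:
        out.append("no-owner")                   # non-human identity nobody answers for
    if i.last_sign_in is None or today - i.last_sign_in > DORMANT_AFTER:
        out.append("dormant")                    # enabled but unused
    if i.privileged and (i.last_review is None
                         or today - i.last_review > RECERTIFY_EVERY):
        out.append("privilege-unreviewed")       # recertification missing or overdue
    return out

def audit(identities, today: date) -> dict[str, list[str]]:
    """Map identity name -> findings, keeping only identities with findings."""
    report = {i.name: findings_for(i, today) for i in identities}
    return {name: f for name, f in report.items() if f}

# Constructed sample inventory (not real data).
TODAY = date(2026, 6, 2)
SAMPLE = [
    Identity("a.nguyen", "employee", True, False, None, None,
             date(2026, 5, 30), date(2026, 4, 1)),
    Identity("ctr-jsmith", "contractor", True, True, None, date(2026, 3, 31),
             date(2026, 5, 20), date(2025, 11, 1)),
    Identity("svc-backup", "service", True, True, None, None,
             date(2026, 6, 1), None),
    Identity("guest-vendor", "guest", True, False, None, None,
             date(2025, 12, 1), None),
    Identity("old-admin", "employee", False, True, None, date(2024, 1, 15),
             None, None),
    Identity("crm-sync", "oauth_app", True, False, "b.patel", None,
             date(2026, 6, 1), None),
]

if __name__ == "__main__":
    for name, found in audit(SAMPLE, TODAY).items():
        print(f"{name}: {', '.join(found)}")
```

The contractor in the sample is the case annual reviews miss: the account signed in recently, so a dormancy check alone passes it, and only the comparison against the contract end date exposes it.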
Conclusion - unchecked trust is now exposure
The digital control crisis is not simply a technology crisis. It is the point at which organisational malaise becomes operationally dangerous. Weak governance becomes excessive access. Poor culture becomes hidden exceptions. Supplier dependency becomes uncontrolled exposure. Leadership assumptions become audit gaps.
Internal politics becomes suppressed evidence.
AI adoption becomes unmanaged data leakage.
SaaS convenience becomes invisible exfiltration.
Cyber-risk is not separate from operating risk.
It is often the digital expression of operating risk.
The central executive task, therefore, is no longer simply to “keep attackers out.”
The central task is to verify trust continuously.
Verify users. Verify administrators. Verify suppliers.
Verify SaaS behaviour. Verify AI use. Verify edge security. Verify privileged access.
Verify logging. Verify exceptions.
Verify internal claims of control.
In this AI era, unchecked trust is now amplified and broader exposure.
And in this era, the organisations most at risk will not always be those with no security tools. They will be the organisations that trust their own assumptions more than they test their own reality.


