Why Security Controls Are Collapsing Under Their Own Weight


A new report from CyberArk paints a stark picture: while organizations say they’re modernizing, their security models haven’t kept up. According to The Privilege Reality Gap, the divide between perception and reality in privileged access management (PAM) is widening and risk is quietly accumulating beneath the surface.

The Illusion of Control

CyberArk found that 91% of organizations still rely on standing privileged access — always-on credentials with broad permissions, often far beyond what’s needed. At the same time, 75% consider themselves “future ready.” Those two facts don’t align.

Part of the disconnect stems from technical debt, but a deeper issue is misplaced confidence. Security leaders often equate tool deployment or policy rollout with progress. Yet less than half of organizations consistently apply privilege controls to DevOps pipelines, contractors, or AI and machine identities. Controls may exist, but they’re not exerting real control.

Meanwhile, more than half of organizations report discovering unmanaged privileged accounts every week. These shadow privileges — forgotten credentials, leftover permissions, overly broad roles — offer low-friction entry points for attackers.

When Complexity Breeds Circumvention

Even well-designed controls fail if they’re too complex to follow. Today’s security environments are overloaded — not just with alerts, but with portals, approvals, tickets, and identity platforms. CyberArk reports that 88% of organizations now manage multiple identity systems, fragmenting policy enforcement and stretching teams thin.

The result is fatigue. Security teams are overwhelmed. Developers and business users, juggling tools and logins, quietly sidestep controls. They copy secrets locally, hard-code credentials, or grant access “just for now” and never revoke it. Over time, these shortcuts become standard practice, expanding privilege with no audit trail.

The JIT Gap

Zero Standing Privileges is the widely accepted ideal — no persistent access, no dormant credentials, just-in-time access that appears when needed and disappears when it’s not. But almost no one is fully there.

Real-world implementation of JIT is messy. It requires automation, updated workflows, tight identity integration, and organizational buy-in. Without these, JIT becomes a bottleneck. People revert to workarounds such as shared logins, stale credentials, and shadow accounts.

These operational shortcuts often reflect deeper, structural roadblocks. “Organizations face three main barriers to modernization: lack of support for modern authentication methods within legacy applications, user resistance rooted in workflow disruption, and upfront costs,” said Fletcher Davis, Senior Security Research Manager at BeyondTrust. “These challenges often compound one another, creating organizational paralysis and keeping teams locked into outdated password-based systems — not because they’re secure, but because change requires coordination across technology, budget, and culture.”

Misaligned Risk Perceptions

CyberArk also highlights a growing disconnect between teams on what constitutes acceptable risk. Developers and ops teams prioritize speed; if a workaround saves time, it becomes the preferred path. For security teams, friction is a safeguard, not a flaw.

Generational attitudes deepen the divide. Younger workers expect seamless access and view clunky controls as dysfunction. Older employees, shaped by past incidents, may be more tolerant of friction. When security policies don’t align with how people work — or expect to work — they get bypassed.

Underlying this disconnect is a leadership gap — a failure to prioritize the fundamentals that support secure behavior. “Improving authentication hygiene is low-hanging fruit for most businesses,” said Matt Dunham, Vice President of Platform Security at Pax8. “Organizations that haven’t addressed this often struggle to engage executive leadership on broader cyber risk. The real work begins by grounding the business in cybersecurity fundamentals — and strong authentication is one of them.”

Making JIT Work in the Real World

JIT access is a tactic, not a silver bullet. It only works when systems are automated, context-aware, and operationally aligned. Many JIT rollouts fail because they introduce friction without compensating for it. What works better are systems that elevate access based on real behavior, streamline approvals, and default to least privilege with fast, flexible escalation.
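The passage above, and "The JIT Gap" before it, describe the mechanics of just-in-time access in prose: a grant appears when needed, carries an expiry, disappears on its own, and leaves an audit trail, while standing privilege is the always-on grant that never does. The following is an added illustration of that model, not code from the report or from CyberArk; the `PrivilegeLedger` class, the identities and the timestamps are all constructed for the example. It shows the two behaviours the article contrasts side by side: a time-boxed grant that an authorization check stops honouring once it expires, and a standing grant that stays active until someone notices it, which is why the ledger also exposes a `standing_privileges()` view for exactly the kind of weekly discovery the report describes.

```python
"""Minimal just-in-time (JIT) privilege ledger (hypothetical example code).

Every grant is recorded with an optional expiry; authorization checks
expire stale grants before answering, and every change is appended to an
audit trail. Grants without an expiry are still permitted, but are flagged
as standing privilege so they can be found and reviewed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Grant:
    identity: str                  # human or machine identity holding the privilege
    role: str                      # what the privilege allows, e.g. "prod-db-admin"
    granted_at: float              # epoch seconds
    expires_at: Optional[float]    # None means standing (always-on) privilege
    reason: str                    # justification kept for the audit trail
    active: bool = True


@dataclass
class PrivilegeLedger:
    grants: List[Grant] = field(default_factory=list)
    audit: List[Tuple] = field(default_factory=list)

    def grant(self, identity: str, role: str, now: float,
              ttl_seconds: Optional[int] = None, reason: str = "") -> Grant:
        """Record a grant; a missing TTL creates standing privilege."""
        expires_at = None if ttl_seconds is None else now + ttl_seconds
        g = Grant(identity, role, now, expires_at, reason)
        self.grants.append(g)
        kind = "standing" if expires_at is None else f"jit(ttl={ttl_seconds}s)"
        self.audit.append((now, "grant", identity, role, kind, reason))
        return g

    def expire(self, now: float) -> List[Grant]:
        """Deactivate every time-boxed grant whose expiry has passed."""
        expired = []
        for g in self.grants:
            if g.active and g.expires_at is not None and g.expires_at <= now:
                g.active = False
                self.audit.append((now, "expire", g.identity, g.role, "", ""))
                expired.append(g)
        return expired

    def revoke(self, identity: str, role: str, now: float, reason: str = "") -> int:
        """Explicitly revoke active grants; returns how many were revoked."""
        count = 0
        for g in self.grants:
            if g.active and g.identity == identity and g.role == role:
                g.active = False
                self.audit.append((now, "revoke", identity, role, "", reason))
                count += 1
        return count

    def is_authorized(self, identity: str, role: str, now: float) -> bool:
        # Expire lazily first so a check never honours a grant past its TTL.
        self.expire(now)
        return any(g.active and g.identity == identity and g.role == role
                   for g in self.grants)

    def standing_privileges(self) -> List[Grant]:
        """Active grants that never expire: the always-on access to review."""
        return [g for g in self.grants if g.active and g.expires_at is None]


def demo() -> Tuple[bool, bool, List[str], int]:
    """Constructed scenario: one JIT grant, one standing grant."""
    ledger = PrivilegeLedger()
    t0 = 1_700_000_000.0  # constructed epoch timestamp
    ledger.grant("alice", "prod-db-admin", t0, ttl_seconds=900, reason="INC-1234")
    ledger.grant("ci-runner", "deploy", t0, reason="legacy pipeline, no TTL")
    before = ledger.is_authorized("alice", "prod-db-admin", t0 + 60)     # within TTL
    after = ledger.is_authorized("alice", "prod-db-admin", t0 + 901)     # TTL elapsed
    standing = [g.identity for g in ledger.standing_privileges()]
    return before, after, standing, len(ledger.audit)


if __name__ == "__main__":
    print(demo())  # (True, False, ['ci-runner'], 3)
```

The lazy `expire()` inside `is_authorized()` is the design point: the grant disappears because the check refuses to honour it, not because someone remembered to clean it up. The `ci-runner` grant, by contrast, never expires and would sit there indefinitely, which is why periodic review of `standing_privileges()` belongs in the "start with visibility" step rather than being left to chance.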

A Shift in Mindset

CyberArk’s data underscores a hard truth: if controls are too rigid or slow, people will route around them. And once that becomes the norm, privilege management collapses, no matter how many tools are in place.

To fix this, security programs must treat privilege as dynamic, not static. Start with visibility. Build automation. Align controls with operations. Design systems for how people actually work. Because in the end, security isn’t just about infrastructure. It’s about behavior.

Author

Michael Ansaldo, Contributing Writer, Security Buzz

Michael Ansaldo is a veteran technology and business journalist with experience covering cybersecurity and a range of IT topics. His work has appeared in numerous publications including Wired, Enterprise.nxt, PCWorld, Computerworld, TechHive, GreenBiz, Mac|Life, and Executive Travel.