But that’s changing. Fast.
Now, thanks to the rise of cloud-native infrastructure, AI-driven automation, and the mainstreaming of Zero Trust, identity is emerging as the new control plane. Gartner has gone so far as to declare: “Identity is the new perimeter.” This marks a fundamental shift in how and where control must be enforced.
The evidence is mounting:
• 62% of interactive intrusions involved valid account abuse, according to CrowdStrike’s 2023 threat report.
• The same report shows Kerberoasting attacks surged 583% year-over-year.
• Just 43% of SMBs have PAM programs in place, industry surveys show.
• A 2024 academic study documented widespread failures in cloud IAM configurations, driven by default permissions and excessive privilege creep.
One company that’s been ahead of this curve is SPHERE, a Newark, N.J.–based identity hygiene platform founded in 2010 by cybersecurity entrepreneur Rita Gurevich. SPHERE began as a services company and, through automation, evolved into a platform that helps mid-market and enterprise organizations—especially in highly regulated sectors like finance and healthcare—continuously discover, remediate, and govern identity-related risk.
The company’s flagship product, SPHEREboard, is designed to shrink the attack surface by automatically cleaning up open, orphaned, or excessive access across foundational systems. It extends across PAM and IGA systems, as well as unstructured data environments. With regulatory frameworks like GDPR and HIPAA intensifying scrutiny—and cyber insurers demanding tighter access controls—SPHERE’s platform-based approach is gaining traction.
We spoke with Rita Gurevich about the evolution of identity hygiene—and why it has quietly become one of the most critical, and least understood, pillars of modern cybersecurity.
LW: Why were identity and access controls historically sidelined, and what’s driving their prioritization now?
Gurevich: For a long time, identity and access controls were considered someone else’s problem—spread across IT, HR, and security, but truly owned by no one. They didn’t feel urgent… until something broke.
But the world has changed. Today’s biggest risks stem from identity: over-permissioned users, stale service accounts, blind spots in privilege. It’s no longer just about keeping the bad guys out—it’s about understanding who already has access, and where important accounts can be compromised from the inside.
That’s why identity is finally getting the attention it deserves.
Gurevich: Identity hygiene means knowing what accounts exist, what they can do, and whether they should still exist at all. It’s about removing orphaned accounts, enforcing least privilege, validating ownership, and ensuring identities follow the right controls—continuously.
Without that clean foundation, Zero Trust becomes a slogan, not a strategy. And when it comes to compliance—whether it’s SOX, HIPAA, or GLBA—you can’t demonstrate control without clarity. Identity hygiene is what makes trust and control measurable.
LW: How does SPHERE’s approach differ from traditional IGA or PAM tools? Where do you see the biggest gaps today?
Gurevich: IGA and PAM are essential—but they’re only as effective as the data that feeds them.
SPHERE sits in the same ecosystem and actually strengthens both. We accelerate the discovery of all accounts, classify their risk, and tie them to owners. We go deep into unstructured environments—file systems, database platforms—and help organizations ensure those identities are properly governed or vaulted.
The biggest gap we see is visibility. Most organizations simply don’t know what they have. And once risk is identified, they have no way to actually fix the problems.
That’s where SPHEREboard comes in.
LW: How do you build trust around sensitive identity data?
Gurevich: We take a lot of pride in finding the accounts others miss—those hidden or forgotten identities attackers love to exploit. That depth of discovery speaks for itself. But once we have the data, the real question is: how do we protect it?
The answer is: we treat it like our own.
Our customers include some of the most security-conscious organizations in the world. They’ve done their due diligence. They’ve validated our platform, our processes, and our people.
We’re not outsiders to their world—we came from it. We built SPHERE inside large enterprises, and we’ve grown alongside them. Earning and keeping our customers’ trust isn’t optional—it’s central to everything we do.
LW: What identity-related blind spot are security teams still missing?
Gurevich: There’s a lot of noise right now—Agentic AI, non-human identities, autonomous remediation. All exciting stuff.
But the reality is that most organizations are still drowning in the messy, risky foundation they already have. Legacy systems, deeply embedded access models, sprawling account sprawl—this is where attackers go first, and where visibility is weakest.
Most companies still have accounts that haven’t been reviewed in years. Passwords that haven’t been rotated. Privileged access that was never properly managed by PAM.
These aren’t theoretical risks. These are real, live credentials attackers can exploit to move laterally and escalate quickly.
Before we automate everything or chase the next AI trend, we need to clean up what’s already inside. The mess in the middle—that’s the risk that’s still being ignored.
LW: As a woman-led cybersecurity company, what progress have you seen—and what still needs to happen?
Gurevich: There’s more visibility and support for women in cybersecurity today, which is great—but we still need more decision-makers who look and think differently.
Diverse perspectives aren’t just a nice-to-have. They lead to better outcomes. In my early days, it was rare to walk into a room and see someone who looked like me. That’s starting to change.
But we’re not there yet. We still need to normalize nontraditional leadership.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
The post SHARED INTEL Q&A: Inside the access mess no one sees — and the identity risk no one owns first appeared on The Last Watchdog.