
Researchers at Pathlock recently found that nearly half (48 percent) of manufacturers fail to revoke access within 24 hours of a role change or departure. This can include temporary workers, contractors or third-party system integrators.
Beyond any compliance issues, these dormant accounts rarely trigger behavioral alerts, making them a low-friction entry point for credential stuffing, password spraying and phishing. Additional findings show that 46 percent of reported security incidents were suspected or confirmed to be linked to governance gaps created during digital transformation.
The report also found that 51 percent of manufacturers don't use automated elevated access management, and 14 percent have minimal or no governance over privileged access. Additionally, 61 percent skipped comprehensive Separation of Duty (SOD) risk simulations before deploying new roles during cloud migrations.
A copy of the research can be found here, with additional stakeholder commentary below.
Vincenzo Iozzo, CEO and Co-founder at SlashID: "Industry threat intelligence reports of the last several years show that more than 50 percent of intrusions are now identity-based and malware-free. Often, attackers exploit stale credentials from past employees or contractors and overprovisioned accounts to breach customers.
"In fact, the combination of the two is what generally leads to significant damages similar to what we have recently observed with Stryker.
"The Pathlock report shows that one in five manufacturers has already suffered a security incident, and nearly half of those incidents trace back to governance gaps introduced during digital transformation. This once again demonstrates that identity deprovisioning and governance can no longer be treated simply as a GRC task."
James Maude, Field CTO at BeyondTrust: "Pathlock’s findings highlight a structural identity problem in manufacturing: attackers increasingly log in rather than break in, and dormant or over‑privileged accounts give them a frictionless path. During seasonal ramp‑ups, access is created quickly, but rarely removed with the same urgency, leaving behind a shadow layer of identities that don’t trigger behavioral alerts.
"That expands the blast radius for everything from credential stuffing to insider misuse.
"Security teams should focus on shrinking standing privilege, ideally taking a just-in-time approach for privilege and access especially for contractors and integrators. When you reduce the amount of privilege in the system, you reduce the impact of inevitable mistakes."
Surya Kollimarla, Director, Identity Security Products at ColorTokens: "The Pathlock data doesn't reveal a new threat — it measures the one you're already carrying, quietly compounding inside your own systems.
"With 74 percent of manufacturers lacking fully automated provisioning, 61 percent skipping SoD simulations before cloud migrations, and dormant accounts evading behavioral alerts entirely, the attack surface isn't a gap — it's a design flaw. What security teams should know: faster offboarding and periodic access reviews are necessary but insufficient — the structural fix is removing credentials from the authentication chain altogether.
"Security teams should seriously evaluate two foundational shifts:
Go passwordless by design, not by patch. Solutions that layer passwordless capabilities on top of password-based infrastructure don't eliminate the attack surface — they obscure it. True passwordless architecture, integrated with automated SoD enforcement across your existing ERP and IAM systems, removes the credential risk at the source.
Authenticate based on context, not just identity. Risk-based authentication that continuously evaluates the user, device, and application at the moment of access is the only model that raises the security bar without adding friction — because friction doesn't get tolerated, it gets bypassed."
Darren Guccione, CEO and Co-Founder at Keeper Security: "Stale credentials remain one of the most predictable and dangerous weaknesses in enterprise security. When access persists after an employee changes roles, leaves or a contractor’s engagement ends, organizations effectively leave trusted identities active inside critical systems.
"Attackers understand this and routinely look for dormant accounts that will allow them to blend in as legitimate users to avoid triggering traditional security alerts. This is why identity governance must be treated as a security priority, not just a compliance process.
"Access should be automated, time-bound and continuously verified, privileged access must follow the principle of least privilege and standing administrative rights should be eliminated wherever possible. In today’s threat landscape, identity has become the primary attack surface. Organizations that fail to maintain strict control over who has access to what systems – and for how long – are effectively leaving the front door open to attackers."




















