
OWASP CI/CD Top 10: Inadequate IAM

Blog post from Cloudsmith

Post Details
Company: Cloudsmith
Author: Nigel Douglas
Word count: 1,379
Language: English
Summary

In the race to ship software faster, many teams have turned to automation, decentralised tooling and powerful pipelines, but this has opened a growing Identity and Access Management (IAM) threat vector in CI/CD. The problem arises from managing many identities across interconnected systems (source control, build agents, artifact repositories and deployment targets), which often leaves IAM policies inconsistent, outdated or overly permissive.

The post identifies several recurring IAM issues: overly permissive identities, stale accounts, local (non-federated) identities, shared credentials and external users. Their consequences include compromise of a single identity that holds excessive permissions, lateral movement potential, credential sprawl, orphaned accounts, compliance gaps and unauthorised activity.

To mitigate these risks, organisations should adopt IAM best practices: map all identities, audit external users, enforce least-privilege access, eliminate stale access, federate identity management, disable self-registration and treat IAM as a first-class security priority in CI/CD.
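The mitigations above start with an inventory: you cannot enforce least privilege or remove stale access until every identity across the pipeline is listed and checked against the same rules. The script below is an added example (not Cloudsmith's code and not from the original post) that audits such an inventory for the five anti-patterns the post names. The inventory format, the 90-day staleness threshold, the `example.com` internal domain and the set of permissions treated as "broad" are all assumptions; the sample records are constructed, not exported from a real system.

```python
"""Audit a CI/CD identity inventory for the IAM anti-patterns the post lists.

Added example; not Cloudsmith's code. The inventory format is an assumption:
a list of dicts like the constructed INVENTORY below, of the kind a team might
assemble by exporting users, bots and tokens from source control, build agents,
artifact repositories and deployment targets.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "now" so results are reproducible
STALE_AFTER = timedelta(days=90)                   # assumption: 90 days without activity = stale
INTERNAL_DOMAINS = {"example.com"}                 # assumption: the organisation's own domain(s)
# Permissions treated as excessive for a pipeline identity (assumption).
BROAD_PERMISSIONS = {"*", "admin", "owner", "repo:*", "registry:*"}

INVENTORY = [  # constructed sample data, not exported from a real system
    {"id": "ci-deploy-bot", "system": "artifact-repo", "type": "service",
     "auth": "token", "permissions": ["registry:*"], "last_active": "2024-05-30",
     "shared_by": ["alice", "bob", "carol"], "email": None},
    {"id": "alice", "system": "source-control", "type": "human",
     "auth": "sso", "permissions": ["repo:read", "repo:write"],
     "last_active": "2024-05-31", "shared_by": [], "email": "alice@example.com"},
    {"id": "dave-contractor", "system": "source-control", "type": "human",
     "auth": "local", "permissions": ["repo:write"], "last_active": "2024-01-10",
     "shared_by": [], "email": "dave@contractor.io"},
    {"id": "jenkins-admin", "system": "build-agent", "type": "service",
     "auth": "local", "permissions": ["admin"], "last_active": "2023-11-02",
     "shared_by": [], "email": None},
    {"id": "prod-deployer", "system": "deploy-target", "type": "service",
     "auth": "oidc", "permissions": ["deploy:prod"], "last_active": "2024-05-29",
     "shared_by": [], "email": None},
]


def audit_identity(identity, now=NOW):
    """Return the list of findings for one identity (empty list means clean)."""
    findings = []
    # Overly permissive: any wildcard or admin-level grant.
    if set(identity["permissions"]) & BROAD_PERMISSIONS:
        findings.append("overly-permissive")
    # Stale: no recorded activity within the threshold.
    last = datetime.fromisoformat(identity["last_active"]).replace(tzinfo=timezone.utc)
    if now - last > STALE_AFTER:
        findings.append("stale")
    # Local identity: password/account held only in this system, outside the IdP.
    if identity["auth"] == "local":
        findings.append("local-identity")
    # Shared credential: one secret known to more than one person.
    if len(identity["shared_by"]) > 1:
        findings.append("shared-credential")
    # External user: human account whose mail domain is not the organisation's.
    email = identity.get("email")
    if email and email.split("@")[-1] not in INTERNAL_DOMAINS:
        findings.append("external-user")
    return findings


def audit_inventory(inventory, now=NOW):
    """Map identity id -> findings, keeping only identities with at least one finding."""
    report = {}
    for identity in inventory:
        findings = audit_identity(identity, now)
        if findings:
            report[identity["id"]] = findings
    return report


def lateral_movement_risk(inventory, now=NOW):
    """Identities that are both overly permissive and stale, local or shared.

    These are the highest-priority cleanup targets: a compromise of any one of
    them hands the attacker broad reach across pipeline systems.
    """
    risky = []
    for identity in inventory:
        f = set(audit_identity(identity, now))
        if "overly-permissive" in f and f & {"stale", "local-identity", "shared-credential"}:
            risky.append(identity["id"])
    return risky


if __name__ == "__main__":
    for ident, findings in audit_inventory(INVENTORY).items():
        print(f"{ident:16} {', '.join(findings)}")
    print("highest priority:", lateral_movement_risk(INVENTORY))
```

Run against the constructed inventory, `alice` (SSO, scoped permissions, recently active) and `prod-deployer` (OIDC-federated, single scoped grant) come back clean, while `jenkins-admin` (local account, `admin`, idle since November) and the token shared by three engineers are flagged as lateral-movement risks. The point of `lateral_movement_risk` is prioritisation: fixing a stale but read-only account can wait; a stale admin identity cannot.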