Why broken access control still tops the OWASP Top 10 and what it means for identity security in the era of hybrid cloud

The 8th version of the OWASP Top 10 highlights Broken Access Control as the most significant security risk, persisting due to complex identity and access management issues in multi-cloud and hybrid environments. Despite advancements in security technologies, unauthorized access remains prevalent because of over-permissioned identities, static permissions in dynamic settings, inconsistent enforcement across different cloud providers, and limited visibility into effective access. The challenge lies in governing what authenticated identities can do, shifting the focus from authentication to runtime entitlement governance. To address this, security teams must adopt just-in-time and just-enough access, maintain continuous visibility and analysis, and enforce automated least-privilege policies. The persistence of Broken Access Control underscores the need for continuous identity and entitlement governance to protect enterprises from unauthorized access across diverse systems.