
Letters from a White Hat: The 5 security gaps every organization must address now

Blog: OpenText Blogs

A stylized image representing the White Hat Hacker Wars theme for cybersecurity month.

Identity is the new (and exploding) perimeter

Once upon a time, “perimeter security” meant building higher walls. Now, the wall has dissolved into a cloud of logins, devices, and digital agents. Industry forecasts predict 50 to 100 agentic identities for every human identity. Each AI assistant, automation bot, or API key will need its own governance, credentials, and entitlements. It’s easy to think of agents as just “helpers,” but they’re accounts with access. And attackers know it. If one becomes over-privileged or orphaned, attackers can abuse it like any compromised user account.

Real-world example: The 2019 Codecov breach began with an attacker compromising a Docker image that contained a hardcoded credential, allowing access to sensitive environments.

The Fix: It isn’t glamorous, but it’s essential.
• Treat every identity, human or machine, as equal risk.
• Automate provisioning and deprovisioning.
• Apply least privilege and time-bound access.
• Audit entitlements frequently.

Identity governance is the scaffolding of Zero Trust. Without it, everything else is decoration.
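The entitlement audit the list above calls for, as an added example that is not part of the original post. It runs over a constructed identity inventory (the JSON below is made up) and flags the conditions the section warns about: agents whose owning human is gone (orphaned), agents with no time-bound access, agents holding more entitlements than their owner, and identities nobody has used in 90 days.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed inventory of human and machine identities (illustrative only).
INVENTORY_JSON = """[
 {"id": "alice", "kind": "human", "owner": "alice", "active": true,
  "entitlements": ["repo:read"], "expires": null, "last_used": "2025-10-01T00:00:00Z"},
 {"id": "bob", "kind": "human", "owner": "bob", "active": false,
  "entitlements": ["billing:read"], "expires": null, "last_used": "2025-02-20T00:00:00Z"},
 {"id": "deploy-bot", "kind": "agent", "owner": "alice", "active": true,
  "entitlements": ["repo:read", "prod:deploy"], "expires": "2025-12-31T00:00:00Z",
  "last_used": "2025-10-02T00:00:00Z"},
 {"id": "report-agent", "kind": "agent", "owner": "bob", "active": true,
  "entitlements": ["billing:read", "iam:admin"], "expires": null,
  "last_used": "2025-03-01T00:00:00Z"}
]"""
SAMPLE_NOW = datetime(2025, 10, 15, tzinfo=timezone.utc)  # fixed clock for the sample

def _ts(s):  # ISO-8601 UTC timestamp ending in 'Z' -> aware datetime
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def audit_identities(inventory_json, now, stale_after=timedelta(days=90)):
    """Return (identity_id, finding) pairs for every active identity.
    Agents: 'orphaned' (owner missing/inactive), 'no-expiry' or 'expired',
    'exceeds-owner:<ents>' (entitlements the owner lacks). All: 'stale'."""
    idents = json.loads(inventory_json)
    by_id = {i["id"]: i for i in idents}
    findings = []
    for ident in idents:
        if not ident["active"]:
            continue  # already deprovisioned; nothing left to govern
        if ident["kind"] == "agent":
            owner = by_id.get(ident["owner"])
            owner_ok = owner is not None and owner["active"]
            if not owner_ok:
                findings.append((ident["id"], "orphaned"))
            if ident["expires"] is None:
                findings.append((ident["id"], "no-expiry"))
            elif _ts(ident["expires"]) < now:
                findings.append((ident["id"], "expired"))
            if owner_ok:  # an agent should never out-rank the human it acts for
                extra = sorted(set(ident["entitlements"]) - set(owner["entitlements"]))
                if extra:
                    findings.append((ident["id"], "exceeds-owner:" + ",".join(extra)))
        if now - _ts(ident["last_used"]) > stale_after:
            findings.append((ident["id"], "stale"))
    return findings
```

Feeding the same rules a real inventory export (for example from an IdP or secrets manager) turns “audit entitlements frequently” into a scheduled job whose output is a ticket per finding.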

Misconfigured cloud applications

Cloud services have democratized infrastructure and democratized mistakes. A single misconfigured storage bucket or permissive IAM role can open a backdoor to sensitive data. Attackers don’t need custom exploits; they just need Google Dorking and a Shodan scan.

Real-world example: In 2019, Capital One suffered a breach when an attacker exploited a misconfigured AWS firewall to access sensitive customer data.

The Fix: Mitigate with Cloud Security Posture Management (CSPM) and make “public by default” an outlawed setting. Automate guardrails in CI/CD, enforce least privilege on every SaaS integration, and inventory OAuth connections. Every misconfiguration is an accident waiting to become an incident. In 2025, nearly 70 percent of reported cloud breaches started that way.

Vulnerabilities and the incentive gap

Every year we log more CVEs than the year before. That isn’t just because software is growing. It’s because the incentive economy around vulnerabilities is broken. A researcher who finds a remote-execution bug in Chrome might earn $200K from Google’s bounty program. But they can earn $1 million on the dark market, or $10 million from a state buyer. Until the industry closes that reward gap, zero days will keep leaking into offensive stockpiles.

Meanwhile, defenders are still struggling with basics. This includes knowing what software they actually run, understanding which version they have exposed, and patching fast enough to matter.

Real-world example: The Log4Shell (Log4j) vulnerability in 2021 showed how a single open-source library could ripple across the entire internet. Many companies failed to identify where it was used in their environments.

The Fix: The solution is visibility. Maintain a Software Bill of Materials (SBOM) for every app. When the next Log4Shell appears, you should know in minutes, not weeks, where it lives. Think of an SBOM as a nutrition label for code. You can’t make healthy security choices if you don’t know the ingredients.
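What “know in minutes where it lives” looks like in practice, as an added example that is not part of the original post: a small query over a CycloneDX-style SBOM (the component list below is constructed) that returns every component falling inside an affected version range. The range is an input the reader takes from the advisory being triaged; it is set here to 2.0-beta9 through 2.14.1 for log4j-core, the range Apache’s original Log4Shell advisory listed, and the version comparison handles pre-release tags so that 2.0-beta9 sorts below 2.0.

```python
import json
import re

# Constructed CycloneDX-style SBOM fragment; the component list is made up.
SBOM_JSON = """{
 "bomFormat": "CycloneDX", "specVersion": "1.4",
 "components": [
  {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
   "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
  {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
   "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
  {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
   "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
  {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
   "version": "2.0-beta9", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"},
  {"type": "library", "group": "com.example", "name": "widgets",
   "version": "1.0.0", "purl": "pkg:maven/com.example/widgets@1.0.0"}
 ]
}"""

# Inclusive affected range, taken here as the log4j-core range from the original
# Log4Shell advisory (2.0-beta9 through 2.14.1); swap in the advisory you are triaging.
AFFECTED = {"group": "org.apache.logging.log4j", "name": "log4j-core",
            "min": "2.0-beta9", "max": "2.14.1"}

def version_key(v):
    """Sortable key: numeric parts, then a pre-release marker (pre-releases sort first)."""
    main, _, pre = v.partition("-")
    nums = tuple(int(x) if x.isdigit() else 0 for x in main.split("."))
    nums += (0,) * (3 - len(nums))          # "2.0" compares like "2.0.0"
    if not pre:
        return nums + (1, "", 0)            # a final release ranks above any pre-release
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", pre)
    label, num = (m.group(1).lower(), int(m.group(2) or 0)) if m else (pre.lower(), 0)
    return nums + (0, label, num)

def find_affected(sbom_json, affected=AFFECTED):
    """Return purls of SBOM components whose version lies inside the affected range."""
    lo, hi = version_key(affected["min"]), version_key(affected["max"])
    hits = []
    for c in json.loads(sbom_json).get("components", []):
        if c.get("group") == affected["group"] and c.get("name") == affected["name"]:
            if lo <= version_key(c["version"]) <= hi:
                hits.append(c.get("purl", f'{c["group"]}:{c["name"]}@{c["version"]}'))
    return hits
```

Run across every application’s SBOM, the same function produces the “where is it” list the section asks for; log4j-api and the patched 2.17.1 build drop out because the match is on component name and version, not on the word “log4j”.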

Phishing, deepfakes, and the new face of deception

Phishing has always been the easiest way in. The difference today? It now has a face and sometimes your CFO’s voice. With generative AI, all phishing is spear phishing. Attackers can scrape a target’s social presence, craft flawless messages in any language, and even clone their voice or likeness.

Real-world example: Recent fraud cases show just how convincing it’s become. One multinational manufacturer was duped out of $25 million after employees joined what looked like a legitimate video call with the “finance chief.” It was a deepfake.

The Fix: Technology will need to evolve (voice authentication, watermarking, content provenance), but defenders can act now:
• Implement phishing-resistant MFA.
• Establish “safe words” or verification steps for financial or account-change requests.
• Educate continuously.

There’s no malware or zero-day in these attacks—just manipulation. It’s the human brain versus the human brain, supercharged by AI.

Zero Trust and cybersecurity vegetables

A mentor once told me, “You have to eat your cybersecurity vegetables.” That means staying disciplined about the fundamentals: MFA everywhere, least privilege, patching, and continuous monitoring. Zero Trust isn’t a product: it’s a posture. It assumes breach and validates every request, human or machine, based on identity, device, and context.

Real-world example: The 2017 Equifax breach happened because the company failed to patch a known flaw in Apache Struts, even though a fix had been available for two months. Attackers exploited the unpatched system to steal sensitive data from over 145 million people, making it one of the most damaging examples of poor patch management.

The Fix: Simple practices go a long way:
• Enforce MFA for all access—internal and external.
• Segment networks; treat east-west traffic as hostile.
• Implement automated patch management.

Zero Trust is just another way of saying: trust no one, verify everything. Including your code, your agents, and yourself.

The future: from perimeter to persona

As we hand more work to digital agents, the attack surface grows in ways policy alone can’t contain. Each new AI model, automation script, or third-party integration becomes a potential accomplice. Tomorrow’s breaches won’t come from a faceless hacker exploiting a firewall. They’ll come from a friendly agent doing exactly what it was told, for the wrong person.

So, yes, the future will belong to those who govern identities as rigorously as they secure data. That means knowing who (or what) can access what, for how long, and under whose authority. It means building guardrails before agents drive themselves off the road.

Closing thoughts

When I started out, defense was about keeping the bad guys out. Now it’s about keeping the good code honest. Attack paths haven’t changed much. They’re still focused on remote access, misconfiguration, exploited vulnerabilities, weak credentials, and human error. What’s changed is their scale, speed, and sophistication. Add a million machine identities and an army of generative forgers, and the margin for error disappears.

Cybersecurity today is less about heroics and more about hygiene. Eat your vegetables. Audit your identities. Trust nothing you can’t verify. Because in a world where every face, voice, and login could be synthetic, the only real perimeter left is vigilance.
