Least privilege is one of those security principles that virtually everyone agrees with and almost no one fully implements. The gap between what an organization’s access policy says and what its actual permission landscape looks like, across Active Directory, Entra ID, and cloud platforms, has been a persistent source of lateral movement risk for years. XM Cyber is adding capability to its Continuous Exposure Management platform specifically aimed at making that gap visible and actionable rather than theoretical.

The new features give security and identity teams granular insight into not just what permissions exist, but whether those permissions are actually being used. That distinction turns out to matter quite a lot in practice.

The Permission Problem at Enterprise Scale

Excessive permissions accumulate for reasons that are largely structural rather than negligent. Roles get provisioned for a project and never cleaned up. Elevated access gets granted for a specific task and quietly persists. Cloud entitlements expand as environments grow, and nobody goes back to audit what is still necessary. Over time, the gap between required access and granted access widens across thousands of identities, and each unnecessary permission becomes a potential path an attacker can use without triggering anything that looks anomalous, because the access was legitimately provisioned in the first place.

Gartner's framing of where this is heading is relevant context. The firm projects that by 2028, 70% of CISOs will be using identity visibility and intelligence capabilities specifically to shrink the IAM attack surface and reduce credential compromise risk. That projection reflects a recognition that identity has become the primary attack surface in hybrid cloud environments, and that managing it effectively requires more than policy documentation.

Boaz Gorodissky, CTO and Co-Founder at XM Cyber, described where the difficulty actually lives: “Least privilege access is a well-established principle for maintaining an effective security posture, but many organizations still struggle to achieve it due to the complexity of managing identities and access at enterprise scale. We’re adding granular visibility into access permissions and their actual usage so teams can quickly see whether elevated permissions across Active Directory, Entra, and cloud platforms are actually being used. If they aren’t, that’s a clear opportunity to remove permissions to reduce the attack surface and improve risk posture without disrupting operations.”

The last part of that statement carries weight. Revoking permissions that are actively in use creates operational disruption and generates pushback from the teams affected. Revoking permissions that nobody has used in six months is a straightforward risk reduction exercise with no operational cost. The problem has always been knowing which situation you are in.

Two New Capabilities, One Underlying Logic

Active Directory Excessive Permissions

The Active Directory component assesses how frequently entities are making use of their permissions, giving identity security practitioners the usage evidence they need to make defensible decisions about whether a specific permission level is still warranted. That evidence component is not trivial. Getting a permission revoked in a large organization typically requires justification, and “we think this might be excessive” is a weaker argument than “this permission has not been used in 90 days and sits on an attack path we have mapped.”

By connecting permission usage data to attack path context already available in XM Cyber's platform, teams can prioritize which excessive permissions represent genuine exposure versus which ones are low-risk cleanup candidates.

Cloud Infrastructure Entitlement Management

The CIEM capability applies similar logic to cloud environments, evaluating entitlement usage patterns across multi-cloud deployments to give cloud security and DevSecOps teams a coherent view of overly permissive roles at scale. Multi-cloud environments are where permission sprawl tends to be worst, partly because each platform has its own entitlement model and partly because the pace of cloud infrastructure change makes manual hygiene impractical.

The output here is not just an inventory of what exists. It is a continuously updated picture of what is being used, what is sitting idle, and where the overlap with active attack paths makes cleanup urgent versus routine.

Connecting Identity Risk to the Broader Exposure Picture

What separates this from a standalone identity governance tool is where these capabilities sit within XM Cyber’s existing platform. Identity risk does not exist in isolation inside a real environment. Excessive permissions become meaningful attack vectors when they connect to misconfigured services, exposed credentials, vulnerable systems, or other exposures that form the links in an attack chain.

XM Cyber’s Continuous Exposure Management platform already maps those chains across hybrid environments. Embedding permission usage intelligence into that same context means security teams can see not just that a permission is excessive, but how it fits into the attack paths that represent the highest actual risk. An unused permission on an account that sits nowhere near a critical asset is a different priority than an unused permission on an account that connects directly to a path leading to domain controller access.

That prioritization context is what has historically been missing from identity hygiene programs. Teams know they have too many excessive permissions. They do not always know which ones to fix first.
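As an added illustration of the logic this section and the CIEM section describe (this is not XM Cyber's code; the account names, permissions, attack-path edges and critical assets below are constructed), the following Python takes permission grants with last-used timestamps, applies the 90-day idleness threshold mentioned above, and ranks idle grants by whether their target sits on a mapped path to a critical asset:

```python
"""Rank excessive-permission cleanup candidates by combining usage evidence
(last-used timestamps) with attack-path context (reachability of a critical
asset). Added example; all names, edges and timestamps are constructed."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

IDLE_DAYS = 90  # the "not used in 90 days" threshold from the article


@dataclass(frozen=True)
class Grant:
    principal: str                 # account, group or cloud role holding the permission
    permission: str                # permission name as the platform reports it
    target: str                    # object the permission applies to
    last_used: Optional[datetime]  # None: no recorded use at all


# Constructed sample mixing AD-style and cloud-style grants (hypothetical names).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
GRANTS = [
    Grant("svc-backup", "GenericAll", "OU=Servers", NOW - timedelta(days=2)),
    Grant("jdoe", "WriteDACL", "GPO-Workstations", NOW - timedelta(days=200)),
    Grant("contractor-7", "ResetPassword", "DC01$", None),
    Grant("ci-runner", "iam:PassRole", "role/deploy-prod", NOW - timedelta(days=120)),
    Grant("analyst-3", "s3:GetObject", "bucket/public-docs", None),
]

# Constructed attack-path edges: (src, dst) means control of src yields access to dst.
ATTACK_EDGES = [
    ("GPO-Workstations", "WS-Admin"),
    ("WS-Admin", "DC01$"),
    ("role/deploy-prod", "db/customer-pii"),
]
CRITICAL_ASSETS = {"DC01$", "db/customer-pii"}


def is_idle(grant, now=NOW, idle_days=IDLE_DAYS):
    """Usage evidence: never used, or last used more than idle_days ago."""
    if grant.last_used is None:
        return True
    return (now - grant.last_used) > timedelta(days=idle_days)


def reaches_critical(start, edges, critical):
    """Breadth-first search over the attack-path graph: does `start`
    (or anything reachable from it) appear in the critical-asset set?"""
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, []).append(dst)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node in critical:
            return True
        for nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def prioritize(grants, edges=ATTACK_EDGES, critical=CRITICAL_ASSETS, now=NOW):
    """Classify each grant as 'in_use' (leave alone), 'urgent' (idle and on a
    mapped path to a critical asset) or 'routine' (idle, no mapped path).
    Returns (tier, grant, reason) tuples with urgent items first."""
    order = {"urgent": 0, "routine": 1, "in_use": 2}
    rows = []
    for g in grants:
        if not is_idle(g, now):
            tier, reason = "in_use", "used within %d days, not a candidate" % IDLE_DAYS
        elif reaches_critical(g.target, edges, critical):
            tier, reason = "urgent", "idle and on a mapped path to a critical asset"
        else:
            tier, reason = "routine", "idle, no mapped path to a critical asset"
        rows.append((tier, g, reason))
    rows.sort(key=lambda r: order[r[0]])  # stable sort keeps input order within a tier
    return rows


if __name__ == "__main__":
    for tier, g, reason in prioritize(GRANTS):
        print(f"{tier:8} {g.principal:13} {g.permission:14} on {g.target}: {reason}")
```

The two inputs are deliberately separate: `is_idle` is the defensible usage evidence a revocation request needs, and `reaches_critical` is the exposure context that decides ordering. A grant in active use is never proposed for removal regardless of where it sits, which is what keeps the cleanup free of operational disruption.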

Remediation Across Teams That Do Not Always Coordinate Well

One friction point the new capabilities are designed to address is the handoff between security teams and the IT or DevOps teams who actually implement permission changes. Security identifies the risk. Someone else owns the fix. Without clear evidence and documented context, the handoff produces delays, pushback, and permissions that remain excessive long after they were flagged.

By surfacing usage data alongside attack path context inside the same platform, XM Cyber is attempting to give security teams the documentation they need to move remediation workflows faster across organizational boundaries. The evidence is built into the finding rather than requiring a separate investigation to produce.

Why the Timing Makes Sense

AI-enabled attackers are changing the economics of credential-based attacks. Reconnaissance that previously required significant manual effort, mapping permission relationships across an Active Directory environment, identifying which accounts have lateral movement potential, and finding entitlements that connect cloud workloads to sensitive data, is increasingly automatable. The window between initial access and meaningful damage is compressing.

In that environment, the organizations that have done the work to right-size permissions proactively are in a materially different position than those carrying years of accumulated access sprawl. The attack surface that excessive permissions represent is not new, but the speed at which attackers can find and exploit it is.

Research and Intelligence Sources: XM Cyber, Gartner
