Industry-First Report from Veza Showcases the Challenge of Managing Access Permissions for Identity and Security Teams

Veza, the identity security company, today unveiled its inaugural State of Access report, a detailed analysis that assesses the current state of access permissions across hundreds of organizations. This first-of-its-kind report establishes benchmarks for IT, security, and identity professionals to better understand their own identity security posture and areas to consider for reducing the risk of breaches.

Proprietary data shows scale of enterprise permissions and excess privilege that could leave organizations vulnerable

Modern technologies like software as a service (SaaS), infrastructure as a service (IaaS), cloud data lakes, databases, and GenAI models all depend on identity to access and protect the sensitive data within. Yet, industry research shows that 80% of cyberattacks involve identity and compromised credentials, demonstrating that traditional methods for governing access have fallen short.

“Permissions are the treasure map, and hackers have figured this out,” said Tarun Thakur, co-founder and CEO, Veza. “Traditional identity tools, with directory services and listing users and groups, do not represent access. The true picture of access is rooted in permissions. Digital transformation has increased the complexity of access permissions, making it more important than ever for organizations to enforce the principle of least privilege. The numbers in this report are a wakeup call for security and identity teams, many of which struggle to see who can take what action on enterprise data.”

Veza’s dataset reveals that the average organization has roughly 1,400 permissions for every employee, an alarmingly high ratio when considering that traditional identity tools were not built to visualize or manage permissions at this scale. The findings also show that identity teams face a daunting number of groups and roles to manage. With organizations averaging nearly 700 groups for every 1,000 users, it is difficult for admins to choose the least-privilege groups and roles that will meet the needs of any given employee, contractor, or service account.

Other findings highlighted in the report include:

  • This is the multi-identity era, with fragmented and duplicated identities. Organizations use an average of 1.75 identity platforms, with the most prominent being Microsoft’s Entra ID, Microsoft’s Active Directory (AD), and Okta.
  • Cloud and GenAI adoption have increased the number of non-human identities (e.g. service accounts and service principals). Veza sees a ratio of 17-to-1 for non-human identities to human workers. This is especially prevalent in AWS, Azure, and Google Cloud.
  • Dormant permissions are pervasive. Deactivated users account for 16.5% of all permissions assigned to users in identity platforms, especially those in Microsoft’s Active Directory and Entra ID. 14.7% of users are considered dormant.
  • Excessive permissions need to be cleaned. Though just 0.1% of users in identity platforms are explicitly labeled as privileged accounts, implicit privilege is pervasive. 34% of all effective permissions tracked by Veza include the ability to delete data. For example, 17% of Snowflake roles have permissions to delete, as do 30% of AWS IAM roles. In addition, nearly all users of Snowflake and AWS IAM are using less than 20% of the resources to which they have access.
  • Multi-factor authentication (MFA) is not a given. Across the millions of identities analyzed by Veza, 13% of users still have not enabled MFA.

“This data from Veza validates the urgent need for organizations to create a culture of access removal,” said Adam Fletcher, Chief Security Officer, Blackstone. “Removing users who are inactive or permissions that aren’t being used mitigates risks. More than anything, I think these numbers will inspire the reader to ask questions about access in their own organization. Once an organization can see its identity posture, it can begin to manage it.”

About Veza

Veza is the Identity Security company, helping organizations secure access across the enterprise. Veza’s Access Platform goes beyond identity governance and administration (IGA) tools to visualize, monitor, and control entitlements so that organizations can stay compliant, achieve least privilege, and de-risk the breach. Global enterprises like Wynn Resorts, Expedia, and Blackstone trust Veza to manage identity security posture, with use cases in privileged access management (PAM), non-human identities (NHI), cloud entitlements (CIEM), data system entitlements, SaaS entitlements, and IGA. Founded in 2020, Veza is headquartered in Los Gatos, California, and is funded by Accel, Bain Capital, Ballistic Ventures, Google Ventures (GV), Norwest Venture Partners, and True Ventures. Follow us on LinkedIn, Twitter, and YouTube.


Justin McCann
R1 Communications for Veza