Executive summary: Identity is now the primary attack surface in financial services. Weak identity controls played a defining role in roughly 90% of incidents analyzed in Palo Alto Networks' 2026 Global Incident Response Report, with 65% of attacks starting via identity-based vectors such as stolen credentials or MFA bypass. [1: itpro.com] Meanwhile, financial services faced about 2,500 data breaches in 2023, a 15% year-over-year increase, with total fines reaching $4.45 billion. [2: gitnux.org]
This is not a perimeter problem; it's an identity governance problem: inconsistent access controls, partial automation, and critical gaps across long-tail apps and non-human identities. This article breaks down what recent breaches actually reveal, how regulators are responding, and what complete, continuous identity governance must look like for finance and professional services.
Identity Is the New Perimeter in Financial Services
Attackers target the weakest controls and the biggest payoffs. In financial services, that increasingly means identities, not firewalls.
- Palo Alto Networks' Unit 42 found weak identity controls impacted 90% of the incidents it investigated between October 2024 and September 2025, with identity-based techniques used for initial access in 65% of cases. [1: itpro.com]
- Credential theft now triggers about one in five data breaches, with compromised credentials up 160% in 2025. [3: itpro.com]
- In financial services, insider threats from stolen credentials drove about 23% of breaches in 2023, and 71% of firms cited employee error (mainly password-related) as the main cause. [4: zipdo.co]
The financial sector remains a prime target:
- Financial firms saw ransomware attacks jump 28% year-over-year in 2023, with around 1,200 incidents globally. [2: gitnux.org]
- 82% of surveyed financial services organizations reported at least one data breach in the past year. [5: paranoidcybersecurity.com]
The trend is clear: if your identity governance is only partial, attackers will find the gaps before auditors do.
Lessons from Recent Access-Related Breaches
Breaches rarely hinge on a single zero-day. It's usually a chain of small, preventable identity and access failures compounding into a major incident.
Snowflake customer breaches (2024): MFA gaps at scale
In 2024, attackers went after Snowflake customer environments, including major finance and professional services brands, using infostealer-harvested credentials.
- Forensics showed threat actors used stolen usernames and passwords to access Snowflake customer instances where MFA was not enabled, exposing "systemic gaps in MFA adoption." [6: en.wikipedia.org]
- Hundreds of Snowflake credentials showed up in underground markets; incident responders stressed the lack of enforced MFA, not a platform flaw, as the decisive weakness. [7: itpro.com]
Identity governance failure:
- MFA policies weren't enforced on high-value platforms.
- No visibility into which accounts (including contractors and service accounts) lacked MFA.
- Limited centralized oversight over app-level identities outside the primary IdP.
Key takeaway: Assume credentials will leak. Governance must ensure:
- Universal MFA for critical systems, not team-by-team.
- Non-human and third-party accounts governed with employee-level rigor.
- The ability to answer "who can log into this system, with what factors, from where?" instantly.
Capital One (2019): Cloud IAM misconfigurations = governance gaps
The Capital One AWS breach remains a painful lesson for any bank or insurer building in the cloud.
- In 2019, a former AWS engineer exploited a misconfigured web application firewall (WAF) to conduct SSRF, pull over-privileged IAM role credentials, and exfiltrate data on about 100 million Capital One customers. [8: medium.com]
- The incident cost Capital One about $270 million in remediation, fines, and settlements. [9: securiu.com]
Identity governance failure:
- IAM roles with excessive privileges.
- No effective, continuous checks for risky roles tied to internet-facing services.
- No correlation between "who should access what" and what identities could actually do at runtime.
Key takeaway: Cloud IAM configuration IS identity governance. If your JML (joiner-mover-leaver) and access reviews don't reach granular cloud roles and service accounts, you're only governing a small fraction of your attack surface.
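The "continuous checks for risky roles tied to internet-facing services" called for above, as an added example that is not from the page or from Iden: a small Python linter over IAM policy documents that flags Allow statements granting sensitive action families (S3, Secrets Manager, IAM, STS) on every resource, and rates the finding higher when the role backs an internet-facing service. The two policy documents and the internet-facing role set are constructed samples.

```python
import json

# Constructed sample: two IAM role policy documents in the JSON form AWS
# returns them, plus the set of roles that back internet-facing instance
# profiles (assumed to come from your EC2/CMDB inventory; values are illustrative).
ROLE_POLICIES = {
    "waf-proxy-role": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "arn:aws:logs:*:*:*"}]}),
    "batch-report-role": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::reports-bucket/*"}]}),
}
INTERNET_FACING_ROLES = {"waf-proxy-role"}

# Action families that should never be granted on every resource.
SENSITIVE_PREFIXES = ("s3:", "secretsmanager:", "iam:", "sts:")

def as_list(value):
    """IAM allows a single string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def risky_statements(policy_json):
    """Return Allow statements that pair a wildcard resource with a wildcard or sensitive action."""
    doc = json.loads(policy_json)
    findings = []
    for stmt in as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        broad_resource = "*" in resources
        broad_action = any(a == "*" or a.endswith(":*") or a.startswith(SENSITIVE_PREFIXES) for a in actions)
        if broad_resource and broad_action:
            findings.append({"actions": actions, "resources": resources})
    return findings

def review_roles(policies, internet_facing):
    """Rate each over-broad role; the same grant is 'high' when the role backs an internet-facing
    service, because an SSRF against that service hands the role's credentials to the attacker."""
    report = {}
    for role, policy in policies.items():
        hits = risky_statements(policy)
        if hits:
            severity = "high" if role in internet_facing else "medium"
            report[role] = {"severity": severity, "findings": hits}
    return report

if __name__ == "__main__":
    for role, result in review_roles(ROLE_POLICIES, INTERNET_FACING_ROLES).items():
        print(f"{result['severity'].upper():6} {role}: {[h['actions'] for h in result['findings']]}")
```

Run on a real account, the policy documents would come from the IAM API and the internet-facing set from your load balancer or instance inventory; the check itself stays the same.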
MOVEit attacks (2023-2024): Third-party systems, first-order risk
The MOVEit Transfer vulnerabilities exploited by Cl0p didn't start as an identity issue, but they quickly became one.
- A critical MOVEit flaw led to breaches at 2,700+ organizations and exposed about 93.3 million individuals' data, including in finance and government. [10: en.wikipedia.org]
Once attackers had access to a managed file transfer platform, how far they could get depended on:
- How broad service/technical user permissions were.
- Whether MOVEit and downstream systems had least-privilege, time-bound access.
- Whether anyone was monitoring those identities for suspicious activity.
Key takeaway: Vendor platforms carrying regulated data need governance. If their identities and entitlements are outside your governance layer, you've outsourced a chunk of your attack surface to blind trust.
loanDepot (2024): Ransomware, exfiltration, operational paralysis
loanDepot is a case study in what happens when attackers reach the core financial stack.
In January 2024, loanDepot reported that an unauthorized third party had accessed phone and loan systems, disrupting operations and exposing sensitive data for 16.6 million people. [11: investors.loandepot.com]
Subsequent disclosures confirmed ransomware, major downtime, and widespread remediation. [12: cybernews.com, https://cybernews.com/news/loandepot-finally-reveals-what-data-exposed-in-jan-hack/] The public record doesn't detail every control failure, but we know that at-scale ransomware campaigns in finance succeed when attackers can:
- Compromise one identity (often via stolen credentials or phishing).
- Move laterally across under-governed systems.
- Escalate privileges without triggering real-time reviews or policy breaks.
Key takeaway: Ransomware in financial services is an identity and entitlement issue. How quickly can an attacker turn one access point into system-wide privileges?
Where Identity Governance Breaks in Financial & Professional Services
Finance and professional services teams don't start from zero. Most have SSO, some MFA, and a "modern IGA" covering a few core apps. The holes are in the fine print.
1. Coverage: The 20-40% automation trap
For most mid-market and lower-enterprise organizations:
- SSO/lifecycle tools automate obvious systems (core HR, IdP, flagship SaaS).
- 60-80% of the stack (niche SaaS, industry portals, legacy line-of-business systems, regional tools, OT/ICS) still relies on tickets and spreadsheets.
Iden's customer conversations in finance and professional services reveal:
- Critical apps like Salesforce, DocuSign, and NetSuite are often left outside end-to-end automation, despite being central to every audit.
- SOC 2/ISO 27001 user access reviews for these apps consume ~120 hours/quarter of manual effort in many finance and professional services orgs.
This is where attackers get creative and auditors dig deepest.
2. Control: Coarse-grained access and rubber-stamp reviews
Even with SSO or provisioning, control is often shallow:
- Blanket group entitlements undifferentiated by sensitive/routine actions.
- Permissions like "view all client accounts" rolled into single roles, with no SoD (Segregation of Duties) checks.
- Reviews happen via CSV exports and spreadsheets, rubber-stamped because no one has time to dig deep.
Our research put it bluntly: "Access reviews shouldn't be a spreadsheet the week before an audit." When reviewers are overloaded, least privilege is theory, not practice.
3. Cost & Compliance: Paying more, governing less
Partial governance hits compliance and budgets:
- Regulatory risk. Financial services breach fines hit about $4.45 billion globally in 2023, before remediation and legal costs. [2: gitnux.org]
- SCIM tax and SaaS bloat. Teams pay enterprise-plan premiums purely to unlock SCIM for a few apps, then manage most of the stack manually. Iden customers routinely cut up to 30% of SaaS spend by avoiding SCIM-gated upgrades and reclaiming unused licenses.
The result: "modern" controls everywhere except where attackers and auditors pay attention: the unmanaged long tail.
Regulators: Identity Governance Is Now Non-Negotiable
Regulators in the US, UK, and EU are drawing a straight line: bad access controls create systemic financial risk.
How major frameworks treat identity and access
| Framework / Regulation | Scope for Finance & Professional Services | Identity / Access Expectations |
|---|---|---|
| PCI DSS 4.0 | Card processing, payment data | Universal MFA for all access into cardholder environments by Mar 31, 2025; unique IDs per user; stronger password/auth controls (Req. 8). [13: hypr.com] |
| DORA (EU 2022/2554) | EU financial entities, key ICT | Harmonized ICT risk management (from Jan 2025), explicit access and identity control requirements, MFA in risk frameworks. [14: en.wikipedia.org] |
| NYDFS 23 NYCRR 500 | NY-regulated financial firms | Defines "access controls and identity management" as a separate domain. [15: dfs.ny.gov] |
| GLBA Safeguards Rule (US) | Financial institutions with consumer data | Requires written security plans covering access controls/identity security as "reasonable safeguards." [16: en.wikipedia.org] |
| SOX 404 (US) | Public company financial reporting | Mandates that management and auditors assess internal control effectiveness, which in practice includes user access governance for ledgers, ERP, and reporting. [17: en.wikipedia.org] |
If your identity governance can't show who had which access, when, and why, across every system feeding financial reports or handling regulated data, you're gambling that:
- Auditors will never look beyond your "main" apps.
- Attackers will stick to your best-protected systems.
That's not strategy. That's wishful thinking.
From Static Checks to Continuous, Complete Governance
Quarterly reviews and "role design" projects are no match for non-stop credential theft, social engineering, and cloud misconfigurations.
Modern identity governance for finance and professional services demands more.
1. Complete coverage: Every app, human and non-human
Complete means:
- Every application that touches financial data, client records, or regulated information is governed, including:
  - Long-tail SaaS (e-signature, niche portfolio/claims tools)
  - Legacy/on-prem financial systems
  - Provider portals and OT/ICS where relevant
- Every identity (employees, contractors, bots, service accounts, AI agents) is owned, life-cycled, and policy-managed.
Iden is built on this principle: universal connectors that govern any app, whether SCIM, API, or otherwise, at the true risk layer (projects, repositories, environments).
2. Fine-grained, policy-driven access
Stop asking "who has an account in System X?" Ask:
- Who can approve payments above £10,000?
- Who can see high-net-worth portfolios?
- Which service accounts can touch production vs test data?
This requires:
- Fine-grained entitlements (e.g., project, repository, or dataset level)
- Policy-as-code (SoD, least privilege, time-bounded access)
- Agentic workflows (AI-driven, autonomous) that:
  - Auto-approve low-risk requests
  - Flag high-risk combinations (e.g., trading + settlement)
  - Continuously right-size permissions as roles evolve
Iden calls this "SCIM++": deeper-than-group-sync connectors plus policy-driven workflows for joiners, movers, leavers, and just-in-time access.
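One way to express the SoD, least-privilege and time-bound rules from the list above as policy-as-code, as an added example rather than Iden's product or any code from the page. The conflict pairs, the high-risk entitlement set, the eight-hour grant lifetime and the sample identities are all assumptions chosen to match the page's own examples (trading + settlement, payment approval).

```python
from datetime import datetime, timedelta, timezone

# Policy-as-code, as constructed sample data: toxic entitlement pairs (SoD),
# entitlements that always need a human approver, and the default grant lifetime.
SOD_CONFLICTS = [
    frozenset({"trading:execute", "settlement:approve"}),
    frozenset({"payments:create", "payments:approve"}),
]
HIGH_RISK = {"payments:approve", "settlement:approve", "portfolio:hnw-view"}
DEFAULT_TTL = timedelta(hours=8)

# Effective entitlements each identity currently holds (illustrative; a real
# workflow would pull these from every app, not just the IdP's groups).
CURRENT_ACCESS = {
    "alice": {"trading:execute"},
    "bob": {"reports:view"},
    "svc-recon-bot": {"ledger:read"},
}

def evaluate_request(identity, entitlement, current=CURRENT_ACCESS, now=None):
    """Decide an access request against policy.
    Returns (decision, reason, expires_at): 'deny' on an SoD conflict with what the identity
    already holds, 'flag' when a human approver is required, otherwise 'auto-approve' with a time bound."""
    now = now or datetime.now(timezone.utc)
    proposed = current.get(identity, set()) | {entitlement}
    for pair in SOD_CONFLICTS:
        if pair <= proposed:
            return ("deny", f"SoD conflict: {sorted(pair)}", None)
    expires_at = now + DEFAULT_TTL
    if entitlement in HIGH_RISK:
        return ("flag", "high-risk entitlement, approver required", expires_at)
    return ("auto-approve", "low-risk, time-bound grant", expires_at)

# Just-in-time grants already issued (constructed), with ISO-8601 expiry timestamps.
SAMPLE_GRANTS = [
    {"identity": "contractor-jo", "entitlement": "payments:create", "expires_at": "2025-01-01T17:00:00+00:00"},
    {"identity": "alice", "entitlement": "trading:execute", "expires_at": "2025-01-02T09:00:00+00:00"},
]

def sweep_expired(now_iso, grants=SAMPLE_GRANTS):
    """Identities whose time-bound grants have lapsed, so revocation is driven by policy
    rather than discovered at the next quarterly review."""
    now = datetime.fromisoformat(now_iso)
    return [g["identity"] for g in grants if datetime.fromisoformat(g["expires_at"]) <= now]

if __name__ == "__main__":
    print(evaluate_request("alice", "settlement:approve")[:2])  # denied: trading + settlement
    print(evaluate_request("bob", "payments:approve")[:2])      # flagged for a human approver
    print(sweep_expired("2025-01-01T18:00:00+00:00"))          # ['contractor-jo']
```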
3. Continuous controls, not review-week theater
Attacks are continuous; governance must be too.
That means:
- All onboarding, role changes, offboarding auto-trigger policy checks and provisioning across all systems.
- Ongoing background access reviews, not just quarterly fire drills.
- High-risk entitlements (payment, export rights) monitored nearly in real time.
Outcomes with Iden:
- Up to 80% fewer manual access tickets as agentic workflows handle routine provisioning/approvals.
- ~120 hours saved per quarter on access reviews, thanks to automated evidence and focused reviewer prompts.
- Immutable audit logs to instantly answer "who had access to what, when, and why," without chasing screenshots.
4. Strong, consistent authentication-especially on data platforms
Snowflake incidents proved one thing: password-only access on high-value systems is a breach waiting to happen.
For financial/professional services, the baseline is now:
- Default-on MFA (ideally phishing-resistant) for:
  - All admin access
  - All systems handling transaction/client data
- Centralized MFA status visibility, even for apps outside the IdP
- Governance for non-human identities (which cannot use MFA) via:
  - Short-lived credentials
  - Vaulted secrets with enforced rotation
  - Policy-controlled, auditable usage
PCI DSS 4.0 and DORA are codifying this trend; identity governance platforms must make it operational for lean teams, not just compliance teams. [13: hypr.com]
Actionable Steps for IT & Security Leaders in Finance/Professional Services
You don't need a 300-page IAM roadmap. You need a staged plan that reduces risk and audit pain fast.
1. Map your true identity surface, not just your IdP
- Inventory every application touching financial, client, or regulated data.
- Include:
  - SaaS (CRM, billing, DMS, analytics)
  - On-prem systems/databases
  - External portals (banks, regulators, partners)
  - OT/ICS as relevant
- For each, capture:
  - Identity store type
  - Auth methods (password, SSO, MFA)
  - Admin/break-glass accounts
Your "identity surface map" is the compliance/security baseline.
2. Quantify your coverage and control gaps
Ask for each app/identity:
- Is onboarding automated, partially automated, or manual?
- Does offboarding remove access everywhere, or just from HR/IdP?
- Are entitlements fine-grained and policy-driven, or default roles?
- How often are rights reviewed, and can you show evidence?
Most teams discover:
- Only 20-40% of apps are automated; 60-80% are not.
- Contractor, vendor, and bot identities are mostly outside JML.
- Access review evidence is scattered across exports, screenshots, and emails.
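A worked identity-surface map and gap report, as an added example (not code from the page or from Iden) that covers steps 1 and 2 here, the Snowflake takeaway's "who can log into this system, with what factors" question, and the secret-rotation check for non-human identities from section 4. The inventory rows, account names, dates and the 90-day rotation policy are constructed assumptions.

```python
from datetime import date

# Constructed identity-surface inventory: one row per app with its identity
# store, auth methods, lifecycle (JML) automation, and the accounts that live
# outside the IdP. Names and dates are illustrative, not real systems.
INVENTORY = [
    {"app": "core-hr", "store": "idp", "auth": {"sso", "mfa"}, "jml": "automated",
     "regulated": True, "local_accounts": []},
    {"app": "data-warehouse", "store": "local", "auth": {"password"}, "jml": "manual",
     "regulated": True, "local_accounts": [
         {"name": "svc-etl", "type": "service", "mfa": False, "secret_rotated": "2024-03-01"},
         {"name": "jo.contractor", "type": "contractor", "mfa": False, "secret_rotated": None}]},
    {"app": "e-signature", "store": "local", "auth": {"password", "mfa"}, "jml": "partial",
     "regulated": True, "local_accounts": [
         {"name": "ops.admin", "type": "admin", "mfa": True, "secret_rotated": None}]},
    {"app": "team-wiki", "store": "idp", "auth": {"sso"}, "jml": "automated",
     "regulated": False, "local_accounts": []},
]
MAX_SECRET_AGE_DAYS = 90  # assumed rotation policy for service-account secrets

def coverage(inventory):
    """Percentage of apps with fully automated JML, overall and for regulated apps only."""
    def pct(rows):
        return round(100 * sum(r["jml"] == "automated" for r in rows) / len(rows)) if rows else 0
    return {"all": pct(inventory), "regulated": pct([r for r in inventory if r["regulated"]])}

def mfa_gaps(inventory):
    """Answer 'who can log in, with what factors': regulated apps without MFA enforced at the
    app level, and human accounts outside the IdP that have no MFA."""
    gaps = []
    for r in inventory:
        if r["regulated"] and "mfa" not in r["auth"]:
            gaps.append((r["app"], "app-level MFA not enforced"))
        for a in r["local_accounts"]:
            if a["type"] != "service" and not a["mfa"]:
                gaps.append((r["app"], f"{a['name']} ({a['type']}) has no MFA"))
    return gaps

def stale_service_secrets(inventory, today_iso):
    """Service accounts (which cannot use MFA) whose secret is older than the rotation policy."""
    today = date.fromisoformat(today_iso)
    return [(r["app"], a["name"]) for r in inventory for a in r["local_accounts"]
            if a["type"] == "service" and a["secret_rotated"]
            and (today - date.fromisoformat(a["secret_rotated"])).days > MAX_SECRET_AGE_DAYS]

def offboarding_reach(inventory):
    """Apps where an HR/IdP leaver event does not remove access: local stores without automated JML."""
    return [r["app"] for r in inventory if r["store"] == "local" and r["jml"] != "automated"]

if __name__ == "__main__":
    print(coverage(INVENTORY), mfa_gaps(INVENTORY), sep="\n")
    print(stale_service_secrets(INVENTORY, "2024-09-01"), offboarding_reach(INVENTORY))
```

The four reports together are the evidence an auditor asks for in step 2: automation coverage, MFA posture per system, rotation status of non-human credentials, and which apps an offboarding trigger never reaches.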
3. Close highest-risk identity gaps first
Prioritize:
- High-value data/payment systems (Snowflake, core banking):
  - Enforce MFA and least privilege everywhere
  - Govern all admin/service accounts
- Offboarding and contractor lifecycle:
  - Single trigger (HR/IdP) = revocation everywhere
  - Wire local/external accounts into the same flow
- Access reviews for financial/client data systems:
  - Automate evidence
  - Ask targeted (not blanket) review questions
4. Shift from tickets/scripts to agentic workflows
If automation depends on brittle scripts/connectors, every new app or audit = another project.
A scalable model:
- Define central policies (birthright, SoD, time-bound)
- Execute with agentic workflows that:
  - Read HR/IdP changes
  - Provision/deprovision at app/entitlement level
  - Escalate for human judgment only when needed
This is Iden's approach: lean teams get universal coverage, fine-grained control, and no code/config overhead.
5. Make audit readiness automatic, not a quarterly scramble
When identity governance is continuous and complete, compliance is a reporting task, not a fire drill.
Aim for:
- Immutable, centralized logs of all access changes
- Controls mapped to PCI DSS, SOC 2, ISO 27001, DORA, etc.
- Dashboards for immediate "who had access when" answers
When auditors can self-serve this data, the conversation shifts: from gap-hunting to "how do we roll this out for new regs?"
Frequently Asked Questions
How is identity governance different from SSO or "just using MFA everywhere"?
SSO and MFA are essential, but not enough.
- SSO standardizes login.
- MFA makes credential theft harder.
Identity governance sits above both, defining and enforcing "who should access what, when, under which policies?" across onboarding, offboarding, and entitlements, including unmanaged apps and service accounts.
You can have SSO+MFA and still be exposed through:
- Orphaned accounts in unintegrated SaaS
- Over-privileged bots/service accounts
- Blanket permissions in finance systems
We already pass audits. Why invest more in identity governance?
Passing an audit means you met a baseline-nothing more.
- It doesn't mean day-to-day least-privilege is enforced.
- It doesn't mean high-risk entitlements are right-sized or monitored.
- It doesn't prevent attacks between audits.
Regulators are moving to continuous assurance: DORA, PCI DSS 4.0, and NYDFS demand ongoing, not annual, control. Complete, continuous governance makes audit readiness a built-in feature, not a last-minute ordeal.
Do firms with 50-200 people really need this?
Yes, for three hard reasons:
- Attackers use mid-market firms as stepping stones; finance, law, and consulting are common targets.
- Same regulations apply: PCI DSS, GLBA, SOC 2, DORA, client security reviews don't exempt small teams.
- Lean teams have no extra headcount; automation and agentic workflows are the only viable path.
Iden is built for this: complete coverage, fine-grained control, no IAM team needed.
How does universal app coverage help with standards like PCI DSS and DORA?
Frameworks don't care about SCIM or APIs; they want to know:
- Is access least-privilege, justified, logged?
- Is authentication strong?
- Can you show effective rights at any time-across ALL systems?
Universal coverage means:
- Cardholder data isn't exposed through "minor" reconciliation tools
- DORA-scoped systems (including vendor-hosted) have the same policies and logs
- Auditors see controls over the whole digital estate, not just primary apps
What about bots, service accounts, and AI agents, the "new species of identities"?
These identities:
- Move money (payment bots)
- Reconcile accounts (RPAs)
- Touch sensitive data/models (AI agents)
Treating them as an afterthought is over. Good governance means:
- Inventory/ownership like human accounts
- Least-privilege, time-bound entitlements
- Rotated, monitored, revocable credentials, managed through the same workflows
Iden's unified model puts all identities (people, bots, AI) under one dashboard, which is exactly what regulators and incident responders want to see.
Bottom line: Recent financial services breaches spotlight basic governance failures, not just exotic malware. They're gaps in MFA, excessive privileges, untracked portals, and long-tail apps outside policy. Closing these gaps doesn't require a massive platform or an endless project. It requires mapping your identity surface, shifting from static checks to continuous agentic controls, and using a platform built to cover every app and identity your operation relies on, not just the minority supporting SCIM.