Your access controls are labels, not boundaries
In 2020, elevated access aligned with identity inactivity, then exfiltration attempts. The root failure: access decisions never bound to identity state.
In 2020, monitored systems produced documented discontinuities. The observable record holds one pattern: elevated access requests coincided with periods of identity inactivity, and those requests were followed by data exfiltration attempts. That is the fact set. The actor is not confirmed. The motive is noise. The behavior is the briefing.
State the position plainly. Identity was treated as a boundary on paper and was not one in practice. An access request carrying elevated privilege has to be evaluated against the state of the identity making it. In the documented pattern, elevation was reachable while the identity showed no activity. A boundary that grants the same access to an active identity and a dormant one is not a boundary. It is a label.
Nothing here depends on knowing who issued the requests or how they obtained the position to issue them. Those details are not confirmed and are not required. The discontinuities are the signal. Elevated access aligned with inactivity, then exfiltration was attempted. Whether the exfiltration succeeded is not confirmed. The exposure stands regardless of outcome, because the path to attempt it was open.
What failed is observable without reference to intent. The system accepted elevated access requests that coincided with periods of identity inactivity. It did not condition the grant on whether the identity was active. The request was processed. The access was available. The exfiltration attempts followed.
Read that sequence as recorded, not as inferred. Inactivity and elevated access requests occupied the same window. The facts state coincidence, so coincidence is what is claimed. They do not state how long the inactivity lasted, how many identities were involved, or how many requests were issued. Those values are not confirmed. The pattern does not need them. One elevated grant against one dormant identity is sufficient to define the failure.
The exfiltration attempts are the second observable. They followed the access, in that order, per the stated facts. Sequence beyond “followed” is not confirmed. Persistence is not confirmed. Whether the same identity, session, or execution context carried through every stage is not confirmed. What is confirmed is that the elevated access existed and that exfiltration was attempted from a position the system had granted.
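One way to surface the recorded pattern from event data, as an added example that is not part of the original article: flag elevation requests from identities with no recent activity, then attach any egress alerts that followed. The event schema, both thresholds, and the correlation by identity are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

IDLE = timedelta(days=30)     # assumed dormancy threshold; the article gives none
FOLLOW = timedelta(hours=24)  # assumed look-ahead window for "followed"

# Constructed sample events: (ISO timestamp, identity, kind)
EVENTS = [
    ("2020-01-10T09:00:00", "alice", "activity"),
    ("2020-03-01T08:00:00", "bob", "activity"),
    ("2020-03-02T02:14:00", "alice", "elevation"),     # about 52 days idle
    ("2020-03-02T02:40:00", "alice", "egress_alert"),
    ("2020-03-02T10:00:00", "bob", "elevation"),       # 26 hours idle
    ("2020-03-02T10:30:00", "bob", "egress_alert"),
]

def find_discontinuities(events, idle=IDLE, follow=FOLLOW):
    """Return elevation requests made by idle identities, with later egress alerts."""
    last_seen = {}   # identity -> time of last ordinary activity
    findings = []
    parsed = sorted((datetime.fromisoformat(t), i, k) for t, i, k in events)
    for ts, ident, kind in parsed:
        if kind == "activity":
            # Only ordinary activity resets the idle clock; an elevation
            # request must not make a dormant identity look active again.
            last_seen[ident] = ts
        elif kind == "elevation":
            prev = last_seen.get(ident)
            if prev is None or ts - prev > idle:
                findings.append({
                    "identity": ident,
                    "elevated_at": ts,
                    "idle_for": None if prev is None else ts - prev,
                    "egress_alerts": [],
                })
        elif kind == "egress_alert":
            # Assumption: correlate by identity; the record does not confirm
            # that the same identity carried through every stage.
            for f in findings:
                gap = ts - f["elevated_at"]
                if f["identity"] == ident and timedelta(0) <= gap <= follow:
                    f["egress_alerts"].append(ts)
    return findings

if __name__ == "__main__":
    for f in find_discontinuities(EVENTS):
        print(f["identity"], f["elevated_at"], f["idle_for"], f["egress_alerts"])
```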
It failed because the access decision was not bound to identity state. Boundary controls, by the stated facts, were not enforced. An enforced boundary would have made identity state part of the access decision. The observable behavior shows it was not. Elevation processed against inactivity. The control that should have stopped that did not act on it, which on this record means it did not act at all.
A control that does not change the outcome is not a control. The facts describe a lack of enforced boundary controls, not a misconfigured one, and the distinction holds. Misconfiguration implies a control was present and set wrong. The record here states absence of enforcement. Where enforcement is absent, every request is trusted by default, and trust by default is the condition under which dormant identities obtain elevated access.
This is an identity and access boundary failure, located at the point where the request meets the grant. The execution context that issued the elevated request was not validated against the state of the identity behind it. The trust relationship that allowed the request to proceed was static. It was granted once and not re-checked at the moment of elevation. Static trust does not hold across state changes. When an identity goes dormant and the trust does not, the boundary is already gone. What replaced it after that point is not confirmed and does not need to be. The opening was structural.
The mechanism is narrow and it is exact. The grant was computed from the request and nothing else. The state of the identity behind the request was available to read and was not read. An access decision that does not take identity state as an input cannot condition its output on identity state. That is the whole of it. The system processed elevation the same way for an identity in use and an identity at rest, because to the decision they were the same thing: a request carrying the right claim. The claim was sufficient. Nothing checked what stood behind it.
Trust here was assigned once and treated as durable. The position from which elevation was reachable was settled at the point trust was granted and was not recomputed at the moment the elevated request was made. The execution context that issued the request inherited that grant. Dormancy did not revoke it. Dormancy did not trigger a re-check. The trust relationship was static, and a static trust relationship does not notice that the identity it points to has gone quiet. It keeps pointing.
This is why the failure is structural and not incidental. The dormant identity was not a special case the system mishandled. It was the ordinary path every request used, walked by an identity that happened to be inactive. Absence of enforcement means trust is granted by default at the point of elevation, and a default grant does not discriminate by state because it does not measure state. The exfiltration attempts followed from a position the system had already conceded. By the time the attempts appear in the record, the decision that mattered had been made and remained available. The boundary was not crossed at exfiltration. It was crossed at the grant, and the grant was never the boundary it was labeled as.
The pattern is not about dormant identities. Dormancy is the observable that exposed it. The failure is the decoupling of the access decision from identity state at the moment of elevation, and that decoupling does not care which state the identity is in. Inactivity is one state the decision failed to read. Any state change between the moment trust was established and the moment it was used would have produced the same result, because the decision reads none of them. The system did not fail to handle dormancy. It failed to handle state at all.
Hold that against the mechanism and it generalizes on its own terms. A grant that is correct when issued is correct only when issued. Every moment after, it is assumed correct, and assumption is not validation. The wider the gap between establishment and use, the more the identity behind the grant can diverge from the identity the grant was written for, while the grant itself stays fixed. A system that validates once and trusts thereafter has a boundary at exactly one instant and no boundary at any other. The elevated request in 2020 arrived at one of those other instants.
What this exposes about trust relationships is direct. Static trust is a liability in proportion to the privilege it carries. When the privilege is elevation, the highest-impact action in the system rides on the least-validated assumption in the system. That is the inversion the record describes. The most powerful grant was bound to the weakest check, a check that ran once and then stopped running. Privilege without continuous validation is privilege handed to whatever state the identity later enters, including states the system was never watching for.
State the position without softening it. Identity is the boundary or there is no boundary. On this record it was not enforced, which means for the duration of the documented behavior it did not function as a control. Calling it a boundary did not make it one. The label held. The enforcement did not.
What must now be true is not complicated, and its absence is the entire finding. Identity state must be an input to every elevated access decision, evaluated at the moment of the grant and not before it. Trust must be re-validated continuously, not assigned once and inherited. An identity that is inactive and reaches for elevation must fail closed at the request, not be discovered at exfiltration. None of these are upgrades. They are the conditions under which the word boundary is accurate. Without them the system is open by default, and the documented behavior is the predictable result of leaving it open.
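The conditions above, as an added example that is not from the original article: a claim-only grant beside one that reads identity state at the moment of elevation and fails closed. The `IdentityState` fields, the `lookup` callable, and the 30-day `MAX_IDLE` threshold are assumptions; the article names no implementation or threshold.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Tuple

MAX_IDLE = timedelta(days=30)  # assumed policy value; the article states no threshold

@dataclass(frozen=True)
class IdentityState:           # hypothetical shape of an identity-state record
    enabled: bool
    last_activity: Optional[datetime]  # None: never observed active

@dataclass(frozen=True)
class Request:
    identity: str
    claims: frozenset
    privilege: str

def grant_by_claim(req: Request) -> bool:
    """Failing pattern: the grant is computed from the request and nothing else."""
    return req.privilege in req.claims

def grant_bound_to_state(req: Request,
                         lookup: Callable[[str], Optional[IdentityState]],
                         now: datetime) -> Tuple[bool, str]:
    """The claim is necessary, not sufficient: state is read at grant time."""
    if req.privilege not in req.claims:
        return False, "missing claim"
    try:
        state = lookup(req.identity)
    except Exception:
        return False, "state unavailable"      # fail closed, never default-grant
    if state is None or not state.enabled:
        return False, "identity not enabled"
    if state.last_activity is None or now - state.last_activity > MAX_IDLE:
        return False, "identity dormant"
    return True, "ok"

# Constructed sample data.
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
DIRECTORY = {
    "svc-active": IdentityState(True, NOW - timedelta(hours=2)),
    "svc-dormant": IdentityState(True, NOW - timedelta(days=200)),
}

if __name__ == "__main__":
    for name in DIRECTORY:
        req = Request(name, frozenset({"admin"}), "admin")
        print(name, grant_by_claim(req), grant_bound_to_state(req, DIRECTORY.get, NOW))
```

Both identities carry the same claim, so `grant_by_claim` treats them identically; only the state-bound decision separates the identity in use from the identity at rest.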
The actor stays unconfirmed and the motive stays noise. Neither changes the conclusion, because the conclusion is about the path and not the traveler. The path was open. A system that permits elevation from a dormant identity will, at some point, be used to do exactly that. If a system allows it, it will happen, and on this record it happened. Until the access decision reads identity state at the point of elevation, those discontinuities are not an anomaly to explain. They are the system operating as built, and what was built was a boundary that only ever existed as a name.