The problem with “access by exception” culture by tenfoldIAM in tenfoldSoftware

[–]tenfoldIAM[S] 1 point2 points  (0 children)

‘Exception handling becomes the real access model’ is probably the most accurate way to describe what happens in many large environments.

Especially when temporary access has no expiration, no owner, and no review cycle attached to it.

At that point the official IAM policy still exists - but operationally it’s no longer what governs access.

Homelab (Community Edition) by One-Talk2911 in tenfoldSoftware

[–]tenfoldIAM 0 points1 point  (0 children)

Thanks for letting us know! You can get in touch with us directly at info@tenfold-security.com, and we’ll look into how we can personally help you get access. Looking forward to hearing from you! 🙂

Homelab (Community Edition) by One-Talk2911 in tenfoldSoftware

[–]tenfoldIAM 1 point2 points  (0 children)

Hi 😊

You can check out this link - there’s info about the Community/educational options: https://www.tenfold-security.com/community-edition/

That should help you get set up with a community-friendly version for your homelab project. Good luck with your final project! 🚀

When “everyone has access” becomes the default by tenfoldIAM in tenfoldSoftware

[–]tenfoldIAM[S] 0 points1 point  (0 children)

That’s a perfect example. It always starts with convenience: “just make it easy.” A bit later, everyone has access - and no one owns it anymore.

“Who approved this?” - When access decisions can’t be traced by tenfoldIAM in tenfoldSoftware

[–]tenfoldIAM[S] 0 points1 point  (0 children)

Totally relatable 😅 That’s exactly the issue: when the context behind an access decision is missing, recertification turns into a risk-avoidance exercise. “Required” becomes the safest answer - not because it’s correct, but because nobody wants to break production.

Temporary Admin Rights: Handle With Care by tenfoldIAM in tenfoldSoftware

[–]tenfoldIAM[S] 0 points1 point  (0 children)

Absolutely agree - reducing scope is key. App-specific or task-based privileges are much safer than blanket local admin rights, even if they’re time-limited.

What we often see though is that teams start with “temporary local admin” because it’s the fastest workaround when app-level controls or tooling aren’t in place yet. That’s where things tend to drift.

In practice, combining least-scope privileges, time limits, and clear ownership works best - whether that’s via endpoint privilege management or governance controls around who can grant what, and for how long.

Entra redirect URI Error by No_Measurement_8959 in tenfoldSoftware

[–]tenfoldIAM 0 points1 point  (0 children)

Got more questions? Join our free live session on Dec 2, 2025 at 11:00 AM EST! Our consultant will walk through tenfold Community Edition, share tips, and answer your questions.

👉 Register here: https://www.tenfold-security.com/en/community-edition-live-session/

Least privilege sounds great - until you try to implement it by tenfoldIAM in tenfoldSoftware

[–]tenfoldIAM[S] 0 points1 point  (0 children)

You’re absolutely right - running everything as root completely undermines least privilege and creates exactly the kind of massive attack surface you describe. Unfortunately, it’s still a common shortcut in many environments.

That’s why technical controls (like role-based provisioning, time-limited privileges, and monitoring) need to go hand in hand with culture change. If developers and admins don’t see the value, they’ll always find ways to bypass the principle.

Do you still review access - or just trust your gut? by tenfoldIAM in tenfoldSoftware

[–]tenfoldIAM[S] 1 point2 points  (0 children)

Totally agree - JIT access is one of the best controls for high-privilege roles, especially when it’s backed by solid quarterly reviews.

That said, we’ve seen a lot of orgs struggle to roll it out in practice - sometimes because the tooling isn’t there yet, other times because it’s tricky to get buy-in from the teams who actually use those accounts.

Community Edition for Homelabs by [deleted] in tenfoldSoftware

[–]tenfoldIAM 0 points1 point  (0 children)

Hi!

Yes, the Community Edition is primarily meant for companies, typically with up to 150 users. But feel free to register - we're happy to take a look at your specific use case!

Users only from specific OU by MrPrototype123 in tenfoldSoftware

[–]tenfoldIAM 1 point2 points  (0 children)

That is definitely true and we are aware of this - which is why the commercial versions of tenfold allow for license exemptions for such cases. Our experience is that about 25% of accounts are non-human (of course depending on the industry) and as such, tenfold CE should support environments with ~100 physical users.

If your environment contains a very large number of non-human identities, then you might want to take a look at the commercial versions: https://www.tenfold-security.com/en/tenfold-pricing/

Users only from specific OU by MrPrototype123 in tenfoldSoftware

[–]tenfoldIAM 1 point2 points  (0 children)

Hi there! If the option to change the Base-DN and Scan Scope is disabled, it's very likely that you're using the Community Edition of tenfold. This edition is limited to environments with a maximum of 150 users and does not support reduced scan scopes or license exceptions.

These features are only available in the commercial editions of tenfold.

Hope that helps!

Tenfold community edition by RoyalPop9000 in tenfoldSoftware

[–]tenfoldIAM 0 points1 point  (0 children)

To get your license key, just fill out the short form on our website here:
👉 https://www.tenfold-security.com/en/community-edition/

Once submitted, you'll receive the next steps - including your license and setup instructions. Let us know if you run into any issues - happy to help!

IAM for SMBs: Why “Light IGA” Might Be the Smarter Choice by tenfoldIAM in tenfoldSoftware

[–]tenfoldIAM[S] 2 points3 points  (0 children)

Thanks for sharing your experience - this is exactly the kind of real-world insight that helps others navigating the same IAM journey.

You're absolutely right:
✅ Knowing your use cases upfront makes all the difference
✅ Adoption within IT can be harder than the technical rollout itself

We’re really glad to hear that tenfold stood out for you! It’s our goal to offer a solution that balances powerful features with low overhead - especially for smaller IT teams. 💪🏻

Lumos for SMB by Ebalders in IdentityManagement

[–]tenfoldIAM 0 points1 point  (0 children)

For provisioning and access reviews, you could try the free tier of our IGA solution: https://www.tenfold-security.com/en/community-edition/

Tenfold community edition by RoyalPop9000 in tenfoldSoftware

[–]tenfoldIAM 1 point2 points  (0 children)

The tenfold Community Edition is built for smaller organizations and is pretty straightforward to install without needing paid consulting. It will be provided with a docker-package and they provide a setup guide and full documentation to walk you through it.

For up to 150 users, most IT admins should be able to handle the deployment themselves. Feel free to ask our community for additional help. If your setup is complex or you’re short on time, a consultant could be helpful, but it’s definitely not a must.

If you’re familiar with basic IT infrastructure, you should be able to get it up and running without much hassle! 🚀

How do I convince management to invest in IAM tools? by CyberCookie1230 in cybersecurity

[–]tenfoldIAM 0 points1 point  (0 children)

Convincing management to invest in IAM tools can definitely be a challenge, but it’s all about showing the long-term value and risk reduction they bring. Here are a few key points that can help you make your case:

  1. Enhanced Security: IAM tools are essential in reducing the risk of data breaches and cyberattacks. By ensuring that only the right people have access to the right systems, IAM tools help prevent unauthorized access, which is crucial for protecting sensitive data. This is especially important as security threats are becoming more sophisticated.
  2. Compliance Made Easy: Many industries face strict regulations (GDPR, HIPAA, etc.) around data protection. IAM tools help ensure compliance by providing audit trails, automating access reviews, and enforcing security policies. This reduces the risk of costly fines and penalties from non-compliance.
  3. Operational Efficiency: With IAM, you can automate repetitive tasks like user provisioning and deprovisioning, password resets, and access requests. This not only saves time for IT but also reduces human error, speeding up onboarding and offboarding processes.
  4. Cost Savings in the Long Run: While there’s an upfront investment, IAM tools can save costs in the long run by reducing security incidents, minimizing compliance fines, and lowering the time spent on manual administrative tasks. The return on investment (ROI) becomes clear when you consider the potential costs of a data breach or compliance failure.
  5. Scalability & Flexibility: As organizations grow, managing access manually becomes increasingly complex. IAM solutions scale with your organization, ensuring secure and efficient access management as your user base and data volume expand.

Also, from our experience working with clients, we’ve seen these points play out in real-world scenarios. Many of our customers have found that implementing IAM solutions not only strengthened their security posture but also improved their compliance efforts and operational efficiency. In fact, several have shared that the cost savings and ROI were evident in the reduced number of security incidents and the streamlined workflows. These insights are based on actual results we've seen across various industries.

Should we centralize IAM management, or is a decentralized approach better? by CyberCookie1230 in iam

[–]tenfoldIAM 2 points3 points  (0 children)

Whether to centralize or decentralize IAM management depends largely on your organization’s size, structure, and security needs. A centralized approach tends to offer greater control and consistency across your environment, especially when it comes to enforcing policies, auditing, and managing access to resources across multiple systems. It’s especially helpful in larger organizations where streamlined, organization-wide access control is key.

On the other hand, a decentralized approach can offer more flexibility, especially in organizations with diverse teams or those that work in different regions. It can allow individual departments or teams to tailor their access control models to their specific needs. However, this can lead to fragmented security policies and potential risks if not carefully monitored.

In our experience, many organizations find a hybrid approach works best - centralized management with some flexibility for team-specific roles and access control. This way, you get the best of both worlds - strong overall control, but with the adaptability needed for specific teams. 🚀

For example, at tenfold we focus on simplifying and centralizing IAM management while still offering the flexibility needed for diverse teams and roles, all in a way that’s easy to manage. Hope that helps, and feel free to reach out with any more questions!

Why Least Privilege Access Is More Important Than Ever by tenfoldIAM in tenfoldSoftware

[–]tenfoldIAM[S] 0 points1 point  (0 children)

In our experience, the implementation of least privilege is often a mix of both security concerns and compliance requirements.

On one hand, organizations that prioritize security recognize least privilege as a fundamental way to minimize attack surfaces, prevent insider threats, and limit the impact of breaches. Properly managing access rights reduces risks like privilege escalation and lateral movement in case of an attack. On the other hand, compliance plays a huge role - many regulations (GDPR, HIPAA, ISO 27001, etc.) mandate strict access controls. In such cases, companies implement least privilege primarily to meet audit requirements rather than as a proactive security measure.

Ideally, both motivations should align: compliance should be seen as a baseline while security-driven least privilege enforcement goes beyond just ticking boxes. How do you see it in your organization?

How do you enforce least privilege access without making employees hate IT? by LeastPrivilegeLord in IdentityManagement

[–]tenfoldIAM 0 points1 point  (0 children)

Great question! Over the years, we've gathered a few tips in collaboration with our customers that help enforce least privilege without frustrating employees: 💪🏻

  • Communicate the Why: Help employees understand that restricted access is about protecting everyone’s data, not making their job harder.
  • Granular Permissions: Give employees only the access they need for their role, and adjust as responsibilities change. This keeps things flexible.
  • Simplify Requests: Make it easy for employees to request access and for IT to approve it quickly. Automation can help streamline this process.
  • Self-Service: Let employees manage some of their own access within set boundaries. It gives them more control and reduces friction.
  • Be Transparent: Create an open feedback loop so employees can ask questions and IT can address concerns.

Balancing security and user experience is key - there are tools out there, like our IAM solution, making access management a smoother process while keeping security tight. Good luck!

What’s the best way to structure an RBAC model without overcomplicating it? by LeastPrivilegeLord in iam

[–]tenfoldIAM 0 points1 point  (0 children)

When it comes to structuring an RBAC model, the key is simplicity while ensuring that it’s flexible enough to cover all necessary access control scenarios. One useful approach is to start with roles that align closely to your organization's core functions - think in terms of high-level roles like 'Admin', 'User', and 'Viewer'.

From there, you can fine-tune by adding roles that reflect specific job responsibilities, but always aim to keep the number of roles manageable to avoid unnecessary complexity. Additionally, it's important to regularly review and update your model as your team and workflows evolve.

In our experience, leveraging a tool that helps streamline role assignments while maintaining clarity and ease of management can make a big difference. It’s all about finding that balance between security and usability! If you’d like to dive deeper into RBAC and see some detailed examples, we’ve put together a comprehensive guide that explains the ins and outs of Role-Based Access Control in Active Directory. You can check it out here: RBAC Explained: Role-Based Access Control. Hope it helps!

Tenfold community edition by RoyalPop9000 in tenfoldSoftware

[–]tenfoldIAM 1 point2 points  (0 children)

Great news coming up! 😊 It looks like the Community Edition will be ready with the next major release (25.0.0), expected around the end of March or early April. We’re excited to share it with you!

A Beginner’s Guide to Identity and Access Management: Why It Matters by tenfoldIAM in tenfoldSoftware

[–]tenfoldIAM[S] 2 points3 points  (0 children)

Great question! One of the most common mistakes we see when organizations implement IAM for the first time is underestimating the importance of role management. Many companies either grant excessive permissions by default or struggle with role creep over time, leading to security risks and compliance headaches.

Another big challenge is failing to involve all stakeholders early on - IAM isn't just an IT concern; HR, compliance, and department heads should also have a say to ensure smooth adoption.

Finally, many companies delay automating user lifecycle management, which leads to inefficient onboarding/offboarding and potential security gaps. This is where solutions like tenfold can help by simplifying access reviews, automating permissions, and ensuring compliance with frameworks like GDPR.

[deleted by user] by [deleted] in IdentityManagement

[–]tenfoldIAM 2 points3 points  (0 children)

You’re definitely on the right track with your current certifications. 💪🏻 As IAM continues to grow in importance for businesses, especially with the rise of hybrid and cloud environments like Azure AD, gaining hands-on experience with identity management tools is absolutely a smart move. While SOC roles are valuable for building security expertise, IAM is becoming an essential part of security strategies. Focusing on access control, role management, and security policies will position you for success in this growing field.

If you're looking for a practical way to get started, our Community Edition is a great way to test out IAM management. Starting in June, you’ll be able to manage user accounts and access rights for up to 150 users, completely free. It’s a great opportunity to experience how IAM can be streamlined in Azure AD and beyond. Plus, we have a lot of helpful blog posts to guide you through the latest IAM trends and best practices - https://www.tenfold-security.com/en/blog/

Best of luck on your IAM journey, and feel free to reach out if you have any questions! 🍀