
If Identity Is the Perimeter, Why Are You Still Trusting It?

If identity is your primary security boundary, blind trust is your biggest weakness. Here’s why identity must be continuously verified — not assumed.



Identity Replaced the Network. Trust Replaced Security.

Most organizations now agree on one thing: identity is the new perimeter.


But then they immediately make a dangerous leap:

If the identity is valid, the access must be safe.

That assumption made sense when identities were few, static, and centrally managed.

It makes no sense in a world of SaaS, OAuth, contractors, APIs, and automation.

If identity is the perimeter — trusting it blindly is the equivalent of leaving the gate unlocked.


The Problem Isn’t Identity. It’s Static Trust.

Identity systems were built to answer a simple question:

Is this user who they say they are?

Modern security needs to answer harder ones:

  • Should this identity still have access?

  • Should it have this level of access?

  • Should it have access right now?

Static trust — authenticate once, trust forever — breaks down when:

  • OAuth grants never expire (access tokens do, but the consent and refresh token behind them persist until someone revokes them)

  • SaaS accounts bypass SSO

  • Contractors outlive contracts

  • Integrations persist after ownership changes

According to Waldo Security’s 2025 SaaS & Cloud Discovery Report:

  • 97% of SaaS apps are unknown to IT

  • Less than 1% of SaaS accounts enforce MFA

  • 100% of organizations have unauthorized cloud accounts

That’s not an identity failure. That’s a trust failure.

OAuth Is Trusted More Than Humans

In many environments, OAuth tokens enjoy more trust than employees.

They:

  • Don’t re-authenticate

  • Aren’t challenged by MFA

  • Aren’t reviewed regularly

  • Aren’t tied to lifecycle events

Once granted, they quietly operate in the background — syncing files, reading inboxes, moving data — indefinitely.

CISA’s Secure Cloud Business Applications (SCuBA) guidance explicitly warns that OAuth permissions create long-lived access paths that bypass centralized enforcement (https://www.cisa.gov/secure-cloud-business-applications-scuba).

If identity is the perimeter, OAuth is the part no one is watching.

Compliance Assumes Continuous Doubt — Not Permanent Trust

Modern frameworks already reject the idea of static trust.

The CISA Zero Trust Maturity Model defines trust as continuously evaluated, not granted once (https://www.cisa.gov/zero-trust-maturity-model).

The NIST Privacy Framework (voluntary guidance) and ISO/IEC 27001 (a certifiable standard whose Annex A access-control objectives cover review and removal of access rights) both call for:

  • Ongoing access validation

  • Evidence of revocation

  • Accountability across systems

Trust without verification doesn’t meet those standards.

If you can’t prove that access is still appropriate, it isn’t compliant — regardless of how it was granted.

Why Organizations Keep Trusting Identity

Because mistrusting identity feels disruptive.

Questioning access:

  • Slows workflows

  • Forces visibility

  • Challenges assumptions

  • Exposes unknowns

And unknowns are uncomfortable.

But attackers thrive on comfort. They don’t break identity — they inherit it.

What Continuous Identity Verification Actually Looks Like

This isn’t about prompting MFA every five minutes.

It’s about:

  • Knowing every identity that exists

  • Knowing how it authenticates

  • Knowing what it can reach

  • Knowing whether it should still exist

That requires:

  • Continuous discovery of SaaS and cloud services

  • Visibility into OAuth and delegated access

  • Lifecycle alignment for humans and integrations

  • Ownership and expiration for every identity

This is Zero Trust applied to reality — not just architecture diagrams.
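The OAuth section above and the requirements just listed (lifecycle alignment, ownership, expiration) come down to a review that most tenants never run: join the OAuth grant inventory against the IdP roster and decide, grant by grant, whether the access should still exist. The following script is an added example of that review, not code from Waldo Security or from the page. The IdP roster, the grant inventory, the scope names and the 90-day unused threshold are all constructed for illustration; real exports (for example from a Google Workspace or Microsoft 365 tenant) use their own field and scope names.

```python
from datetime import date, timedelta

# Constructed sample data for the example only; not exported from any real
# tenant or taken from the report the page cites.
IDP_USERS = {
    "alice@example.com": {"status": "active", "type": "employee"},
    "bob@example.com": {"status": "active", "type": "contractor",
                        "contract_end": date(2025, 6, 30)},
    "carol@example.com": {"status": "deprovisioned", "type": "employee"},
}

OAUTH_GRANTS = [
    {"id": "g1", "app": "Calendar Sync", "user": "alice@example.com",
     "scopes": ["calendar.readonly"],
     "granted": date(2025, 9, 1), "last_used": date(2025, 10, 28)},
    {"id": "g2", "app": "Mail Digest Bot", "user": "bob@example.com",
     "scopes": ["mail.read"],
     "granted": date(2025, 2, 10), "last_used": date(2025, 10, 30)},
    {"id": "g3", "app": "Drive Backup", "user": "carol@example.com",
     "scopes": ["files.readwrite.all"],
     "granted": date(2024, 11, 5), "last_used": date(2025, 10, 31)},
    {"id": "g4", "app": "Old Reporting Tool", "user": "alice@example.com",
     "scopes": ["files.read"],
     "granted": date(2024, 1, 15), "last_used": date(2025, 3, 1)},
    {"id": "g5", "app": "Legacy Integration", "user": "nobody@example.com",
     "scopes": ["directory.read"],
     "granted": date(2023, 5, 1), "last_used": date(2025, 10, 29)},
]

# Scopes that give an app broad reach over mail, files or the directory.
# Assumed names for the example; every provider spells its scopes differently.
HIGH_RISK_SCOPES = {"mail.read", "files.readwrite.all", "directory.readwrite.all"}

TODAY = date(2025, 11, 1)          # fixed so the example is deterministic
UNUSED_AFTER = timedelta(days=90)  # assumed review threshold

# Any of these findings means the grant has outlived its justification.
REVOKE_ON = {"owner_unknown", "owner_deprovisioned", "contract_expired", "unused"}


def review_grant(grant, users, today=TODAY):
    """Return the findings for one grant; an empty list means nothing to act on."""
    findings = []
    user = users.get(grant["user"])
    if user is None:
        findings.append("owner_unknown")         # no IdP identity owns this grant
    elif user["status"] != "active":
        findings.append("owner_deprovisioned")   # offboarding never reached the grant
    elif user["type"] == "contractor" and user.get("contract_end", today) < today:
        findings.append("contract_expired")      # the contractor outlived the contract
    if set(grant["scopes"]) & HIGH_RISK_SCOPES:
        findings.append("high_risk_scope")       # keep, but only after a human review
    if today - grant["last_used"] > UNUSED_AFTER:
        findings.append("unused")                # access nobody has exercised lately
    return findings


def decide(findings):
    """Turn a finding list into an action: revoke, review or keep."""
    if REVOKE_ON & set(findings):
        return "revoke"
    if findings:
        return "review"
    return "keep"


def review_all(grants, users, today=TODAY):
    """Map grant id -> (decision, findings) for the whole inventory."""
    result = {}
    for grant in grants:
        findings = review_grant(grant, users, today)
        result[grant["id"]] = (decide(findings), findings)
    return result


if __name__ == "__main__":
    for gid, (decision, findings) in review_all(OAUTH_GRANTS, IDP_USERS).items():
        print(f"{gid}: {decision:6} {', '.join(findings) or '-'}")
```

The point of the join is that none of the revoke decisions depends on the token being invalid: g3 is a perfectly valid grant that still works after its owner was deprovisioned, and g5 has no owner at all, which is why an identity-only check (is the token valid?) would pass every one of them.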

Why Discovery Comes Before Distrust

You can’t challenge access you don’t see.

Most organizations trust identity because they only see:

  • IdP-managed users

  • Sanctioned SaaS apps

  • Official cloud accounts

Everything else is assumed not to exist — which is exactly where risk hides.

Waldo Security’s SaaS & Cloud Discovery Engine exposes the identities most teams never question by:

  • Discovering SaaS and Shadow CSP accounts

  • Surfacing OAuth tokens and non-human identities

  • Mapping identity exposure across compliance frameworks

  • Providing continuous evidence for audits and security reviews

You can’t stop trusting identity until you know what you’re trusting.

Conclusion: Identity Without Verification Is Just Hope

Identity is powerful. But power without scrutiny becomes risk.

If identity is your perimeter — and it is — then trust must be earned continuously, not granted permanently.

The most dangerous identities aren’t compromised. They’re trusted.

👉 See how organizations are moving from blind trust to continuous identity verification in the 2025 SaaS & Cloud Discovery Report.

About Waldo Security

Waldo Security helps organizations discover, classify, and secure every SaaS and cloud service in use — known or unknown. By illuminating unmanaged identities, OAuth risk, and Shadow IT, Waldo enables security teams to defend the identity perimeter with evidence, not assumptions.
