Black Hat 2024

Infusing AI in Cybersecurity: The Times They Are AI-Changin'


This presentation demonstrates the application of machine learning algorithms to optimize Identity and Access Management (IAM) and Attack Surface Management (ASM) within a large enterprise environment. The speakers detail a methodology for reducing excessive business roles and attestation noise by utilizing Gower's metric and hierarchical clustering to identify redundant permissions. The talk provides a practical framework for integrating data science teams with security operations to improve detection accuracy and reduce alert fatigue. The authors also share a custom harmonization algorithm and synthetic data generation techniques for security practitioners.

Stop Treating IAM Like a Black Box: How to Automate Permission Audits

TLDR: Enterprise Identity and Access Management (IAM) systems are often bloated with redundant business roles and excessive permissions that create massive attack surfaces. By applying Gower’s metric and hierarchical clustering to role-membership data, security teams can identify and prune these redundant roles without breaking legitimate access. This approach significantly reduces the noise in attestation processes and helps defenders enforce the principle of least privilege at scale.

Identity and Access Management is the graveyard of security operations. Most large organizations suffer from "role bloat," where thousands of business roles are created, abandoned, or duplicated over years of organizational churn. For a pentester, this is a goldmine. You don't need to find a zero-day when you can simply pivot through a user account that has been assigned five different, overlapping business roles, each granting a sliver of access that, when combined, provides full administrative control.

The research presented at Black Hat 2024 by the team from ING and TU Delft cuts through this complexity. They moved beyond the standard, manual "attestation" process—where managers blindly click "approve" on access reviews—and treated the problem as a data science challenge.

The Mechanics of Role Redundancy

At the heart of the problem is the disconnect between how roles are defined and how they are actually used. When an organization has 80,000 employees and 80,000 business roles, the mapping becomes impossible to audit manually. The researchers identified that many of these roles are functionally identical. They contain the same members and grant the same permissions, yet they persist as separate entities in the IAM system.

To solve this, they utilized Gower’s metric, a similarity measure for mixed data types, combined with hierarchical clustering. By representing the IAM landscape as a co-membership matrix, they could mathematically identify groups of roles that were essentially clones of one another.

The logic is straightforward: if Business Role A and Business Role B share the exact same set of members, they are candidates for consolidation. The researchers built a custom harmonization algorithm to automate this. Instead of relying on the "business function" label—which is often misleading—they looked at the ground truth of the membership data.

Practical Implementation for Pentesters

If you are performing an internal assessment, you can apply this logic to your reconnaissance phase. When you gain access to an IAM export or a directory service dump, don't just look for the "Admin" group. Look for the "Role Density."

If you find a user with a high number of assigned roles, check for overlap. You can script a simple comparison of group memberships to identify these redundant roles. If you can prove that Role X and Role Y are identical, you have identified a systemic failure in the organization's access control governance. This is a high-impact finding because it demonstrates that the organization cannot effectively manage its own security perimeter.
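The co-membership clustering described in the previous section, and the scripted membership comparison suggested here, as an added example that is not the researchers' harmonization algorithm or code. It treats a role-membership export as a binary co-membership matrix, so Gower's distance between two roles reduces to the share of users whose membership differs, and then runs complete-linkage hierarchical clustering to surface exact and near clones; the role and user names are constructed.

```python
from itertools import combinations

# Constructed sample export (not real data): business role -> set of members.
ROLE_MEMBERS = {
    "FIN_AP_CLERK":        {"u01", "u02", "u03", "u04"},
    "FIN_AP_CLERK_LEGACY": {"u01", "u02", "u03", "u04"},         # exact clone
    "FIN_AP_CLERK_NL":     {"u01", "u02", "u03", "u04", "u05"},  # near clone
    "HR_RECRUITER":        {"u06", "u07"},
    "IT_DBA":              {"u08", "u09", "u10"},
    "IT_DBA_OLD":          {"u08", "u09", "u10"},                # exact clone
}

def gower_distance(a, b, universe):
    """Gower distance over symmetric binary attributes (one per user):
    per-user similarity is 1 on a membership match, 0 otherwise, so the
    distance is the fraction of users on which the two roles disagree."""
    return len(a ^ b) / len(universe)

def pairwise_distances(roles):
    """Distance for every unordered pair of roles in the export."""
    universe = set().union(*roles.values())
    return {(x, y): gower_distance(roles[x], roles[y], universe)
            for x, y in combinations(sorted(roles), 2)}

def cluster_roles(roles, threshold):
    """Agglomerative complete-linkage clustering: merge the two clusters
    whose worst-case inter-role distance is smallest, until no pair of
    clusters is within `threshold`. Returns only multi-role clusters."""
    dist = pairwise_distances(roles)
    d = lambda x, y: dist[(x, y)] if (x, y) in dist else dist[(y, x)]
    clusters = [frozenset([r]) for r in sorted(roles)]
    while True:
        best = None
        for c1, c2 in combinations(clusters, 2):
            linkage = max(d(x, y) for x in c1 for y in c2)
            if linkage <= threshold and (best is None or linkage < best[0]):
                best = (linkage, c1, c2)
        if best is None:
            return [sorted(c) for c in clusters if len(c) > 1]
        _, c1, c2 = best
        clusters = [c for c in clusters if c not in (c1, c2)] + [c1 | c2]

def redundant_roles(roles, threshold=0.0):
    """Consolidation candidates: threshold 0.0 keeps only exact clones,
    a small positive threshold also admits near clones for manual review."""
    return sorted(cluster_roles(roles, threshold))

if __name__ == "__main__":
    print(redundant_roles(ROLE_MEMBERS))       # exact clones only
    print(redundant_roles(ROLE_MEMBERS, 0.1))  # clones plus near clones
```

On a real export, feed the same role-to-members mapping built from the directory dump; the threshold controls how aggressive the consolidation proposal is.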

The researchers also highlighted the issue of "manual membership" in OWASP A01:2021-Broken Access Control. When permissions are assigned manually rather than through automated, role-based rules, they become "zombie permissions" that never get revoked. Their approach to automating these memberships—tying them to Active Directory attributes—is the only way to kill these zombies.

Beyond IAM: Attack Surface Management

The same logic applies to Attack Surface Management (ASM). The researchers demonstrated that detection tools like GitGuardian or static analysis tools like Checkmarx generate thousands of findings, most of which are noise. By applying similar clustering techniques to these findings, you can group them by root cause rather than by individual file path.

This is critical for bug bounty hunters. If you are scanning a massive codebase, don't report 50 individual instances of the same hardcoded credential. Use a clustering approach to identify the underlying pattern or the shared configuration file that is causing the leak. Reporting a single, systemic issue is far more valuable to a security team than flooding their inbox with 50 identical tickets.

The Defensive Reality

Defenders need to stop relying on manual attestation. It is a broken process that provides a false sense of security. If your IAM system allows for the creation of redundant roles, you are failing at the most basic level of access control.

The path forward is clear: integrate your data science team with your security operations. You have the logs, you have the membership data, and you have the tools to cluster that data. Use them to find the patterns of over-provisioning. If you are a developer or a security engineer, start looking at your IAM exports as datasets rather than just lists of users.

Security is not about having the most tools; it is about having the most clarity. When you can mathematically prove that 15,000 roles are redundant, you have done more for the organization's security than a dozen automated scanners ever could. Stop auditing the users and start auditing the structure of the access itself.

Talk Type: research presentation
Difficulty: intermediate
Tags: Has Demo, Has Code, Tool Released


Black Hat Europe 2024

52 talks · 2024
Browse conference →
Premium Security Audit

We break your app before they do.

Professional penetration testing and vulnerability assessments by the Kuboid Secure Layer team. Securing your infrastructure at every layer.

Get in Touch
Official Security Partner
kuboid.in