Invisible Security Gaps: How Fragmented IAM Increases Breach and Compliance Risk
Fragmented identity systems don’t usually fail in dramatic ways. They fail quietly. Accounts aren’t deprovisioned. Access persists longer than it should. MFA is enforced in one system but not another. Individually, these gaps may seem small. Together, they create exactly the conditions attackers thrive on.
Orphaned Accounts and Real Risk
Manual offboarding is one of the most common failure points in higher education. A student who withdraws mid-semester may lose LMS access but retain credentials elsewhere. A terminated employee's directory account may be disabled while access to research or cloud systems persists. Each of these oversights leaves an orphaned account: a working login with no legitimate owner, which is a ready-made entry point for an intruder.
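The check a practitioner would want here is a reconciliation of every downstream system's account export against the authoritative source (HR or SIS) so that orphaned and inconsistently protected accounts surface before an attacker finds them. The following is an added example, not code from the post or from any product it mentions; the system names, record fields, dates and the grace period are assumptions, and the sample data is constructed to reproduce the two failure modes described above: a withdrawn student still enabled in the LMS and a terminated employee disabled in the directory but still active on the research cluster and in the cloud tenant. It also flags the MFA inconsistency mentioned earlier, where a person has MFA enforced in one system but not another.

```python
"""Reconcile downstream accounts against an authoritative identity source.

Added example with constructed data. System names, field names, dates and
the grace period are assumptions, not taken from any product or report.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Person:
    person_id: str
    status: str                    # "active", "withdrawn" or "terminated"
    separated_on: Optional[date]   # None while the person is active


@dataclass(frozen=True)
class Account:
    person_id: Optional[str]       # None when the account is not linked to anyone
    enabled: bool
    mfa_enforced: bool


@dataclass(frozen=True)
class Finding:
    system: str
    person_id: Optional[str]
    issue: str                     # "orphaned", "unlinked" or "mfa_gap"


# Constructed source of truth (HR for staff, SIS for students).
PEOPLE: Dict[str, Person] = {
    "p001": Person("p001", "active", None),
    "p002": Person("p002", "withdrawn", date(2025, 3, 10)),
    "p003": Person("p003", "terminated", date(2025, 6, 1)),
}

# Constructed per-system account exports. The directory disabled p003, but the
# research cluster and cloud tenant never heard about it; p002 kept LMS access.
SYSTEMS: Dict[str, List[Account]] = {
    "directory": [Account("p001", True, True), Account("p002", False, True),
                  Account("p003", False, True)],
    "lms": [Account("p001", True, True), Account("p002", True, False)],
    "research_cluster": [Account("p001", True, False), Account("p003", True, False)],
    "cloud_tenant": [Account("p003", True, True), Account(None, True, False)],
}

AS_OF = date(2025, 9, 1)   # assumed audit date


def reconcile(people: Dict[str, Person], systems: Dict[str, List[Account]],
              as_of: date, grace_days: int = 0) -> List[Finding]:
    """Flag enabled accounts that the source of truth says should not exist.

    orphaned: owner is withdrawn/terminated for longer than grace_days
    unlinked: no owner in the source of truth at all
    mfa_gap:  active owner has MFA enforced in some system but not this one
    """
    # People who have MFA enforced on at least one enabled account; other
    # systems are expected to match that baseline.
    mfa_somewhere = {a.person_id for accts in systems.values() for a in accts
                     if a.enabled and a.mfa_enforced and a.person_id}
    findings: List[Finding] = []
    for system, accounts in systems.items():
        for acct in accounts:
            if not acct.enabled:
                continue   # a disabled account is not an exposure for this check
            person = people.get(acct.person_id) if acct.person_id else None
            if person is None:
                findings.append(Finding(system, acct.person_id, "unlinked"))
            elif person.status != "active":
                separated = person.separated_on
                if separated is None or (as_of - separated).days > grace_days:
                    findings.append(Finding(system, acct.person_id, "orphaned"))
            elif not acct.mfa_enforced and acct.person_id in mfa_somewhere:
                findings.append(Finding(system, acct.person_id, "mfa_gap"))
    # Deterministic order makes the report diffable between audit runs.
    return sorted(findings, key=lambda f: (f.system, f.person_id or "", f.issue))


def audit(grace_days: int = 0) -> List[tuple]:
    """Run the reconciliation over the constructed data as plain tuples."""
    return [(f.system, f.person_id, f.issue)
            for f in reconcile(PEOPLE, SYSTEMS, AS_OF, grace_days)]


if __name__ == "__main__":
    for system, person_id, issue in audit():
        print(f"{issue:9} {system:17} {person_id or '<unlinked>'}")
```

With the constructed data the report lists the unlinked cloud account, three orphaned accounts (p002 in the LMS, p003 on the research cluster and in the cloud tenant) and one MFA gap (p001 on the research cluster). Raising `grace_days` models a deliberate retention window; anything still flagged past that window is an offboarding failure, not a policy choice.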
The 2025 Verizon Data Breach Investigations Report documented 1,075 security incidents in Educational Services, with 851 confirmed breaches.4 System intrusion—where ransomware operates—accounted for 37% of breaches, while stolen credentials appeared in 24% of cases.5
In the case of higher education (and most verticals), these intruders are financially motivated,6 and they’re simply walking through doors that should have been locked months ago—often using credentials that were stolen, reused, or never properly revoked.
Why Education is Uniquely Vulnerable
Unlike most industries, education sees a high proportion of internal-actor breaches. Verizon reports that 38% of education breaches involve internal actors, largely due to mistakes rather than malicious intent.7 Fragmented IAM environments increase the likelihood of these errors and reduce visibility when they occur.
Compounding the risk, breaches involving stolen or compromised credentials take longer to identify and contain than any other attack vector. IBM’s 2025 Cost of a Data Breach Report found that breaches involving compromised credentials took an average of 241 days to identify and contain8—only slightly down from the previous year. That means months of exposure from a single account that should have been deactivated.
Compliance Blind Spots
Fragmented IAM also creates compliance exposure. A 2024 academic study examining 101 U.S. and Canadian universities found widespread noncompliance with NIST digital identity guidelines, concluding that "expert cybersecurity recommendations are not sufficiently influencing the policies of higher education institutions."9
Regulations and frameworks increasingly require institutions to demonstrate:
· Who has access to sensitive systems
· When access was granted
· Whether access is still appropriate
· Who approved it
When identity data is scattered across systems, answering these questions becomes time-consuming—or impossible. This visibility gap isn’t just inconvenient. For institutions subject to FERPA, GLBA, and state privacy laws, it represents real compliance liability.
Higher education–focused IAM platforms such as RapidIdentity, part of Jamf’s broader security and access strategy, help institutions centralize lifecycle management, enforce consistent controls, and gain the visibility needed to reduce risk and meet compliance expectations.
Schedule a demo to learn how centralized identity and lifecycle management strengthen security and compliance in higher education.
This is the second in a series of blog posts about Identity and Access Management in Higher Education. In our next post, learn how identity fragmentation drains IT teams through the "Help Desk Tax." Missed the first post in the series? Find it here.
4 Verizon. "2025 Data Breach Investigations Report." 2025. https://www.verizon.com/business/resources/reports/dbir/
5 Ibid.
6 Ibid.
7 Ibid.
8 IBM Security & Ponemon Institute. (2025). Cost of a data breach report 2025: The AI oversight gap. IBM Corporation. https://www.ibm.com/reports/data-breach
9 Gavazzi et al. "The Authentication Gap: Higher Education's Widespread Noncompliance with NIST Digital Identity Guidelines." arXiv, September 2024. https://arxiv.org/html/2409.00546v1
Bryan Christ is an IT professional with almost three decades of industry experience. He has worked for a number of high-profile companies including Compaq, Hewlett-Packard and MediaFire. After serving two years in a fractional CIO role in the Greater Houston area, Bryan shifted into the identity and access management (IAM) arena and has spent the last several years focused on Higher Education.
