What Infra Teams Overlook: The Hidden Engineering Costs of IAM Workarounds

A White Paper by Orchid Security

Getting your Trinity Audio player ready...

Executive Summary

Identity governance is often seen as a “security problem,” owned by CISOs and GRC leaders. But in practice, much of the execution lands on infrastructure and platform engineering teams. Because infrastructure teams are not directly accountable for compliance or negligence outcomes, they often lack the incentive to fully resolve potential identity gaps. Instead, they apply quick fixes, IAM “workarounds” that get systems working but create hidden costs in engineering time, operational risk, and audit pain.

This paper examines the overlooked engineering toll of IAM workarounds, the organizational misalignment that drives them, and how Orchid’s application-level discovery and governance infrastructure helps both security and infra teams close the gap.

Introduction: Why IAM Gaps Lead to Engineering Workarounds

Even the most mature financial institutions and global enterprises struggle to align identity governance with the realities of their sprawling, complex IT estates. Despite years of investment in Access Management, PAM and IGA platforms, the execution gap remains wide.

Slow onboarding into an identity tool or stack:

Bringing a new application into central Access Management, PAM and IGA systems is rarely quick. In many cases, onboarding takes months, involving application review, connector development, role mapping, and approval workflows. This lag doesn’t match the pace of modern software delivery, where infrastructure and applications are spun up in hours, not quarters. There is constant pressure to “get it done” as fast as possible.

Divergent priorities between security and infrastructure teams:

CISOs and risk teams are measured on compliance with regulations or frameworks- like SOX, GDPR PCI, NIST CSF, ISO 27001 and similar- where completeness, auditability, and least-privilege access matter most. In contrast, infrastructure and DevOps teams are incentivized to optimize for uptime, comply with SLAs, speed delivery, and manage cost efficiency. Their success is judged by availability dashboards and velocity metrics, not by the completeness of access implementation and certifications.

The collision point:

When compliance-driven security requests meet aggressive delivery timelines and busy teams, friction is inevitable. To avoid delays that could stall product launches or revenue delivery, infra teams often take shortcuts:

Local accounts and ad-hoc credentials - Teams often create local accounts or static IAM users to avoid delays from IGA onboarding during application deployment. However, correlating these static, decentralized identities with managed centralized directories is anything but straightforward.
Bypassing IAM connectors - To accelerate integrations, infrastructure teams connect apps directly to resources without routing through central IAM or enforcing least privilege.
Hardcoded secrets and keys - Credentials get embedded in scripts, Terraform modules, or CI/CD pipelines to keep automation moving, creating long-lived, invisible risk.
Service accounts with broad privileges - Machine-to-machine access often relies on service accounts. Without proper governance, these accounts become “super users” that bypass human-centric controls. They’re rarely rotated, seldom tied to a business owner, and almost never reviewed in access certifications.
Autonomous agent identities - With the rise of autonomous agent-AI systems and microservices orchestration, non-human identities are exploding. These agents frequently create, exchange, and delegate credentials dynamically. Existing Access-Management, PAM and IGA systems weren’t designed to model or certify ephemeral agent-to-agent trust relationships, creating blind spots.
Opaque machine identity sprawl - Certificates, API tokens, and workload identities multiply rapidly across hybrid environments. They often lack lifecycle management, leading to “orphaned” machine identities with lingering access.
Hidden dependencies in automation - Infrastructure-as-code templates and orchestration frameworks frequently bake in credentials for service accounts. These patterns are optimized for velocity, but they scatter identity secrets across repos and pipelines, well outside the visibility of governance tools.

Each shortcut accelerates delivery in the short term but creates identity sprawl, unmanaged privileges, and audit blind spots.

The root issue - misaligned ownership:

Infrastructure teams don’t own identity governance outcomes. Their KPIs do not include regulatory compliance or audit performance. Instead, they are accountable for uptime, velocity, and cost control. This misalignment makes “identity debt” a rational choice: short-term workarounds appear less risky to infra teams than missed delivery commitments. Unfortunately, the accumulated identity debt magnifies long-term risks, exposure in audits, failed compliance checks, and expanded attack surfaces.

Key point:

Until organizations address this structural misalignment, identity governance will remain a back-burner concern for infrastructure teams, leading to accumulating shortcuts and continued cycles of debt, remediation, and recurring risk.

The Hidden Costs That Add Up

Engineering Debt

Maintaining glue code, brittle scripts, and exception processes consumes valuable engineering cycles.
Every upgrade or migration re-breaks these integrations, compounding costs.

Operational Drag

App onboarding to IAM stacks slows down.
Incident investigations take longer when logs can’t be trusted.
Engineering time is wasted reconciling access across fragmented systems.

Compliance Risk

Auditors can’t validate MFA, SoD, or access reviews across unmanaged apps.
Orphaned accounts persist because there’s no visibility outside IAM.
Findings increase, remediation timelines lengthen, and costs rise.

Incident Response Gaps

In unmanaged systems, activity logs don’t distinguish between human users, service accounts, and AI agents.
Attribution becomes impossible, and response times stretch.

The real cost isn’t just dollars, it’s awareness, visibility, the drag on agility, compliance, and resilience.

Real-World Scenarios

The Pre-Audit Scramble - Infrastructure teams scramble to script reports and reconcile data from unmanaged apps to satisfy a SOX audit. Hundreds of hours lost.
The Silent Breach - An orphaned admin account on a legacy server is exploited. The CISO is accountable, but the infrastructure team owned the server and didn’t retire the account.
The Cloud Migration Trap - A legacy payment app is lifted into AWS with its hardcoded service keys intact, IAM blind spots carried into the cloud.
Agent AI Blind Spot - Teams adopt AI agents for operations without aligning their authorization with operators, leaving new highly privileged agent-AI roles. Logs show “system did it,” but not which agent, ran by which operator and why.

The Accountability Gap: Why Workarounds Persist

Security (CISO, GRC) - Accountable for compliance, audit, and risk reduction.
Infrastructure / Platform Teams - Responsible for keeping systems running, meeting SLAs, but not accountable for identity governance failures.

This misalignment creates a built-in motivation gap: infra teams prioritize delivery, while security teams clean up identity messes later. The result is IAM workarounds that solve today’s delivery problem but worsen tomorrow’s compliance and risk problem.

To close the gap, governance must embed itself into infra workflows automatically, not rely on motivation or manual discipline.

The Orchid Security Approach

Orchid eliminates the need for IAM workarounds by making identity truth visible where it actually resides, in the application itself.

Application-Level Discovery - Surfaces identities, accounts, and access models directly from app binaries/configs.
Continuous Correlation - Matches unmanaged and managed accounts to deliver a single source of truth.
Prioritization by Risk & Business Impact - Infrastructure and security teams know where to act first.
Frictionless Onboarding - Cuts months of manual questionnaires and app owner back-and-forth.
Agent AI Governance - Extends identity rigor to AI-driven operators with attribution and dynamic authorization.

Business Value for Infra & Security Teams

For Security (CISO, GRC) - A compliance-ready baseline that shrinks dark matter, supports audits, and reduces regulatory exposure.
For Infrastructure Teams - Less engineering debt, fewer scripts to maintain, and faster onboarding of applications.
For the Enterprise - Stronger governance at lower cost, with identity becoming an enabler instead of a blocker.

Closing Statement

Workarounds may feel efficient, but they erode compliance, drain engineering capacity, and open the door to unmanaged risk. By uncovering identity truth at the application level, Orchid helps security teams uphold accountability while freeing infrastructure teams from IAM debt. The result is a governance approach that aligns both groups, reducing risk without slowing the business.

Understanding, let alone maintaining, identity security posture across any large organization- with its diverse and always evolving application estate- is a constant challenge.

Remember, that estate includes applications created by different developers, at different times- when technology, regulations and cyber risk were different- and even by different organizations if acquisitions were part of the growth strategy.

Any approach, but especially an automated one, that provides a comprehensive and accurate view into the true state of identity, is hugely valuable to CISOs. Especially when it can surface all of the identity flows coded in each application. We know that many threat actors are adept at finding the alternate or forgotten ways into our organizations, and this report highlights the most common exposures we need to look out for (and address).

The insights shared here are instructive for every cyber security professional.