Cybersecurity State of the Union, Part 1: The Perimeter Is Gone. Delegated Trust Is the New Front Line.


For a long time, cybersecurity had a simple story.

Build the wall. Harden the servers. Patch the endpoints. Run the pen test. Pass the audit.

Feel better.

That story is not useless. It’s just incomplete. The wall still matters, but the breach rarely comes through the wall anymore.

It comes through the doors we built ourselves. The ones we forgot we installed. The ones we handed to vendors, integrations, and “helpful” apps that promised to make work easier.

That’s delegated trust. And in 2026, it is the new perimeter.

What delegated trust really looks like

Most organizations have a mental picture of risk that still looks like a network diagram. Subnets. Firewalls. “Inside” and “outside.” That picture is comforting because it’s familiar.

But business does not run inside the network anymore.

Your data lives in SaaS platforms.
Your workflows live in cloud services.
Your files live in shared drives and collaboration tools.
Your users log in through identity providers.
Your apps connect to other apps with permissions that are approved once and then forgotten.

Those approvals are where the modern breach lives.

It’s not always a bad password. It’s often a legitimate token. It’s a trusted integration. It’s an app that has mailbox access. It’s a third party that can read files. It’s a service account with more privilege than any human should ever have.

It’s access that looks normal until you zoom out and realize it should never have existed in the first place.

The quiet threat nobody inventories

Here’s the uncomfortable truth. Most organizations do not have a clean list of:

  • Which apps are connected to core platforms

  • What permissions those apps have

  • Who approved them

  • Who owns them now

  • Whether they are still needed

They have a list of servers. They have a list of endpoints. They might even have a list of vendors.

But delegated trust is messier. It spreads over time. It grows during busy weeks. It expands when someone needs to “just make it work.” It stays because nobody wants to break the workflow.

Attackers love this environment. Not because it’s sophisticated. Because it’s easy.

A single compromised vendor or integration can give an attacker legitimate access into dozens, hundreds, or thousands of customer environments. That is not theory. That is the modern supply chain problem, and it is why identity and integration governance belongs in the boardroom.

The blast radius problem

Delegated trust has a brutal feature. It increases blast radius.

A compromised laptop might get you a foothold.
A compromised password might get you a user.
A compromised OAuth token might get you the business.

Because tokens and integrations tend to be broad. They are often scoped for convenience, not containment.

If an integration can read all mailboxes, the attacker does not need to phish the CFO.
If an app can access shared drives, the attacker does not need to move laterally.
If a service account can administer systems, the attacker does not need persistence tricks. They already have it.

This is what it means when I say the perimeter is gone. It did not vanish. It moved. It moved into identity paths and trust chains.

What to do about it

This is fixable. It just requires discipline.

Start here:

  1. Inventory every integration and connected app
    If you cannot list it, you cannot govern it.

  2. Document ownership
    Every app, integration, and service account needs a human owner. A real one.

  3. Cut permissions down to what is actually needed
    Convenience is not a security model.

  4. Require periodic re-approval
    If an app cannot justify access every 90 days, it loses access.

  5. Build revocation muscle
    You should be able to revoke tokens and cut off access fast, without turning the business into a crime scene.

That’s what mature looks like.
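The five steps above can be run as a recurring check over an app inventory. The following is an added example, not code from the original post: the scope names, app names, and dates are constructed, and the "unused" finding and the ordering of the revocation queue are assumptions layered on the 90-day re-approval rule.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REAPPROVAL_WINDOW = timedelta(days=90)  # the 90-day re-approval rule from step 4
# Assumption: constructed scope names; map these to your platform's real ones.
BROAD_SCOPES = {"mail.read.all", "files.read.all", "directory.admin"}

@dataclass
class Grant:
    app: str
    scopes: frozenset
    owner: Optional[str]        # human owner, None if nobody claims it
    last_approved: date
    last_used: Optional[date]   # None if no use was ever recorded

def review(grant, today):
    """Return governance findings for one connected app (empty list = clean)."""
    findings = []
    if not grant.owner:
        findings.append("no-owner")
    broad = sorted(grant.scopes & BROAD_SCOPES)
    if broad:
        findings.append("broad-scope:" + ",".join(broad))
    if today - grant.last_approved > REAPPROVAL_WINDOW:
        findings.append("reapproval-overdue")
    if grant.last_used is None or today - grant.last_used > REAPPROVAL_WINDOW:
        findings.append("unused")
    return findings

def revocation_queue(grants, today):
    """Apps overdue for re-approval, ordered with the most findings first."""
    flagged = [(g.app, review(g, today)) for g in grants]
    overdue = [(app, f) for app, f in flagged if "reapproval-overdue" in f]
    return [app for app, f in sorted(overdue, key=lambda x: (-len(x[1]), x[0]))]

# Constructed sample inventory (not real apps or tenants).
TODAY = date(2026, 3, 1)
INVENTORY = [
    Grant("crm-sync", frozenset({"contacts.read"}), "alice", date(2026, 1, 15), date(2026, 2, 27)),
    Grant("mail-archiver", frozenset({"mail.read.all"}), None, date(2024, 6, 1), None),
    Grant("doc-signer", frozenset({"files.read.all"}), "bob", date(2025, 10, 1), date(2026, 2, 20)),
]

if __name__ == "__main__":
    for g in INVENTORY:
        print(g.app, review(g, TODAY) or ["ok"])
    print("revoke:", revocation_queue(INVENTORY, TODAY))
```

Note that an actively used, owned app such as the constructed `doc-signer` still lands in the queue once its approval lapses, which is the point of requiring re-approval rather than relying on activity.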

Closing

If your security strategy still assumes the breach starts at the firewall, you are defending the wrong border.

The new border is delegated trust.
Integrations. Tokens. Service accounts. Vendor access.

In Part 2, I’ll get into why traditional audits and pen tests often miss this reality, and why organizations can “pass” and still get crushed.

If you want help mapping your trust chains and shrinking your blast radius, Critical Path Security does this work every day. We build clarity where most environments are running on assumptions.