Most Regulatory Frameworks are Built on Top of Graves
May 31, 2026 Elizabeth Garber Blog, Newsletter
Author: Nishad Sankaranarayanan
Role: Cybersecurity Executive | “Identity-First” Security Leader

What IAM practitioners need to understand about the human cost hiding inside your compliance checklist…

The Pattern Nobody Talks About Out Loud

Every major regulatory framework you work against was written in response to something that already went wrong. Not hypothetically wrong. Catastrophically, publicly, irreversibly wrong. We don’t build policy proactively in this industry; we build it reactively, after the damage has been done and the headlines have forced someone’s hand.

Think about what’s sitting underneath the frameworks you navigate daily.

HIPAA didn’t emerge from healthcare executives deciding patient data deserved protection. It emerged from a landscape of rampant insurance fraud, discriminatory data practices, and medical record abuses that left real people with real consequences – lost jobs, denied coverage, destroyed privacy. The law was the cleanup crew, not the prevention.

SOX didn’t come from auditors deciding financial controls needed tightening. It came after Enron and WorldCom vaporized billions in investor value and shredded retirement accounts for thousands of ordinary people who trusted the numbers they were shown. The Act is a forensic document masquerading as a compliance framework.

GDPR wasn’t a vision for a privacy-respecting digital future. It was a regulatory response to years of data harvesting, unconsented profiling, and cross-border data abuses that regulators finally couldn’t ignore. The text was adopted in 2016; by the time it took effect in May 2018, the Cambridge Analytica revelations of that spring had made enforcing it politically impossible to avoid.

The Amber Alert system is named after Amber Hagerman, a nine-year-old abducted and murdered in Arlington, Texas in 1996.
The system that now protects children didn’t exist until a child was killed and her community demanded something change.

PCI-DSS exists because card fraud became so pervasive and so costly to the financial ecosystem that the major card networks had no choice but to mandate baseline controls across every merchant touching card data. The standard didn’t anticipate the breach; it was written after thousands of them.

This is the pattern. Harm occurs. Harm scales. Harm becomes undeniable. Regulation follows. And then we all inherit the compliance framework and treat it like it arrived from nowhere, like it was always just the way things were.

It didn’t arrive from nowhere. It arrived from graves.

IAM Is No Different – Here Are the Breaches That Wrote Your Policies

The identity space follows the same pattern exactly. The controls we build and enforce today weren’t invented in a vacuum by forward-thinking architects. They were demanded by specific, named failures that exposed how badly we were underinvesting in identity fundamentals.

Target (2013): The breach wasn’t a sophisticated nation-state attack. An HVAC vendor’s stolen credentials, on a network with no meaningful segmentation between vendor access and the payment environment, became the entry point for 40 million stolen card records. The core failure was third-party identity governance: an external account with far more privilege than its function required, and no monitoring to detect its abuse. Every time I review a vendor access policy, this breach is in the room.

SolarWinds (2020): Supply chain compromise at massive scale. The attackers tampered with the Orion build process so that a signed, trusted update carried their backdoor into roughly 18,000 customer environments. The intrusions that followed were identity attacks: Orion service accounts running with broad privilege, forged SAML tokens, and over-permissioned cloud service principals let the attackers pivot into mail and cloud tenants without forcing anything. They didn’t break in; they walked through doors that trusted identities had left open.

Colonial Pipeline (2021): A single compromised VPN account with no MFA enforced, on a legacy VPN profile nobody thought was still in use, with a password that had already surfaced in an earlier credential leak. One identity. No second factor.
Fuel supply disruption across the eastern United States. Every MFA mandate that landed in your organization after 2021 has this incident’s fingerprints on it.

Uber (2022): A contractor’s credentials, already stolen by malware, were used to trigger MFA push notifications over and over (MFA fatigue) until the user accepted one to stop the noise. The attacker then moved laterally through internal systems because access controls weren’t scoped tightly enough to limit blast radius; by widely reported accounts, hard-coded privileged credentials sitting in scripts on an internal share did much of that work. The failure wasn’t technical sophistication. It was operational immaturity in how MFA was implemented and how privilege was bounded.

Microsoft (2023): A stolen Microsoft account (MSA) consumer signing key was used by the actor Microsoft tracks as Storm-0558 to forge authentication tokens, and those forged tokens were accepted by Exchange Online for enterprise tenants too. The identity trust model itself became the attack surface. When cryptographic key management fails, every downstream access decision built on top of it is compromised.

MGM Resorts (2023): Attackers identified a senior employee via LinkedIn, called the IT help desk impersonating them, and convinced the agent to reset credentials and MFA, with no callback protocol and no strong out-of-band verification. Caesars Entertainment was hit around the same time by the same crew using the same pattern. The failure...
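The MFA fatigue pattern described in the Uber entry above leaves a recognisable trace in authentication logs: a burst of denied or unanswered push prompts for one user, followed by an approval. The following detection is an added example written for this page, not code from the original post or from any vendor; the log line format, the ten-minute window and the threshold of three unanswered prompts are assumptions, and the sample log lines are constructed.

```python
"""Detect MFA push fatigue (push bombing) in push-MFA authentication logs.

Added example, not from the original post. Assumed log format (one push
outcome per line): <ISO-8601 timestamp> <user> <DENIED|TIMEOUT|APPROVED> <source ip>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one user is bombed with prompts and finally approves,
# another user declines once by accident and then approves normally.
SAMPLE_LOG = """\
2022-09-15T21:03:10Z contractor01 DENIED 198.51.100.7
2022-09-15T21:03:42Z contractor01 DENIED 198.51.100.7
2022-09-15T21:04:15Z contractor01 TIMEOUT 198.51.100.7
2022-09-15T21:04:50Z contractor01 DENIED 198.51.100.7
2022-09-15T21:05:20Z contractor01 DENIED 198.51.100.7
2022-09-15T21:06:02Z contractor01 APPROVED 198.51.100.7
2022-09-15T21:10:00Z alice DENIED 203.0.113.5
2022-09-15T21:12:00Z alice APPROVED 203.0.113.5
"""

WINDOW = timedelta(minutes=10)   # assumed look-back window before an approval
MAX_UNANSWERED = 3               # assumed number of denials/timeouts that marks a burst


def parse_log(text):
    """Parse the assumed log format into (timestamp, user, result, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, user, result, ip))
    return events


def find_push_fatigue(events, window=WINDOW, max_unanswered=MAX_UNANSWERED):
    """Return one alert per APPROVED event that was preceded, within `window`,
    by at least `max_unanswered` DENIED/TIMEOUT prompts for the same user."""
    by_user = defaultdict(list)
    for event in sorted(events):          # chronological order per user
        by_user[event[1]].append(event)

    alerts = []
    for user, user_events in by_user.items():
        for i, (when, _, result, ip) in enumerate(user_events):
            if result != "APPROVED":
                continue
            unanswered = [
                e for e in user_events[:i]
                if e[2] in ("DENIED", "TIMEOUT") and when - e[0] <= window
            ]
            if len(unanswered) >= max_unanswered:
                alerts.append({
                    "user": user,
                    "approved_at": when,
                    "unanswered": len(unanswered),
                    "source_ip": ip,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"possible MFA fatigue: {alert['user']} approved at "
              f"{alert['approved_at']:%H:%M:%S} after {alert['unanswered']} "
              f"unanswered prompts from {alert['source_ip']}")
```

Run against the constructed log, only contractor01 is flagged (five unanswered prompts, then an approval); alice’s single accidental denial stays below the threshold. Detection is the backstop: the control that removes the attack is number matching or a hard cap on outstanding prompts, so that an approval cannot be obtained by exhausting the user.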