There is an open question for legal teams. They probably just don't know it yet.
The wrong room has been running this conversation
For the last decade, the debate about identity security, Zero Trust, and access governance has lived entirely inside IT. CISOs present to boards. CSOs brief the CFO. Security vendors sell to procurement committees. The language is technical — MFA, ZTNA, PAM, IGA, NHI — and the outcomes are measured in frameworks certified, audits passed, and controls deployed.
Meanwhile, in a completely different wing of the building, the legal and patent team is sitting on what may be the most consequential data exposure question in the organisation — and nobody has walked through their door to ask it.
What happens to your drug formula, your patent filing, your trade secret, your litigation strategy — when the wrong identity can read it?
That is not an IT question. That is a legal liability question. And increasingly, it is a nine-figure question.
The blast radius is a legal problem first
Here is what a blast radius actually means in practice, translated out of security jargon.
A blast radius is the answer to a simple question: if this identity — human, service account, AI agent, API key — is compromised right now, what can it reach? What files can it open? What databases can it query? What repositories can it pull?
In a pharmaceutical company, that might be an unreleased drug formulation worth billions in R&D investment. In a law firm, it might be privileged client communications in active litigation. In a technology company, it might be source code underlying a pending patent. In financial services, it might be M&A strategy before a material announcement.
Every one of those scenarios is a legal event, not merely a security event. Trade secret misappropriation. Patent invalidation through prior disclosure. Breach of legal professional privilege. Exposure of material non-public information. The legal exposure in a single identity compromise, pointed at the wrong data, can dwarf the cost of any security budget conversation that preceded it.
We have been certifying process, not protecting value
The identity security industry has spent years building infrastructure to answer a process question: Did the access get provisioned correctly? Was the certification completed on time? Did the credential rotate on schedule?
These are necessary questions. They are not sufficient.
The question that legal teams, patent attorneys, and general counsel actually need answered is fundamentally different: Who can touch the thing we are trying to protect — and do we know what happens if they do?
IAM provisions the access. IGA certifies it quarterly. PAM vaults the credential and records the session. At no point in that entire chain does anyone answer: "This service account has read access to the directory where our unpatented formulations are stored, and we cannot show you what it has accessed in the last 90 days."
That is a legal disclosure problem. It is a trade secret exposure problem. It is an IP protection problem. And it is hiding in plain sight inside the gap between what identity tools certify and what they actually illuminate.
The question a patent attorney should be asking
Patent attorneys are trained to think about IP protection, prior disclosure, and competitive exposure. They understand, better than most, that the value of intellectual property is extinguished the moment it is disclosed outside controlled channels.
They should be asking: Can you show me, right now, which identities — including automated systems and AI agents — have access to any material that could constitute prior art if disclosed? Can you show me the blast radius of every identity that touches our pre-filing research?
If the answer is no — and in most organisations today it will be no — that is not a technology gap. That is a legal risk gap. The frameworks are incomplete, not because the tools failed, but because nobody connected the identity question to the IP protection obligation.
The same logic applies to corporate counsel managing litigation holds, compliance teams managing regulated data under GDPR or HIPAA, and M&A lawyers managing deal confidentiality. Every one of those workflows depends on a question that identity governance was never designed to answer: What can this identity reach, and does that exposure match the protection obligation attached to the data?
The conversation nobody is having
The CISO goes to the board and talks about security posture. The general counsel goes to the board and talks about legal exposure. These are usually two separate conversations, with two separate slide decks, using two completely different vocabularies.
They are describing the same problem.
The adversary who walks in using a compromised service account and exfiltrates a pre-patent formulation did not trigger a cybersecurity event in isolation. They triggered a trade secret theft event, a potential patent challenge, a regulatory disclosure obligation, and a board-level liability question — all at once.
The organisations that will get ahead of this are the ones where the legal team and the security team start answering the same question together: not "did our controls run correctly?" but "do we actually know what our most sensitive information is, who can reach it, and what the exposure looks like if they do?"
Operationalised risk is a legal deliverable
Real risk mitigation — the kind that answers the blast radius question concretely, for every identity, mapped to actual data sensitivity — is not just a security architecture outcome. It is a legal deliverable.
It is the evidence that reasonable steps were taken to protect trade secrets, satisfying the threshold for trade secret protection under the US Defend Trade Secrets Act and equivalent frameworks globally. It is the audit trail that demonstrates proportionate data access controls for GDPR Article 25 data protection by design. It is the documentation that shows a litigation hold was enforced consistently, not selectively.
When you can show — not claim, but show, with mapped permissions and documented blast radius — that access to sensitive IP was controlled, monitored, and proportionate, that is not just a security posture. That is a legal defence.
When you cannot show it, that gap is precisely where opposing counsel, regulators, and claimant firms will look first.
The right first question
The security industry has been asking how does Dave authenticate?
The legal team — once someone walks them through the door — will immediately understand that the right first question is: What can Dave read, and why is he allowed to read it?
That question has a different urgency in a law firm, a pharmaceutical company, or a technology company sitting on unpatented IP. It has a different audience: not just the CISO, but the general counsel, the patent attorney, the compliance officer, the board's audit committee.
And it has a different consequence when the answer turns out to be: we don't know.
Not a failed audit. Not a red finding on a penetration test. A legal liability. An existential IP exposure. A trade secret that can no longer be proven secret.
The lawyers will understand that immediately. Because they have been living with the consequence — they just never had the question framed in a language that made the connection to the identity stack visible.
It is time someone walked through their door and made it visible.