When it comes to identity and access management, startups from Central and Eastern Europe and those from the United States and Western Europe are indeed moving along different trajectories—not because of differences in competence, but due to different incentives and priorities.
In Western Europe and the United States, the rules of the game are set by regulators, standards, and contractual obligations. Violations of requirements such as GDPR, SOC 2, or ISO 27001 quickly result in fines, legal risks, and lost deals. As a result, identity and access management there is usually formalized early, even before scaling. In Central and Eastern Europe, the logic is different: security is often postponed to a later stage. MVP, growth, and customers come first; clear roles, environment segmentation, and proper handling of service accounts follow only afterward.
This leads to different typical vulnerabilities. In CEE, the issue is a lack of formal processes: shared accounts, manually granted access, blurred boundaries between dev and prod, and the same key used for training and inference. In the West, the opposite extreme is common. There are many tools and even more policies, but a blind spot emerges around machine identities: long-term keys with excessive privileges, complex roles without real ownership, and formal control without live monitoring.
A telling example is an incident at xAI investigated by security researchers: an active API key was accidentally published in a public GitHub repository and remained valid for an extended period, providing access to private models. A similar pattern can be seen in the Clearview AI case, when the company experienced several isolated incidents in 2020: on the one hand, disclosure of information about its customer base; on the other, leaks caused by misconfigurations that exposed internal files, source code, and secret keys.
None of these stories is about sophisticated attacks; they are about basic failures in access management and segmentation.
Ultimately, neither trajectory is ideal. Regulatory pressure alone does not guarantee discipline at the level of service identities, just as focusing on speed does not justify ignoring basic controls. The winning startup is the one that makes IAM part of the product from day one: minimizing privileges, managing keys and service accounts transparently, maintaining access logs, and regularly verifying that the real system matches the intended architecture.
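The last point, regularly verifying that the real system matches the intended architecture, is the one most often skipped, so here is a minimal access-review check that does exactly that over a constructed inventory of service identities. This is an added example, not code from the article or from any of the companies it mentions: the data model, the field and permission names, and the 90-day rotation threshold are all assumptions. It flags the failure modes the text lists (a role with no owner, privileges granted beyond the design, one key used across environments such as training and production or dev and prod, and a credential that has never been rotated).

```python
"""Access-review drift check over a constructed service-identity inventory.

Added example for this article, not the author's code or any real product's:
the data model, field names, permission strings and 90-day threshold are
assumptions. The idea is the one the text describes: declare the intended
access model, collect the observed state, and diff the two regularly.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy for long-lived keys

Finding = Tuple[str, str, str]  # (identity, finding code, detail)


@dataclass
class ServiceIdentity:
    name: str
    owner: Optional[str]       # accountable team; None means nobody owns it
    intended_env: str          # environment the architecture assigns it to
    environments: Set[str]     # environments where its key is actually seen in use
    intended: Set[str]         # permissions the design calls for
    granted: Set[str]          # permissions observed on the role or key
    key_created: date          # creation date of the current credential


def review(identities: List[ServiceIdentity], today: date,
           max_key_age: int = MAX_KEY_AGE_DAYS) -> List[Finding]:
    """Compare observed state with the intended model and return drift findings."""
    findings: List[Finding] = []
    for ident in identities:
        if not ident.owner:
            findings.append((ident.name, "NO_OWNER", "no accountable owner recorded"))
        # least privilege: anything granted that the design does not call for
        excess = ident.granted - ident.intended
        if excess:
            findings.append((ident.name, "EXCESS_PRIVILEGE",
                             "granted beyond design: " + ", ".join(sorted(excess))))
        # segmentation: the same credential showing up outside its home environment
        stray = ident.environments - {ident.intended_env}
        if stray:
            findings.append((ident.name, "CROSS_ENV_KEY",
                             f"{ident.intended_env} key also used in "
                             + ", ".join(sorted(stray))))
        # key hygiene: long-lived credentials past the rotation window
        age_days = (today - ident.key_created).days
        if age_days > max_key_age:
            findings.append((ident.name, "STALE_KEY",
                             f"credential is {age_days} days old (limit {max_key_age})"))
    return findings


def sample_inventory(today: date) -> List[ServiceIdentity]:
    """Constructed inventory: one clean identity and two showing typical drift."""
    return [
        # correctly scoped production identity, recently rotated
        ServiceIdentity("inference-api", "ml-platform", "prod", {"prod"},
                        {"models:invoke"}, {"models:invoke"},
                        today - timedelta(days=30)),
        # one key shared between training and production, over-privileged,
        # unowned, and never rotated
        ServiceIdentity("training-job", None, "training", {"training", "prod"},
                        {"models:read", "models:write"},
                        {"models:read", "models:write", "models:invoke", "iam:*"},
                        today - timedelta(days=400)),
        # dev credential that has crept into prod
        ServiceIdentity("ci-deploy", "platform", "dev", {"dev", "prod"},
                        {"deploy:write"}, {"deploy:write"},
                        today - timedelta(days=10)),
    ]


if __name__ == "__main__":
    today = date.today()
    for name, code, detail in review(sample_inventory(today), today):
        print(f"{name:15} {code:17} {detail}")
```

In practice the intended sets come from the architecture document or infrastructure-as-code, and the observed sets from the cloud provider's IAM API and access logs; the value of the check is that it runs on a schedule, so drift is caught when it appears rather than at the next audit.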

Olga is a recognized expert in IT and information security with 19 years of experience. Among other things, she specializes in information security systems design and implementation. Her profound knowledge of IT technologies and principles of building IT infrastructure put her in the position of the Chairperson of the Committee on IT and Cyber Security of the German-Ukrainian Chamber of Industry and Commerce. Olga is also the CEO of the Ukrainian IT company Silvery LLC.
