Most attacks or breaches aren’t the result of highly complex or technical methods, they’re the result of decisions and assumptions nobody has questioned early enough. Accounts with excessive privileges, credentials sitting in plain text in a shared repo, no identity validation for remote workers contacting your service desk, these are a few examples of what an attacker may take advantage of.
These issues might eventually get flagged through governance reporting, posture management or even a threat detection alert but by then, it’s often too far down the line and fixing it gets expensive.