The only thing stopping the vast majority of government IT specialists from stealing sensitive government data is their moral compass, not security protocols, a recent survey found.

More than 80 percent of federal tech workers said it would be “easy” to steal data from their agencies, and 39 percent said they’d potentially make off with sensitive information if they were angry enough at their employer, according to a report published Tuesday by One Identity. Only 16 percent of feds told researchers they wouldn’t be able to get their hands on critical data.

The survey found insider threats are the single biggest worry when it comes to federal identity and access management programs, with one-quarter of government IT specialists calling sensitive data leaks their “worst nightmare.”

Additionally, roughly one in five government tech professionals said they weren’t confident their agency could defend its access control platform against a potential hack.

“These and other findings paint a bleak picture of how many organizations approach [identity and access management] and [privileged access management] programs, indicating that critical sensitive systems and data are not properly protected,” researchers wrote.

The report examined identity and access management practices across government and industry, and included responses from 203 federal IT specialists.

Agencies use a variety of identity and access management programs to make sure critical information stays in the right hands, but many federal tech shops still have a tough time securing that data, according to the report.

Some 60 percent of respondents cited data protection as the biggest challenge their organizations face when it comes to identity and access management. More than half of feds named legacy IT as a major problem for access management, and 48 percent said moving to the cloud is creating issues for their organizations.

Managing and maintaining secure passwords is critical to keeping sensitive information out of the wrong hands, but the survey found agencies don’t always follow best practices.

Nearly 60 percent of respondents said IT administrators at least “occasionally” share passwords for privileged accounts, and 21 percent said this is “always” the case. Almost one-quarter of feds said it takes a week or more to revoke access for people leaving the organization, and another 6 percent said their agency has no way to know if former employees are completely boxed out.

“Ineffective administrative account management practices coupled with careless sharing of passwords governing of these accounts demonstrate major gaps in [privileged access management] programs across the board,” the report said.