The Hidden Tax Trap Keeping America’s Housing Market Frozen

America’s housing crisis has reached a breaking point. With median home prices soaring past $400,000, the National Association of Home Builders reports that 60 percent of U.S. households can’t even afford a $300,000 home. The math has become impossible for most American families.

While we often blame high mortgage rates, restrictive zoning laws and rising construction costs for the housing shortage, there’s another culprit hiding in plain sight: a decades-old tax rule that’s trapping millions of homeowners in houses they’d rather leave.

The $500,000 Problem

When Congress overhauled capital gains taxes on home sales in 1997, they created what seemed like a generous benefit: homeowners could exclude up to $250,000 in profits from taxes ($500,000 for married couples) when selling their primary residence. This replaced a complex system of rollovers and age-based exemptions with something simpler and cleaner.

But Congress made one critical mistake – they never adjusted these limits for inflation or housing price growth.

Nearly three decades later, these same dollar amounts remain frozen in time, even as home values have skyrocketed. According to new research from Moody’s Analytics, if the exclusion had kept pace with home prices, it would now stand at $885,000 for singles and $1,775,000 for couples. Even adjusting for general inflation alone would double today’s limits.

The Senior Squeeze

This outdated tax rule hits empty-nesters particularly hard. Consider this: nearly 6 million households headed by seniors live in homes larger than 2,500 square feet. Many would gladly downsize to something more manageable, but selling could trigger six-figure tax bills on homes they’ve owned for decades.

The result? They stay put, waiting until death when their heirs can inherit the property with a stepped-up basis that erases all capital gains. Meanwhile, these oversized homes remain off the market, unavailable to growing families who desperately need the space.

Moody’s Analytics estimates these “overhoused” seniors spend $3,000 to $5,000 more annually on maintenance, utilities and property taxes than they would in smaller homes – adding up to $20 billion to $30 billion in unnecessary costs nationwide each year.

An Unexpected Burden on the Middle Class

Surprisingly, this tax burden doesn’t primarily affect the wealthy. Middle-class homeowners in expensive markets like California and Massachusetts face steep tax bills despite modest incomes. Widows face their own challenges, having just two years after a spouse’s death to sell while maintaining the full $500,000 exclusion (though they do receive a partial step-up in basis on their late spouse’s share).

An IRS study revealed a startling fact: 20 percent to 25 percent of capital gains taxes collected under current rules come from filers earning less than $20,000 annually. Meanwhile, wealthier homeowners often have the resources and flexibility to structure sales strategically, minimizing their tax exposure.

The Housing Market Ripple Effect

This tax trap creates a cascade of problems. Young families remain stuck in starter homes. First-time buyers face even fiercer competition for limited inventory. Labor mobility suffers as workers can’t relocate to areas with better job opportunities. The entire housing ecosystem becomes frozen.

The shortage is stark: monthly active listings only climbed back above 1 million in May, according to realtor.com. Before the pandemic, that number hadn’t dropped below that threshold since at least 2016.

Solutions on the Table

Congress is considering two approaches to break this logjam. One would be to double the current exclusions and index them to inflation going forward. The more radical proposal would eliminate the cap entirely.

The Double-Edged Sword

Any change comes with risks. Moody’s Analytics warns that while updating these limits could unlock hundreds of thousands of homes and boost inventory, it might also intensify competition at the lower end of the market as downsizing seniors compete with first-time buyers for the same properties. It could also make housing an even more attractive tax shelter, which would ultimately drive prices higher.

The Path Forward

The paradox is clear: raising or eliminating the capital gains exclusion could provide immediate relief to millions of homeowners trapped by tax considerations. It could inject a much-needed supply into a starved market. But without careful implementation, it could just as easily fuel another round of price increases, leaving affordability as elusive as ever.

New Rules for Inherited Traditional IRA Distributions

The rules for IRAs inherited after 2020 changed when Congress passed the Secure Act in 2019. The new rules eliminated the opportunity for non-spousal beneficiaries to “stretch” inherited IRA earnings over their own lifetime. Up until this year, required minimum distributions (RMDs) and associated penalties were waived while the IRS clarified the new rules; but in 2025, they are in full force for most inherited IRA beneficiaries.

For clarity: Non-spouses who inherited IRA assets after 2020 MUST take RMDs starting this year.

RMD Rules For Non-Spouses

For Traditional IRAs inherited after 2020, the first thing a non-spousal beneficiary must do is transfer the inherited assets into an inherited IRA under his own name. Note that RMDs are then required only if the original owner had reached their RMD age before dying. Under this scenario, the beneficiary must take required minimum distributions going forward, including any RMD not taken in the year the original IRA owner died. Over the next nine years, the new inherited IRA owner must take annual RMDs based on his own life expectancy and deplete the account within 10 years of the decedent’s death.

However, if the original account owner was NOT required to take minimum distributions as of the time he passed, the inherited IRA beneficiary is NOT required to take them – unless he reaches RMD age during the 10-year holding period (starting at age 73, or age 75 effective 2033). Either way, he still must empty the account and pay the requisite tax bill within 10 years of the original account owner’s death.

In addition to paying taxes owed on RMDs, inherited account owners are subject to a 25 percent penalty on any amount shy of that year’s required distribution. Should you miss an RMD, you may be able to reduce the penalty to 10 percent if the correct distribution is taken within two years.

RMD Rules For Spouse Beneficiaries

A spousal beneficiary of the original IRA owner has more options than a non-spouse. For starters, she can retain the original account under her own name. Similar to the non-spouse beneficiary, if the decedent spouse HAD reached his RMD age, the surviving spouse must take required minimum distributions as well, including any RMD not taken in the year the original owner died. However, RMDs thereafter will be calculated based on the surviving spouse’s life expectancy, and there is no requirement to deplete the account within 10 years.

If the original IRA owner had NOT started taking RMDs, then the spouse does not have to take RMDs until she reaches the age required to do so. At that point, the RMDs will be based on her own life expectancy.

A spousal beneficiary also has the option to transfer the inherited assets into her own IRA. Under this scenario, her RMD schedule is based on her own age. This option allows her to delay taking RMDs until she reaches RMD age, regardless of the RMD status of the deceased spouse. This strategy provides the opportunity for the inherited assets to grow longer, tax-deferred.

For clarity: the 10-year rule for full distribution does not apply to spouses.

Note that the rules discussed herein do not apply to Traditional IRAs inherited by Trusts or “Eligible Designated Beneficiaries” (EDBs), which refer to chronically ill or disabled beneficiaries, beneficiaries who are younger than the deceased account owner by 10 years or less, or minor children of the account owner.

It’s best to work with a financial advisor or IRA account custodian to choose the option best suited to your circumstances – and ensure you adhere to the appropriate rules.

Why Authorization Sprawl Is the Next Big Security Blind Spot and How to Fix It

Despite major investments in cybersecurity, organizations continue to face breaches. Most security mechanisms implemented guard against threats such as password theft. However, there is a growing concern with the unchecked expansion of user access, permissions, and tokens across apps, clouds, and systems.

This growing challenge is known as authorization sprawl, and it is becoming one of the most dangerous and least visible threats in modern enterprise security.

According to insights from the SANS keynote at the RSAC 2025 Conference, attackers are increasingly exploiting this sprawl to gain legitimate, persistent access that bypasses multifactor authentication (MFA), security information and event management (SIEM) alerts, and endpoint detection and response (EDR) visibility altogether.

What is Authorization Sprawl?

Authorization sprawl occurs when access permissions multiply uncontrollably across systems, users, and applications. Every time a team or department adds a new SaaS integration, service account, or API key, another layer of permission is introduced.

To make access to multiple applications easy, users also have single sign-on (SSO), which is designed to let them log in once and reach multiple applications securely. Because one SSO login grants access to several connected systems, it adds to the authorization sprawl problem.

Over time, all these factors create a complex ecosystem in which even security teams have a hard time tracing who can access what.

Unlike authentication, which verifies who someone is, authorization determines what one can do. When permissions expand without review, attackers take advantage of forgotten tokens, dormant accounts, or outdated roles to move freely inside systems.

Why Traditional Defenses Miss It

Most defenses focus on identity verification, such as MFA, conditional access, and endpoint protection. But once a user is authenticated, there is no monitoring. This is the blind spot that attackers exploit. Instead of breaking in, they log in using legitimate session tokens, application programming interface (API) keys, or open authorization (OAuth) grants.

The misuse of valid credentials or access tokens enables cloud-related breaches. These attacks bypass traditional detection tools because they appear to be normal activity by authorized users.

A recent incident involving Salesloft’s Drift application highlights how damaging authorization sprawl can be. Drift, an AI chatbot often integrated with Salesforce, was exploited after attackers gained access to Salesloft’s GitHub account and later its AWS environment. From there, they stole OAuth tokens and authentication credentials, exposing Salesforce data from potentially hundreds of organizations. This incident is an example of how interconnected SaaS systems and unchecked authorization links can create a cascading breach effect, where one weak point leads to multiple breaches across services.

The Business Impact of Authorization Sprawl

Aside from increasing technical risk, authorization sprawl erodes compliance, governance, and trust.

  1. Regulatory Exposure – Frameworks like GDPR, SOC 2, and HIPAA require strict access control and auditability. Untracked permissions make demonstrating compliance nearly impossible.
  2. Operational Risk – An overprivileged account can unintentionally leak data, delete configurations, or expose APIs.
  3. False Sense of Security – Zero Trust frameworks often stop at identity verification. Failing to continuously validate authorization is equivalent to protecting the front door while leaving internal doors wide open.

How to Fix Authorization Sprawl

Luckily, solving this problem does not require removing existing security controls but rather extending visibility and discipline into authorization.

  1. Conduct Regular Access Audits – Map users, roles, and permissions across your environment. Be sure to look for redundant privileges, dormant accounts, and orphaned API keys. Use tools that help visualize hidden paths and privilege escalation routes.
  2. Implement Structured Access Control – Use frameworks like role-based access control (RBAC) or attribute-based access control (ABAC). Standardizing roles ensures fewer exceptions and easier auditing.
  3. Automate Reviews and Revocations – Integrate identity and access management (IAM) with HR systems so access automatically changes when employees leave or change roles. This helps eliminate the temporary access that never gets removed.
  4. Shorten Token Lifetimes and Rotate Credentials – Session tokens and personal access tokens (PATs) should have an expiration period, such as 30 to 90 days. Using automated key rotation policies will help prevent long-lived access tokens from becoming backdoors.
  5. Enforce the Principle of Least Privilege – Grant users and systems only the minimum access needed.
  6. Extend Zero Trust to Authorization – Verification shouldn’t end with login. Apply continuous authorization checks.
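
An added example, not part of the original article: a minimal access-audit pass over a credential inventory that flags the orphaned, dormant, non-expiring and over-age credentials described in steps 1, 3, 4 and 5. The inventory, field names, HR roster and 60-day dormancy window are constructed assumptions; the 90-day limit is the upper bound mentioned in step 4.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy: 90 days is the upper bound the article suggests for token
# lifetime; the 60-day dormancy window is an illustrative assumption.
MAX_TOKEN_AGE = timedelta(days=90)
DORMANT_AFTER = timedelta(days=60)

def _d(day):
    """Parse a YYYY-MM-DD string into a UTC datetime."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)

def audit_credentials(credentials, active_owners, now):
    """Return {credential id: [findings]} for every credential needing review."""
    findings = {}
    for cred in credentials:
        issues = []
        if cred["owner"] not in active_owners:          # step 3: leavers
            issues.append("orphaned: owner not in HR roster")
        if cred["expires"] is None:                     # step 4: no expiry
            issues.append("no expiry set")
        if now - cred["created"] > MAX_TOKEN_AGE:       # step 4: rotation
            issues.append("older than rotation limit")
        if cred["last_used"] is None or now - cred["last_used"] > DORMANT_AFTER:
            issues.append("dormant")                    # step 1: dormant access
        if "admin" in cred["scopes"] and cred["kind"] != "user_session":
            issues.append("non-interactive credential holds admin scope")  # step 5
        if issues:
            findings[cred["id"]] = issues
    return findings

# Constructed sample data (not from any real environment).
NOW = _d("2025-06-01")
ACTIVE_OWNERS = {"alice", "bob"}
INVENTORY = [
    {"id": "pat-001", "kind": "pat", "owner": "alice", "scopes": ["repo:read"],
     "created": _d("2025-05-01"), "expires": _d("2025-07-30"), "last_used": _d("2025-05-30")},
    {"id": "key-002", "kind": "api_key", "owner": "carol", "scopes": ["crm:export"],
     "created": _d("2023-01-10"), "expires": None, "last_used": _d("2024-02-01")},
    {"id": "oauth-003", "kind": "oauth_grant", "owner": "bob", "scopes": ["admin"],
     "created": _d("2025-04-15"), "expires": _d("2025-07-14"), "last_used": _d("2025-05-29")},
]

if __name__ == "__main__":
    for cred_id, issues in audit_credentials(INVENTORY, ACTIVE_OWNERS, NOW).items():
        print(cred_id, "->", "; ".join(issues))
```

In practice the inventory would be exported from the identity provider and each SaaS platform's token listing, and the roster from the HR system, so that the same pass can run on a schedule.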

Conclusion

As cloud ecosystems, APIs, and integrations continue to multiply, authorization complexity will grow exponentially. Businesses that invest in mapping and controlling authorization sprawl will stay ahead of both attackers and regulators. In cybersecurity, visibility equals control, and this begins with knowing exactly who can do what.