Organizations today are grappling with an ever-growing number of identities, both human and what are known as "non-human identities" (NHIs). That growth compounds a problem that already exists: identity is a significant and frequently exploited attack vector, largely because keeping identity hygiene in order gets harder as the estate grows.
Enterprises today require a comprehensive security approach that encompasses all these identities, both human and non-human. This can seem like an overwhelming task, but the good news is that with the right tools and approach, it can be accomplished effectively.
The Current Identity Security Landscape
The volume of identities that organizations must manage is growing quickly, driven by cloud adoption, IoT, remote work, and other factors. This includes human identities: the people interacting with the organization’s systems and data, including employees, customers, partners, and vendors.
It also includes NHIs, which are used to identify, authenticate, and authorize software entities such as applications, APIs, bots, and automated systems (including AI models and agents) so that they can securely access digital resources. In ephemeral environments, where systems and workloads are rapidly created and destroyed, these NHIs are often short-lived and dynamically provisioned, which makes managing their access and enforcing governance harder. As AI-driven systems increasingly perform tasks autonomously, managing their identities with the same rigor as human users, especially in transient, high-velocity environments, is essential for maintaining trust, security, and compliance.
It's hard to estimate just how many of these machine identities organizations have. A 2024 Enterprise Strategy Group (ESG) report found that NHIs outnumber human identities by a factor of 20, a ratio that is increasing quickly. That may even be an underestimate, given how rapidly NHIs are proliferating.
As a result, organizations are experiencing identity sprawl and often struggle to manage all these disparate identities effectively. Organizations also typically have multiple identity systems in place, further complicating their efforts.
More identities mean more risks. Identities are a significant target for malicious actors, and ESG found that the average organization believes as many as one in five of its non-human identities are insufficiently secured. This proliferation of identities opens doors for bad actors.
Identity-based attacks have become one of the most effective tactics in the attacker's playbook. Threat actors use phishing, credential stuffing, or credentials bought on dark web marketplaces to gain unauthorized access to identity systems. Once inside, they move laterally, exploiting over-permissioned identities to reach sensitive data or the crown jewels. Compromised accounts and leaked passwords are now among the most reliable entry points an attacker has.
A More Comprehensive Approach to Identity Security Is Needed
As identity-based attacks become a bigger threat, organizations need a holistic approach. Traditional IAM and PAM tools manage identities and their privileges; they do not watch for misuse of those identities once access has been granted. Identity Threat Detection & Response (ITDR) closes this gap by providing continuous visibility into identities and detecting anomalous behavior, signs of compromise, privilege escalation, and lateral movement wherever they occur. It also orchestrates a rapid response.
Many solutions that claim to address identity-related threats focus on one area, such as monitoring Active Directory. What's needed is a wider net: an approach that examines every aspect of identity and can identify a compromised account whether it lives in Active Directory or in any other identity repository. Ideally, organizations need a solution that monitors all of their identity repositories for signs of compromise. Securing identities in ephemeral environments also demands automation, agility, and alignment with zero trust principles.
The next layer centers on telemetry, using network traffic analysis to gain deeper visibility into traffic sources and detect signs of suspicious activity. An identity compromise, or a broader breach of the identity infrastructure, is often far more extensive than what the identity store alone reveals.
Behavioral analytics for users and entities is also a critical component in this analysis. For example, is a domain controller behaving as expected, or is it initiating communications with systems it typically doesn’t interact with—especially those outside its peer group? Such anomalies may indicate a compromised domain controller. However, many organizations still struggle to achieve full visibility across the wide range of entity types within their environment.
Again, it comes down to needing a holistic view of every identity – whether it’s a human or a machine – within your entire service ecosystem. Any entity, identity or machine that can act on your network should be monitored, and you need to establish a baseline norm for each of those identities to detect anomalies.
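The peer-group baselining described above, written out as an added example (not code from the article or from any vendor product). It parses a constructed telemetry feed, builds a baseline per peer group, and flags events that fall outside it. The event format, the field names and every sample event are assumptions; the baseline is keyed on the peer group rather than the concrete account name so that an ephemeral NHI, which gets a fresh name every time it is provisioned, is scored against the profile of its workload class instead of never converging on a baseline of its own.

```python
"""Peer-group baselining and anomaly detection over constructed identity telemetry.

Added example, not code from the original article or from any vendor product.
The event format, the field names and every sample event are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed telemetry, one event per line. Format (assumed):
#   timestamp,identity,peer_group,destination,action
# peer_group is the stable class an identity belongs to (a human's role, an
# NHI's workload identity). Ephemeral NHIs get a new name each time they are
# provisioned, so the baseline is keyed on the group, which is what persists.
BASELINE_EVENTS = """\
2024-05-01T02:10:00,DC01$,domain-controller,DC02,ldap-replication
2024-05-01T03:10:00,DC01$,domain-controller,DC02,ldap-replication
2024-05-01T14:00:00,DC02$,domain-controller,DC01,ldap-replication
2024-05-01T09:05:00,svc-ci,ci-runner,git.internal,clone
2024-05-01T09:30:00,svc-ci,ci-runner,artifacts.internal,push
2024-05-02T10:00:00,ci-runner-7f3a,ci-runner,git.internal,clone
2024-05-01T08:55:00,alice,engineer,vpn.internal,logon
2024-05-01T09:00:00,alice,engineer,git.internal,clone
"""

# Constructed events from the detection window.
NEW_EVENTS = """\
2024-05-03T02:15:00,DC01$,domain-controller,DC02,ldap-replication
2024-05-03T02:20:00,DC01$,domain-controller,FILESRV03,smb-session
2024-05-03T09:10:00,ci-runner-9c1d,ci-runner,git.internal,clone
2024-05-03T23:40:00,alice,engineer,git.internal,clone
2024-05-03T11:00:00,svc-backup,backup-agent,FILESRV03,smb-session
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    identity: str
    peer_group: str
    dest: str
    action: str


@dataclass(frozen=True)
class Alert:
    identity: str
    peer_group: str
    dest: str
    reason: str


def parse(text):
    events = []
    for line in text.strip().splitlines():
        ts, identity, group, dest, action = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), identity, group, dest, action))
    return events


def build_baseline(events):
    """Per peer group: the destinations it talks to and the hours it is active."""
    peers = defaultdict(set)
    hours = defaultdict(set)
    for e in events:
        peers[e.peer_group].add(e.dest)
        hours[e.peer_group].add(e.ts.hour)
    return peers, hours


def detect(baseline, events):
    peers, hours = baseline
    alerts = []
    for e in events:
        if e.peer_group not in peers:
            # An identity class the baseline has never seen cannot be scored,
            # which is itself worth surfacing (a new, or rogue, NHI).
            alerts.append(Alert(e.identity, e.peer_group, e.dest, "unknown-peer-group"))
            continue
        if e.dest not in peers[e.peer_group]:
            alerts.append(Alert(e.identity, e.peer_group, e.dest, "outside-peer-group"))
        if e.ts.hour not in hours[e.peer_group]:
            alerts.append(Alert(e.identity, e.peer_group, e.dest, "unusual-hour"))
    return alerts


def run_example():
    baseline = build_baseline(parse(BASELINE_EVENTS))
    return detect(baseline, parse(NEW_EVENTS))


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.reason:20} {a.identity:16} ({a.peer_group}) -> {a.dest}")
```

Run as written, the domain controller's new SMB session to a file server is flagged as outside its peer group, the engineer's late-night clone as an unusual hour, and the backup agent as a peer group nobody baselined, while the freshly named CI runner is scored against its group and passes. Two caveats a practitioner would add: a baseline learned from two days of a handful of events is only illustrative, and a real deployment needs a longer learning window plus a tolerance threshold so that legitimate change does not page anyone; and the learning window must be chosen carefully, because an attacker who is already present when the baseline is built gets recorded as "normal".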
Additional Identity Security Best Practices
To ensure your security strategy can successfully account for the risks of both human and non-human identities, it’s important to make sure you’ve included elements like:
- Implementing strong authentication is critical to mitigating threats such as credential theft, stuffing, and brute force attacks. This includes enforcing Multi-Factor Authentication and robust password policies. Equally important is adopting a zero-trust security model that requires continuous authentication, validating identity whenever access is requested. While the traditional “trust but verify” mindset has value, today’s threat landscape demands a stronger emphasis on verification at every step.
- Monitoring for behavioral anomalies such as unusual login patterns, privilege escalations, and data exfiltration, all of which are symptoms of a potential threat.
- Full visibility into all identity stores to detect over-privileged, orphaned, rogue, or compromised accounts.
- Automated and rapid threat response enabling teams to suspend accounts, harden authentication, and revoke privileges with reduced response times.
- Training and education for employees and other users through security awareness programs that focus on phishing and social engineering.
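The visibility and response items in the list above, as an added example that is not code from the article or from any vendor product: an audit over a constructed identity-store export that flags rogue, orphaned, over-privileged and stale accounts, then maps each finding to a response action. The export format, column names, the set of sanctioned accounts, the admin-tier privilege names, the 90-day staleness threshold and the playbook are all assumptions made for illustration.

```python
"""Identity-store hygiene audit over a constructed account export.

Added example, not code from the original article or any vendor product.
The export format, the column names, the sanctioned-inventory set, the
thresholds and the response playbook are assumptions made for illustration.
"""
import csv
from datetime import date
from io import StringIO

# Constructed export of one identity store (e.g. a directory dump). The
# columns are assumed; a real export carries many more attributes.
ACCOUNTS_CSV = """\
name,kind,owner,privileges,last_used,enabled
alice,human,,user,2024-05-01,true
bob,human,,user,2023-11-15,false
svc-backup,nhi,bob,domain-admin|backup-operator,2024-04-30,true
svc-ci,nhi,alice,user,2024-05-02,true
svc-legacy-etl,nhi,alice,user,2023-12-01,true
svc-temp-9f2,nhi,,domain-admin,2024-05-01,true
"""

# Accounts the provisioning process knows about (constructed). Anything in
# the store but not here was created outside the sanctioned process.
SANCTIONED = {"alice", "bob", "svc-backup", "svc-ci", "svc-legacy-etl"}

ADMIN_TIER = {"domain-admin", "global-admin"}  # privileges an NHI should never hold
STALE_DAYS = 90
TODAY = date(2024, 5, 3)  # fixed so the example is deterministic


def load_accounts(text):
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["privileges"] = set(r["privileges"].split("|"))
        r["last_used"] = date.fromisoformat(r["last_used"])
        r["enabled"] = r["enabled"] == "true"
    return rows


def audit(accounts, sanctioned=SANCTIONED, today=TODAY):
    """Return {account: [finding, ...]} for every enabled account that fails a check."""
    active_humans = {a["name"] for a in accounts if a["kind"] == "human" and a["enabled"]}
    findings = {}
    for a in accounts:
        if not a["enabled"]:
            continue  # disabled accounts are reviewed separately
        f = []
        if a["name"] not in sanctioned:
            f.append("rogue")  # present in the store, unknown to provisioning
        if a["kind"] == "nhi" and a["owner"] not in active_humans:
            f.append("orphaned")  # no active owner to answer for this credential
        if a["kind"] == "nhi" and a["privileges"] & ADMIN_TIER:
            f.append("over-privileged")
        if (today - a["last_used"]).days > STALE_DAYS:
            f.append("stale")
        if f:
            findings[a["name"]] = f
    return findings


# Response playbook (assumed). Disabling is reserved for accounts nobody
# sanctioned or nobody uses; an orphaned but active service account is
# re-owned rather than cut off, so a production job does not fail at 3 a.m.
PLAYBOOK = {
    "rogue": "disable-and-investigate",
    "stale": "disable",
    "over-privileged": "revoke-admin-tier",
    "orphaned": "assign-owner",
}


def plan_response(findings):
    plan = {}
    for name, fs in findings.items():
        if "rogue" in fs:
            plan[name] = ["disable-and-investigate"]  # rogue overrides everything else
        else:
            plan[name] = sorted({PLAYBOOK[f] for f in fs})
    return plan


def run_example():
    findings = audit(load_accounts(ACCOUNTS_CSV))
    return findings, plan_response(findings)


if __name__ == "__main__":
    findings, plan = run_example()
    for name in findings:
        print(f"{name}: {', '.join(findings[name])} -> {', '.join(plan[name])}")
```

On the constructed export, the backup service account surfaces as orphaned (its owner left and was disabled) and over-privileged, the legacy ETL account as stale, and the unsanctioned temporary account as rogue, which collapses its response to disable-and-investigate regardless of its other findings. The same checks should be run against every identity store in the estate, not just one directory, and the playbook actions are the hooks where an ITDR workflow would call the store's API to suspend the account or strip the privilege.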
Shift Your Mindset for Stronger Security
In a hyper-connected world, identity-based attacks have emerged as one of the most prevalent and damaging threat vectors. With over 80% of breaches involving compromised credentials, it is clear that traditional security tools often fall short in detecting identity misuse. The path forward requires a strategic shift, from reactive defense mechanisms to an identity-first and analytics-driven approach to security.
ITDR is not just a toolset; it represents a fundamental change in how organizations approach access, trust, and threat detection. By continuously monitoring who is taking what actions, when, and why, ITDR empowers security teams to proactively identify identity risks, stopping potential breaches before they become a reality.
Craig Cooper is the Senior Vice President - Customer Success at Gurucul
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.

