EDR and NDR focus on endpoints and traffic, so they often miss abuse that happens through valid credentials, tokens, and delegated access. Identity attacks can look normal at the device and network layers while the attacker uses legitimate access paths. That is why identity telemetry must complement, not follow behind, endpoint and network monitoring.
Why This Matters for Security Teams
EDR and NDR are strong at detecting suspicious processes, endpoint tampering, and network anomalies, but identity attacks often stay inside legitimate control planes. If an attacker uses a valid API key, session token, service account, or delegated OAuth grant, the activity can look authorized at the device and transport layers even while it is abusive. That is why identity abuse is a visibility problem as much as a detection problem. NHIMG’s Ultimate Guide to NHIs shows how often organisations struggle with exposure, rotation, and visibility gaps, which gives attackers room to operate without tripping classic perimeter alarms. External guidance from CISA cyber threat advisories also reinforces that modern intrusion paths increasingly rely on valid credentials and trusted access paths.
Identity-centric attacks also fit a broader trend: attackers prefer what already works, because it produces less noise and more persistence. In practice, many security teams encounter compromised identities only after unusual access has already blended into normal admin activity.
How It Works in Practice
Identity attacks bypass EDR and NDR because the attacker does not need malware on the host or obvious command-and-control traffic. They use the identity itself. That can mean a stolen cloud access key, an over-permissioned service account, a leaked OAuth refresh token, or an AI agent credential that can call tools on behalf of a workflow. The endpoint may remain clean, and network traffic may originate from expected SaaS, cloud, or automation services.
The practical response is to move identity telemetry earlier in the detection chain. Security teams need logs and alerts for authentication events, token minting, privilege changes, unusual API actions, delegated consent grants, and cross-account access patterns. In cloud and agentic environments, the key question is not only “what device made the call?” but “what identity was allowed to make it, under what context, and for how long?” That is why current guidance increasingly points to short-lived credentials, workload identity, and policy checks at request time rather than static trust in a device or subnet.
- Use identity controls to detect impossible or improbable access sequences, not just malicious binaries.
- Correlate EDR and NDR data with IAM, PAM, cloud audit, and IdP logs.
- Rotate and expire secrets aggressively, especially for service accounts and automation.
- Prefer workload identity over long-lived shared credentials where possible.
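The correlation the bullets above call for, run over a handful of identity events, as an added example that is not code from the page, from NHIMG or from any product. It is Python over constructed sample telemetry (IdP sign-ins, a consent grant, cloud audit events, a secret inventory and a per-identity source-address baseline); the event schema, field names, rule names and thresholds are all assumptions, chosen to show the four patterns the list names: an improbable access sequence, a control-plane change followed by use from a new source, a risky delegated grant, and secrets past their rotation deadline.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Cloud control-plane events that mint credentials or change privilege (assumed names).
CONTROL_PLANE = {"CreateAccessKey", "AttachUserPolicy", "AttachRolePolicy",
                 "UpdateAssumeRolePolicy", "CreateServiceAccountKey"}

# Constructed sample telemetry, not real logs: IdP sign-ins and consent grants plus
# cloud audit events, assumed already normalised to one schema by a log pipeline.
EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "src": "idp",   "event": "signin",           "id": "alice",      "ip": "203.0.113.10"},
    {"ts": "2024-05-01T09:04:00Z", "src": "cloud", "event": "CreateAccessKey",  "id": "svc-deploy", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T09:05:00Z", "src": "cloud", "event": "AttachUserPolicy", "id": "svc-deploy", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T09:07:00Z", "src": "cloud", "event": "ListBuckets",      "id": "svc-deploy", "ip": "192.0.2.44"},
    {"ts": "2024-05-01T09:10:00Z", "src": "idp",   "event": "consent_grant",    "id": "bob",
     "app": "mail-sync-helper", "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"ts": "2024-05-01T09:12:00Z", "src": "idp",   "event": "signin",           "id": "alice",      "ip": "198.51.100.200"},
    {"ts": "2024-05-01T10:00:00Z", "src": "cloud", "event": "GetObject",        "id": "svc-backup", "ip": "198.51.100.7"},
]
# Constructed baseline: source addresses previously seen for each identity.
BASELINE = {"alice": {"203.0.113.10"}, "svc-deploy": {"198.51.100.7"}, "svc-backup": {"198.51.100.7"}}
# Constructed inventory of long-lived credentials and when each was minted.
SECRETS = [
    {"secret": "key-svc-deploy-01", "owner": "svc-deploy", "created": "2023-01-15T00:00:00Z"},
    {"secret": "key-ci-runner-02",  "owner": "ci-runner",  "created": "2024-01-01T00:00:00Z"},
    {"secret": "key-svc-backup-03", "owner": "svc-backup", "created": "2024-04-01T00:00:00Z"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def by_identity(events):
    """Group events per identity in time order; correlation is always per principal."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        groups[e["id"]].append(e)
    return groups

def detect_priv_change_then_new_source(events, baseline, window=timedelta(hours=1)):
    """A key minted or a policy attached, then the same identity used from an address
    never seen for it. The endpoint can be clean; the chain is visible only in IAM logs."""
    alerts = []
    for ident, evs in by_identity(events).items():
        known = baseline.get(ident, set())
        for i, e in enumerate(evs):
            if e["event"] not in CONTROL_PLANE:
                continue
            t0 = parse_ts(e["ts"])
            hits = [x for x in evs[i + 1:] if parse_ts(x["ts"]) - t0 <= window
                    and x.get("ip") and x["ip"] not in known]
            if hits:
                alerts.append({"rule": "priv_change_then_new_source", "id": ident, "change": e["event"],
                               "use": hits[0]["event"], "ip": hits[0]["ip"]})
                break  # one alert per identity; the chain is already evident
    return alerts

def detect_rapid_source_change(events, window=timedelta(minutes=30)):
    """Two sign-ins from different addresses inside one window. Without geo or ASN
    enrichment this is 'improbable', not 'impossible'; treat it as a lead, not proof."""
    alerts = []
    for ident, evs in by_identity(events).items():
        signins = [e for e in evs if e["event"] == "signin"]
        for a, b in zip(signins, signins[1:]):
            if a["ip"] != b["ip"] and parse_ts(b["ts"]) - parse_ts(a["ts"]) <= window:
                alerts.append({"rule": "rapid_source_change", "id": ident, "from": a["ip"], "to": b["ip"]})
    return alerts

def detect_risky_consent(events):
    """Delegated OAuth grants that give an app persistent (offline_access) or write access."""
    alerts = []
    for e in events:
        if e["event"] != "consent_grant":
            continue
        scopes = set(e["scopes"])
        if "offline_access" in scopes or any("Write" in s for s in scopes):
            alerts.append({"rule": "risky_consent", "id": e["id"], "app": e["app"], "scopes": sorted(scopes)})
    return alerts

def detect_stale_secrets(secrets, now, max_age=timedelta(days=90)):
    """Long-lived credentials past the rotation deadline: standing access that needs
    no endpoint or network foothold to reuse."""
    return [{"rule": "stale_secret", "id": s["owner"], "secret": s["secret"],
             "age_days": (now - parse_ts(s["created"])).days}
            for s in secrets if now - parse_ts(s["created"]) > max_age]

def run_all(events=EVENTS, baseline=BASELINE, secrets=SECRETS, now=parse_ts("2024-05-01T09:30:00Z")):
    return (detect_priv_change_then_new_source(events, baseline)
            + detect_rapid_source_change(events)
            + detect_risky_consent(events)
            + detect_stale_secrets(secrets, now))

if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

Run as a script it prints five alerts: the svc-deploy key-mint-then-new-source chain, alice's two sign-ins from different addresses twelve minutes apart, bob's grant of persistent mailbox write access to an app, and two keys older than ninety days. None of these would register as a malicious process or a suspicious flow; every one of them is an authorisation event, which is the point of the list above. In production the baseline would be learned from history and the window and scope rules tuned per tenant.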
NHIMG’s 52 NHI Breaches Analysis and Top 10 NHI Issues both show that exposure, privilege, and weak lifecycle controls are common failure points, not edge cases. These controls tend to break down in environments with heavy automation, federated SaaS integrations, or AI agents because legitimate identity use is high-volume, dynamic, and difficult to baseline with endpoint-centric tools.
Common Variations and Edge Cases
Tighter identity monitoring often increases operational overhead, requiring organisations to balance detection depth against alert volume and integration effort. There is no universal standard for this yet, especially in agentic AI and multi-cloud environments where identities are short-lived and context changes quickly.
Some teams expect EDR to catch everything because the attacker eventually “does something bad” on a host. That assumption fails when abuse happens entirely in cloud APIs, CI/CD pipelines, or SaaS admin consoles. In those cases, the harmful action is the authorisation event itself, not a payload dropped on disk. Other edge cases include service-to-service calls that are technically valid but misused at scale, and delegated automation that acts within scope but outside intended business context.
Best practice is evolving toward layered identity observability: combine IAM change monitoring, privileged session review, token lifecycle enforcement, and runtime policy evaluation. For threat modeling, the Anthropic report on AI-orchestrated cyber espionage and the MITRE ATLAS adversarial AI threat matrix are useful reminders that autonomous and delegated behaviors can look ordinary until the blast radius is already large. Organisations that rely only on endpoint and network alerts usually discover identity misuse after access has been reused, chained, and expanded across multiple systems.
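The request-time policy evaluation and token lifecycle enforcement this paragraph describes, together with the two edge cases from the previous paragraph (valid service-to-service calls misused at scale, and delegated automation acting within scope but outside its intended business context), as one added example that is not code from the page, from NHIMG or from any vendor. It is Python with a hypothetical short-lived agent token; the claim names (`audience`, `scopes`, `binding`), the policy table, the per-minute budget and the workflow identifiers are all assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

@dataclass(frozen=True)
class Token:
    """A short-lived credential minted for one workload or agent. 'binding' is a
    hypothetical claim naming the workflow the delegation was issued for."""
    subject: str
    audience: str
    scopes: frozenset
    issued_at: datetime
    ttl: timedelta
    binding: str

@dataclass(frozen=True)
class Request:
    service: str   # the service receiving the call
    action: str
    binding: str   # workflow the caller claims to be acting for
    at: datetime

# Hypothetical policy: allowed actions and a per-minute budget for each subject.
POLICY = {
    "agent-mailer":  {"actions": {"mail.read", "mail.send"}, "per_minute": 5},
    "svc-reporting": {"actions": {"report.read"},            "per_minute": 60},
}
SCOPE_FOR_ACTION = {"mail.read": "mail:read", "mail.send": "mail:send", "report.read": "report:read"}

class RateBudget:
    """Sliding one-minute window of accepted calls per (subject, action)."""
    def __init__(self):
        self._calls = defaultdict(deque)

    def consume(self, key, at, limit):
        q = self._calls[key]
        while q and at - q[0] > timedelta(minutes=1):
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(at)
        return True

def evaluate(token, req, policy, budget):
    """Decide one call at request time. Returns (allowed, reason); cheapest and most
    decisive checks first: lifetime, audience, policy, scope, context binding, volume."""
    if req.at < token.issued_at or req.at > token.issued_at + token.ttl:
        return False, "token expired or not yet valid"
    if token.audience != req.service:
        return False, f"token minted for {token.audience}, presented to {req.service}"
    rule = policy.get(token.subject)
    if rule is None or req.action not in rule["actions"]:
        return False, f"{token.subject} is not permitted to {req.action}"
    if SCOPE_FOR_ACTION.get(req.action) not in token.scopes:
        return False, f"token scopes do not cover {req.action}"
    if token.binding != req.binding:
        return False, f"delegation issued for {token.binding}, used for {req.binding}"
    if not budget.consume((token.subject, req.action), req.at, rule["per_minute"]):
        return False, f"{token.subject} exceeded {rule['per_minute']}/min for {req.action}"
    return True, "allowed"

def demo():
    """Walk one agent token through the cases the text describes."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=UTC)
    tok = Token("agent-mailer", "mail-api", frozenset({"mail:read", "mail:send"}),
                t0, timedelta(minutes=10), "wf-onboarding-42")
    budget = RateBudget()

    def call(service, action, binding, secs):
        return evaluate(tok, Request(service, action, binding, t0 + timedelta(seconds=secs)), POLICY, budget)

    out = {}
    out["in_context"] = call("mail-api", "mail.send", "wf-onboarding-42", 5)
    # Same token, same scope, different workflow: valid identity, wrong business context.
    out["wrong_workflow"] = call("mail-api", "mail.send", "wf-payroll-export", 10)
    # Token replayed against a service it was not minted for.
    out["wrong_audience"] = call("files-api", "mail.read", "wf-onboarding-42", 15)
    # In-scope calls at scale: the budget, not the scope, is what stops the burst.
    burst = [call("mail-api", "mail.send", "wf-onboarding-42", 20 + i) for i in range(6)]
    out["burst_allowed"] = sum(1 for ok, _ in burst if ok)
    out["burst_last"] = burst[-1]
    # After the TTL the token is inert even if it leaked.
    out["expired"] = call("mail-api", "mail.read", "wf-onboarding-42", 15 * 60)
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The ordering matters for operations as much as for correctness: a denial's reason is itself identity telemetry, and a stream of "delegation issued for X, used for Y" or "exceeded N/min" decisions is exactly the signal endpoint and network tools cannot produce. The first call succeeds; the same token is then refused for a different workflow, refused at the wrong service, capped after its fifth send in a minute, and refused outright once its ten-minute lifetime has passed.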
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-07 (Long-Lived Secrets) | Identity abuse often persists because secrets and tokens are not rotated. |
| NIST CSF 2.0 | DE.CM-01, DE.CM-03 | DE.CM-01 covers network monitoring; DE.CM-03 (personnel activity and technology usage) is where identity telemetry must supplement endpoint and network monitoring. |
| NIST AI RMF | | Autonomous and delegated AI use changes the identity risk profile. |
Assess AI identity risk at runtime and govern agent access with context-aware controls.
Related resources from NHI Mgmt Group
- Why do endpoint tools miss so many browser-based account takeover attacks?
- Why do indicator-based detections fail against modern identity attacks?
- Why do non-human identities create more risk than many human accounts?
- Why do non-human identities create more remediation risk than many human accounts?