TL;DR: A broad attack surface expands entry points across digital, physical, social, AI, and IoT layers, and compromised credentials remain a common initial path, according to StrongDM’s analysis. Reducing exposure only works when IAM, PAM, and Zero Trust controls are applied to the identities and endpoints that actually drive access decisions.
At a glance
What this is: This is a primer on attack surface risk that argues the real reduction lever is tighter access control, not just narrower perimeter visibility.
Why it matters: It matters to IAM and NHI practitioners because attack surface growth is often an identity problem, especially when service access, credentials, and privileges sprawl across systems.
By the numbers:
- 20% of all cyberattacks start with compromised credentials.
- Data breaches cost $4.45 million on average and take approximately 287 days to contain.
- 69% of companies have IoT devices that outnumber computers on their network, while only 16% have IoT attack surface visibility.
👉 Read StrongDM's full guide to attack surface reduction and access control
Context
Attack surface is the total set of entry points an attacker could use to reach systems, data, or identities. For IAM and NHI teams, the problem is not only how many endpoints exist, but how many credentials, service accounts, tokens, and privileged paths are attached to them. A larger attack surface usually means more identity pathways to govern, not just more infrastructure to scan.
StrongDM frames the issue through access sprawl, privileged access, and endpoint diversity, then ties reduction to stronger authentication, least privilege, and regular review of who can reach what. That is a familiar starting position, but it is incomplete without NHI governance, because machine identities and automation often expand faster than human-facing controls can track.
Key questions
Q: How can security teams reduce attack surface without slowing operations?
A: Reduce attack surface by removing unnecessary access, shortening credential lifetimes, and narrowing what each identity can do. The practical balance is not to block work, but to make access task-scoped and reviewable. That usually means least privilege, just-in-time elevation, and regular cleanup of unused endpoints, roles, and secrets.
Q: Why do non-human identities increase attack surface risk?
A: Non-human identities increase risk because they often operate at machine speed, hold broad permissions, and are harder to inventory than human accounts. When service accounts, tokens, and certificates are long-lived or reused, they become durable entry paths. The result is more reachable authority for attackers and less visibility for defenders.
Q: What is the difference between attack surface reduction and attack surface management?
A: Attack surface reduction is the act of shrinking exposed access and removing unnecessary pathways. Attack surface management is the ongoing process of discovering, monitoring, and reassessing those pathways over time. Teams need both, because reduction without continuous management quickly becomes stale as new services, identities, and integrations appear.
Q: When should organisations treat credential rotation as an attack surface control?
A: Organisations should treat credential rotation as an attack surface control whenever a secret can be reused to reach important systems. That is especially true for service accounts, automation tokens, and third-party access. Rotation reduces the usable window for attackers and helps convert a leaked credential from persistent access into a short-lived event.
Technical breakdown
How attack surfaces become identity surfaces
An attack surface becomes an identity surface when every exposed system depends on credentials, tokens, certificates, or privileged sessions to function. In modern environments, the real entry point is often not the host itself but the access path tied to it. That includes service accounts, API keys, federation trust, and administrative roles. Once those identities are over-scoped or left active too long, the attack surface grows even if the infrastructure footprint stays the same. The technical risk is not just exposure, but authorization that outlives the task it was meant to support.
Practical implication: Map exposed systems to the identities that can reach them, then remove standing access wherever the task does not require it.
Why compromised credentials dominate initial access
Compromised credentials are such a common entry vector because they bypass many perimeter controls and often look like legitimate activity. Attackers prefer identity abuse over noisy exploitation because authenticated access can blend into normal admin, service, or application traffic. In NHI environments, this gets worse when secrets are reused, stored in code, or shared across workloads. The issue is structural: the more long-lived and broadly trusted the credential, the easier it is to convert a single leak into expanded access. That is why attack surface reduction has to include credential lifecycle, not just network hardening.
Practical implication: Treat credential lifecycle as a core attack-surface control and rotate or replace shared secrets before they become reusable access paths.
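As an added illustration of the credential-lifecycle checks described above (and of the rotation question in the Key questions section), the following Python script is example code written for this page, not StrongDM's or NHI Mgmt Group's tooling. It audits a constructed secrets inventory for the conditions the text names, long-lived secrets, secrets shared across workloads, the same secret material reused under different names, and secrets with no expiry, then orders rotation work by how many systems each secret can reach. The inventory fields (`issued`, `expires`, `used_by`, `reaches`, `material_fp`) are assumptions about what a secrets-manager export would provide; `material_fp` stands in for a hash of the secret value.

```python
"""Credential lifecycle audit over a constructed secrets inventory.

Flags the conditions the text calls out (long-lived secrets, secrets shared
across workloads, the same secret material reused under different names,
and secrets with no expiry), then orders rotation work by how many systems
each secret can reach rather than by age alone.
"""
from collections import defaultdict
from datetime import date

# Constructed sample inventory; field names are assumptions about what a
# secrets-manager export would provide. `material_fp` stands in for a hash of
# the secret value so reuse can be detected without handling the value itself.
TODAY = date(2025, 6, 25)
INVENTORY = [
    {"id": "ci-deploy-token", "kind": "api_key", "issued": date(2023, 1, 10),
     "expires": None, "used_by": ["ci-runner"],
     "reaches": ["prod-k8s", "artifact-registry"], "material_fp": "a1"},
    {"id": "svc-billing-db", "kind": "password", "issued": date(2025, 5, 1),
     "expires": date(2025, 8, 1), "used_by": ["billing-api", "report-cron"],
     "reaches": ["billing-db"], "material_fp": "b2"},
    {"id": "svc-analytics-db", "kind": "password", "issued": date(2025, 5, 1),
     "expires": date(2025, 8, 1), "used_by": ["analytics-worker"],
     "reaches": ["billing-db"], "material_fp": "b2"},   # same value as above
    {"id": "vendor-crm-oauth", "kind": "oauth_refresh", "issued": date(2025, 6, 1),
     "expires": date(2025, 6, 30), "used_by": ["crm-sync"],
     "reaches": ["crm-tenant"], "material_fp": "c3"},
]


def audit_secrets(inventory, today=TODAY, max_age_days=90):
    """Return {secret_id: sorted issue tags} for every secret with at least one finding."""
    holders_by_material = defaultdict(list)
    for s in inventory:
        holders_by_material[s["material_fp"]].append(s["id"])

    findings = {}
    for s in inventory:
        issues = []
        if (today - s["issued"]).days > max_age_days:
            issues.append("long_lived")
        if s["expires"] is None:
            issues.append("no_expiry")
        if len(s["used_by"]) > 1:
            issues.append("shared_across_workloads")
        if len(holders_by_material[s["material_fp"]]) > 1:
            issues.append("material_reused")
        if issues:
            findings[s["id"]] = sorted(issues)
    return findings


def rotation_order(inventory, findings):
    """Flagged secrets ordered by reachable systems, then by issue count, largest first."""
    reach = {s["id"]: len(s["reaches"]) for s in inventory}
    return sorted(findings, key=lambda sid: (reach[sid], len(findings[sid])), reverse=True)


def usable_window_days(secret, today=TODAY):
    """Days a leaked copy stays valid on its own; None means it never expires."""
    if secret["expires"] is None:
        return None
    return max((secret["expires"] - today).days, 0)


if __name__ == "__main__":
    found = audit_secrets(INVENTORY)
    for sid in rotation_order(INVENTORY, found):
        secret = next(s for s in INVENTORY if s["id"] == sid)
        print(f"{sid}: {', '.join(found[sid])}; usable window: {usable_window_days(secret)}")
```

The ordering is the point: the CI token is not the most recently flagged secret, but it reaches two systems and never expires, so it goes first. Ordering by reach rather than by age is what "attack surface as reachable authority" looks like in a rotation backlog.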
How Zero Trust and least privilege reduce blast radius
Zero Trust Architecture reduces attack surface by forcing continuous verification instead of assuming that a network location or prior authentication event is enough. Least privilege narrows what an identity can do after it authenticates, which is critical when the identity is a workload, bot, or service account rather than a human user. For NHIs, the goal is to keep access task-scoped, time-bound, and traceable. If an attacker does get in, blast radius becomes the primary metric, because containment depends on whether the compromised identity can move laterally or only reach one narrowly defined resource.
Practical implication: Use zero standing privilege, short session lifetimes, and granular authorization rules to make compromise harder to scale.
Threat narrative
Attacker objective: Turn one trusted identity into repeated access across multiple assets, then use that access to exfiltrate data or extend control.
- Entry occurs through compromised credentials or exposed secrets that provide authenticated access instead of exploiting code directly.
- Escalation follows when the same identity has broader permissions than the task required, allowing the attacker to reach additional systems.
- Impact comes when the attacker uses that expanded access to steal data, deploy malware, or establish persistence across the environment.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Attack surface reduction is increasingly an identity governance problem, not a perimeter problem. The article correctly connects exposure to access, but modern environments now attach identities to workloads, automation, and AI systems as much as to people. That means the true reduction target is not only open ports or public endpoints, but standing authorization that can be reused after an initial compromise. Practitioners should treat the attack surface as a living entitlement map.
Compromised credentials remain the most efficient route from exposure to impact because they preserve normal-looking behaviour. When attackers authenticate successfully, they inherit trust that scanners and firewalls may not challenge. That makes lifecycle controls, secret rotation, and session limits more important than static perimeter checks. Teams should assume any long-lived shared credential is an attack-surface multiplier.
Identity blast radius: the smallest useful unit of attack-surface reduction is the set of actions one identity can perform. A broad environment with narrowly scoped identities is easier to recover from than a small environment with over-privileged NHIs. That shifts the governance question from how many assets exist to how much damage one identity can do. Practitioners should measure and reduce blast radius before they measure tooling coverage.
AI and IoT expand the attack surface because they introduce high-volume, low-visibility identities and endpoints. These systems often generate credentials faster than humans can review them, and their access patterns are harder to baseline. That does not make them uniquely dangerous by default, but it does make unmanaged trust more likely. Practitioners should fold AI and IoT identities into the same review model as service accounts and privileged users.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
- For a broader root-cause view, The 52 NHI breaches Report maps how unmanaged machine access becomes repeated compromise.
What this signals
Identity sprawl is now the control problem hidden inside attack surface management. As organisations add automation, AI, and ephemeral services, the count of reachable identities grows faster than the count of humans reviewing them. That is why conventional inventory and perimeter thinking misses the real governance gap. Practitioners should assume that any environment with rising machine activity needs identity-centric discovery, not just asset discovery.
With 72% of organisations already reporting or suspecting NHI breaches, the programme risk is no longer theoretical. Teams that still separate infrastructure review from identity review will keep finding the same exposure twice, once in the asset layer and again in the access layer. The right response is unified entitlement review across humans, workloads, and agents.
Ephemeral credential trust debt: short-lived access reduces dwell time, but it still creates trust if issuance, scope, and revocation are weak. That matters for CI/CD, service meshes, and agentic workflows where credentials appear and disappear faster than manual controls can track. Security teams should pair short TTLs with policy enforcement and event-driven revocation rather than treating ephemerality as a control on its own.
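To make the point in the two passages above concrete (task-scoped, time-bound, traceable access from the Zero Trust breakdown, and short TTLs paired with event-driven revocation here), the following is an added Python example, not code from StrongDM or this site. It issues HMAC-signed grants carrying a subject, one resource, an action list, an issue time and an expiry, and checks every use against signature, expiry, per-grant revocation, a per-subject revocation event, and scope. `GrantIssuer`, `revoke_subject` and the sample subject `deploy-bot` are invented for the example; a real deployment would issue through a token service and distribute revocation events rather than keep them in one process.

```python
"""Short-lived, task-scoped grants with event-driven revocation.

A grant names one subject, one resource, and the actions allowed on it,
with an issue time and an expiry. Every use is checked against signature,
expiry, revocation, and scope, so ephemerality is enforced by policy rather
than assumed. Times are integer seconds passed in by the caller so the
example is deterministic.
"""
import base64
import hashlib
import hmac
import json
import secrets


class GrantIssuer:
    """Issues and verifies grants. Invented for this example, not a real library."""

    def __init__(self, key: bytes):
        self._key = key
        self._revoked_ids = set()       # individual grants revoked by id
        self._subject_cutoff = {}       # subject -> time of last revocation event

    def issue(self, subject, resource, actions, now, ttl_s=300):
        """Mint a grant valid for ttl_s seconds from `now`, scoped to one resource."""
        body = {
            "jti": secrets.token_hex(8),   # unique id, for audit trail and revocation
            "sub": subject,
            "res": resource,
            "act": sorted(actions),
            "iat": now,
            "exp": now + ttl_s,
        }
        raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self._key, raw, hashlib.sha256).digest()
        return self._b64(raw) + "." + self._b64(sig)

    def revoke(self, token):
        """Revoke one grant immediately, regardless of remaining TTL."""
        body = self._parse(token)
        if body is not None:
            self._revoked_ids.add(body["jti"])

    def revoke_subject(self, subject, now):
        """Event-driven revocation: void every grant issued to `subject` at or before `now`."""
        self._subject_cutoff[subject] = now

    def authorize(self, token, resource, action, now):
        """Return (allowed, reason); checks run cheapest-to-reject first."""
        body = self._parse(token)
        if body is None:
            return False, "invalid_token"
        if now >= body["exp"]:
            return False, "expired"
        if body["jti"] in self._revoked_ids:
            return False, "revoked"
        cutoff = self._subject_cutoff.get(body["sub"])
        if cutoff is not None and body["iat"] <= cutoff:
            return False, "revoked"
        if body["res"] != resource or action not in body["act"]:
            return False, "out_of_scope"
        return True, "ok"

    def _parse(self, token):
        """Verify the signature and return the body, or None if malformed or forged."""
        try:
            raw_b64, sig_b64 = token.split(".")
            raw = base64.urlsafe_b64decode(raw_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except ValueError:
            return None
        expected = hmac.new(self._key, raw, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        return json.loads(raw)

    @staticmethod
    def _b64(data: bytes) -> str:
        return base64.urlsafe_b64encode(data).decode()


if __name__ == "__main__":
    issuer = GrantIssuer(secrets.token_bytes(32))
    grant = issuer.issue("deploy-bot", "prod-k8s", ["rollout"], now=1000, ttl_s=300)
    print(issuer.authorize(grant, "prod-k8s", "rollout", now=1100))   # (True, 'ok')
    print(issuer.authorize(grant, "prod-k8s", "delete", now=1100))    # (False, 'out_of_scope')
    print(issuer.authorize(grant, "prod-k8s", "rollout", now=1300))   # (False, 'expired')
    issuer.revoke_subject("deploy-bot", now=1200)                      # e.g. a secret-leak event
    print(issuer.authorize(grant, "prod-k8s", "rollout", now=1250))   # (False, 'revoked')
```

The per-subject cutoff is what turns a leak report into an immediate control: a grant that is still inside its TTL is refused the moment the subject's revocation event lands, while a grant issued after the event is accepted. Without that check, a five-minute TTL is still five minutes of trust debt.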
For practitioners
- Inventory every external entry point tied to an identity: Build an access map that links each public endpoint, service, workload, and automation path to the credential or role that can reach it. Include API keys, certificates, service accounts, and delegated access so the attack surface is measured as reachable authority, not just exposed infrastructure.
- Shorten the lifetime of all non-human credentials: Replace long-lived secrets with time-bound credentials where possible, and enforce rotation for anything that cannot be eliminated. Focus first on shared keys, CI/CD tokens, and administrative service accounts that can reach multiple systems.
- Apply least privilege to every machine identity: Review whether each service account, bot, or workload truly needs its current permissions, then remove broad roles and unused entitlements. Pair the review with just-in-time access for elevated actions so standing privilege does not become the default.
- Measure blast radius, not just exposure count: Test what an attacker could do after compromising a single identity, including lateral movement, data access, and persistence options. Use those results to prioritize the identities that would turn one leak into environment-wide compromise.
- Add AI and IoT identities to governance reviews: Treat agentic systems, device fleets, and their service credentials as part of the same review cycle as human access. Their scale and automation can multiply attack surface quickly if they are excluded from entitlement review and anomaly detection.
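The access map, standing-access removal, and blast-radius measurement described in the technical breakdown, in the analysis section, and in the checklist above share one underlying computation, so here is a single added Python example that covers all of them. It is example code written for this page, not StrongDM's or NHI Mgmt Group's tooling. The environment is constructed: identities hold grants on resources, some resources host credentials for further identities (a cluster with service-account secrets mounted into workloads), and public endpoints run as particular identities. Blast radius is the closure an attacker reaches from one identity by following standing grants and harvesting hosted credentials; `convert_to_jit` shows how much that closure shrinks when one standing grant is made just-in-time. All names (`ci-runner`, `prod-k8s`, `billing-db`, the endpoints) are invented.

```python
"""Entitlement map and identity blast radius over a constructed environment.

Two relations describe the environment: identities hold grants on resources,
and some resources host credentials for further identities. Blast radius is
the closure an attacker reaches from one identity by following standing
grants and harvesting hosted credentials along the way.
"""
from collections import namedtuple

Grant = namedtuple("Grant", "identity resource action standing")

# Constructed sample data, not a real environment.
GRANTS = [
    Grant("ci-runner", "artifact-registry", "push", True),
    Grant("ci-runner", "prod-k8s", "deploy", True),
    Grant("billing-api", "billing-db", "read", True),
    Grant("billing-api", "billing-db", "write", True),
    Grant("report-cron", "billing-db", "read", True),
    Grant("crm-sync", "crm-tenant", "read", True),
    Grant("oncall-admin", "prod-k8s", "admin", False),   # just-in-time only
]
# Resource -> identities whose credentials live on it (secrets mounted into workloads).
HOSTED_CREDENTIALS = {
    "prod-k8s": ["billing-api", "report-cron"],
}
# Public entry points and the identity each one runs as.
PUBLIC_ENDPOINTS = {
    "api.example.test": "billing-api",
    "hooks.example.test": "ci-runner",
}


def blast_radius(identity, grants=GRANTS, hosted=HOSTED_CREDENTIALS, standing_only=True):
    """Return (identities, resources) reachable from `identity`.

    `resources` maps resource -> set of actions. With standing_only=True,
    grants that require just-in-time elevation are not counted, because the
    attacker would have to pass the elevation check to use them.
    """
    reached = {identity}
    frontier = [identity]
    resources = {}
    while frontier:
        current = frontier.pop()
        for g in grants:
            if g.identity != current or (standing_only and not g.standing):
                continue
            resources.setdefault(g.resource, set()).add(g.action)
            for harvested in hosted.get(g.resource, []):
                if harvested not in reached:
                    reached.add(harvested)
                    frontier.append(harvested)
    return reached, resources


def rank_identities(grants=GRANTS, hosted=HOSTED_CREDENTIALS):
    """Identities ordered by number of reachable resources, largest first, then by name."""
    names = sorted({g.identity for g in grants})
    scored = [(name, len(blast_radius(name, grants, hosted)[1])) for name in names]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


def entry_point_map(endpoints=PUBLIC_ENDPOINTS, grants=GRANTS, hosted=HOSTED_CREDENTIALS):
    """Map each public endpoint to its identity and the resources that identity can reach."""
    return {ep: (ident, sorted(blast_radius(ident, grants, hosted)[1]))
            for ep, ident in endpoints.items()}


def convert_to_jit(grants, identity, resource):
    """Copy of `grants` with that identity's standing grants on `resource` made JIT-only."""
    return [g._replace(standing=False) if g.identity == identity and g.resource == resource else g
            for g in grants]


if __name__ == "__main__":
    for name, score in rank_identities():
        print(f"{name}: {score} reachable resource(s)")
    for ep, (ident, reach) in entry_point_map().items():
        print(f"{ep} runs as {ident}, reaches {reach}")
    tightened = convert_to_jit(GRANTS, "ci-runner", "prod-k8s")
    print("ci-runner after JIT on prod-k8s:", sorted(blast_radius("ci-runner", tightened)[1]))
```

Two things the numbers show that an asset count does not. The CI identity holds only two grants, but because the cluster hosts database credentials its blast radius is the whole billing path, so the webhook endpoint that runs as `ci-runner` is the most exposed entry point. Making the single `prod-k8s` deploy grant just-in-time cuts that radius to the artifact registry alone, without touching the cluster or the database. Running the same function with `standing_only=False` shows what the `oncall-admin` JIT role would be worth if its elevation check were bypassed.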
Key takeaways
- Attack surface is best understood as reachable authority, which makes identity governance central to reduction efforts.
- Compromised credentials remain a high-probability entry path because they preserve normal authentication behaviour after exposure.
- The practical answer is to shrink blast radius through least privilege, short-lived access, and continuous review of non-human identities.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the NHI attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI7:2025 Long-Lived Secrets | Credential lifecycle and rotation are central to reducing attack-surface exposure. |
| OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI | Least privilege for service accounts, workloads, and agents limits identity blast radius. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions and entitlements defined in policy, enforced, and reviewed under least privilege align with access control in attack-surface reduction. |
| NIST Zero Trust Architecture (SP 800-207) | Section 2.1, Tenets of Zero Trust | Zero Trust requires dynamic, per-request authentication and authorization before access is granted to exposed resources. |
Review NHI credential lifetimes and rotate or replace long-lived secrets before they expand blast radius.
Key terms
- Attack Surface: Attack surface is the full set of points where an attacker could interact with a system, identity, or data path. In practice, it includes exposed services, credentials, APIs, devices, and human workflows that create reachable authority. The smaller and better governed that set is, the harder it is for attackers to find a usable path.
- Attack Vector: An attack vector is the specific pathway or method used to exploit part of the attack surface. It can be a stolen credential, a misconfigured service, a phishing message, or a vulnerable integration. In identity-heavy environments, vectors often succeed because the access looks legitimate once the attacker obtains valid authorization.
- Non-Human Identity: A non-human identity is any machine or software identity that authenticates to systems, including service accounts, tokens, API keys, certificates, bots, workloads, and AI agents. These identities need the same governance discipline as human users because they can carry privilege, persist over time, and create broad downstream access if unmanaged.
- Identity Blast Radius: Identity blast radius is the amount of damage a single compromised identity can cause. It depends on permissions, reach, duration, and the ability to move laterally. Reducing blast radius means making access narrower, shorter-lived, and easier to revoke so one compromise does not become an environment-wide incident.
Deepen your knowledge
Attack surface reduction, least privilege, and credential lifecycle control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is moving from perimeter thinking to identity-centric governance, it is worth exploring.
This post draws on content published by StrongDM: What Is an Attack Surface? (And the Best Way to Reduce It). Read the original.
Published by the NHIMG editorial team on 2025-06-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org