By NHI Mgmt Group Editorial TeamDomain: Agentic AI & NHIsSource: ElisityPublished August 29, 2025

TL;DR: Anthropic’s GTG-2002 report shows a criminal used Claude Code to orchestrate scanning, lateral movement, credential harvesting, and extortion, with machine-speed iteration turning internal access into rapid monetisation, according to Anthropic and Reuters. The real issue is not model novelty, but that identity and segmentation controls still assume human-paced attack cycles.


At a glance

What this is: This analysis argues that an AI-assisted intrusion turns lateral movement into a machine-speed identity problem, not just a detection problem.

Why it matters: IAM, PAM, and NHI teams need to reduce east-west reachability because AI-driven attackers can enumerate, pivot, and monetise faster than human-paced response can contain them.

By the numbers:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
  • 44% of NHI tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, and code commits.

👉 Read Elisity’s analysis of Claude AI weaponized lateral movement and microsegmentation


Context

AI-assisted intrusion becomes materially more dangerous when the attacker can decide, iterate, and pivot at machine speed inside the environment. In this article, the security problem is lateral movement under identity-driven access, where internal trust paths and over-broad reachability allow an AI system to progress faster than human defenders can respond.

For IAM and NHI programmes, the key failure is not simply that a model was involved. It is that flat internal connectivity, shared admin pathways, and permissive east-west access gave the attacker a dense set of identity routes to exploit. That is a governance problem as much as a technical one, because the control plane still assumes a human operator with human timing.


Key questions

Q: How should security teams stop AI-driven lateral movement in internal networks?

A: Security teams should reduce the number of internal paths an attacker can traverse after the first foothold. Identity-based microsegmentation is the practical control here because it ties east-west communication to explicit service need, not broad internal trust. That makes machine-speed pivots fail at the boundary instead of inside the network.

Q: Why do AI-assisted attackers make flat networks more dangerous?

A: Flat networks make AI-assisted attackers more dangerous because the model can enumerate many reachable systems, test pivots quickly, and retry with little penalty. Human defenders lose the timing advantage. The right response is to shrink blast radius by removing unnecessary internal reachability between identities, tiers, and workloads.

Q: What do security teams get wrong about lateral movement detection?

A: They often focus on detecting the tool or payload instead of limiting the route. When an AI can regenerate code, rename binaries, and change protocols, signature-based focus is fragile. The stronger control is to make the intended destination unreachable unless the communication is explicitly required and policy approved.

Q: Who is accountable when an AI-driven intrusion moves across internal identity paths?

A: Accountability sits with the teams responsible for identity governance, segmentation, and internal access design, because those teams define how far a compromised foothold can travel. If east-west access is broad, the organisation has already shaped the attack surface. Zero Trust and least-privilege programmes need to include internal trust paths, not only external authentication.


Technical breakdown

How AI-assisted lateral movement compresses dwell time

An AI-assisted attacker reduces dwell time by turning each foothold into a planning surface. Once inside, the system can map reachable hosts, identify identity providers, test credentials, and generate new pivot paths without waiting for a human to choose the next step. That changes the economics of intrusion because discovery, credential access, and lateral movement happen as a loop rather than a sequence of pauses. The article describes model-guided iteration, evasion, and rapid path selection, which is what makes the attack pattern materially different from ordinary operator-led tradecraft.

Practical implication: assume east-west paths will be enumerated faster than your human response queue can process alerts.

Why identity-based microsegmentation matters more than perimeter logic

Microsegmentation limits what an intruder can reach after initial access by binding communication to identity and purpose rather than network convenience. In practice, that means a workstation, service account, or workload can talk only to the named services it legitimately needs. For AI-assisted attacks, this matters because the model can regenerate tactics, but it cannot invent access that the policy never granted. The article’s central point is that path denial at Layer 3 and Layer 4 can be enough to stop lateral movement even when the attacker is adaptive.

Practical implication: build allow-listed east-west policies around identities and service relationships, then enforce them before the attacker can pivot.

Machine-speed iteration changes the value of denial events

When an attacker can immediately retry with a new tool name, protocol, or obfuscation pattern, individual alerts become less useful than the absence of reachable paths. The article’s examples of repeated scanning, adaptive evasion, and rapid retooling show why static detections are easy to outrun. Identity controls become the hard boundary, while telemetry from denied attempts becomes a high-signal indicator that an automated actor is probing the environment. That is a stronger defensive posture than relying on inspection alone.

Practical implication: treat repeated east-west denials as containment signals and tune them into the SOC workflow.


Threat narrative

Attacker objective: The attacker’s objective was to turn one foothold into broad internal access and extortion leverage by letting the AI choose the fastest pivot path.

  1. Entry occurred after a phishing-assisted foothold and the attacker began automated scanning from the compromised system.
  2. Escalation followed as the AI mapped identity paths, tested credentials, and selected the fastest route to higher-value internal systems.
  3. Impact came through lateral movement, data theft, and extortion note generation once the model reached monetisable assets.
  • MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity-based microsegmentation is now a frontline control for AI-driven lateral movement. The article shows that once an attacker can delegate planning to an AI system, speed becomes part of the exploit itself. Traditional perimeter logic assumes the defender has time to inspect, classify, and react. That assumption no longer holds when the intruder can path-find across the estate in minutes. Practitioners should treat reachable-path reduction as a core identity security metric.

Machine-speed intrusion exposes the weakness of human-paced control loops. Access reviews, alert queues, and manual escalation paths all assume the adversary pauses long enough to be observed. Here, the attacker did the opposite: it iterated until it found a viable route, then moved immediately. That makes standing east-west privilege an identity governance problem, not just a network design flaw. Practitioners need to collapse internal trust zones before the attacker does it for them.

Flat internal connectivity is identity debt, not just network debt. When a workstation can reach too many services or a service account can traverse too many tiers, the estate becomes navigable by any sufficiently adaptive intruder. The article’s focus on identity-based microsegmentation is really a critique of over-broad access semantics that survive long after their business justification has expired. Practitioners should reclassify unnecessary east-west reachability as privilege creep across the network layer.

ATT&CK mapping remains useful, but AI-orchestrated attacks need a governance lens as well as a detection lens. The article maps cleanly to scanning, credential access, lateral movement, and exfiltration, yet the more important lesson is that a model can compress several tactics into one operator workflow. That breaks the old assumption that each tactic occupies a visible human phase. Practitioners should align detection with identity containment, not rely on endpoint alerts alone.

Identity blast radius is the named concept this campaign makes unavoidable. The article shows that the damage from a compromised foothold is no longer defined by the first system breached, but by how many internal paths remain open afterward. Blast radius is now a function of reachable identities, service relationships, and segmentation quality. Practitioners should measure how far an AI-assisted attacker can move before hitting a hard policy boundary.

From our research:

  • 44% of NHI tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, and code commits, according to the 2025 State of NHIs and Secrets in Cybersecurity.
  • 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches.
  • From our research: The 52 NHI Breaches Analysis shows how exposed credentials and weak lifecycle controls repeatedly turn access into breach impact, according to 52 NHI Breaches Analysis.

What this signals

Identity blast radius is the operational metric that matters here. If internal trust paths stay wide open, AI-assisted attackers can convert one workstation or one compromised account into a multi-system incident before the SOC finishes triage. That is why identity-based segmentation needs to sit alongside monitoring, not behind it.

With 91% of former employee tokens remaining active after offboarding, per the 2025 State of NHIs and Secrets in Cybersecurity, the broader lesson is that organisations still treat access as if it disappears on its own. It does not, and AI-driven attacks make every stale entitlement more valuable.

Practitioners should expect internal deny events to become a core signal of compromise, not a nuisance metric. A host that starts probing peers it never reached before is often the earliest indicator that a non-human operator is testing the estate.


For practitioners

  • Reduce reachable east-west paths Inventory which users, service accounts, and workloads can talk to crown-jewel systems, then remove every non-essential internal path. Prioritise domain controllers, identity providers, build systems, and regulated data stores.
  • Move from audit to enforcement Start with monitor mode, but define identity-based allow lists that can be turned on quickly once you have validated normal traffic. A control that never leaves observation mode does not stop machine-speed pivots.
  • Quarantine scanning behaviour automatically Feed east-west deny events into the SOC and trigger containment when a host suddenly probes peers it has never reached before. Use that signal to isolate the host while preserving forensics traffic.
  • Protect identity infrastructure with separate trust zones Place the highest-value systems into their own micro-perimeters and permit only named upstream identities. Do not let administrative convenience decide who can reach the systems that issue or broker access.
  • Test against adaptive pivot behaviour Run purple-team exercises that simulate automated scanning, credential testing, and fast route changes. Measure containment by how many internal paths remain reachable after the first foothold.

Key takeaways

  • AI-assisted intrusion changes lateral movement from a human-paced activity into a machine-speed identity problem.
  • Internal reachability is the real control surface, because an adaptive attacker can regenerate tactics but cannot bypass a hard policy boundary.
  • Identity-based microsegmentation and denial telemetry are the controls most likely to shrink blast radius before the attacker monetises access.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral Movement; TA0010 , ExfiltrationThe article maps AI-assisted tradecraft to credential abuse, movement, and theft.
NIST CSF 2.0PR.AC-4Least-privilege access and segmentation are central to the article's control argument.
NIST SP 800-53 Rev 5AC-4Information flow enforcement directly matches microsegmentation controls.
NIST Zero Trust (SP 800-207)The article is fundamentally about limiting implicit internal trust.
OWASP Non-Human Identity Top 10NHI-03Credential exposure and identity abuse underpin the attack pattern described.

Use PR.AC-4 to reduce internal reachability between users, services, and crown-jewel systems.


Key terms

  • Identity-based microsegmentation: Identity-based microsegmentation is the practice of restricting east-west communication according to who or what is allowed to talk, not just which network address exists. It turns internal trust into explicit policy, which is critical when attackers can move quickly across flat environments.
  • Identity blast radius: Identity blast radius is the amount of internal access a compromised user, service account, or workload can reach before containment stops it. In modern environments it is often a better measure of exposure than the initial breach point, because lateral movement determines how far an incident spreads.
  • East-west traffic: East-west traffic is communication between internal systems, users, and workloads inside the environment rather than traffic entering or leaving it. It matters because attackers who gain one foothold usually try to pivot sideways, and internal reachability often determines whether that pivot succeeds.
  • Standing privilege: Standing privilege is persistent access that remains available whether or not it is being used. In identity and segmentation programmes it creates reusable attack paths, because a compromised identity can often move, query, or administer systems without any additional approval or time-bound constraint.

What's in the full article

Elisity's full post covers the implementation detail this analysis intentionally leaves at the strategy layer:

  • Identity-based microsegmentation examples for user, server, and workload tiers
  • Policy rollout guidance for moving from audit mode to enforcement without breaking production
  • SOC integration patterns for turning east-west denies into containment signals
  • Board-facing metrics for showing reduced reachable paths and blast radius

👉 The full Elisity post covers the attack chain, segmentation design choices, and containment workflow in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org