By NHI Mgmt Group Editorial Team. Published 2026-06-26. Domain: Events. Source: Abnormal AI.

TL;DR: Cybersecurity attacks are increasing and the panel argues that no control will catch every adversary pivot, so architecture, third-party risk management, and continuous employee awareness all matter together, according to Abnormal AI. The security gap is not a single missing tool but a programme design problem that assumes controls will always be sufficient.


At a glance

What this is: A panel discussion argues that rising cyberattacks are exposing the limits of any single security control and putting more weight on architecture, third-party risk, and user awareness.

Why it matters: For IAM teams, this reinforces that identity controls, user training, and third-party access governance must be managed as one operating model across human, NHI, and delegated access paths.

👉 Watch Abnormal AI's briefing on today's cyber threat landscape and third-party risk


Context

Cyber threat pressure is not only a detection problem. It is an identity and governance problem because attackers exploit gaps in user behaviour, delegated access, and third-party trust relationships faster than many programmes can adapt.

For IAM, NHI, and security operations teams, the practical issue is whether controls are designed to absorb adversary pivots or simply to catch known patterns. When an organisation depends on a single layer of defence, the blind spots usually show up in access pathways, vendor connections, and end-user judgement.


Key questions

Q: How should security teams handle third-party access as part of identity governance?

A: Security teams should treat third-party access as a governed identity lifecycle, not a static vendor record. That means assigning ownership, defining least privilege, setting expiry or review points, and making revocation testable. External integrations should be audited with the same discipline used for internal privileged access, because attackers often exploit trust relationships rather than direct compromise.

Q: Why do layered security controls still fail against modern attackers?

A: Layered controls fail when they are designed for a stable attack path and the attacker can pivot around them. If each layer assumes the previous one will absorb risk, a single blind spot can cascade into compromise. Teams need to test how controls behave under changing tactics, not just whether the controls exist.

Q: How do employee awareness programmes support IAM and NHI security?

A: Awareness programmes support IAM and NHI security by reducing the chance that users approve malicious prompts, trust suspicious requests, or normalise unusual access events. They do not replace technical controls, but they improve the odds that MFA, approval workflows, and vendor requests are questioned at the moment it matters.

Q: What should organisations do when controls are not catching every attack?

A: Organisations should move from control counting to control resilience. That means identifying where attackers can pivot, where trust is delegated, and where access decisions rely on human judgement. A programme is mature when it can explain which exposures remain acceptable and which ones require redesign or tighter governance.


Background and context

Why layered controls still fail under adversary pivoting

Layered security works only when each layer assumes a relatively stable attack path. Modern attackers do not stay inside a fixed kill chain. They shift across email, identity, vendor access, and endpoint paths until they find a weaker trust boundary. That makes control effectiveness depend on whether governance can keep pace with behavioural change, not just whether the tool stack is modern. In identity terms, the failure is often not authentication alone. It is the gap between what a programme thinks it can observe and what an attacker can actually route around.

Practical implication: map where one control depends on another and identify the access paths that remain unreviewed when attackers change tactics.

Third-party access and delegated trust as an attack surface

Third-party threats matter because they extend trust beyond the organisation's direct control. When access is delegated to vendors, apps, or service integrations, the security boundary becomes harder to inspect and revoke. That creates exposure in both human and non-human identity programmes, especially where permissions are broad and lifecycle offboarding is weak. The article's core point is that external relationships are not just procurement risk. They are operational identity risk because compromise can arrive through a trusted integration rather than a direct break-in.

Practical implication: review every external integration as an access relationship with a lifecycle, ownership, and revocation path.

Why employee awareness remains part of identity security

User awareness is often treated as a soft control, but it remains essential because many attacks still depend on a human decision point somewhere in the chain. Training does not replace technical controls, yet it reduces the chance that an attacker can turn a suspicious message, request, or workflow into a successful foothold. For identity teams, this means awareness is not separate from IAM. It is part of the control environment that determines whether MFA prompts, vendor requests, or unusual login events are challenged or ignored.

Practical implication: align security awareness training with the identity events users actually encounter, especially high-risk access requests and third-party interactions.


NHI Mgmt Group analysis

Security architecture fails first where programmes assume a single control can absorb adversary adaptation. The panel's central point is that attackers do not respect control boundaries, so architectures built around one protective layer eventually depend on luck. That is not a tooling failure alone. It is a governance assumption failure about how much variability a control stack can absorb before it breaks. Practitioners should treat adaptive adversary behaviour as a design constraint, not an edge case.

Third-party access is identity risk, not just supplier risk. Once external vendors, SaaS connections, and delegated workflows sit inside operational processes, they inherit the same governance burden as internal identities. Abnormal AI's panel reinforces that the most dangerous trust relationships are often the ones teams do not review as identities at all. Practitioners should evaluate external access through the same lifecycle and privilege lens used for internal accounts.

User awareness remains a control layer because identity systems still terminate in human judgement. Even strong authentication and monitoring can be undermined if users accept malicious prompts, ignore warnings, or normalise suspicious requests. That does not make awareness a substitute for technical controls. It makes it part of the identity control stack. Practitioners should measure whether training changes user behaviour at the access decision points attackers actually target.

Threat adaptation exposes the difference between control presence and control resilience. Many programmes can list controls, but fewer can explain how those controls behave when an adversary pivots across channels. The article points to a maturity issue that spans human identity, vendor access, and machine-mediated workflows. Practitioners should prioritise resilience testing over control inventorying.

Identity programmes need to treat trust as something that degrades over time. Once access, delegation, or user judgement becomes stale, attackers have room to convert a small exposure into a larger incident. The practical lesson is to govern trust as a lifecycle, not a static entitlement.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
  • For a wider view of the attack surface, read 52 NHI Breaches Analysis for real-world case patterns and root cause breakdowns.

What this signals

Trust decay is the real operating condition behind this kind of guidance. Once access depends on third parties, human judgement, and adaptive attackers, security programmes need to measure how quickly trust expires rather than assuming it remains valid until a review cycle closes.

With 1 in 4 organisations already investing in dedicated NHI security capabilities, the market is signalling that identity governance is moving beyond human-centric access reviews into machine and delegated access oversight.

The programme question is no longer whether to add another control. It is whether the kind of root-cause review in 52 NHI Breaches Analysis is being used to expose where trust, privilege, and lifecycle ownership are actually breaking down.


For practitioners

  • Map adversary pivot paths across identity controls: Trace how an attacker could move from email, vendor access, or a user prompt into privileged systems without being blocked by the next control in sequence. Focus on handoff points where one team owns monitoring but another owns access decisions.
  • Review third-party connections as access lifecycles: Inventory SaaS integrations, vendor accounts, and delegated permissions with named owners, expiration rules, and revocation procedures. Treat each connection as a governed identity rather than a procurement record.
  • Tie employee training to real access events: Use phishing, approval, and unusual login scenarios that mirror the requests users actually see in daily work. Measure whether training changes challenge behaviour at the moment a malicious request appears.
  • Test resilience, not just control existence: Run exercises that deliberately vary the attack path so teams can see which controls still hold when an adversary changes tactics. Document where alerting, approval, or revocation fails under pressure.
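The third-party lifecycle checks described above (a named owner, an expiry, a review cadence, and a revocation path that has actually been exercised) and the "trust decay" idea from the analysis section, as an added example that is not code from this page or from Abnormal AI. The inventory records, field names, and policy thresholds are constructed for illustration; a real programme would pull them from its IAM or SaaS-management system.

```python
"""Third-party access lifecycle audit (hypothetical example, not the page's code).

Each external integration is treated as a governed identity. An entry is
flagged when its trust has decayed: no accountable owner, missing or past
expiry, review overdue, broad scope, or a revocation path nobody has tested.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class ExternalAccess:
    name: str                              # vendor account, SaaS app or delegated integration
    owner: Optional[str]                   # accountable owner; None means nobody owns it
    scopes: list[str]                      # permissions actually granted
    granted: date                          # when the trust relationship was created
    expires: Optional[date]                # None means no expiry was ever set
    last_reviewed: Optional[date]          # last access review; None means never reviewed
    revocation_tested: Optional[date]      # last time revocation was exercised end-to-end


# Policy thresholds: constructed for this example, not taken from the page.
REVIEW_INTERVAL = timedelta(days=90)
REVOCATION_TEST_INTERVAL = timedelta(days=180)
BROAD_SCOPES = {"admin", "*", "full_access", "directory.write"}


def check_access(entry: ExternalAccess, today: date) -> list[str]:
    """Return the lifecycle findings for one entry (empty list means healthy)."""
    findings: list[str] = []
    if not entry.owner:
        findings.append("no accountable owner")
    if entry.expires is None:
        findings.append("no expiry set")
    elif entry.expires < today:
        findings.append("expired but still provisioned")
    if entry.last_reviewed is None or today - entry.last_reviewed > REVIEW_INTERVAL:
        findings.append("review overdue")
    broad = sorted(set(entry.scopes) & BROAD_SCOPES)
    if broad:
        findings.append("broad scope: " + ", ".join(broad))
    if (entry.revocation_tested is None
            or today - entry.revocation_tested > REVOCATION_TEST_INTERVAL):
        findings.append("revocation path untested")
    return findings


def trust_age_days(entry: ExternalAccess, today: date) -> int:
    """Days since trust was last re-established: the last review, or the grant if never reviewed."""
    anchor = entry.last_reviewed or entry.granted
    return (today - anchor).days


def audit(inventory: list[ExternalAccess], today: date) -> dict[str, list[str]]:
    """Map every entry name to its findings, so unowned and stale trust is visible in one place."""
    return {entry.name: check_access(entry, today) for entry in inventory}


def stale_entries(inventory: list[ExternalAccess], today: date) -> list[str]:
    """Names of entries with at least one finding, ordered by how stale their trust is."""
    flagged = [e for e in inventory if check_access(e, today)]
    flagged.sort(key=lambda e: trust_age_days(e, today), reverse=True)
    return [e.name for e in flagged]


# Constructed sample inventory: three integrations in different lifecycle states.
SAMPLE_INVENTORY = [
    ExternalAccess("payroll-vendor-api", "finance-iam", ["payroll.read"],
                   date(2026, 1, 10), date(2026, 12, 31), date(2026, 5, 1), date(2026, 4, 15)),
    ExternalAccess("legacy-crm-sync", None, ["admin", "contacts.read"],
                   date(2024, 3, 1), date(2025, 3, 1), date(2025, 1, 15), None),
    ExternalAccess("ci-deploy-bot", "platform-eng", ["repo.write", "deploy"],
                   date(2026, 2, 1), None, date(2026, 6, 1), date(2026, 6, 1)),
]

if __name__ == "__main__":
    as_of = date(2026, 6, 26)
    for name, findings in audit(SAMPLE_INVENTORY, as_of).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{name}: {status}")
    print("stale, most decayed first:", stale_entries(SAMPLE_INVENTORY, as_of))
```

The ordering in `stale_entries` is the practical point: an entry that was last reviewed a year and a half ago and has no owner is where an attacker has the most room, so it is the first one to redesign or revoke, whereas the deploy bot only needs an expiry added.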

Key takeaways

  • The article's core warning is that attackers can outmanoeuvre single controls, so resilience matters more than control count.
  • Third-party connections and user behaviour sit inside the identity problem, which means IAM teams must govern both delegation and judgement.
  • Organisations should test how access, approvals, and monitoring behave when attackers pivot, not just whether the controls are deployed.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AT | Security awareness and training are central to the panel's message.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Third-party access must be governed as a trust relationship, not assumed safe.
OWASP Non-Human Identity Top 10 | NHI-03 | The article's third-party and access lifecycle concerns fit NHI governance.

Review delegated and vendor access with least privilege, continuous verification, and revocation paths.


Key terms

  • Third-party access: Access granted to an external vendor, SaaS app, or integration that can act inside an organisation's environment. In identity governance, it must be treated as a live entitlement with ownership, scope, review, and revocation, not as a passive procurement relationship.
  • Control resilience: The ability of a security control stack to keep working when an attacker changes tactics, route, or timing. Resilience is stronger than mere control presence because it measures whether governance survives adversary adaptation rather than assuming a fixed attack pattern.
  • Identity lifecycle: The process that governs how access is created, used, reviewed, changed, and removed across humans, non-human identities, and delegated accounts. Lifecycle discipline matters because stale trust, unowned access, and missed offboarding are common ways attackers turn exposure into impact.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: a panel discussion on today's cyber threat landscape, third-party threats, and employee awareness. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org