TL;DR: Identity-based attacks now rely on valid credentials in three out of four breaches, while phishing, credential stuffing, AiTM, and exposed secrets continue to widen the entry surface, according to Zero Networks and cited breach research. The core issue is not only access loss but the assumption that identities remain stable long enough for reactive controls to matter.
At a glance
What this is: This is an analysis of identity-based attack tactics and why credential abuse, lateral movement, and overprivileged machine identities keep defeating legacy security assumptions.
Why it matters: It matters because IAM, PAM, and NHI programmes now have to stop treating identity as a login problem and start treating it as the control plane for initial access, movement, and privilege escalation.
By the numbers:
- the median time to remediate exposed credentials on a GitHub repository is 94 days
- machine identities like service accounts and API tokens now make up over 70% of networked identities
👉 Read Zero Networks' analysis of identity based attacks and identity security best practices
Context
Identity-based attacks succeed because many environments still assume identity is a login event rather than the primary control surface. That assumption breaks down when valid credentials can be phished, stuffed, intercepted, or reused to move laterally and escalate privileges without triggering obvious alarms. For IAM and NHI programmes, the issue is not just authentication failure. It is the collapse of trust once identity becomes the attack path.
The article focuses on how attackers exploit both human and machine identities, but the operational problem is the same: credentials persist longer than defenders expect, permissions are broader than they need to be, and movement inside the environment is still too easy. That makes identity governance, segmentation, privileged access, and lifecycle control part of the same security problem rather than separate workstreams.
Key questions
Q: How should security teams reduce breach risk from stolen credentials?
A: Security teams should reduce credential lifetime, remove stale secrets from code and tooling, and make access revocation faster than attacker reuse. The key is to assume credentials will leak and to limit what they can do once exposed. Rotation, least privilege, and detection on abnormal use all matter, but only when they are enforced consistently across human, NHI, and delegated access.
Q: Why do machine identities create more risk than human identities in some environments?
A: Machine identities are often numerous, long-lived, and embedded in code or infrastructure. They are harder to review manually, easier to overlook during offboarding, and more likely to carry excessive privilege. That combination increases blast radius when a secret or token is exposed.
Q: What do security teams get wrong about Zero Trust and identity governance?
A: They often treat Zero Trust as an integration label rather than a continuous operating requirement. If identity signals are inconsistent across tools, the organisation may enforce local checks while still lacking enterprise-wide assurance. The mistake is assuming adoption equals execution when the data model and control surfaces do not line up.
Q: Who is accountable when a third-party credential is misused?
A: Accountability sits with the organisation that issued or retained the credential, even when a third party held it. That means supplier review, permission scoping, and offboarding discipline must be built into the contract and the IAM process. If the secret can still work, the governance failure is still yours.
Technical breakdown
Why valid credentials remain the most reliable entry path
Credential abuse works because identity systems often trust the credential more than the context around it. Phishing, credential stuffing, adversary-in-the-middle attacks, password spraying, and pass-the-ticket all exploit the same weakness: authentication can succeed even when the request is malicious. For machine identities, the problem is worse because service accounts, API tokens, and other secrets are frequently long-lived and widely distributed. Once an attacker has a valid identity, they do not need to break security controls in the conventional sense. They can operate through them.
Practical implication: Treat credential validity as a high-risk condition and tighten MFA, secret handling, and logon policy around every privileged identity.
How identity segmentation changes lateral movement economics
Identity segmentation limits what each identity can reach, regardless of whether the identity is human or machine. Unlike perimeter-based controls, segmentation is built around approved asset access, logon type, and behaviour patterns, so stolen credentials lose their usefulness outside the allowed boundary. That matters because lateral movement is where many identity incidents become enterprise-wide events. If segmentation is too coarse, attackers can still pivot from one identity to another systemically. If it is granular enough, the identity becomes much less valuable as a movement vehicle.
Practical implication: Map each identity to the smallest usable access path and block unapproved logon types, protocols, and asset combinations.
Why machine identity sprawl creates a different control problem
Machine identities now outnumber human users in many enterprises, and the article’s figures point to a classic governance failure: too many non-human identities have more access than they use. That creates a wide attack surface for infostealers, access brokers, and third-party compromise. The technical problem is not just that secrets exist. It is that they persist, accumulate permissions, and often sit outside the normal enforcement path for human-centric IAM controls. This is where NHI governance, rotation, and offboarding become operational security controls rather than administrative hygiene.
Practical implication: Inventory service accounts and tokens, then reduce standing privilege and remove identities that no longer have a business owner.
Threat narrative
Attacker objective: The attacker wants to turn identity into a trusted access path that supports stealthy movement, privilege gain, and durable foothold.
- Entry begins with credential harvesting through phishing, credential stuffing, AiTM interception, password spraying, or exposed secrets.
- Escalation follows when the attacker reuses valid identities to access privileged systems, request service tickets, or abuse overprivileged machine accounts.
- Impact comes from lateral movement, privilege escalation, and persistence inside the environment while the attacker operates as a legitimate user.
Breaches seen in the wild
- MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
- TruffleNet BEC Attack — Stolen AWS Credentials — TruffleNet BEC campaign compromises 800+ hosts using stolen AWS credentials for business email compromise.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity-based attack defence has become an identity governance problem, not just a detection problem. Once attackers are operating with valid credentials, the failure is usually upstream of the alert. Identity scope, privilege breadth, and access duration are what determine whether a breach stalls or spreads, so IAM, PAM, and NHI governance now carry direct containment value. Practitioners should treat identity control as the boundary itself, not as a supporting layer.
Machine identity sprawl is the named concept that explains why this attack class keeps expanding. Service accounts, tokens, and API keys are now pervasive enough that exposure is no longer exceptional. When over 70% of networked identities are non-human and many are overprivileged, attackers get a larger pool of silent credentials than most governance programmes are built to see. Practitioners need to understand that NHI sprawl changes the economics of attack discovery and response.
Standing trust in credentials is still the assumption most often exploited. Identity systems were designed for identities that authenticate, then remain observable long enough for review and response. That model fails when credentials are reused, exported, intercepted, or valid far beyond their intended use case. The implication is that governance must account for identity persistence, not only identity issuance.
Zero Trust works here only when it is applied as an access model, not a branding layer. The article’s core best practices point toward continuous verification, least privilege, segmentation, and just-in-time access for privileged paths. Those controls matter because identity-based attacks succeed when trust is implicit and movement is cheap. Practitioners should evaluate whether their Zero Trust programme actually constrains identity behaviour or simply re-labels existing access.
AI is amplifying identity abuse because it improves the attacker’s ability to scale tradecraft faster than defenders can re-tune controls. The article shows attackers using AI to sharpen phishing, cracking, and social engineering, while defenders are still struggling to secure their own AI systems. That widens the gap between static policy and adaptive abuse. Practitioners should assume identity attack volume and quality will keep rising unless controls become more dynamic.
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- From our research: 97% of NHIs carry excessive privileges, according to Ultimate Guide to NHIs.
- If your programme still treats identity as a login event, the next step is to review 52 NHI Breaches Analysis for the failure patterns that turn credential exposure into enterprise-wide compromise.
What this signals
Identity based attacks will keep stressing programmes that still separate IAM, PAM, and NHI ownership. The control gap is not only visibility, it is convergence. Teams should expect more cases where human authentication, workload identity, and third-party access all appear in the same incident path, which means governance reporting needs a shared identity risk view.
With 96% of organisations storing secrets outside secrets managers in vulnerable locations, the exposure problem is structural. That means credential hygiene cannot be a side project. If secrets still live in code or configuration, then detection alone will not keep pace with attacker use of exposed identity material.
Machine identity sprawl is now a programme design issue, not a niche security task. NHI governance, service-account ownership, and access lifecycle review need to sit alongside Zero Trust planning, otherwise the environment stays open even when the perimeter is closed.
For practitioners
- Reduce credential exposure windows Prioritise the removal of long-lived secrets from code, configuration files, and collaboration tools, then rotate exposed credentials faster than your current review cycle allows. The goal is to shrink the time a stolen identity remains useful, especially for API keys, tokens, and service accounts.
- Segment identity reach by allowed logon path Constrain each human and non-human identity to the specific protocols, hosts, and logon types it actually needs. Use identity segmentation so a stolen credential cannot automatically pivot to adjacent systems or privileged services.
- Apply just-in-time controls to privileged access Make privileged access conditional on current context, not on standing entitlement. For admin and service accounts, require step-up verification and time-bound access only where the task genuinely needs it.
- Review machine identity ownership and usage Assign a business owner to every service account and token, then remove identities that are inactive, unused, or impossible to attribute. Where permissions are barely used, reduce them before the identity becomes an attacker’s quiet foothold.
- Treat third-party access as a lifecycle risk Validate partner and vendor access continuously, not only at onboarding. If an external relationship changes, offboard the associated identity paths and revoke any credentials that still reach internal systems.
Key takeaways
- Identity based attacks succeed because valid credentials now function as a trusted entry point, not just a proof of login.
- The scale of the problem is already visible in exposed secrets, overprivileged machine identities, and long remediation windows.
- Practitioners need narrower identity scope, faster credential removal, and lifecycle ownership for both human and non-human access.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity-based attacks here center on credential exposure and overprivilege across NHIs. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement | The article maps directly to credential theft and internal pivoting. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access and asset scoping are central to the controls discussed. |
| NIST Zero Trust (SP 800-207) | 5.2 | Continuous verification and reduced implicit trust are the article's core defensive themes. |
| NIST SP 800-53 Rev 5 | IA-5 | Credential lifecycle and authenticator management are directly implicated by secret exposure and reuse. |
Reduce standing credentials, rotate secrets, and scope every machine identity to its minimum use case.
Key terms
- Identity-centric attack: An identity-centric attack is a compromise path that uses valid credentials, tokens, or sessions instead of breaking technical controls at the network edge. The attacker behaves like a legitimate identity long enough to move laterally, escalate privilege, or exfiltrate data while appearing authorised.
- Machine Identity: A machine identity is a non-human identity used by services, applications, devices, or automation to authenticate and access resources. In practice it includes service accounts, API tokens, certificates, and workload credentials that often outlive the task or system that created them.
- Identity Segmentation: Identity segmentation restricts what a user or workload can reach based on approved identity-to-resource relationships rather than broad network trust. It reduces blast radius by making stolen credentials less useful outside the specific logon types, assets, and protocols that were explicitly allowed.
- Adversary-in-the-middle Attack: An adversary-in-the-middle attack intercepts and relays authentication in real time between the user and the legitimate service. It is especially dangerous for OTPs because the attacker can capture the code while it is still valid and immediately use it to complete login.
What's in the full article
Zero Networks' full article covers the operational detail this post intentionally leaves for the source:
- The article walks through specific identity attack patterns, including phishing, credential stuffing, AiTM, Kerberoasting, pass-the-ticket, and pass-the-hash.
- It includes implementation guidance for network-layer MFA, identity segmentation, microsegmentation, and adaptive access policies.
- The source also expands on machine identity exposure, infostealer trends, and the operational logic behind blocking lateral movement.
- It adds practitioner context from the vendor's field perspective on how identity controls are enforced across users, service accounts, and applications.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org