By NHI Mgmt Group Editorial TeamPublished 2025-09-02Domain: Governance & RiskSource: Gurucul

TL;DR: Security leaders rank social engineering and phishing at 78% and identity-based threats at 73%, while 67% say they still lack sufficient visibility into access behavior and lateral movement, according to Gurucul’s 2025 Pulse of the AI SOC report. The operational gap is not more alerts but better identity context, because credentialed attacks now blend into normal access patterns.


At a glance

What this is: The article argues that identity-based threats have become the central SOC problem, with attackers using legitimate credentials, social engineering, and AI to hide in normal activity.

Why it matters: That matters because IAM, SOC, and identity teams now share the same detection problem: without behavioural context, compromised human and non-human access can look routine until impact has already begun.

By the numbers:

👉 Read Gurucul's analysis of identity-driven threats in the AI-powered SOC


Context

Identity has become the path of least resistance for attackers. When stolen credentials, phishing, and insider-style deception let an intruder authenticate as a legitimate user, perimeter controls become less relevant than the organisation's ability to spot abnormal access patterns in time.

For IAM and SOC teams, the issue is not simply that identity is being attacked. The issue is that cloud and SaaS environments produce enough routine activity to bury weak signals, while traditional rule-based detection still assumes malicious behaviour will stand out clearly.

Gurucul’s article frames AI as an amplifier of familiar tradecraft rather than a wholly new threat category. That is a typical starting position for current SOC analysis: the hardest problem is still identity misuse, but it is now faster, quieter, and easier to automate.


Key questions

Q: What breaks when identity attacks are not visible across cloud and SaaS systems?

A: When access behaviour is fragmented across tools, attackers can keep using legitimate credentials without standing out. The result is delayed detection, weak investigation trails, and blind spots around lateral movement. Security teams need joined-up identity telemetry so a session, a privilege change, and a suspicious resource access can be evaluated as one behavioural chain.

Q: Why do identity-based threats remain hard to detect even with mature SOC tooling?

A: Because mature tooling still often expects obvious malicious signatures, while identity attacks look like normal logins and normal application use. Once credentials are stolen, the attacker borrows trust instead of breaking it. That makes behavioural context, not just alert volume, the deciding factor in whether the SOC sees the problem early enough.

Q: How can security teams tell whether identity threat detection is actually working?

A: They should measure whether the organisation can reconstruct who accessed what, when privilege changed, and how movement spread across systems. If analysts can only see isolated alerts but cannot explain the access sequence, detection is not working at the level modern identity attacks require. The evidence should support investigation, not just notification.

Q: Who is accountable when stolen credentials are used to move laterally?

A: Accountability sits with both the identity owners and the security functions that govern detection and response. IAM sets the access conditions, while SOC teams must identify abnormal use before it expands. When those responsibilities are split, organisations often discover compromise only after the attacker has already blended into ordinary activity.


Technical breakdown

Why stolen credentials defeat perimeter-first detection

Once an attacker has valid credentials, the access path looks like routine authentication rather than intrusion. In cloud and SaaS environments, this matters because the defender sees an authorised session, not a broken perimeter. The real challenge is differentiating legitimate user intent from compromised identity behaviour using context such as device, timing, geolocation, privilege changes, and access sequence. Without those signals, credential theft becomes a detection problem rather than an authentication problem.

Practical implication: SOC and IAM teams need identity telemetry that can correlate authentication, privilege use, and session behaviour across systems.

How lateral movement hides inside normal access patterns

Lateral movement is especially difficult to spot when an attacker uses the same accounts and applications that employees use every day. In hybrid estates, the sequence of small accesses can look like normal work unless the platform can reconstruct behaviour over time. Rule-based systems often fail here because they expect one obvious event, not a low-and-slow chain of legitimate actions that gradually expands reach. Contextual analytics becomes the difference between noise and a readable attack path.

Practical implication: Build detections around access sequence and privilege escalation, not only around discrete alerts.

Why AI increases the speed and stealth of identity attacks

AI does not need to invent a new exploit to change the threat landscape. It can scale phishing, automate reconnaissance, and adapt credential misuse so the activity blends more easily into expected patterns. That pushes defenders toward behavioural and contextual analysis, because static thresholds and signatures are too brittle for attacks that adjust messaging, timing, and volume to avoid detection. The issue is acceleration of proven identity abuse, not novelty for its own sake.

Practical implication: Treat AI-enabled identity abuse as a force multiplier and test whether your detections still work under adaptive, low-noise behaviour.


Threat narrative

Attacker objective: The objective is to operate inside the environment as a trusted user long enough to steal data, move laterally, or prepare higher-impact access.

  1. Entry occurs when attackers use stolen credentials, phishing, or social engineering to obtain a legitimate login path.
  2. Escalation follows when the attacker uses that trusted session to probe cloud and SaaS resources, hide among normal activity, and expand privileges or access scope.
  3. Impact arrives when identity-based movement enables account takeover, sensitive data access, or operational disruption without triggering perimeter controls.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity visibility gaps are now a governance failure, not just a monitoring problem. When 67% of organisations still cannot see access behaviour and lateral movement clearly, the issue is broader than tooling quality. IAM, SOC, and identity governance programs are all relying on the same incomplete picture, which means compromised access can remain trusted long after the initial login. The practitioner conclusion is that visibility must be treated as an identity control objective, not only a SOC output.

Contextual detection is the new minimum for identity security. Rule-based and signature-based systems assume that malicious behaviour is obvious enough to match a pattern. That assumption breaks in cloud and SaaS estates where legitimate credentials, normal application traffic, and low-noise movement can look identical without behavioural context. The implication is that security teams must evaluate identity telemetry by whether it explains intent and sequence, not whether it simply raises more alerts.

AI is amplifying identity abuse faster than programmes are adapting. The article’s strongest signal is not that attackers are learning completely new tricks, but that they are making phishing, reconnaissance, and credential misuse cheaper and more adaptive. That pressure exposes a governance lag between access provisioning and detection maturity. The practitioner conclusion is that identity threat detection must now be designed for adaptive adversaries, not static misuse patterns.

Identity threat detection is becoming a shared control plane across IAM and SOC. The old split between access governance and security operations no longer holds when the same credential can be both the login event and the attack path. Organisations that keep those functions separate will keep missing the behavioural sequence that turns a valid session into a breach. The practitioner conclusion is that identity evidence, not just alert volume, should drive both investigation and governance decisions.

Access behaviour is the new identity blast radius. Once an attacker blends into normal user activity, the damage is defined by how far that identity can move before the pattern is recognized. That makes access scope, session context, and privilege sequencing central to modern defence. The practitioner conclusion is that the next generation of IAM maturity will be measured by how quickly it can bound blast radius after compromise.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the same report.
  • If you are mapping identity exposure beyond the SOC, compare that pattern with the 52 NHI breaches Report for recurring failure modes and control gaps.

What this signals

Identity threat detection will increasingly be evaluated as a governance capability, not a standalone monitoring function. The practical question for programme owners is whether identity evidence can support decisions about access review, containment, and remediation in one flow. That is where SOC and IAM roadmaps now intersect, because compromised identities rarely stay inside one team’s operating model.

Visibility gaps will push more organisations toward behavioural baselines for both human and non-human access. The same problem that hides phishing-driven account takeover also hides compromised service accounts and machine identities once they begin acting normally. A programme that cannot explain access sequence will struggle to prove control effectiveness after an incident.

As AI speeds up credential abuse, mature teams will need playbooks that combine detection with identity lifecycle action. The next step is not just better alerting. It is faster containment, tighter session governance, and clearer offboarding or privilege reduction paths when the identity itself has become the attack vehicle.


For practitioners

  • Instrument access behaviour end to end Correlate authentication, privilege changes, application access, and lateral movement signals so investigators can reconstruct identity misuse across cloud and SaaS systems.
  • Prioritise detections that model sequence Build alerts around chains of behaviour such as login, privilege escalation, and unusual resource access rather than isolated events that can look harmless on their own.
  • Test AI-resistant phishing controls Run simulations that use varied wording, timing, and volume to see whether your MFA, behavioural analytics, and user reporting still catch AI-generated lures.
  • Unify SOC and IAM response triggers Define when identity anomalies should open an access review, force session termination, or trigger containment so governance and investigation move from the same evidence set.

Key takeaways

  • Identity-based attacks are now a primary SOC problem because valid credentials can bypass perimeter-first assumptions.
  • The scale of the issue is visible in both leader concern and poor behavioural visibility, which leaves attacks hidden in normal activity.
  • Security teams need contextual identity telemetry and faster governance response if they want to reduce blast radius before impact.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0DE.CM-1Identity threat detection depends on continuous monitoring of anomalous access behaviour.
NIST SP 800-53 Rev 5AU-6The article centres on the need to analyse identity events and correlate them across systems.
NIST Zero Trust (SP 800-207)Zero Trust requires continuous verification when credentials are no longer trustworthy by default.
OWASP Non-Human Identity Top 10NHI-01Compromised non-human identities are directly relevant to the article's attack patterns.

Align identity detection with zero trust principles and reduce implicit trust in authenticated sessions.


Key terms

  • Identity-based threat: An identity-based threat is an attack that abuses legitimate credentials, sessions, or account permissions rather than breaking into the network first. It succeeds by looking like normal access while the attacker steals data, moves laterally, or escalates privilege.
  • Lateral movement: Lateral movement is the process of moving from one account, host, or application to another after initial access is obtained. In identity-centric environments, it often appears as valid activity unless defenders can connect access sequence, privilege changes, and unusual destination patterns.
  • Identity threat detection: Identity threat detection is the practice of identifying malicious account behaviour through context, sequence, and behaviour rather than signatures alone. It combines authentication data, access logs, privilege events, and user or workload context to reveal compromise that looks legitimate in isolation.
  • Access behaviour: Access behaviour is the pattern of how an identity authenticates, requests resources, and moves through systems over time. For security teams, it is the operational evidence that shows whether an account is acting as expected or has been taken over.

What's in the full article

Gurucul's full blog covers the operational detail this post intentionally leaves for the source:

  • The chapter-level findings behind the 78% phishing concern and 73% identity-threat priority figures.
  • The report's explanation of why 67% visibility gaps persist in hybrid and cloud environments.
  • Examples of how AI is being used to scale phishing, reconnaissance, and low-noise credential abuse.
  • The broader SOC maturity themes discussed in the 2025 AI-powered SOC report.

👉 Gurucul's full blog adds the chapter context, survey framing, and AI-driven threat discussion.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org