TL;DR: Identity compromise now drives more than 80% of breaches, and attackers are increasingly exploiting dormant accounts, machine identities, MFA abuse, and hidden privilege paths to stay below the radar, according to Hydden. The governing assumption that periodic reviews can keep pace with continuously changing identity behavior is no longer reliable.
At a glance
What this is: An analysis of how attackers use identity compromise, dormant access, machine identities, and visibility gaps to persist undetected in enterprise environments.
Why it matters: IAM, PAM, IGA, and NHI programmes need continuous discovery and behavioural monitoring to catch abuse that point-in-time reviews routinely miss.
By the numbers:
- More than 80% of breaches now involve some form of identity compromise.
- With 50-80x more machine identities than human ones, attackers exploit poor visibility and governance over them.
- A user account that hasn’t logged in for 90+ days suddenly accesses sensitive systems or resources.
👉 Read Hydden's analysis of identity compromise and early breach signals
Context
Identity compromise is now a governance problem, not just a detection problem. When attackers can turn dormant accounts, machine identities, or privileged sessions into stealthy footholds, traditional IAM and PAM controls often see the event too late to matter.
The primary issue is visibility. Point-in-time reviews, siloed IGA, and static discovery leave gaps between what exists and what is actually being used. For NHI programmes, that means service accounts, tokens, certificates, and cloud-admin identities can become active attack paths without a clear owner or audit trail.
Key questions
Q: How should security teams detect identity compromise before an attacker spreads?
A: Use continuous identity telemetry rather than periodic access review alone. Focus on dormant accounts that suddenly activate, privileged sessions with unusual timing or devices, account creation outside expected workflows, and machine identities acting outside their normal scope. The goal is to catch the first credible deviation from baseline, not to wait for a formal access violation.
Q: Why do machine identities increase breach risk so quickly?
A: Machine identities multiply the number of credentials defenders must govern and often lack the ownership, lifecycle discipline, and monitoring applied to human users. When service accounts, tokens, or certificates carry excessive privilege or live outside a secrets manager, attackers can use them to blend into normal traffic and expand access silently.
Q: What do security teams get wrong about quarterly access reviews?
A: They treat periodic certification as proof that access is under control, even though attacker activity can appear and disappear between review cycles. Access reviews are useful for governance evidence, but they do not detect a dormant account waking up, a privileged session going rogue, or a machine identity being misused in real time.
Q: Who is accountable when shadow accounts or orphan identities are found?
A: Accountability should sit with the identity governance function and the system or business owner that depends on the account. If no owner can be identified, the identity should be treated as a control failure with security and audit implications, because unresolved ownership is itself a risk condition.
Technical breakdown
Why identity compromise slips past existing IAM and PAM controls
Identity compromise often looks ordinary at first. Attackers do not need to break every control if they can reuse valid credentials, create a new account, or pivot through a privileged session that appears legitimate. Legacy IAM tools are built to manage known identities and expected workflows, while PAM is often tuned to approved elevation events. That leaves a gap when the abuse happens through dormant accounts, hidden service identities, or privilege changes that occur outside normal review windows.
Practical implication: pair access governance with continuous identity telemetry so unusual usage is detected before the session ends.
Machine identities create a much larger attack surface than most teams model
Machine identities include tokens, service accounts, certificates, and other non-human credentials that can authenticate and act without a person in the loop. Because there are far more of them than human users, visibility failures scale quickly. If these identities are unmanaged, excessive, or unowned, attackers can use them to blend into normal system activity, move laterally, or call downstream services with legitimate trust. This is why machine identity hygiene is a core part of NHI governance.
Practical implication: inventory machine identities continuously and remove any credential that cannot be tied to a business owner and use case.
Behavior-based monitoring exposes identity drift that role models miss
Role-based access models assume identity use stays close to the original purpose of the account. In practice, attackers exploit timing, location, device, and access patterns that drift away from the baseline without immediately violating a policy rule. Behaviour-based monitoring looks for those shifts, such as a rarely used account waking up, a privileged session running at a strange time, or a machine identity calling systems outside its normal scope. That gives defenders a way to see compromise as it unfolds, not after the fact.
Practical implication: define identity baselines for time, volume, and resource use, then alert on deviations that matter operationally.
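The baseline-and-deviation logic described above, written out as an added example (this is not Hydden's or NHIMG's code, and the identity names, baselines and events are constructed samples). It applies the three signals named in the section to a batch of access events: a dormant account (90+ days without a login) waking up, a privileged session on an unusual hour or device, and a machine identity calling a resource outside its normal scope. An identity with no baseline at all is reported rather than skipped, since an uninventoried identity is itself a signal:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

DORMANT_DAYS = 90  # the page's threshold: 90+ days without a login counts as dormant


@dataclass
class Baseline:
    """Constructed behaviour baseline for one identity (time, device and resource scope)."""
    kind: str                 # "human" or "machine"
    privileged: bool
    last_login: datetime      # last successful authentication seen before this batch
    usual_hours: set          # UTC hours of day in which the identity normally authenticates
    usual_devices: set        # devices or hosts it normally authenticates from
    usual_resources: set      # resources it normally touches; for a machine identity, its scope


@dataclass
class Event:
    """One authentication or access event (constructed sample, not real telemetry)."""
    identity: str
    ts: datetime
    device: str
    resource: str
    sensitive: bool = False


def evaluate_event(ev, base):
    """Return the deviations one event shows against the identity's baseline."""
    findings = []
    if ev.ts - base.last_login >= timedelta(days=DORMANT_DAYS):
        findings.append("dormant_account_reactivated")
        if ev.sensitive:
            findings.append("dormant_access_to_sensitive_resource")
    if base.privileged and ev.ts.hour not in base.usual_hours:
        findings.append("privileged_session_unusual_time")
    if base.privileged and ev.device not in base.usual_devices:
        findings.append("privileged_session_unusual_device")
    if base.kind == "machine" and ev.resource not in base.usual_resources:
        findings.append("machine_identity_outside_scope")
    return findings


def evaluate(events, baselines):
    """Evaluate a batch of events. An identity with no baseline was never inventoried,
    which is a finding in its own right, so it is reported instead of silently skipped."""
    alerts = []
    for ev in events:
        base = baselines.get(ev.identity)
        if base is None:
            alerts.append((ev.identity, ["identity_not_in_inventory"]))
            continue
        findings = evaluate_event(ev, base)
        if findings:
            alerts.append((ev.identity, findings))
    return alerts


# Constructed baselines for three hypothetical identities.
BASELINES = {
    "jdoe": Baseline("human", False, datetime(2025, 10, 1, 9, 0),
                     set(range(8, 18)), {"laptop-jdoe"}, {"hr-portal"}),
    "svc-backup": Baseline("machine", True, datetime(2026, 2, 1, 2, 0),
                           set(range(0, 6)), {"backup-01"}, {"file-share", "backup-vault"}),
    "admin-ops": Baseline("human", True, datetime(2026, 2, 9, 11, 0),
                          set(range(8, 18)), {"jumphost-01"}, {"dc-01"}),
}

# Constructed events for one day; each line is a sample, not captured telemetry.
EVENTS = [
    Event("jdoe", datetime(2026, 2, 10, 10, 0), "laptop-jdoe", "finance-db", sensitive=True),
    Event("svc-backup", datetime(2026, 2, 10, 3, 0), "backup-01", "backup-vault"),
    Event("svc-backup", datetime(2026, 2, 10, 14, 30), "backup-01", "dc-01"),
    Event("admin-ops", datetime(2026, 2, 10, 12, 0), "unknown-host", "dc-01"),
    Event("svc-legacy-etl", datetime(2026, 2, 10, 23, 0), "etl-02", "finance-db", sensitive=True),
]


def run_demo():
    """Run the constructed batch and return the alert list."""
    return evaluate(EVENTS, BASELINES)


if __name__ == "__main__":
    for identity, findings in run_demo():
        print(f"{identity}: {', '.join(findings)}")
```

The second svc-backup event (03:00, in-scope resource, usual host) produces nothing, which is the point: the detector alerts on departure from the identity's own pattern, not on privileged or machine activity as such. In a real deployment the baselines would be derived from historical telemetry rather than hand-written.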
Threat narrative
Attacker objective: The attacker aims to convert trusted identity relationships into durable, low-noise access that supports persistence, lateral movement, and data theft.
- Entry occurs when attackers use compromised credentials, exploit trusted identities, or abuse a vulnerable system that quickly leads to account creation or impersonation.
- Escalation follows when the attacker modifies roles, activates dormant accounts, or uses machine identities and privileged sessions to expand reach without tripping normal approval paths.
- Impact comes from staying below the radar for days or weeks while the attacker moves laterally, exfiltrates data, or establishes persistence through shadow accounts and excessive privilege.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity compromise is now the dominant failure mode in enterprise intrusion, not a secondary symptom. Once attackers can log in with valid credentials or abuse trusted sessions, perimeter controls lose explanatory power and governance must focus on who and what is actually using access. The practical conclusion is that identity telemetry has become a primary security control, not a supporting one.
Machine identity visibility is the governance gap attackers increasingly exploit. With far more machine identities than human ones, organisations that cannot inventory service accounts, tokens, and certificates are effectively defending an unknown estate. That is not a tooling inconvenience. It is a structural weakness in ownership, lifecycle, and accountability.
Continuous discovery matters because identity risk changes faster than review cadences. Quarterly access reviews and static discovery jobs are designed for stable environments, but attacker behaviour is opportunistic and time-sensitive. When identities can be created, modified, or abused between review cycles, governance based on periodic certification cannot close the exposure window.
Shadow and orphan identities are a named concept worth treating as a category of control failure. These are not simply forgotten accounts. They are identities that exist outside reliable ownership and monitoring, which makes them attractive persistence points for attackers. Practitioners should treat unresolved identity ownership as an active risk signal, not an administrative backlog.
Identity and vulnerability management now intersect at the point of exploitation. Several high-profile CVEs become identity incidents once the attacker turns system compromise into account creation, credential dumping, or impersonation. That means vulnerability response must include identity follow-through, because the real breach often begins after the initial exploit.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- 52 NHI Breaches Analysis shows how hidden credentials, over-privilege, and weak offboarding turn identity exposure into repeatable compromise patterns.
What this signals
Shadow identity debt: environments that cannot continuously reconcile who owns each account, token, and certificate will keep absorbing compromise quietly. The issue is not just discovery volume. It is that governance processes designed for stable inventories do not keep pace with identities that appear, drift, and disappear between review cycles.
Hydden’s findings point to a broader programme shift: identity security has to move from certification to observation. That means tying access governance to behaviour signals, especially for privileged and machine identities, so the organisation can see anomalous use rather than merely attest to policy.
The numbers reinforce the gap. With 97% of NHIs carrying excessive privileges according to Ultimate Guide to NHIs, the problem is not isolated misconfiguration but a scaling failure in entitlement design and lifecycle control.
For practitioners
- Build continuous identity discovery into your control stack: Replace point-in-time scans with continuous discovery for human, machine, and privileged identities, including cloud admin accounts, API tokens, local accounts, and certificates. Reconcile discoveries against owners and business purpose before the next review cycle closes.
- Correlate identity events with vulnerability signals: When a CVE is exploited on a system, immediately inspect whether the incident created new accounts, dumped credentials, or altered privileged access paths. Join vulnerability response with identity telemetry so exploitation does not become an invisible access event.
- Baseline identity behaviour, not just entitlements: Track time of access, frequency, device, and resource patterns for accounts that matter most, then alert on anomalies such as dormant accounts waking up, unusual MFA prompts, or privileged sessions lacking a clear workflow trigger.
- Eliminate unowned shadow and orphan identities: Create a cleanup process for accounts, tokens, and machine identities that have no clear owner, no current business justification, or no direct governance path. Escalate unresolved ownership as an operational risk, not a documentation issue.
- Harden fallback authentication paths: Review SMS, email, and other weak fallback MFA methods on legacy and local accounts. Attackers often exploit the least defended recovery path, so the weakest factor becomes the real control boundary.
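The reconciliation step that the first and fourth items above (and the machine-identity section earlier on the page) call for, as an added example rather than NHIMG's or Hydden's code. It takes a constructed discovery output and an active-owner register and classifies each identity as governed, shadow (owned but with no stated justification) or orphan (no accountable owner), then attaches the actions the page recommends: escalate ownership, disable and schedule removal when an unowned credential is also stale, reduce broad privilege, and move unvaulted secrets into a secrets manager. All names, the broad-role list and the 90-day staleness threshold are assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

STALE_DAYS = 90  # assumption: an unowned credential unused this long is a removal candidate
# Constructed list of broad roles that a machine identity should rarely hold.
BROAD_ROLES = {"Owner", "Contributor", "Global Administrator"}


@dataclass
class Identity:
    """One discovered identity (constructed sample, not a real inventory record)."""
    name: str
    kind: str                     # "service_account", "api_token", "certificate", "cloud_admin"
    owner: Optional[str]          # owner of record; None when discovery found nobody
    justification: Optional[str]  # stated business purpose; None when nobody has given one
    roles: set
    last_used: Optional[datetime]
    in_secrets_manager: bool


def classify(ident, active_owners, now):
    """Return (status, actions) for one identity, reconciled against current owners."""
    actions = []
    if ident.owner is None or ident.owner not in active_owners:
        status = "orphan"  # no accountable owner: treated as a control failure, not a backlog item
        actions.append("escalate_ownership")
        if ident.last_used is None or now - ident.last_used > timedelta(days=STALE_DAYS):
            actions.append("disable_and_schedule_removal")
    elif ident.justification is None:
        status = "shadow"  # owned, but nobody can say why it exists
        actions.append("request_justification")
    else:
        status = "governed"
    if ident.roles & BROAD_ROLES:
        actions.append("reduce_privilege")
    if ident.kind != "cloud_admin" and not ident.in_secrets_manager:
        actions.append("move_to_secrets_manager")
    return status, actions


def reconcile(identities, active_owners, now):
    """Classify every discovered identity; returns {name: (status, actions)}."""
    return {i.name: classify(i, active_owners, now) for i in identities}


NOW = datetime(2026, 2, 18)
ACTIVE_OWNERS = {"alice", "carol"}  # "bob" has left, so anything he owned is now unowned

# Constructed discovery output: four hypothetical identities.
DISCOVERED = [
    Identity("svc-backup", "service_account", "alice", "nightly backups",
             {"Backup Operator"}, datetime(2026, 2, 17), True),
    Identity("svc-legacy-etl", "service_account", "bob", "legacy ETL job",
             {"Contributor"}, datetime(2025, 7, 1), False),
    Identity("ci-deploy-token", "api_token", "carol", None,
             {"Deployer"}, datetime(2026, 2, 16), True),
    Identity("unowned-cloud-admin", "cloud_admin", None, None,
             {"Global Administrator"}, None, True),
]


def run_demo():
    """Reconcile the constructed inventory and return the classification map."""
    return reconcile(DISCOVERED, ACTIVE_OWNERS, NOW)


if __name__ == "__main__":
    for name, (status, actions) in run_demo().items():
        print(f"{name:22s} {status:9s} {', '.join(actions) or '-'}")
```

The owner check is against the register of people currently in the organisation, not against the owner field discovery returned: an identity whose recorded owner has left is orphaned even though the field is populated, which is exactly the offboarding gap the research items above describe.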
Key takeaways
- Identity compromise is now the shortest path from intrusion to persistence, which makes visibility and behavioural monitoring core controls.
- Machine identities and shadow accounts expand the attack surface faster than periodic reviews can reduce it, especially when ownership is unclear.
- Teams should treat anomalous identity behaviour as an incident signal and tie remediation to continuous discovery, not quarterly certification.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | The article centers on exposed and misused non-human identities. |
| NIST CSF 2.0 | PR.AA-01 | Identity assurance depends on knowing when an identity is active and legitimate. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Zero Trust depends on verifying every access request, including machine and privileged identities. |
Apply continuous verification to privileged and non-human identities instead of relying on periodic trust.
Key terms
- Shadow Account: A shadow account is an identity that exists outside normal governance, visibility, or ownership controls. It may be human or non-human, but the key problem is the same: no reliable process can explain who uses it, why it exists, or when it should be removed.
- Orphan Identity: An orphan identity is an account, token, certificate, or service credential with no clear business owner or lifecycle path. These identities persist because no one is formally responsible for them, which makes them attractive for attackers and hard for defenders to retire safely.
- Identity Drift: Identity drift is the gradual divergence between an identity’s intended permissions and its actual use. In practice, it shows up as privilege creep, unusual access timing, or accounts being repurposed without clear governance, which makes baseline reviews less reliable over time.
- Behaviour Baseline: A behaviour baseline is a reference pattern for how an identity normally authenticates and accesses resources. It combines timing, location, frequency, and resource use so defenders can spot deviations that may indicate compromise, misuse, or hidden administrative activity.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Hydden: identity compromise, machine identities, and early breach signals. Read the original.
Published by the NHIMG editorial team on 2026-02-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org