TL;DR: Attackers are increasingly targeting PAM, IAM, SSO, remote access, and token infrastructure directly, with February incidents showing that control planes can become entry points, escalation paths, and data-exfiltration channels, according to Delinea Labs. The lesson is that identity assumptions, not just endpoint defenses, now define whether access control still functions as a boundary.
At a glance
What this is: This is a monthly identity threat outlook showing that attackers are using identity systems themselves as the attack surface, with PAM, IAM, SSO, and federation controls increasingly compromised or bypassed.
Why it matters: It matters because IAM teams have to defend the control plane as an active target across human, NHI, and federated access paths, not just as a policy layer.
By the numbers:
- 67% of incidents investigated in 2025 stemmed from compromised credentials, weak or absent MFA, or direct exploitation of identity systems.
- In February, 399 of 3,182 CVEs were identity-related.
👉 Read Delinea's analysis of why identity controls have become the attack surface
Context
Identity controls only work when the systems enforcing access remain trustworthy. This March 2026 outlook argues that attackers are no longer just bypassing identity controls to reach data and systems. They are attacking the identity layer itself, including PAM, IAM, SSO, federation, and remote access infrastructure, because that is where trust decisions are made.
For IAM, NHI, and PAM teams, the implication is direct: control-plane compromise can invalidate downstream protections even when endpoints, networks, and applications are otherwise hardened. The article frames February as evidence that identity infrastructure now behaves like an exposed attack surface rather than a passive governance layer.
The pattern is not limited to one failure mode. Vulnerability exploitation, social engineering, token abuse, and credential harvesting all converge on the same outcome: the security boundary shifts into identity infrastructure before defenders can react. That is a typical operating reality now, not an edge case.
Key questions
Q: What breaks when identity control platforms are attacked directly?
A: When attackers target PAM, IAM, SSO, or federation infrastructure directly, the trust layer itself becomes unreliable. Access may still appear legitimate, but the system granting it can no longer be assumed safe. That means downstream controls inherit a compromised decision, and defenders must treat the control plane as an active security boundary, not a passive admin layer.
Q: Why do stolen sessions and tokens matter more than passwords in many breaches?
A: Stolen sessions and tokens let attackers continue activity without repeating authentication, which makes them more useful than a password alone. They also preserve the appearance of normal access, so detection is harder. Once session material is available, the attacker can often act inside existing trust with far less friction than a fresh login attempt would require.
Q: How can security teams tell whether identity controls are actually holding up?
A: Teams should measure whether identity systems still distinguish normal authentication from suspicious post-authentication behaviour. If elevation, token reuse, or lateral movement is visible only after damage occurs, the control layer is lagging. Effective programmes look for replay, unusual privilege changes, and trust boundary failures before those actions become business impact.
Q: Who is accountable when identity infrastructure is the entry point?
A: Accountability usually spans platform owners, IAM operations, and security governance because the failure often sits in the trust layer rather than in a single endpoint. Frameworks such as NIST CSF and OWASP Non-Human Identity Top 10 help assign ownership for privileged access, federation integrity, and non-human credentials. The practical goal is clear responsibility for the systems that issue trust.
Technical breakdown
Why PAM and remote access platforms are now prime targets
Privileged access management and remote support tools sit at the point where authentication, authorization, and session control converge. If an attacker gains execution before authentication, or can abuse the platform’s own elevation logic, the tool becomes the bridge into privileged sessions rather than the barrier in front of them. A pre-authentication remote code execution flaw can collapse the login boundary completely, while local privilege abuse inside an endpoint privilege manager turns enforcement logic into an escalation channel. Practical takeaway: treat identity infrastructure as internet-facing attack surface, not just security tooling.
Practical implication: Patch identity control platforms with the same urgency as externally exposed systems and monitor them as high-value targets.
How token integrity failures break federated identity
Federated identity depends on the trustworthiness of tokens, assertions, and redirects. When JWT signatures can be bypassed, SAML flows can be abused, or redirect logic leaks privileged tokens to attacker-controlled destinations, the authentication event still appears successful while the attacker inherits trust. This is why federation failures are dangerous: they preserve the appearance of normal access while subverting the trust artefact itself. Practical takeaway: validate token handling across every trust boundary, including issuer, audience, redirect, and session persistence.
Practical implication: Continuously test federation paths for token leakage, signature weakness, and redirect abuse across all SSO integrations.
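To make "validate token handling across every trust boundary" concrete, here is an added example (not Delinea's or NHIMG's code) of a relying party checking a JWT's algorithm, signature, issuer, audience and expiry, plus an exact-match redirect allowlist. The signing key, issuer, audience and callback URL are constructed placeholders.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlsplit

# Constructed demo values; in practice these come from the relying party's config.
SECRET = b"constructed-demo-key"
EXPECTED_ISS = "https://idp.example.test"
EXPECTED_AUD = "pam-portal"
REGISTERED_REDIRECTS = {"https://pam.example.test/callback"}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hs256(claims: dict, key: bytes = SECRET) -> str:
    """Issue an HS256 JWT; used here only to build sample inputs."""
    head = b64url_encode(json.dumps({"alg": "HS256"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_jwt(token: str, now: int) -> tuple:
    """Check a token at a trust boundary; returns ('ok', claims) or (reason, {})."""
    try:
        head, body, sig = token.split(".")
        header = dict(json.loads(b64url_decode(head)))
        claims = dict(json.loads(b64url_decode(body)))
        given = b64url_decode(sig)
    except Exception:
        return "malformed", {}
    # Pin the algorithm server-side: 'none' or an attacker-chosen alg is rejected.
    if header.get("alg") != "HS256":
        return "alg", {}
    want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):  # constant-time comparison
        return "signature", {}
    if claims.get("iss") != EXPECTED_ISS:  # token must come from our IdP
        return "issuer", {}
    aud = claims.get("aud")  # and be minted for this application, not another one
    if aud != EXPECTED_AUD and not (isinstance(aud, list) and EXPECTED_AUD in aud):
        return "audience", {}
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return "expired", {}
    return "ok", claims

def redirect_allowed(uri: str) -> bool:
    """Exact-match allowlist of registered callbacks; no prefix or wildcard matching."""
    return urlsplit(uri).scheme == "https" and uri in REGISTERED_REDIRECTS
```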
Why stolen credentials now include session context
Infostealer ecosystems no longer collect passwords alone. They capture cookies, browser history, and session material that let attackers resume trusted activity without repeating the original login event. That changes the risk from credential theft to identity reconstruction, where the attacker receives enough context to impersonate a legitimate user or service with minimal friction. This also explains why compromised credentials are so often paired with later privilege escalation. Practical takeaway: defend against identity replay, not just password reuse.
Practical implication: Add detection for session reuse and suspicious post-authentication behaviour, not only password compromise signals.
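As an added illustration of the session-reuse detection this takeaway calls for (not code from the original article), the following runs two rules over constructed session-telemetry events: session material used from a different IP and user agent than it was bound to at login, and a privileged action under a session id that never passed through an observed login. The field names and action names are assumptions.

```python
from collections import namedtuple

Alert = namedtuple("Alert", "sid user rule detail")
PRIVILEGED = {"elevate", "issue_token", "read_vault"}  # assumed action names

# Constructed sample session telemetry (not real data): one session id is
# reused from a new IP and user agent, one privileged action has no login.
SAMPLE_EVENTS = [
    {"ts": 100, "user": "alice", "sid": "s-7f3a", "ip": "10.1.4.22", "ua": "Firefox/124", "action": "login"},
    {"ts": 160, "user": "alice", "sid": "s-7f3a", "ip": "10.1.4.22", "ua": "Firefox/124", "action": "view"},
    {"ts": 420, "user": "alice", "sid": "s-7f3a", "ip": "203.0.113.9", "ua": "curl/8.5", "action": "elevate"},
    {"ts": 500, "user": "svc-ci", "sid": "s-0c11", "ip": "10.2.0.5", "ua": "python-requests", "action": "issue_token"},
    {"ts": 560, "user": "bob", "sid": "s-91de", "ip": "10.1.7.3", "ua": "Chrome/123", "action": "login"},
    {"ts": 600, "user": "bob", "sid": "s-91de", "ip": "10.1.7.3", "ua": "Chrome/123", "action": "read_vault"},
]

def detect_session_abuse(events):
    """Flag session material used outside the context in which it was issued."""
    bound = {}  # sid -> (user, (ip, ua)) captured at the observed login
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid, fp = ev["sid"], (ev["ip"], ev["ua"])
        if ev["action"] == "login":
            bound[sid] = (ev["user"], fp)
            continue
        if sid not in bound:
            # Session material that never passed through an observed authentication.
            if ev["action"] in PRIVILEGED:
                alerts.append(Alert(sid, ev["user"], "unbound_privileged", ev["action"]))
            continue
        user, login_fp = bound[sid]
        if fp != login_fp:
            # Same session id, different device context: replay of stolen material.
            rule = "replay_privileged" if ev["action"] in PRIVILEGED else "replay"
            alerts.append(Alert(sid, user, rule, f"{login_fp} -> {fp}"))
    return alerts
```

A production version would also expire bindings and tolerate legitimate address changes such as mobile roaming, for example by weighting user-agent changes more heavily than IP changes alone.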
Threat narrative
Attacker objective: turn identity infrastructure into a trusted conduit for privileged access, session theft, and downstream compromise.
- Entry occurred through pre-authentication RCE, social engineering, or stolen session material that gave attackers a legitimate-looking foothold into identity infrastructure.
- Escalation followed when attackers harvested privileged sessions, abused elevation dialogs, or used federation weaknesses to inherit higher trust without re-authenticating.
- Impact came when the identity layer no longer functioned as a reliable security boundary, enabling lateral movement, data theft, and ransomware-ready access.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — The breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity control-plane trust is now a broken assumption, not a safe default. The article shows that PAM, IAM, SSO, and remote access platforms are no longer merely enforcing access. They are being targeted as the first place to break trust, which means the security boundary has moved upward into the control plane itself. Practitioners should treat identity enforcement systems as live attack surface, not administrative infrastructure.
Static trust in federated identity is too fragile for current attack patterns. JWT bypass, SAML abuse, and redirect-based token theft all preserve the appearance of legitimate access while undermining the artefact that proves it. That means federated trust can fail without a visible authentication error, which complicates both detection and accountability. The implication is that token integrity has become a governance problem, not just an implementation detail.
Standing privilege and reusable session material create the identity blast radius attackers want. Once credentials, cookies, or elevation pathways are compromised, the attacker can move from one trusted action to the next with little friction. Delinea Labs’ monthly outlook reinforces a simple field lesson: the more durable the credential or session, the more durable the attacker’s access path. Practitioners should prioritise reducing persistence, not just blocking initial login attempts.
Session-level compromise is replacing password compromise as the more operationally useful failure mode. Infostealers and post-authentication abuse mean defenders increasingly face attackers who already look authenticated. That changes the governance problem from who can log in to what can be done once trust has already been granted. Security teams need to measure post-authentication privilege use as carefully as login success.
Identity systems are becoming the control layer where breach impact is decided. When attackers target PAM and federation first, downstream tools inherit a compromised trust decision. That is why the operational question is no longer whether access was granted, but whether the granting mechanism itself was still trustworthy at the moment of use. Practitioners should re-evaluate control-plane resilience as a core identity governance objective.
From our research:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities.
- This gap points forward to stronger lifecycle controls, and the Ultimate Guide to NHIs is the natural next step for teams reassessing standing access and secrets exposure.
What this signals
Identity control planes are now part of the threat model, not just the mitigation model. Teams that still treat PAM, SSO, and federation as back-office services will miss the fact that attackers are actively hunting those systems first. The programme impact is immediate: exposure management, patch prioritisation, and privileged session monitoring all need to be anchored to control-plane criticality rather than application tier alone.
Static credentials and reusable sessions are becoming the most durable attacker assets. That is why the governance conversation is shifting toward reducing persistence, shortening trust windows, and improving visibility after authentication. With 59.8% of organisations seeing value in dynamic ephemeral credentials according to The 2024 Non-Human Identity Security Report, the direction of travel is clear even if implementation maturity is still uneven.
Identity blast radius is the right concept for the next phase of programme design. Once attackers can move through federated access, standing privilege, and session material in one chain, the question is not whether compromise occurs but how far it spreads before containment. Security leaders should align monitoring, recertification, and offboarding around that blast radius rather than around isolated authentication events.
For practitioners
- Patch identity control planes like internet-facing assets: Place PAM, remote access, federation, and SSO platforms on the same emergency patch cadence as public-facing services. Track exposure, privilege impact, and exploitability together so security work is driven by control-plane risk, not product ownership.
- Validate federation paths for token leakage and signature abuse: Test JWT, SAML, redirect, and session persistence flows for trust breaks that preserve successful login while handing control to an attacker. Include identity providers, brokers, and application callbacks in the same validation scope.
- Reduce standing privilege across privileged and machine accounts: Replace persistent elevation with just-in-time access where possible, and review service accounts, API keys, and automation tokens for unnecessary durability. The goal is to shorten the period in which stolen identity material remains usable.
- Detect suspicious post-authentication behaviour: Look for abnormal elevation, unusual lateral movement, token replay, and access patterns that follow a successful login rather than precede it. This is where identity compromise often becomes visible after the attacker has already blended in.
- Inventory non-human identities as first-class attack paths: Map service accounts, automation tokens, and API keys to the systems they can reach and the sessions they can sustain. For a deeper baseline, pair this work with the Ultimate Guide to NHIs and the OWASP Non-Human Identity Top 10.
Key takeaways
- Attackers are increasingly targeting identity systems themselves, which turns PAM, IAM, SSO, and federation into active attack surface rather than passive control infrastructure.
- The scale of the problem is material, with 399 identity-related CVEs in February and broad evidence that compromised credentials and identity exploitation dominate incidents.
- Programs should prioritise control-plane patching, token integrity, standing privilege reduction, and post-authentication detection to limit how far identity compromise can spread.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Standing credentials and reusable sessions are central to the attack patterns described. |
| NIST CSF 2.0 | PR.AC-4 | Identity control-plane compromise is an access-control governance failure. |
| NIST Zero Trust (SP 800-207) | | The article shows why trust must be continuously verified after authentication. |
Map privileged identity systems to access-control ownership and verify enforcement at each trust boundary.
Key terms
- Identity Control Plane: The identity control plane is the layer where authentication, authorization, federation, and privileged session decisions are made. When attackers compromise it, they are not just bypassing controls. They are tampering with the mechanism that decides which identities can be trusted in the first place.
- Session Material: Session material is the set of tokens, cookies, and other artefacts that let a user or service continue an authenticated session. It matters because it can be reused without repeating login steps, which makes it more valuable to attackers than a password alone.
- Standing Privilege: Standing privilege is access that remains continuously available rather than being granted only when needed. It increases exposure because stolen credentials, tokens, or sessions stay useful for longer, and it gives attackers more time to move laterally once they inherit the account's rights.
- Federation Trust Boundary: A federation trust boundary is the point where one identity system accepts assertions, tokens, or sessions issued by another system. It is a critical boundary because any weakness in signature validation, redirect handling, or token issuance can convert a legitimate sign-in into attacker-controlled access.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Delinea: When identity controls become the attack surface. Read the original.
Published by the NHIMG editorial team on 2026-03-31.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org