By NHI Mgmt Group Editorial Team
Published 2026-04-08
Domain: Agentic AI & NHIs
Source: Unosecur

TL;DR: The Stryker cyberattack shows how attackers can disrupt manufacturing, logistics, and order processing by targeting Microsoft-based identity and device management infrastructure instead of deploying malware, according to Unosecur. The pattern makes privileged identities and administrative control planes the real blast-radius variables, not endpoint compromise alone.


At a glance

What this is: An analysis of the Stryker cyberattack and the wider shift toward identity-driven operations that weaponize legitimate management tools.

Why it matters: For IAM and NHI practitioners, it shows that privileged identity governance and control-plane protection now matter as much as endpoint defence.

👉 Read Unosecur's analysis of the Stryker cyberattack and identity-driven disruption


Context

Identity-driven attacks are operations in which an attacker uses legitimate credentials or administrative access to control systems already trusted by the enterprise. In the Stryker case, the reported focus on Microsoft identity and device management infrastructure shows why IAM teams need to think in terms of control planes, not just users and endpoints. When the attacker owns the administrative layer, the same tools meant to enforce policy can be turned into outage mechanisms.

The broader governance gap is that many enterprises still separate identity security, endpoint management, and operational resilience into different programmes. That separation breaks down when a privileged identity can lock users out, suppress controls, or disrupt provisioning at scale. For NHI management, the lesson is direct: service accounts, admin tokens, and platform identities need the same blast-radius scrutiny as human privileged access.


Key questions

Q: How should security teams govern identities that can control device and identity management planes?

A: Treat those identities as high-risk privileged access, regardless of whether they are human or non-human. Scope their permissions to specific tasks, shorten session duration, require strong approval for elevation, and monitor their actions continuously. The core test is blast radius: if compromise could disable access or operations at scale, the identity needs PAM-level governance and tight operational oversight.

Q: Why are identity-driven attacks harder to detect than malware-based attacks?

A: Because the attacker is using legitimate administrative tooling and valid permissions, the activity often resembles normal operations. There may be no malicious file, exploit signature, or endpoint alert to anchor detection. Teams need behavioural baselines, change-window correlation, and authority-aware telemetry to distinguish routine administration from abuse of privilege.

Q: What is the difference between endpoint compromise and management-plane compromise?

A: Endpoint compromise affects individual devices or users, while management-plane compromise affects the systems that control many devices, identities, or policies at once. The second is more dangerous because it can create enterprise-wide lockout, mass policy changes, or broad disruption from a single privileged account. That is why management-plane identities require stricter controls than ordinary admin roles.

Q: When should organisations treat an NHI like a privileged administrator?

A: Whenever the NHI can change authentication, provisioning, policy enforcement, or device state. At that point it is no longer a simple automation credential. It is an operator with delegated power, and it should be governed with the same approval, monitoring, and revocation discipline used for human privileged access.


Technical breakdown

How identity-driven control-plane attacks work

These attacks do not depend on malicious binaries or exploit chains in the traditional sense. Instead, the adversary compromises an administrative identity, then uses trusted tooling such as device management, identity administration, or SaaS consoles to issue legitimate commands. Because the actions come from authorised systems, detection is harder and the signal often looks like normal administration until the impact becomes visible. The key architectural weakness is that the management plane is both highly privileged and highly trusted, so compromise there can cascade into broad operational denial.

Practical implication: Map every management-plane identity and treat compromise of those accounts as a high-severity enterprise outage scenario.

Why privileged identity blast radius is the real failure mode

Blast radius is the amount of damage a single compromised identity can cause. In identity-driven attacks, it is governed by role scope, token lifetime, delegated permissions, and whether the identity can affect authentication, device policy, or account recovery. A narrow account may expose one system, but an over-privileged administrative identity can disable access across thousands of devices or services. That makes least privilege and step-up controls central to resilience, not just access hygiene. The Stryker case is a reminder that privileged access design is now an operational continuity issue.

Practical implication: Review privileged role scope, delegation paths, and token lifetimes before the next access review cycle.

Living-off-the-land operations in enterprise identity environments

Living-off-the-land means using the tools already present in the environment instead of adding new malware. In identity and device management contexts, that can include remote actions, policy enforcement, token revocation, application control, or device wipe functions. The advantage for the attacker is stealth and speed. The defence challenge is that the same functions are legitimate, so context and behavioural baselines matter more than static signatures. Security teams need telemetry that distinguishes normal administrative change from abuse of administrative authority.

Practical implication: Correlate administrative commands with change windows, device populations, and operator identity to spot abuse early.


Threat narrative

Attacker objective: The objective is to disrupt enterprise operations by abusing legitimate management capabilities, not to rely on traditional malware execution.

  1. Entry via compromise of Microsoft-based identity and device management infrastructure rather than malware delivery on endpoints.
  2. Escalation through privileged administrative access that can issue trusted commands across the enterprise environment.
  3. Impact through lockout and disruption of internal services supporting manufacturing, logistics, and order processing.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity control-plane compromise is now a primary outage vector. The Stryker incident fits a pattern where the attacker does not need to defeat every endpoint if they can own the administration layer. That changes the unit of risk from device compromise to governance of privileged identities, management consoles, and delegated automation. Practitioners should treat identity control-plane security as a resilience requirement, not a niche IAM concern.

Ephemeral credential trust debt: short-lived sessions and tokens reduce exposure, but they do not eliminate the underlying trust granted to powerful administrative identities. When those identities can alter access, policy, or device state, the enterprise accumulates trust debt every time privilege is broadened for convenience. The practical conclusion is that time-limited access must still be tightly scoped, monitored, and revocable.

Living-off-the-land shifts detection from malware to authority abuse. Traditional endpoint security looks for suspicious binaries, but identity-driven operations exploit normal administrative functions. That means detection must look at who exercised power, from where, against what assets, and in what sequence. Security teams that do not instrument those relationships will miss the attack until business disruption is already underway.

Non-human identities inherit the same blast-radius problem as human admins. Service accounts, automation tokens, and integration identities can become equivalent to privileged operators when they carry broad management rights. That means NHI governance should include access review, policy constraints, and behavioural monitoring for every identity that can change state at scale. The practitioner takeaway is simple: if an NHI can move the environment, it must be governed like an admin.

From our research:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
  • 53% of security leaders expect AI to run major portions of their infrastructure autonomously within the next three years, which makes access governance a near-term control problem rather than a future concern.
  • That same survey shows only 44% of organisations have implemented policies to manage AI agents, a gap that should prompt teams to review OWASP NHI Top 10 alongside privileged access controls.

What this signals

Identity control-plane compromise will increasingly look like business interruption, not just cyber incident response. For security programmes, the practical shift is to align IAM, endpoint management, and resilience planning around the same privileged identities. Teams that separate those functions will continue to miss the common failure mode: a trusted operator account being turned into an outage mechanism.

With 70% of organisations already granting AI systems more access than human employees, according to The 2026 Infrastructure Identity Survey, the governance gap extends well beyond human administrators. The same control assumptions that fail for AI agents also fail for service accounts and automation identities that can touch production.

Non-human identity programmes need a control-plane threat model. That means inventorying every identity with authority over identity providers, device management, and recovery workflows, then testing what happens when one of those identities is abused. The next step for practitioners is to make management-plane compromise a defined scenario in tabletop exercises and access reviews.


For practitioners

  • Inventory management-plane identities: Catalog every identity that can change device state, authentication policy, or administrative access. Include human admins, service accounts, automation workflows, and delegated integration identities. Assign an owner to each identity and require a documented business purpose.
  • Reduce privileged blast radius: Replace broad administrative roles with narrowly scoped permissions, short session lifetimes, and task-specific elevation. Where possible, separate device management, identity administration, and security policy enforcement so one compromise cannot disable the whole stack.
  • Monitor authority, not just anomalies: Correlate admin actions with expected operators, approved change windows, and affected asset groups. Alert when a privileged identity performs unusual bulk actions such as mass lockout, policy changes, or remote device control outside normal patterns.
  • Harden recovery and break-glass paths: Protect emergency access with strong controls, offline governance, and periodic testing. Break-glass accounts should not be permanently privileged, and their use should trigger immediate review and containment workflows.
  • Tie NHI governance to operational resilience: Use the same review cadence for service accounts and automation identities that you use for privileged human access. The question is not whether the identity is human, but whether it can disrupt production if abused.
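The correlation that the "Monitor authority, not just anomalies" item and the living-off-the-land practical implication above both describe, as an added illustration for this post (not code from Unosecur or NHIMG): each constructed admin audit record is checked against an assumed expected-operator table, an assumed change window and an assumed bulk threshold, so that a legitimate identity issuing a legitimate command still stands out when scope or timing is wrong. All identity names, event fields and thresholds are constructed assumptions.

```python
"""Correlate management-plane actions with operator, change window and scope.
Added illustration for this post, not code from Unosecur or NHIMG; the event
shape, policy tables and sample records are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, time

@dataclass
class AdminEvent:
    ts: datetime       # when the command was issued
    actor: str         # human or non-human identity exercising authority
    action: str        # management-plane action, e.g. "device.wipe"
    target_count: int  # devices or accounts touched by this one command

# Constructed policy: expected operators per high-impact action, the approved
# change window, and the threshold that makes a command a bulk action.
EXPECTED_OPERATORS = {
    "device.wipe": {"svc-mdm-automation"},
    "policy.update": {"alice.admin"},
    "user.disable": {"svc-hr-sync"},
}
CHANGE_WINDOW = (time(1, 0), time(4, 0))  # 01:00-04:00, assumed
BULK_THRESHOLD = 50

def in_change_window(ts: datetime) -> bool:
    start, end = CHANGE_WINDOW
    return start <= ts.time() <= end

def evaluate(event: AdminEvent) -> list[str]:
    """Return why this event needs review; an empty list means routine admin."""
    reasons = []
    if event.actor not in EXPECTED_OPERATORS.get(event.action, set()):
        reasons.append("unexpected_operator")
    if event.target_count >= BULK_THRESHOLD and not in_change_window(event.ts):
        reasons.append("bulk_outside_change_window")
    return reasons

def triage(events: list[AdminEvent]) -> dict[str, list[str]]:
    """Aggregate review reasons per actor; actors with none are omitted."""
    flagged: dict[str, list[str]] = {}
    for ev in events:
        for reason in evaluate(ev):
            flagged.setdefault(ev.actor, []).append(f"{ev.action}:{reason}")
    return flagged

# Constructed sample audit records, not from any real incident.
SAMPLE_EVENTS = [
    AdminEvent(datetime(2026, 4, 8, 2, 15), "alice.admin", "policy.update", 1),
    AdminEvent(datetime(2026, 4, 8, 14, 3), "svc-hr-sync", "user.disable", 12),
    AdminEvent(datetime(2026, 4, 8, 14, 5), "svc-mdm-automation", "device.wipe", 400),
    AdminEvent(datetime(2026, 4, 8, 14, 6), "svc-hr-sync", "policy.update", 1),
]
```

Running `triage(SAMPLE_EVENTS)` flags the automation identity for a 400-device wipe outside the change window even though it is the expected operator, and flags the HR sync account for touching policy it never administers; the routine records produce nothing.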

Key takeaways

  • Identity-driven attacks shift the primary risk from compromised endpoints to compromised administration.
  • Privilege scope, token lifetime, and delegated authority determine how far a single identity can damage the enterprise.
  • Security teams should govern management-plane identities, including NHIs, with the same seriousness as privileged human admins.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

  • OWASP Non-Human Identity Top 10 (NHI-01): Control-plane compromise and over-privilege are central to this attack pattern.
  • NIST CSF 2.0 (PR.AC-4): Access management is directly tied to the blast radius of compromised admin identities.
  • NIST Zero Trust (SP 800-207): Zero Trust principles apply when trusted admin tools can be abused after identity compromise.

Apply continuous verification to administrative actions and segment control-plane access from routine user traffic.


Key terms

  • Identity Control Plane: The identity control plane is the set of systems that create, authenticate, authorize, and manage access across the enterprise. When attackers compromise it, they can change policy, lock users out, or widen access without touching every endpoint individually.
  • Management-Plane Identity: A management-plane identity is any human or non-human account that can administer devices, identity providers, or security policy. These identities carry outsized risk because abuse can cascade across many systems from a single trusted account or token.
  • Blast Radius: Blast radius is the amount of damage a compromised identity or system can cause before it is contained. In NHI governance, it is shaped by privilege scope, token lifetime, and whether the identity can alter authentication, provisioning, or device state.
  • Living-off-the-Land: Living-off-the-land attacks use legitimate enterprise tools instead of custom malware. In identity environments, that means abusing approved administrative functions to perform disruptive actions while blending into normal operational traffic.

What's in the full article

Unosecur's full blog covers the operational detail this post intentionally leaves for the source:

  • Its incident-specific walkthrough of how the Stryker cyberattack disrupted Microsoft-based identity and device management systems.
  • The vendor's breakdown of the "lethal trifecta" pattern, including how privileged identities and trusted management platforms interact.
  • Examples of identity-threat-detection signals and automated response actions used to contain administrative abuse.
  • The article's product-oriented explanation of visibility, posture management, and response workflows for identity-first defence.

👉 Unosecur's full post covers the identity-first attack pattern, response controls, and platform-oriented mitigation details.

Deepen your knowledge

Identity control-plane compromise and privileged access governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for service accounts, automation identities, and admin tokens, it is a practical place to start.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org