TL;DR: Identity security has shifted from protecting a directory to watching a distributed fabric of federated trust, SaaS tokens, and non-human identities that outnumber people many to one, according to Abnormal AI. The real control gap is behavioural visibility across the seams, because hardening sign-in alone does not reveal what identities do after authentication.
At a glance
What this is: This is an identity security analysis arguing that modern risk lives in the seams between federated apps, tokens, and service accounts, not at the sign-in gate.
Why it matters: It matters because IAM, NHI, and PAM teams need controls that see post-authentication behaviour across SaaS and workload identities, not just stronger login checks.
By the numbers:
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Abnormal AI's analysis of identity seams and behavioural identity detection
Context
Identity security no longer means locking down a single directory. In a federated environment, authentication happens once and access is then expressed through tokens, grants, roles, and downstream service permissions across multiple SaaS platforms and workload systems.
That shift matters because the control problem is now distributed. If no system can see the full chain from sign-in to post-authentication activity, IAM teams lose the ability to tell which identities are benign, which are overextended, and which are behaving outside their expected pattern.
Key questions
Q: How should security teams monitor identity risk across federated SaaS environments?
A: Security teams should correlate identity events across the IdP and each downstream application, then alert on abnormal post-authentication behaviour. A clean login does not mean clean activity. The useful signal is whether an identity is touching systems, data, or actions it has never used before, especially when access is mediated by tokens or delegated grants.
Q: Why do service accounts and OAuth grants create more risk than a single directory account?
A: They create more risk because access is distributed, inherited, and often weakly owned. A service account or OAuth grant can carry permissions into multiple systems without a human operator in the loop, which makes scope harder to review and abuse harder to spot. The risk is compounded when ownership is unclear.
Q: What do IAM teams get wrong about stronger MFA and conditional access?
A: They often assume a stronger sign-in control will solve identity risk across the environment. In practice, MFA and conditional access protect the front door, but many attacks happen after authentication through legitimate tokens, delegated access, or anomalous application behaviour. That is where governance needs a second control layer.
Q: How should organisations decide where to apply behavioural identity monitoring first?
A: Start with identities that can reach financial data, customer systems, production workloads, or administrative functions across multiple applications. Those accounts have the greatest blast radius and the least tolerance for blind spots. Behavioural monitoring should begin where authentication success is least informative about whether access is appropriate.
Technical breakdown
Federated identity creates security seams
Federated identity replaces a single authoritative gate with a chain of trust across identity providers and service providers. Each application enforces its own access rules, but the access path is stitched together by short-lived tokens, delegated grants, and role mappings. That makes the security boundary procedural rather than physical. A sign-in event can look clean even when the downstream activity is risky, because the risky part happens after authentication. The main architectural weakness is not federation itself, but the absence of unified observation across the full access path.
Practical implication: correlate identity events across the IdP and downstream applications, not just at login.
NHI sprawl amplifies post-authentication risk
Non-human identities expand the attack surface because service accounts, API tokens, and OAuth grants can inherit access across systems without a human user in the loop. Unlike human sessions, these credentials may be long-lived, reused across workflows, and difficult to map back to an owner. That creates layered privilege accumulation, where one grant silently extends another. The result is not simply more identities, but more identities with unclear purpose, unclear ownership, and unclear boundaries. In a fabric model, that lack of clarity becomes an exploit path rather than just an administrative problem.
Practical implication: build an ownership and usage inventory for every NHI before adding more access controls.
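One way to turn the ownership-and-usage inventory above into something checkable, as an added example that is not code from the Abnormal AI post or from NHI Mgmt Group: each non-human identity is described by an assumed record (owner, reachable systems, granted versus documented scopes, rotation and last-use dates), and the review returns the governance gaps the text names, which are missing owner, overdue rotation, unused credentials and excess scope. The field names, the 90-day rotation window, the 60-day staleness window and the sample records are constructed assumptions.

```python
"""Added example (not from the Abnormal AI post or NHI Mgmt Group): an
ownership-and-usage review for non-human identities (NHIs)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, List, Dict, Set


@dataclass
class NHI:
    name: str
    kind: str                    # "service_account" | "api_token" | "oauth_grant"
    owner: Optional[str]         # None means nobody is accountable for it
    systems: Set[str]            # systems the credential can reach
    granted_scopes: Set[str]     # what the credential actually holds
    required_scopes: Set[str]    # what the owner has documented as needed
    last_rotated: date
    last_used: Optional[date]    # None means never observed in use


ROTATION_WINDOW = timedelta(days=90)   # assumed rotation policy
STALE_AFTER = timedelta(days=60)       # assumed "unused" threshold

# Constructed sample inventory; names and dates are illustrative only.
TODAY = date(2026, 3, 1)
SAMPLE_NHIS = [
    NHI("svc-payroll-sync", "service_account", "finance-platform",
        {"workday", "payroll-db"},
        {"workday:read", "workday:write", "payroll-db:read"},
        {"workday:read", "payroll-db:read"},
        last_rotated=date(2025, 10, 1), last_used=date(2026, 2, 28)),
    NHI("oauth-crm-export", "oauth_grant", None,
        {"salesforce", "data-warehouse"},
        {"api", "refresh_token", "full"}, set(),
        last_rotated=date(2025, 12, 15), last_used=None),
    NHI("ci-deploy-token", "api_token", "platform-eng",
        {"ci"}, {"deploy"}, {"deploy"},
        last_rotated=date(2026, 2, 1), last_used=date(2026, 2, 27)),
]


def review_nhi(nhi: NHI, today: date) -> List[str]:
    """Return the governance findings for one identity."""
    findings = []
    if not nhi.owner:
        findings.append("no_owner")
    if today - nhi.last_rotated > ROTATION_WINDOW:
        findings.append("rotation_overdue")
    if nhi.last_used is None or today - nhi.last_used > STALE_AFTER:
        findings.append("stale_or_unused")
    excess = nhi.granted_scopes - nhi.required_scopes
    if excess:
        findings.append("excess_scopes:" + ",".join(sorted(excess)))
    if len(nhi.systems) > 1:
        # Crosses an identity seam: a candidate for behavioural monitoring.
        findings.append("crosses_systems")
    return findings


def build_inventory(nhis: List[NHI], today: date) -> Dict[str, List[str]]:
    return {n.name: review_nhi(n, today) for n in nhis}


def prioritise(inventory: Dict[str, List[str]]) -> List[str]:
    """Identities with the most findings first; ties broken by name."""
    return sorted(inventory, key=lambda n: (-len(inventory[n]), n))


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_NHIS, TODAY)
    for name in prioritise(inv):
        print(f"{name}: {inv[name] or 'clean'}")
```

The point of the ordering is that the unowned, over-scoped grant that reaches two systems is reviewed before the owned service account with a single overdue rotation, and the clean CI token drops to the bottom; a real inventory would populate these records from the IdP, the secrets manager and each SaaS admin API rather than from a constructed list.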
Behavioural detection is the missing control plane
When identities are distributed across SaaS and machine workflows, static policy at the point of sign-in cannot explain whether the access is appropriate in context. Behavioural controls look at what the identity normally touches, when it acts, and whether its current activity deviates from that baseline. This is especially useful where role-based access control is too coarse to capture intent. The technical value is not that behaviour replaces authentication, but that it adds a second layer of context after authentication has already succeeded. That is where many modern identity attacks actually live.
Practical implication: add behavioural baselines for high-value human and non-human identities that routinely move across SaaS and data systems.
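The correlation described in the "Key questions" answer and in the federated-identity section, and the behavioural baseline described just above, can be shown in one small detector. This is an added example, not code from the Abnormal AI post or from NHI Mgmt Group: it joins IdP sign-in events with downstream SaaS audit events by session id, builds a per-identity baseline of which applications, actions and hours of day the identity has used before, and flags post-authentication activity that is new for that identity or outside its usual hours, even when the sign-in itself passed MFA. The event shapes, field names, the two-hour slack and all sample data are constructed assumptions; a service account acting on a token appears with no session at all, which is the seam the text describes.

```python
"""Added example (not from the Abnormal AI post or NHI Mgmt Group): a minimal
identity-seam detector joining IdP sign-ins to downstream SaaS activity."""
from collections import defaultdict
from datetime import datetime

# Constructed historical activity: (actor, app, action, hour of day).
HISTORY = [
    ("alice@example.com", "salesforce", "report.view", 9),
    ("alice@example.com", "salesforce", "report.view", 14),
    ("alice@example.com", "workday", "profile.view", 10),
    ("svc-payroll-sync", "workday", "payroll.read", 2),
    ("svc-payroll-sync", "workday", "payroll.read", 2),
]

# Constructed IdP sign-ins; all succeeded with MFA, so a login-only control stays quiet.
SIGNINS = [
    {"ts": "2026-03-02T09:05:00", "actor": "alice@example.com", "session": "s1", "mfa": True},
    {"ts": "2026-03-02T23:40:00", "actor": "alice@example.com", "session": "s2", "mfa": True},
]

# Constructed downstream SaaS audit events. Session ids tie human activity to a
# sign-in; the service account acts on a long-lived token with no session.
APP_EVENTS = [
    {"ts": "2026-03-02T09:10:00", "actor": "alice@example.com", "app": "salesforce",
     "action": "report.view", "session": "s1"},
    {"ts": "2026-03-02T23:45:00", "actor": "alice@example.com", "app": "salesforce",
     "action": "report.export", "session": "s2"},
    {"ts": "2026-03-02T23:50:00", "actor": "alice@example.com", "app": "workday",
     "action": "bank_details.update", "session": "s2"},
    {"ts": "2026-03-02T02:00:00", "actor": "svc-payroll-sync", "app": "workday",
     "action": "payroll.read", "session": None},
    {"ts": "2026-03-02T15:00:00", "actor": "svc-payroll-sync", "app": "salesforce",
     "action": "contact.export", "session": None},
]


def build_baseline(history):
    """Per identity: the apps, (app, action) pairs and hours seen before."""
    base = defaultdict(lambda: {"apps": set(), "actions": set(), "hours": set()})
    for actor, app, action, hour in history:
        base[actor]["apps"].add(app)
        base[actor]["actions"].add((app, action))
        base[actor]["hours"].add(hour)
    return base


def correlate(signins, app_events):
    """Attach the originating IdP sign-in (if any) to each downstream event."""
    by_session = {s["session"]: s for s in signins}
    return [(ev, by_session.get(ev["session"])) for ev in app_events]


def hour_distance(a, b):
    """Circular distance between two hours of day, so 23 and 1 are 2 apart."""
    d = abs(a - b)
    return min(d, 24 - d)


def detect(signins, app_events, history, hour_slack=2):
    """Return alerts for downstream activity that deviates from the baseline."""
    baseline = build_baseline(history)
    alerts = []
    for ev, signin in correlate(signins, app_events):
        b = baseline.get(ev["actor"])
        reasons = []
        if b is None:
            reasons.append("no_baseline")
        else:
            if ev["app"] not in b["apps"]:
                reasons.append("first_seen_app")
            if (ev["app"], ev["action"]) not in b["actions"]:
                reasons.append("first_seen_action")
            hour = datetime.fromisoformat(ev["ts"]).hour
            if all(hour_distance(hour, h) > hour_slack for h in b["hours"]):
                reasons.append("off_hours")
        if reasons:
            alerts.append({
                "actor": ev["actor"], "app": ev["app"], "action": ev["action"],
                "signin_ok": bool(signin and signin["mfa"]),  # the front door looked clean
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SIGNINS, APP_EVENTS, HISTORY):
        print(alert)
```

Two things the output makes visible that a sign-in log alone does not: the human account's late-night export and payroll-record change carry `signin_ok: True`, so nothing at the IdP would have fired, and the service account's Salesforce export has no sign-in to correlate at all, which is why the baseline has to be keyed on the identity rather than on the session.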
Threat narrative
Attacker objective: The attacker aims to hide inside trusted identity relationships long enough to exfiltrate data or abuse downstream application access without triggering a login-centric control.
- Entry occurs through a successful sign-in or trusted token grant, which places the attacker inside the federated identity fabric.
- Escalation happens as chained service account access and delegated OAuth permissions expand reach across downstream SaaS systems.
- Impact follows when the attacker performs actions that look legitimate at the login layer but are anomalous across the wider identity fabric.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- Dropbox Sign breach — compromised Dropbox Sign service account exposed API keys and OAuth tokens.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity security has become a fabric problem, not a directory problem. The article is right to focus on seams, because the decisive risk is now distributed across identity providers, SaaS applications, and workload credentials. Traditional controls still treat sign-in as the main event, but the real attack surface begins after authentication. Practitioners should reframe identity governance around continuity of trust across the full access path.
NHI sprawl turns delegated trust into silent privilege accumulation. Service accounts, API tokens, and OAuth grants inherit reach in ways most organisations cannot fully map. That is why ownership gaps matter as much as access gaps. When half of NHIs lack a clear owner, governance cannot reliably explain who is accountable for the access path or its downstream effects.
Behavioural visibility is the missing named concept: identity seam monitoring. This is the ability to detect misuse across federated systems, not just at the login boundary. The control gap is not stronger MFA, it is the absence of observation after authentication. Practitioners should treat every identity that can cross application boundaries as needing behavioural scrutiny, especially when access is not human-mediated.
Access review processes assume the relevant risk is visible at the entitlement layer, but federated identity attacks often express risk in activity rather than in standing permission. That assumption fails when a short-lived token is used legitimately but the downstream behaviour is abnormal. The implication is that review models must account for how access is exercised, not only how it was issued.
This article reinforces a broader governance shift already visible in modern identity programmes. OWASP NHI guidance and zero trust both point toward continuous verification, but the operational challenge is making those principles work across heterogeneous SaaS and machine identities. Practitioners should expect identity governance to become more behavioural, more cross-domain, and less dependent on a single authoritative directory.
From our research:
- NHIs outnumber human identities by 25x to 50x in modern enterprises, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- For a practical next step, see Guide to the Secret Sprawl Challenge for how exposed credentials and hidden secrets broaden the same identity-fabric risk.
What this signals
Identity seam monitoring: the next maturity step for IAM teams is not more login friction, but visibility into what identities do after authentication across SaaS and workload systems. With NHIs outnumbering human identities by 25x to 50x in modern enterprises, the governance challenge is already structural, not exceptional.
Teams should expect behavioural controls to become a core part of identity architecture, especially where tokens and delegated grants cross application boundaries. The control question is no longer whether a user signed in successfully, but whether the resulting activity is normal for that identity, in that system, at that time.
For broader guidance on where federated identity and secret exposure intersect, the Ultimate Guide to NHIs remains the best baseline reference, while the OWASP Non-Human Identity Top 10 helps teams anchor their control priorities in a recognised framework.
For practitioners
- Map the full identity fabric: Inventory the IdP, downstream SaaS applications, service accounts, OAuth grants, and token issuers that participate in the access chain. Identify where no single control plane can see both authentication and post-authentication activity.
- Establish ownership for every NHI: Assign a responsible owner for each service account, API token, and OAuth grant, then validate that the owner can explain why the identity exists and what systems it should touch.
- Baseline behaviour for high-value identities: Define normal access patterns for accounts that touch payroll, CRM, finance, or production data, and alert on deviations in time, target system, or action type.
- Review downstream access, not just login policy: Test whether stronger MFA and conditional access are masking post-login blind spots. Prioritise controls that detect suspicious behaviour after the authentication event has already succeeded.
Key takeaways
- Modern identity risk now lives in the seams between federated systems, not just at the sign-in gate.
- NHI sprawl and delegated grants create visibility gaps that most IAM stacks still cannot explain end to end.
- Behavioural monitoring and ownership clarity are the controls that change the outcome when post-login activity is where attacks play out.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Federated token and grant sprawl creates the identity seams discussed here. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Continuous verification fits the need to assess activity after authentication. |
| NIST CSF 2.0 | DE.CM-8 | Behavioural monitoring aligns with detecting anomalous identity activity across systems. |
Apply least-privilege and continuous verification to identity activity, not only sign-in events.
Key terms
- Federated Identity Fabric: A federated identity fabric is the connected set of identity providers, applications, tokens, and delegated permissions that together determine access across an enterprise. It matters because security decisions no longer happen in one place. Risk emerges in the handoffs between systems, especially when no team can see the whole chain.
- Identity Seam: An identity seam is the gap between two trusted systems where visibility, policy, or ownership breaks down. In practice, seams appear between the IdP and downstream SaaS apps, or between human-managed and machine-managed credentials. Attackers exploit seams because each individual system can look compliant while the whole chain is not.
- Behavioural Identity Monitoring: Behavioural identity monitoring is the practice of watching how an identity actually acts after authentication, then comparing that activity to its normal pattern. It is more useful than login-only controls when tokens, grants, and service accounts move across systems. The goal is to spot misuse in context, not just authenticate successfully.
- Non-Human Identity: A non-human identity is a credentialed digital entity such as a service account, API token, certificate, or OAuth grant that can authenticate and act without a person directly operating it. These identities often accumulate privileges, outlive their owners, and become hard to govern when visibility and lifecycle controls are weak.
What's in the full article
Abnormal AI's full blog post covers the operational detail this post intentionally leaves for the source:
- How the vendor models identity behaviour across email and SaaS environments to spot post-authentication anomalies
- Examples of activity patterns that stand out when an identity touches Workday or Salesforce in an unusual way
- The vendor's explanation of why sign-in hardening alone does not expose activity across the identity fabric
- Operational framing for behavioural AI in identity security programs
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-07-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org