By NHI Mgmt Group Editorial Team
Published 2026-05-14
Domain: General NHI
Source: Saviynt

TL;DR: Identity now sits in the center of breach paths, with Saviynt citing EY’s view that 90% of breaches involve identity through lateral movement and privilege escalation while AI compresses time-to-exploit and non-human identities outnumber people. That makes identity governance a core control plane for security, not just a compliance function.


At a glance

What this is: This is Saviynt’s analysis of EY’s view that identity security has become a primary defense layer as AI-driven attackers compress exploitation windows and non-human identities expand the attack surface.

Why it matters: IAM and NHI teams need to treat identity controls as operational defense because weak entitlement governance now affects breach prevention, zero trust enforcement, and AI security readiness.

👉 Read Saviynt's analysis of EY's view on identity security and defense in depth


Context

Identity security is the discipline of controlling who and what can reach systems, data, and tools, and it is increasingly the point where modern attack chains succeed or fail. In this article, Saviynt relays EY’s position that identity is no longer a secondary layer, because attackers move through privilege and access rather than only through malware or endpoints. For NHI governance, that shift matters because service accounts, tokens, API keys, and AI agents now sit inside the same control problem as human access.

The practical gap is that many identity programs still optimize for periodic compliance checks, not for rapid attack containment or machine-scale governance. That is a weak starting point for enterprises facing AI-accelerated threats and expanding NHI populations. Teams that still treat identity as an administrative function are behind the operating model this article describes.


Key questions

Q: How should security teams govern non-human identities alongside workforce access?

A: Security teams should govern non-human identities with the same ownership, lifecycle, and review discipline used for people, but with tighter rotation and revocation expectations. That means inventorying service accounts, API keys, certificates, bots, and agents, assigning accountable owners, and enforcing task-scoped permissions so machine access does not become permanent by default.

Q: When does identity security become more important than perimeter controls?

A: Identity security becomes more important when attackers can reach critical systems through valid credentials, delegated access, or over-privileged accounts. At that point the perimeter has already been crossed, and the real question is whether entitlement, verification, and privilege controls can stop lateral movement before impact.

Q: What is the difference between compliance-driven access review and real identity security?

A: Compliance-driven review checks whether a process was completed, while real identity security checks whether access risk was actually reduced. If a campaign removes only a small share of excess entitlements, the environment still carries the same exposure. Effective programs shrink privilege footprint, improve ownership, and shorten the time risky access remains valid.

Q: Why do AI agents create new identity governance risks?

A: AI agents create new governance risks because they can act autonomously, chain actions across tools, and hold privileges without a human explicitly approving each step. That makes them non-human identities with execution authority, which means traditional workforce IAM controls do not fully address their access, delegation, or blast-radius risk.


Technical breakdown

Why identity becomes the control point in modern attack chains

Attackers rarely need to break every layer when identity lets them blend into legitimate access paths. Once credentials, tokens, or privileged entitlements are obtained, lateral movement and privilege escalation become easier than attacking hardened infrastructure directly. That is why identity security is not just about login events. It is about the authorization model behind every session, every service account, and every delegated privilege. In NHI environments, the same pattern appears when long-lived secrets or over-privileged automation are left in place after deployment.

Practical implication: Security teams should treat identity telemetry as a first-class detection source and not rely on endpoint data alone.

How AI compresses the time-to-exploit window

AI changes the economics of discovery and exploitation by letting adversaries test, adapt, and operationalize weakness faster than traditional response cycles can keep up. That means the window between vulnerability discovery and active abuse shrinks, which reduces the value of slow, periodic governance processes. Identity controls must therefore be able to react quickly, especially when privileged accounts, service identities, or AI agents can be created and used in minutes. Static review cycles no longer match the tempo of the threat.

Practical implication: Teams need near-real-time entitlement changes, revocation, and anomaly detection for both human and non-human identities.
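The detection side of both implications above (identity telemetry as a first-class source, and fast revocation checked rather than assumed) as an added example; this is not code from the article, Saviynt or EY. The event shapes, field names, principals, timestamps, the 24-hour revocation SLA and the 30-minute chain window are all constructed assumptions, and the same three rules are what you would express in a SIEM query language over real identity provider and cloud control-plane logs.

```python
"""Identity-event correlation rules for a SIEM pipeline.

Added example, not code from the article or from Saviynt/EY. Event shapes, field
names, principals and timestamps are constructed for illustration. Three rules:
  1. new_source       a service account authenticates from a source outside its baseline;
  2. escalation_chain a principal assumes a role and that role session mints a new
                      credential within CHAIN_WINDOW (delegated privilege turned into persistence);
  3. revocation_sla   a secret reported as exposed is still usable past SLA, whether it
                      was eventually revoked late or never revoked at all.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

SLA = timedelta(hours=24)            # assumed target: exposed secrets are dead within a day
CHAIN_WINDOW = timedelta(minutes=30)  # assumed window for assume-role -> mint-credential


def ts(s: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed 30-day baseline of sources each service account normally authenticates from.
BASELINE: dict[str, set[str]] = {"svc-backup": {"10.0.4.12"}}

# Constructed identity events; deliberately not in time order, so detect() must sort.
EVENTS = [
    {"t": "2026-05-01T09:00:00", "type": "auth.success", "principal": "svc-backup",
     "kind": "service_account", "src": "10.0.4.12"},
    {"t": "2026-05-02T02:11:00", "type": "auth.success", "principal": "svc-backup",
     "kind": "service_account", "src": "203.0.113.7"},
    {"t": "2026-05-02T02:12:00", "type": "sts.assume_role", "principal": "svc-backup",
     "target": "role/admin", "session": "s-77"},
    {"t": "2026-05-02T02:20:00", "type": "iam.create_access_key", "principal": "role/admin",
     "session": "s-77", "target": "svc-etl"},
    {"t": "2026-05-02T03:00:00", "type": "secret.exposure_notified", "secret": "key-etl-01"},
    {"t": "2026-05-01T08:30:00", "type": "secret.exposure_notified", "secret": "token-ci-02"},
    {"t": "2026-05-01T10:00:00", "type": "secret.revoked", "secret": "token-ci-02"},
    {"t": "2026-05-01T08:00:00", "type": "secret.exposure_notified", "secret": "key-bak-03"},
    {"t": "2026-05-04T08:00:00", "type": "secret.revoked", "secret": "key-bak-03"},
]


def detect(events, baseline, now: datetime) -> list[tuple[str, str, str]]:
    """Return (rule, subject, detail) findings; `now` is the evaluation time for open exposures."""
    events = sorted(events, key=lambda e: ts(e["t"]))
    findings: list[tuple[str, str, str]] = []
    sessions: dict[str, tuple[str, str, datetime]] = {}   # session -> (caller, role, assumed_at)
    notified: dict[str, datetime] = {}
    revoked: dict[str, datetime] = {}

    for e in events:
        t = ts(e["t"])
        if e["type"] == "auth.success" and e["kind"] == "service_account":
            # Machines should have stable sources; a new one is a strong signal on its own.
            if e["src"] not in baseline.get(e["principal"], set()):
                findings.append(("new_source", e["principal"], e["src"]))
        elif e["type"] == "sts.assume_role":
            sessions[e["session"]] = (e["principal"], e["target"], t)
        elif e["type"] == "iam.create_access_key" and e.get("session") in sessions:
            # Attribute the minted credential to the original caller, not just the role.
            caller, role, assumed_at = sessions[e["session"]]
            if t - assumed_at <= CHAIN_WINDOW:
                findings.append(("escalation_chain", caller,
                                 f"{role} minted key for {e['target']}"))
        elif e["type"] == "secret.exposure_notified":
            notified[e["secret"]] = t
        elif e["type"] == "secret.revoked":
            revoked[e["secret"]] = t

    # Revocation-speed check: exposure age to revocation, or to `now` if still open.
    for secret, t0 in notified.items():
        age = revoked.get(secret, now) - t0
        if age > SLA:
            hours = int(age.total_seconds() // 3600)
            state = "revoked after" if secret in revoked else "still valid after"
            findings.append(("revocation_sla", secret, f"{state} {hours}h"))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in detect(EVENTS, BASELINE, ts("2026-05-08T00:00:00")):
        print(f"{rule:17} {subject:14} {detail}")
```

Run against the constructed events, the script reports the service account authenticating from an unknown address, the assume-role session that created a credential for a different identity eight minutes later, one secret revoked three days after notification and one still valid six days later; the secret revoked within two hours produces nothing. The third rule is the operational form of the "still valid five days after notification" statistic later in this page: measure the age of every open exposure continuously instead of sampling it once a quarter.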

Why non-human identities break workforce-centric identity models

Non-human identities behave differently from people because they scale faster, authenticate more frequently, and often operate without a human in the loop. Service accounts, API keys, bots, and AI agents can outnumber workforce identities by a wide margin, which means traditional joiner-mover-leaver processes do not cover the real blast radius. These identities also tend to be embedded in code, pipelines, and integrations, making them harder to inventory and harder to offboard. Governance must therefore extend beyond employee lifecycle management into runtime entitlement control and secret hygiene.

Practical implication: Inventory, ownership, and rotation controls must explicitly include machine identities and automated agents.


Threat narrative

Attacker objective: The attacker aims to turn legitimate identity access into broad operational reach while avoiding noisy intrusion patterns.

  1. Entry occurs when attackers obtain valid credentials or exploit an exposed identity path instead of attacking the application directly.
  2. Escalation follows through privilege abuse or lateral movement, using trusted identity pathways to reach higher-value systems.
  3. Impact lands when privileged access or machine identities are used to reach sensitive data, disrupt operations, or expand control across the environment.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity security is now a core control plane, not a supporting control. The article reflects a broader shift that many CISOs are already confronting. If identity is involved in the majority of breach paths, then detection, authorization, and governance all depend on it. That means identity operations need to be designed as a live defense layer, not as an annual review cycle. Practitioners should align identity controls with breach containment, not just access administration.

Ephemeral access does not solve trust debt when the identity model itself is weak. Shorter-lived access reduces exposure, but it does not fix over-privilege, missing ownership, or poor revocation discipline. That is especially true for NHI environments where secrets, service accounts, and agent permissions are created faster than they are reviewed. The result is a trust debt problem, not simply a credential lifetime problem. Teams should focus on blast-radius reduction, not only access duration.

Named concept: identity blast radius. The article points to a practical reality in which a single compromised identity can unlock many systems, pipelines, or privileges. That blast radius grows when machines and agents inherit standing permissions from legacy workforce models. NHI governance has to measure reach, not just existence, because the dangerous part is how far one identity can travel after compromise. Practitioners should map and constrain identity blast radius as a first-order risk metric.

Identity programs must prove business enablement, not only control coverage. EY’s examples show that identity can speed launches, support digital revenue, and make M&A or supplier transitions safer to execute. That matters because security programs get funded when they shorten business cycle time as well as reduce risk. The field should stop positioning identity as overhead and start treating it as a precondition for secure execution. Practitioners should translate identity maturity into business throughput.

Certification without meaningful entitlement reduction is governance theater. If reviews only remove a small fraction of access, the program is documenting exposure rather than shrinking it. That pattern is common in large identity estates where ownership is unclear and entitlements accumulate faster than they are retired. The right measure is whether reviews materially reduce privilege footprint and improve control over both human and non-human access. Practitioners should judge programs by entitlement reduction, not by completion rates.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • Use Top 10 NHI Issues to translate identity risk into an operational remediation agenda.

What this signals

Identity blast radius will become a board-level metric. As AI compresses exploit windows and machine identities multiply, programme owners will need to show how far a single compromised credential can travel before it is contained. The governance conversation shifts from access counts to reach, duration, and revocation speed. Teams that cannot measure blast radius will struggle to prove control effectiveness.

With 91.6% of secrets still valid five days after notification in our research, revocation speed remains a structural weakness, not an edge case. That means identity programmes need tighter offboarding, stronger secret hygiene, and faster response to compromised access across both human and non-human populations. The practical priority is shortening the life of exposed access, not simply documenting it.

AI security and identity security are converging. When agents can execute tools, hold credentials, and make chained decisions, the access model becomes part of the AI risk model. Practitioners should align identity governance with zero trust, with general control frameworks such as the NIST Cybersecurity Framework 2.0, and with AI-specific threat references such as the MITRE ATLAS adversarial AI threat matrix. The field is moving toward governance of behaviour, not just authentication.


For practitioners

  • Map identity blast radius across human and non-human access. Build an inventory that links each identity to its privileges, downstream systems, and automation paths. Include service accounts, API keys, certificates, bots, and AI agents so you can see where one compromised identity can spread. Use ownership data to identify where blast radius is currently unconstrained.
  • Reduce standing privilege in high-risk paths. Prioritize just-in-time elevation for admin, pipeline, and integration accounts that currently hold persistent rights. Where JIT is not feasible, segment access by task and enforce short approval windows to reduce the duration of exposed privileges.
  • Tie identity telemetry to detection engineering. Feed identity events into SIEM and endpoint workflows so privilege escalation, token misuse, and anomalous delegation can trigger response actions. Identity signals need to be correlated with process, network, and cloud control-plane data to catch lateral movement early.
  • Measure entitlement reduction, not review completion. Set a target for how much excess access should actually be removed in each certification cycle. If reviews are not materially lowering privilege levels, rework the role model, ownership model, or approval process instead of scaling the same workflow.
  • Expand governance to machine identities and AI agents. Apply the same accountability, rotation, and offboarding discipline to non-human identities that you use for workforce access. That includes lifecycle ownership, secret rotation, and revocation triggers for automation that no longer has a business need.
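The first, second and fourth items above, together with the "identity blast radius" concept from the analysis section, share one model: identities, the entitlements they hold, and the edges by which one identity can become another. The following is an added example of that model, not code from the article, Saviynt or EY. The inventory (alice, ci-deploy, cloud-admin-role, report-bot, support-agent), the entitlement names and the remediation it applies are all constructed; a real inventory would be built from the identity provider, cloud IAM, pipeline variables and secret stores.

```python
"""Identity blast radius as a graph metric.

Added example, not code from the article or from Saviynt/EY; inventory is constructed.
Nodes are identities, human and non-human. An identity reaches another when it holds
something that lets it act as that identity: an assumable role, a stored token, a key
in a pipeline variable. The blast radius of a compromised identity is the union of
standing entitlements across everything it can transitively become.
"""
from __future__ import annotations

from collections import deque
from copy import deepcopy
from dataclasses import dataclass, field


@dataclass
class Identity:
    kind: str                                          # human | service_account | api_key | agent
    owner: str | None                                  # accountable owner; None = orphaned
    standing: set[str] = field(default_factory=set)    # always-on rights, "system:permission"
    jit: set[str] = field(default_factory=set)         # rights granted only on approved elevation
    can_assume: set[str] = field(default_factory=set)  # identities this one can become


Inventory = dict[str, Identity]


def reachable(inv: Inventory, start: str) -> set[str]:
    """Breadth-first walk over can_assume edges; the result includes start itself."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in inv[queue.popleft()].can_assume:
            if nxt in inv and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(inv: Inventory, start: str, elevated: bool = False) -> set[str]:
    """Entitlements usable after compromising `start`.

    Standing rights only by default. elevated=True also counts JIT rights, i.e. the worst
    case if the attacker can also pass the elevation gate.
    """
    ents: set[str] = set()
    for name in reachable(inv, start):
        ents |= inv[name].standing
        if elevated:
            ents |= inv[name].jit
    return ents


def systems(ents: set[str]) -> set[str]:
    """Distinct systems an entitlement set touches (the prefix before the first colon)."""
    return {e.split(":", 1)[0] for e in ents}


def rank(inv: Inventory) -> list[tuple[str, str, int, int, bool]]:
    """(identity, kind, systems reachable, entitlements reachable, orphaned), widest reach first."""
    rows = []
    for name, ident in inv.items():
        ents = blast_radius(inv, name)
        rows.append((name, ident.kind, len(systems(ents)), len(ents), ident.owner is None))
    return sorted(rows, key=lambda r: (-r[3], -r[2], r[0]))


def standing_reduction(before: Inventory, after: Inventory) -> float:
    """Share of standing entitlements actually removed or moved to JIT between two cycles."""
    b = sum(len(i.standing) for i in before.values())
    a = sum(len(i.standing) for i in after.values())
    return (b - a) / b if b else 0.0


def remediate(inv: Inventory) -> Inventory:
    """Constructed remediation: cut the legacy pipeline->admin trust, make admin rights JIT, assign an owner."""
    fixed = deepcopy(inv)
    fixed["ci-deploy"].can_assume.discard("cloud-admin-role")
    admin = fixed["cloud-admin-role"]
    admin.jit |= admin.standing
    admin.standing = set()
    admin.owner = "platform-team"
    return fixed


# Constructed inventory: a small estate with one legacy trust path from CI to cloud admin.
INVENTORY: Inventory = {
    "alice": Identity("human", "alice", {"github:read"}, can_assume={"ci-deploy"}),
    "ci-deploy": Identity("service_account", "platform-team",
                          {"k8s:deploy", "registry:push"}, can_assume={"cloud-admin-role"}),
    "cloud-admin-role": Identity("service_account", None,
                                 {"cloud:iam-admin", "cloud:kms-decrypt", "db:admin"}),
    "report-bot": Identity("api_key", "finance", {"db:read"}),
    "support-agent": Identity("agent", "cx-team", {"crm:write", "mail:send"},
                              can_assume={"report-bot"}),
}

if __name__ == "__main__":
    for row in rank(INVENTORY):
        print("%-18s %-16s systems=%d entitlements=%d orphaned=%s" % row)
    fixed = remediate(INVENTORY)
    print("ci-deploy reach after fix:", sorted(blast_radius(fixed, "ci-deploy")))
    print("standing entitlements removed: %.0f%%" % (100 * standing_reduction(INVENTORY, fixed)))
```

Two points the numbers make that a count of accounts would hide. A human with one read permission tops the ranking because she can become the pipeline identity, which can become the orphaned admin role, so the dangerous object is the edge, not any single entitlement. After the remediation, the pipeline's reach drops from four systems to two, the admin rights still exist but only behind elevation, and the standing-entitlement reduction is a third of the estate; that fraction, not the number of reviews completed, is the metric the fourth item above asks for.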

Key takeaways

  • Identity security is now a primary containment layer because breach paths increasingly move through privileges, not just endpoints.
  • Non-human identities expand the attack surface faster than workforce-only models can govern, especially when excess privilege is already the norm.
  • Practitioners should measure blast radius, revocation speed, and real entitlement reduction if they want identity programmes to change security outcomes.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI5 Overprivileged NHI; NHI1 Improper Offboarding | Excess privilege and weak revocation are central risks in this identity-focused analysis.
NIST CSF 2.0 | PR.AA-05 (access permissions and entitlements managed under least privilege; PR.AC-4 in CSF 1.1) | Continuous access management fits the article's focus on identity as an active control layer.
NIST Zero Trust (SP 800-207) | Section 2.1, Tenets of Zero Trust (per-session, least-privilege access decisions) | Zero trust depends on identity signals and enforced authorization at every access decision.

Inventory NHI privileges and reduce standing access before assigning new automation rights.


Key terms

  • Non-Human Identity: A non-human identity is any machine, workload, or software actor that authenticates to systems and receives access rights. This includes service accounts, API keys, certificates, bots, and AI agents. The governance challenge is that these identities often scale faster than human access controls can safely track.
  • Identity Blast Radius: Identity blast radius is the amount of access, data, and systems that become reachable if one identity is compromised. In practice, it is a measure of how far a stolen credential, token, or agent permission can travel before it is contained. Lowering blast radius is a core containment goal.
  • Standing Privilege: Standing privilege is persistent access that remains in place whether or not it is actively needed. It creates avoidable exposure because the identity can be used at any time without fresh approval or context. In NHI environments, standing privilege is especially risky when automation and secrets are long-lived.
  • Identity Security Posture Management: Identity Security Posture Management is the continuous assessment of identity configuration, entitlement, and control weaknesses across an environment. It looks beyond simple access reviews to identify misconfigurations, excessive permissions, and weak lifecycle controls. For NHI programmes, it is a practical way to find hidden exposure at scale.

What's in the full article

Saviynt's full post covers the operational detail this analysis intentionally leaves for the source:

  • The full EY conversation on why identity security is now treated as a defense-in-depth control, including the operational framing used with CISOs and boards.
  • The business-case examples showing how identity work supports product launches, digital revenue, and M&A activity without exposing transactions.
  • The discussion of speed, scale, and smarter entitlement reduction that underpins the three design principles for modern identity programs.
  • The episode-specific distinctions between IVIP and ISPM, which are useful if you are mapping capability gaps in an existing identity stack.

👉 The full Saviynt post includes the EY examples, the revenue framing, and the three design principles for identity programs.

Deepen your knowledge

Identity blast radius and non-human identity governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is still built around workforce access assumptions, this course helps close that gap.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-14.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org