By NHI Mgmt Group Editorial Team | Published 2025-11-06 | Domain: Governance & Risk | Source: Silverfort

TL;DR: A red team exercise showed that a phishing click and a long-forgotten privileged account were enough to reach domain access while SOC and SIEM tooling stayed blind for weeks, according to Silverfort. The lesson is that identity risk cannot be managed by assumption, because visibility and credential misuse now determine whether perimeter controls actually hold.


At a glance

What this is: This is an independent analysis of why identity visibility remains a blind spot and why credential misuse can defeat otherwise mature security programmes.

Why it matters: It matters because IAM, NHI, and PAM teams cannot govern what they cannot see, and the same visibility gap weakens human, machine, and privileged access controls alike.


👉 Read Silverfort's analysis of identity visibility gaps and credential misuse


Context

Identity visibility is the ability to see which accounts exist, where they are used, and what access they actually exercise. In many enterprises, that picture is still fragmented, which means security teams are forced to rely on assumptions rather than evidence when they assess exposure across human identities, non-human identities, and privileged accounts.

The article argues that mature perimeter defence does not compensate for weak identity telemetry. That matters for IAM and PAM programmes because attackers often succeed through credential misuse, not through breaking the perimeter first, and the same blind spot applies to service accounts, API keys, and other non-human identities.


Key questions

Q: How should security teams quantify identity risk in mature environments?

A: Start by measuring how many identities exist, which ones are privileged, and where those identities are actually used. Then compare the inventory against lifecycle records, access reviews, and detection coverage. A programme that cannot answer those questions is still operating on assumptions, not risk data, even if its perimeter and endpoint controls are well funded.

Q: Why do privileged credentials remain such an effective attack path?

A: Privileged credentials are effective because they are legitimate by design. If an attacker obtains them, the environment often treats the activity as authorised unless the programme has strong context, lifecycle discipline, and anomaly detection. That is why dormant admin accounts and over-privileged access remain high-value targets across human and non-human identity estates.

Q: What breaks when organisations lack identity visibility?

A: Without identity visibility, teams cannot reliably spot forgotten privileged accounts, unmanaged access paths, or abnormal use of valid credentials. That makes containment slower and increases the chance that attackers can move from initial access to broader control without being challenged. Visibility failure therefore becomes a direct exposure multiplier, not just a reporting gap.

Q: Who is accountable when a privileged account is abused?

A: Accountability sits with the teams that own identity lifecycle, access governance, and privileged access controls, because those functions define whether the account should still exist and who can use it. If an account persists without review or ownership, the failure is governance as much as detection, and frameworks like NIST CSF expect that gap to be managed.


Technical breakdown

Why identity visibility breaks down in mature environments

Identity visibility breaks down when reporting is strong in operational domains but weak at the identity layer. Organisations can measure availability, vulnerability status, and perimeter events, yet still lack a reliable inventory of active accounts, privilege assignments, and legacy access paths. That leaves gaps around dormant privileged accounts, stale entitlements, and unmanaged non-human identities. The result is not just poor reporting. It is a control environment where attackers can use valid credentials without immediately triggering meaningful detection.

Practical implication: build a complete identity inventory that covers human, privileged, and non-human accounts before relying on control effectiveness claims.
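The inventory-versus-lifecycle comparison described in the Key questions answer on quantifying identity risk and in the practical implication above, as an added Python example (not code from the Silverfort article or from this page). It reconciles a constructed directory export against a constructed ownership register; the privileged-group list, the field names and the 90-day dormancy and 180-day review thresholds are assumptions to adapt to the estate.

```python
"""Reconcile a directory export of accounts against the lifecycle register.

Added example (not from the Silverfort article or this page). The directory
export and the ownership register are constructed in-line; field names,
privileged-group list and thresholds are assumptions to adapt to the estate.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional

# Groups treated as privileged. Assumption: replace with the estate's own Tier-0/1 list.
PRIVILEGED_GROUPS = frozenset({
    "Domain Admins", "Enterprise Admins", "Administrators",
    "Account Operators", "Backup Operators",
})


@dataclass
class Account:
    name: str
    kind: str                        # "human" or "service"
    groups: FrozenSet[str]
    enabled: bool
    last_logon: Optional[datetime]   # None = no logon in retained history


@dataclass
class LifecycleRecord:
    owner: Optional[str]
    last_review: Optional[datetime]
    justification: str


@dataclass
class Finding:
    account: str
    kind: str
    flags: List[str] = field(default_factory=list)


def is_privileged(acct: Account) -> bool:
    return bool(acct.groups & PRIVILEGED_GROUPS)


def assess(directory: List[Account], register: Dict[str, LifecycleRecord],
           now: datetime, dormant_days: int = 90, review_days: int = 180) -> List[Finding]:
    """Return one Finding per enabled privileged account that fails a lifecycle check.

    Disabled accounts are skipped: they are a cleanup item, not an active attack path.
    """
    findings = []
    for acct in directory:
        if not acct.enabled or not is_privileged(acct):
            continue
        flags = []
        if acct.last_logon is None or now - acct.last_logon > timedelta(days=dormant_days):
            flags.append("DORMANT")            # privileged and unused: the forgotten-account case
        rec = register.get(acct.name)
        if rec is None:
            flags.append("UNREGISTERED")       # nobody has ever claimed it
        else:
            if not rec.owner:
                flags.append("NO_OWNER")
            if rec.last_review is None or now - rec.last_review > timedelta(days=review_days):
                flags.append("REVIEW_OVERDUE")
        if flags:
            findings.append(Finding(acct.name, acct.kind, flags))
    return findings


def summarise(directory: List[Account], findings: List[Finding]) -> Dict[str, int]:
    """The numbers a programme should be able to state instead of assuming."""
    privileged = [a for a in directory if a.enabled and is_privileged(a)]
    return {
        "privileged_enabled": len(privileged),
        "with_findings": len(findings),
        "dormant": sum("DORMANT" in f.flags for f in findings),
        "unregistered": sum("UNREGISTERED" in f.flags for f in findings),
    }


# Constructed sample data: a five-account directory and a two-entry register.
NOW = datetime(2025, 11, 6, tzinfo=timezone.utc)


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


DIRECTORY = [
    Account("alice.admin", "human", frozenset({"Domain Admins"}), True, days_ago(2)),
    Account("bob.smith", "human", frozenset({"Domain Users"}), True, days_ago(1)),
    Account("legacy_backup", "service", frozenset({"Backup Operators"}), True, days_ago(400)),
    Account("svc_sql_old", "service", frozenset({"Domain Admins"}), True, None),
    Account("old.contractor", "human", frozenset({"Administrators"}), False, days_ago(500)),
]
REGISTER = {
    "alice.admin": LifecycleRecord("platform-team", days_ago(30), "Tier-0 administration"),
    "legacy_backup": LifecycleRecord(None, days_ago(700), "Backup job set up in 2019"),
}

if __name__ == "__main__":
    found = assess(DIRECTORY, REGISTER, NOW)
    for f in found:
        print(f"{f.account:15} {f.kind:8} {', '.join(f.flags)}")
    print(summarise(DIRECTORY, found))
```

The output is the evidence the programme needs rather than the assumption it usually runs on: which enabled privileged accounts are dormant, which nobody has registered at all, and which have an owner gap or an overdue review. In a real estate the directory side would come from an AD or IdP export (for AD, lastLogonTimestamp plus recursive group membership), and disabled accounts are excluded deliberately because they are cleanup items rather than live paths.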

How phishing plus privileged account misuse becomes domain access

The attack path in the article is a classic identity-led compromise. A phishing click provided the initial foothold, but the real damage came from a forgotten privileged account that allowed escalation to domain access. This matters because the attack did not depend on malware sophistication alone. It depended on credential legitimacy, weak account lifecycle discipline, and insufficient lateral movement controls. In practice, valid access often looks normal until the attacker starts using it for administrative reach.

Practical implication: treat dormant privileged accounts as active attack surfaces and remove the assumption that valid credentials are safe credentials.

Why SIEM and SOC coverage can still miss identity abuse

A SIEM can process huge volumes of telemetry and still miss the sequence that matters if the identity layer is not instrumented well enough. That is because identity abuse often blends into routine authentication, directory activity, and administrative behaviour. If alerts are not tuned to privilege escalation, unusual account use, or movement across identity stores, the SOC sees noise instead of risk. The problem is not simply alert volume. It is that detection logic often lacks identity context.

Practical implication: enrich detection with identity context so SOC workflows can identify misuse of privileged credentials rather than only obvious intrusion patterns.
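One way to give detection the identity context the paragraph above calls for, as an added Python example (not code from the Silverfort article or this page, and not any vendor's rule syntax): each authentication event is joined to inventory context (privileged or not, last known logon, baseline hosts) and three privilege-aware rules are applied. The event schema, the context table, the rule names and the 90-day and 60-minute thresholds are assumptions; the log lines are constructed to reproduce the article's sequence of a user workstation session followed by a forgotten admin account being used from it.

```python
"""Identity-aware detection over authentication events.

Added example (not from the Silverfort article or this page). The events are
constructed JSON lines in a simplified schema, not any SIEM's native format;
field names, rule names and thresholds are assumptions.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List

DORMANT_AFTER = timedelta(days=90)          # unused this long: treat first use as an incident
WORKSTATION_WINDOW = timedelta(minutes=60)  # user session -> admin credential use on same host
INTERACTIVE = 2   # logon_type follows the Windows convention: 2 interactive, 3 network


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed identity context: what the inventory knows about each account.
CONTEXT = {
    "alice.admin": {"privileged": True, "last_logon": "2025-09-30T17:10:00Z",
                    "baseline_hosts": {"WS-ALICE", "DC01"}},
    "svc_backup":  {"privileged": True, "last_logon": "2025-09-30T02:00:00Z",
                    "baseline_hosts": {"BACKUP01"}},
    "svc_sql_old": {"privileged": True, "last_logon": None, "baseline_hosts": set()},
    "bob.smith":   {"privileged": False, "last_logon": "2025-09-30T08:55:00Z",
                    "baseline_hosts": {"WS-BOB"}},
}

# Constructed events in chronological order: a user logon on a workstation, then a
# forgotten admin service account used from that workstation and on to a domain controller.
LOG_LINES = [
    json.dumps({"time": "2025-10-01T09:00:00Z", "user": "bob.smith",   "host": "WS-BOB",   "logon_type": 2}),
    json.dumps({"time": "2025-10-01T09:05:00Z", "user": "alice.admin", "host": "WS-ALICE", "logon_type": 2}),
    json.dumps({"time": "2025-10-01T09:42:00Z", "user": "svc_sql_old", "host": "WS-BOB",   "logon_type": 3}),
    json.dumps({"time": "2025-10-01T09:43:00Z", "user": "svc_sql_old", "host": "DC01",     "logon_type": 3}),
    json.dumps({"time": "2025-10-01T10:00:00Z", "user": "svc_backup",  "host": "BACKUP01", "logon_type": 3}),
]


def alert(rule: str, ev: dict) -> Dict[str, str]:
    return {"rule": rule, "time": ev["time"], "user": ev["user"], "host": ev["host"]}


def detect(lines: List[str], context: dict,
           dormant_after: timedelta = DORMANT_AFTER,
           window: timedelta = WORKSTATION_WINDOW) -> List[Dict[str, str]]:
    """Join each event to identity context and apply three privilege-aware rules."""
    alerts = []
    last_user_session: Dict[str, datetime] = {}   # host -> latest interactive non-privileged logon
    dormant_alerted = set()
    for line in lines:
        ev = json.loads(line)
        t, user, host = parse_ts(ev["time"]), ev["user"], ev["host"]
        ctx = context.get(user, {"privileged": False, "last_logon": None, "baseline_hosts": set()})
        if not ctx["privileged"]:
            if ev["logon_type"] == INTERACTIVE:
                last_user_session[host] = t
            continue
        # Rule 1: a privileged account with no recent history is being used at all.
        last = ctx["last_logon"]
        if (last is None or t - parse_ts(last) > dormant_after) and user not in dormant_alerted:
            dormant_alerted.add(user)
            alerts.append(alert("dormant_privileged_account_used", ev))
        # Rule 2: privileged logon on a host outside the account's baseline.
        if host not in ctx["baseline_hosts"]:
            alerts.append(alert("privileged_logon_from_unbaselined_host", ev))
        # Rule 3: admin credential used on a host shortly after an ordinary user session,
        # the foothold-to-privilege step the article describes.
        seen = last_user_session.get(host)
        if seen is not None and timedelta(0) <= t - seen <= window:
            alerts.append(alert("privileged_use_following_user_session", ev))
    return alerts


if __name__ == "__main__":
    for a in detect(LOG_LINES, CONTEXT):
        print(f"{a['time']} {a['rule']:40} {a['user']} @ {a['host']}")
```

Without the context join, the third and fourth events are ordinary network logons by a valid account and sit below any volume-based threshold; with it, the first use of a dormant admin account from a workstation that just had a user session produces three findings on a single event, and the hop to the domain controller a minute later produces a fourth. Rule 1 fires once per account so the SOC gets a ticket rather than a flood.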


Threat narrative

Attacker objective: The attacker objective is domain-level administrative access that enables broad control over the environment without immediate detection.

  1. Entry occurred through a cleverly crafted phishing attack that convinced a small percentage of users to click.
  2. Escalation followed when the attackers found and used a long-forgotten privileged account to gain administrative reach.
  3. Impact emerged as the red team obtained domain access and remained undetected for weeks, demonstrating how identity misuse defeats perimeter confidence.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity visibility, not tool count, is the controlling variable in modern defence. The article shows that organisations can have strong perimeter controls, a large SOC, and extensive SIEM investment and still not know how exposed they are. That is because identity data remains the least measured layer in many programmes. The practitioner conclusion is simple: security posture claims are weak unless they can be verified against actual identity use.

Long-forgotten privileged access is a governance failure, not just an operational miss. This story is not about one phishing email. It is about the persistence of accounts that outlive their business justification and remain capable of domain-level harm. That pattern is exactly why lifecycle discipline matters across PAM, IAM, and NHI programmes. The practitioner implication is that accounts without an owner, purpose, or review cadence are latent breach paths.

Misuse of privileged credentials is the common control failure across human and non-human identity. The article’s central lesson is that valid credentials can be abused whether they belong to a person, a service account, or another machine identity. That means identity security cannot be segmented into separate problem sets without losing attack continuity. Practitioners should treat credential misuse as a cross-domain governance problem, not a single-control issue.

Identity blast radius is the right concept for measuring exposure after initial access. Once a foothold exists, the decisive question is how far valid identity can carry an attacker before containment occurs. This article demonstrates that blast radius expands dramatically when privileged access is still available and visibility is weak. The practitioner conclusion is to measure the reach of each identity, not just whether authentication succeeds.

Security programmes that cannot quantify identity risk are operating on belief, not evidence. The article’s core warning is that mature-sounding environments can still be blind to the accounts that matter most. That is a NIST CSF problem as much as an IAM problem, because governance without measurement cannot support protection or recovery decisions. The practitioner implication is to make identity telemetry a board-level risk metric.

From our research:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • For a broader view of breach patterns, see 52 NHI Breaches Analysis for recurring identity failure modes.

What this signals

Identity programmes are moving from inventory exercises to exposure management. The next maturity step is not another dashboard. It is proving which identities can still move an attacker from foothold to domain reach, and which ones are already outside governance.

The visibility gap will matter even more as enterprises increase their use of service accounts, APIs, and delegated admin roles. Once those identities are spread across cloud, on-premises, and third-party systems, the programme needs identity telemetry that is strong enough to support operational decision-making, not just audit reporting.


For practitioners

  • Inventory all privileged identities across the environment: build a single view of human admin accounts, service accounts, and other non-human identities so you can identify dormant, duplicated, or unexplained access paths before they become breach routes.
  • Remove forgotten privileged accounts from production use: review accounts that still have elevated rights but no current business owner or documented purpose, then revoke or re-justify them through a formal access review.
  • Test for lateral movement after initial compromise: use red team or adversary simulation exercises to determine whether a phishing foothold can still lead to domain-level reach through legacy identity paths.
  • Tune detections for identity misuse, not just malware: focus SOC rules on unusual privilege use, account takeover patterns, and movement across identity stores so valid credential abuse is visible before broad damage occurs.

Key takeaways

  • The article shows that mature security stacks can still fail when identity visibility is weak and privileged credentials remain available.
  • The evidence is operational, not theoretical: a phishing foothold and a forgotten privileged account were enough to reach domain access without immediate detection.
  • Practitioners should focus on identity inventory, lifecycle discipline, and identity-aware detection to reduce the blast radius of valid credential abuse.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control expectations practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-01 | Identities and credentials for users, services and hardware are managed, which presupposes knowing what accounts exist and where they operate.
NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | Access permissions and entitlements are managed and reviewed under least privilege, the control a forgotten privileged account violates.
NIST SP 800-207 | Zero trust tenets (section 2.1) | Access is granted per session and authorisation is evaluated dynamically, so holding a valid privileged credential should not by itself confer standing access.
OWASP Non-Human Identity Top 10 | NHI1 Improper Offboarding, NHI5 Overprivileged NHI | A long-forgotten privileged account and over-entitled service accounts are the NHI failure modes the article illustrates.

Inventory, rotate, and revoke secrets and NHI credentials before they become dormant attack paths.


Key terms

  • Identity Visibility: Identity visibility is the ability to discover, classify, and monitor accounts, entitlements, and their actual use across the environment. In practice, it means knowing not just that an identity exists, but whether it is privileged, dormant, shared, or operating outside its expected purpose.
  • Privileged Credential Misuse: Privileged credential misuse occurs when an attacker or unauthorised user operates through legitimate high-access credentials. The challenge is that the activity can look valid to traditional controls unless identity context, lifecycle status, and behavioural detection are strong enough to distinguish normal use from abuse.
  • Identity Blast Radius: Identity blast radius is the amount of access and operational reach an identity can expose if it is compromised. For human, machine, and privileged accounts, it is a more useful measure than login success alone because it shows how far an attacker can move once trust has already been granted.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Silverfort: identity visibility gaps and the limits of perimeter defence. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org