TL;DR: Insider attacks cost an average of $17.4 million in 2024, and Sumsub’s podcast argues the real challenge is balancing fraud controls, internal trust, and culture without weakening operations. The lesson for IAM and security teams is that governance has to cover people, process, and privileged access together, not as separate problems.
At a glance
What this is: This is a Sumsub podcast episode on insider fraud that frames internal attacks as a costly business and trust problem, with an average 2024 insider-attack cost of $17.4 million.
Why it matters: It matters because insider risk sits at the intersection of human identity, access governance, and privileged control, so IAM, PAM, and fraud teams need shared response patterns rather than siloed controls.
Context
Insider fraud is the abuse of trusted access by someone inside the organisation, whether that means an employee, contractor, or other privileged internal actor. In identity terms, the problem is not just detection after the fact, but the governance gap between granted access, behavioural trust, and the ability to limit damage when trust is misused.
For IAM and security teams, insider risk is a cross-domain control problem. It touches identity lifecycle, privileged access, monitoring, and fraud response at the same time, which is why isolated controls often miss the business impact until losses are already material.
Key questions
Q: How should security teams reduce insider fraud without undermining employee trust?
A: Use trust as a design principle, not as a control substitute. Limit high-impact actions with approval steps, privilege segmentation, and monitoring that focuses on sensitive workflows rather than blanket surveillance. When employees know the rules are consistent and tied to risk, security can improve without turning every user into a suspect.
Q: Why do insider threats become so expensive when privileged access is broad?
A: Broad privileged access lets a trusted user reach many systems, change records, approve actions, or disable controls from one account. That increases both the scale of loss and the difficulty of investigation. Narrower privileges reduce the blast radius and make suspicious activity easier to isolate and contain.
Q: How do IAM and fraud teams know when insider risk is moving from theory to loss?
A: They should look for unusual access combined with business-impacting activity, such as late-night approvals, entitlement changes, or unexpected exports of sensitive data. A mature programme correlates identity telemetry with fraud signals so the same person can be evaluated across access, behaviour, and transaction context.
Q: Who should own response when a legitimate employee is suspected of fraud?
A: Ownership should be shared across IAM, fraud, HR, legal, and security operations, with one lead incident coordinator. IAM should suspend or restrict access, fraud should assess financial impact, and HR and legal should manage employment and evidence issues. Clear playbooks prevent delay when the actor is still trusted on paper.
Technical breakdown
Why insider fraud defeats perimeter-first controls
Insider fraud bypasses the assumptions behind perimeter security because the actor is already authenticated and often already authorised. That means the security problem shifts from initial access to misuse of legitimate access paths, including sensitive systems, data, and payment flows. The control challenge is not simply blocking login, but constraining what trusted users can do once inside. In practice, that requires stronger entitlement design, anomaly detection, and separation of duties around the actions that create financial or reputational loss.
Practical implication: review whether your access model restricts sensitive actions, not just logins.
The trust gap between culture and control
The podcast points to a common tension in insider-risk programmes: organisations want to preserve trust while reducing fraud exposure. That tension becomes dangerous when culture is treated as a substitute for control design. Good employees do not eliminate the need for monitoring, approval flows, or privilege segmentation. In identity governance terms, trust should shape policy design, not replace it. A mature programme assumes that most users are honest, but still limits the blast radius if a small number are not.
Practical implication: align culture messaging with compensating controls so trust does not become a blind spot.
Why privileged access makes insider fraud more expensive
Insider fraud becomes more damaging when a trusted actor has broad or persistent privileges. Privileged accounts can approve transactions, alter records, export data, or disable controls, which amplifies both direct loss and investigative complexity. This is why PAM and access lifecycle discipline matter as much as fraud analytics. If elevated access is not tightly scoped and time-bound, the organisation gives an insider more room to hide, persist, and escalate. The result is usually higher cost, slower containment, and weaker attribution.
Practical implication: tighten privileged workflows around high-impact actions and recertify access more aggressively.
NHI Mgmt Group analysis
Insider fraud is an identity governance problem before it is a fraud problem. The episode frames internal abuse as something that starts with trusted access, not malware or external compromise. That means the real control question is whether identity governance can detect and constrain misuse after access has already been granted. Practitioners should treat insider risk as a lifecycle and privilege issue, not just a behavioural one.
Culture alone cannot absorb the cost of misuse. A company can have a strong trust culture and still be exposed if approvals, logging, and escalation paths are weak. The operational lesson is that trust is a business value, but governance is what turns that value into resilience. Security teams should assume that trust must be bounded by controls that survive exceptions and pressure.
High-impact access needs a smaller blast radius: insider events become materially more expensive when a single account can touch multiple critical systems or sensitive records. That is the governance failure mode this topic exposes: overbroad internal privilege without enough segmentation, review, or decision friction. Practitioners should read that as a signal that entitlement design, not just detection, determines loss magnitude.
Fraud and IAM teams need a shared operating model. Insider abuse sits across authentication, authorisation, access reviews, and incident response, so one team cannot own the full problem in isolation. The field should move toward coordinated identity controls that connect HR, IAM, PAM, and fraud operations. The practitioner takeaway is that separated programmes create separated blind spots.
The $17.4 million cost figure is a governance warning, not a headline number. Costs at that level indicate that containment lag, privilege breadth, and response coordination are all part of the loss equation. Organisations that only monitor for suspicious behaviour after the fact are already behind. The practical conclusion is that insider-risk reduction has to be designed into access control, not bolted onto investigation.
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which leaves most identity programmes blind to a large part of the attack surface.
- That visibility gap is why the NHI Lifecycle Management Guide belongs in any programme that needs to track privileged identities from creation through offboarding.
What this signals
Insider fraud programmes are converging with identity governance because the same access paths that enable productive work can also enable misuse. Organisations that treat fraud as a separate domain will continue to miss the entitlement and approval signals that matter most. The practical signal is whether your access model can distinguish routine use from high-impact misuse without slowing the business.
Identity blast radius: the amount of damage one trusted account can cause is now a core risk metric, not a theoretical one. The more systems a user can approve, export, or modify, the more expensive any misuse becomes. Security leaders should watch whether privilege design is shrinking that blast radius or quietly expanding it.
For programmes building a broader identity strategy, the issue is not whether trust exists but whether it is governed. Monitoring, recertification, and workflow controls have to work together if insider risk is to be contained before it turns into a financial event. That is the point where IAM, PAM, and fraud operations stop being adjacent and start being interdependent.
For practitioners
- Segment privileged actions by business impact: Separate read, approve, export, and admin capabilities so one insider cannot move from routine work to high-loss activity without additional checks. Use least privilege for day-to-day work and reserve elevated rights for narrowly defined tasks. This reduces the damage possible from a single compromised or malicious internal identity.
- Add friction to sensitive workflows: Require step-up approval, dual control, or secondary review for actions that can move money, expose data, or disable monitoring. The goal is not to slow everything down, but to slow the few actions that create outsized loss if abused. Keep the friction tied to impact, not job title.
- Review insider-risk signals with IAM and fraud teams together: Correlate access logs, abnormal transaction patterns, entitlement changes, and off-hours activity in a shared process. If fraud analysts and IAM operators work separately, an insider can look normal in one system while behaving abnormally in another. Joint review shortens time to containment.
- Recertify high-risk access on a shorter cycle: Prioritise accounts that can approve exceptions, alter financial records, or access sensitive customer data. Revalidate whether each entitlement is still needed and whether the person holding it is still the right operator for that function. This is especially important where broad access has accreted over time.
- Document response playbooks for trusted-user abuse: Define who can freeze access, preserve evidence, and coordinate with legal or HR when an internal identity is suspected. Insider events often fail operationally because teams hesitate on escalation. Clear playbooks reduce confusion when the actor is still a legitimate employee or contractor.
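The joint IAM/fraud review described above, and the Q&A point about correlating identity telemetry with fraud signals, can be prototyped as a per-actor correlator over audit events. This is an added example, not code from the podcast or the NHIMG post; the event schema, system names, business-hours window, escalation window and score weights are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample audit events (not from the page), one record per action.
EVENTS = [
    {"ts": "2024-03-04T23:40:00", "user": "jdoe", "action": "approve", "system": "payments"},
    {"ts": "2024-03-05T02:10:00", "user": "jdoe", "action": "entitlement_change", "system": "iam"},
    {"ts": "2024-03-05T02:25:00", "user": "jdoe", "action": "export", "system": "crm"},
    {"ts": "2024-03-05T10:05:00", "user": "asmith", "action": "approve", "system": "payments"},
    {"ts": "2024-03-05T11:00:00", "user": "asmith", "action": "read", "system": "crm"},
]
CRITICAL = {"payments", "crm", "iam", "hr"}       # assumed systems counted toward blast radius
HIGH_IMPACT = {"approve", "export", "entitlement_change"}
BUSINESS_HOURS = (8, 19)                           # assumed routine hours (local time)
ESCALATE_WINDOW = timedelta(hours=2)               # entitlement change -> sensitive use

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def off_hours(e):
    return not BUSINESS_HOURS[0] <= _ts(e).hour < BUSINESS_HOURS[1]

def score_actors(events):
    """Return {user: (score, [reasons])} built from three correlated signals."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["user"]].append(e)
    report = {}
    for user, evs in by_user.items():
        score, reasons = 0, []
        # Signal 1: high-impact actions outside business hours.
        for e in evs:
            if e["action"] in HIGH_IMPACT and off_hours(e):
                score += 2
                reasons.append(f"off-hours {e['action']} on {e['system']} at {e['ts']}")
        # Signal 2: an entitlement change followed quickly by an approval or export.
        for i, e in enumerate(evs):
            if e["action"] == "entitlement_change":
                for later in evs[i + 1:]:
                    if later["action"] in {"approve", "export"} and _ts(later) - _ts(e) <= ESCALATE_WINDOW:
                        score += 3
                        reasons.append(f"{later['action']} on {later['system']} shortly after entitlement change")
                        break
        # Signal 3: blast radius, the number of distinct critical systems one identity touched.
        touched = sorted({e["system"] for e in evs if e["system"] in CRITICAL})
        if len(touched) >= 3:
            score += len(touched)
            reasons.append(f"touched {len(touched)} critical systems: {touched}")
        report[user] = (score, reasons)
    return report
```

Run against a real audit export, the per-user score and reasons list is what a shared IAM/fraud review queue would sort on; the point is that no single signal flags jdoe on its own, the combination does.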
Key takeaways
- Insider fraud exposes a governance weakness in how organisations grant and police trusted access.
- The reported $17.4 million average cost shows why broad privilege and slow containment are operational risks, not abstract concerns.
- The strongest response combines tighter privileged workflows, shared IAM-fraud review, and playbooks that can act before loss compounds.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Insider abuse is reduced by constraining privilege and reviewing access. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Zero Trust limits the damage a trusted user can do after authentication. |
| NIST SP 800-63 | SP 800-63 | Identity proofing and authentication context help distinguish legitimate from risky access. |
Use identity assurance signals to inform fraud and privileged-access decisions.
Key terms
- Insider Fraud: Insider fraud is the misuse of legitimate organisational access for personal gain, concealment, or harm. It differs from external intrusion because the actor already has some level of trust, which makes detection harder and containment more dependent on privilege controls, approval design, and monitoring.
- Identity Blast Radius: Identity blast radius is the amount of damage a single account can cause before controls intervene. In practice, it is shaped by privilege scope, approval power, data access, and the ability to change or disable security controls. Smaller blast radius means less loss when access is misused.
- Privileged Access: Privileged access is any elevated entitlement that can change systems, data, security settings, or business decisions. It is not limited to administrator accounts. Any account that can approve, export, alter, or suppress controls should be treated as privileged and governed accordingly.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
This post draws on content published by Sumsub: Insider Fraud: The Enemy Within. Read the original.
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org