By NHI Mgmt Group Editorial TeamPublished 2026-07-07Domain: Governance & RiskSource: Abnormal AI

TL;DR: MITRE ATT&CK grids are useful for research, but they do not answer the questions defenders actually ask about identity risk, exposed attack paths, or which accounts an attacker would target first, according to Abnormal AI. The real issue is that coverage language often hides practical attack exposure instead of measuring it.


At a glance

What this is: This is an Abnormal AI perspective arguing that ATT&CK-style coverage grids do not tell defenders which identity attacks they are actually exposed to.

Why it matters: It matters because IAM, PAM, and identity security teams need coverage language that maps to real attack paths, target accounts, and likely campaign outcomes rather than abstract technique cells.

👉 Read Abnormal AI's analysis of why ATT&CK coverage is not the same as identity risk


Context

Identity coverage is often described in abstract technique terms, but practitioners need to know which real attacks can succeed in their environment. A shaded matrix can describe detection coverage without answering whether a help-desk reset, account takeover path, or identity-led intrusion would actually work against specific users and privileges.

The primary identity security problem here is not a lack of terminology, but a mismatch between measurement and decision-making. If coverage is expressed only as technique-by-technique visibility, security teams can overestimate protection while missing the question that matters most: where attacker behavior intersects with their identity architecture.


Key questions

Q: How should security teams measure identity coverage against real attacks?

A: Measure coverage by campaign survivability, not by technique counts. Start with the attacks most likely to hit your environment, identify the identities they would target first, and test whether access, reset, and privilege controls would stop the sequence before material impact. A matrix is useful, but it is not a risk metric.

Q: Why do ATT&CK-style grids fail to answer practical identity risk questions?

A: They describe technique mapping, not whether a real campaign would succeed. Practitioners need to know which accounts are exposed, how far an attacker could move, and where existing controls would break. Without that context, a dense grid can create confidence without proving resilience.

Q: What do IAM and PAM teams get wrong about coverage reporting?

A: They often report visibility as if it were protection. In practice, seeing a technique does not mean the organisation can withstand the attack path, especially when social engineering, reset workflows, and privilege reuse are chained together. Coverage must be tied to the identities that matter most.

Q: What should defenders do when a coverage matrix looks complete?

A: Ask which real campaigns still work, which identities would be hit first, and which business processes could be abused to move from entry to privilege. That check reveals whether the matrix reflects actual resilience or only detection alignment.


Technical breakdown

Why attack coverage is not the same as ATT&CK matrix coverage

MITRE ATT&CK is a useful taxonomy for adversary behavior, but a taxonomy is not an assurance model. A coverage grid can show whether a control maps to a technique, yet it cannot prove that the control would stop the campaign path, account selection, or sequencing used in a real intrusion. That distinction matters in identity security because attackers do not execute isolated techniques in a vacuum. They combine social engineering, credential abuse, privilege use, and lateral movement to reach a target outcome. A matrix view can therefore create false confidence if it is treated as a risk measure instead of a research language.

Practical implication: measure identity defence against realistic attack paths, not against technique cells alone.

How real campaigns change the question for IAM and PAM teams

Identity risk becomes actionable when the unit of analysis is a campaign, not a technique. For example, a help-desk reset campaign only matters if it can reach accounts with meaningful access, bypass existing verification, and progress to privileged actions. IAM and PAM teams therefore need to understand who is in the blast radius, which identities are likely to be targeted first, and which control layers would fail in sequence. That view connects detection, privilege governance, and access design to an actual threat path instead of a generic control checklist.

Practical implication: map high-value accounts and support processes to realistic attacker paths before relying on coverage claims.

What identity coverage should tell defenders in plain language

Coverage should describe what the organisation can withstand, not just what it can observe. Plain-language risk statements are more useful than technique heatmaps because they let CISOs, IAM leads, and SOC teams align on operational exposure. The right question is not whether a tool can flag T1566 in theory, but whether it can reduce the probability that a phishing-led identity compromise becomes account takeover or privilege escalation. That standard forces security teams to evaluate coverage as an outcome tied to the business's actual identity estate.

Practical implication: rewrite coverage reporting into outcome-based statements that business and security stakeholders can both evaluate.


Threat narrative

Attacker objective: The attacker wants to convert identity access into dependable operational leverage, not just trigger one detectable technique.

  1. Entry occurs through an identity-focused campaign such as phishing or help-desk manipulation that targets a real user path rather than a technique label.
  2. Escalation follows when the attacker reaches accounts with access that can be reused, broadened, or chained into higher-value permissions.
  3. Impact arrives when the campaign reaches the finance, privileged, or administrative accounts that determine operational control or data access.
  • MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
  • Meta AI Instagram Account Takeover — 20,225 Instagram accounts hijacked via compromised Meta AI support chatbot with overprivileged access.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Technique coverage is not identity risk coverage. A shaded ATT&CK matrix can tell a team what a control might detect, but it does not tell them whether a real-world campaign would succeed against their users, privileges, or support workflows. The practical problem is the gap between observable technique mapping and actual attack path survivability. Security teams should treat matrix coverage as research input, not as a measure of resilience.

Identity security programmes fail when they measure visibility instead of blast radius. A tool can appear comprehensive while leaving the most valuable accounts, reset paths, and privilege chains effectively uncovered. That is why the relevant question is which identities an attacker would reach first and how far they could move once inside. Practitioners need coverage statements that connect to account classes, escalation routes, and operational consequences.

Plain-language coverage is a governance control, not a marketing preference. Executives and operational teams cannot make risk decisions from a technique grid alone because it obscures who is exposed and what would break. A better model expresses coverage in terms of campaigns, target profiles, and likely outcomes. That shifts identity security from analytical abstraction to decision support, which is where programme accountability belongs.

Identity attack coverage should be judged by the control chain that actually fails. In real intrusions, the important question is not whether one technique is represented, but whether the sequence from entry to privileged action is blocked at any point. That framing exposes where IAM, PAM, help-desk processes, and detection controls need to line up. Practitioners should evaluate coverage as end-to-end interruption potential, not as isolated detection adjacency.

From our research:

What this signals

Coverage programmes need to shift from technique inventories to campaign inventories. The practical failure mode is not a lack of ATT&CK literacy, but a reporting model that cannot tell the business which accounts or workflows are actually at risk. With two-thirds of enterprises already having endured a successful cyberattack from compromised NHIs, the case for outcome-based coverage language is already settled.

Identity teams should also separate detection visibility from governance confidence. A matrix can support analyst work, but programme owners still need a way to show which identities are exposed, which paths are interruptible, and which processes remain high-risk even when controls appear mapped. That is where the Ultimate Guide to NHIs becomes useful as a governance reference rather than a checklist.

Identity blast radius: the real unit of account is which accounts, support paths, and privilege chains remain reachable after an attacker gets in. Teams that cannot express blast radius in plain language will continue to overstate coverage and understate campaign risk.


For practitioners

  • Reframe coverage reporting around attack paths Replace technique-only summaries with statements that describe the real campaigns your environment can stop, the identities they would target, and the likely business impact if they succeed.
  • Inventory identities by attacker value List the users, support roles, finance accounts, and privileged identities most likely to be targeted first, then test coverage against those paths rather than against a generic matrix.
  • Test help-desk and reset workflows as attack entry points Validate whether phishing, social engineering, or account-recovery abuse could move from entry to control of an account with material privileges before detection or approval breaks the chain.
  • Translate ATT&CK mapping into outcome-based language Write coverage in terms of what the organisation can withstand, such as account takeover, privilege escalation, or lateral movement, so security leaders can compare control reality with campaign risk.

Key takeaways

  • A technique matrix can support research, but it cannot by itself prove that identity attacks are contained or unlikely to succeed.
  • Real-world risk depends on whether campaigns can reach high-value identities, abuse reset workflows, and progress into privilege.
  • Identity programmes should report coverage in terms of outcomes, exposed accounts, and interruptible attack paths rather than abstract cells.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral Movement; TA0004 , Privilege EscalationThe article critiques technique-based coverage and highlights real attack sequencing.
NIST CSF 2.0PR.AC-4Identity coverage must be tied to access management and privilege containment.
NIST SP 800-53 Rev 5AC-6Least privilege is central to limiting attacker movement after identity compromise.
OWASP Non-Human Identity Top 10NHI-01The article's core problem is governance of exposed non-human identity paths.

Map real identity campaigns to ATT&CK tactics, then validate where controls break in sequence.


Key terms

  • Attack-path coverage: Attack-path coverage is a way of measuring whether real intrusion sequences can be stopped, not just whether individual techniques are visible. It links detection and prevention to the actual identities, workflows, and privilege transitions an attacker would use to turn access into impact.
  • Identity blast radius: Identity blast radius is the amount of access, systems, and business process exposure an attacker can reach after compromising one identity. It is more useful than abstract coverage counts because it shows how far a compromise can travel before controls interrupt it.
  • Campaign-level risk: Campaign-level risk is the likelihood that a coordinated attack pattern will succeed against a specific environment. It reflects the whole sequence, from entry through privilege use, rather than evaluating each technique in isolation or assuming matrix coverage equals resilience.

What's in the full article

Abnormal AI's full analysis covers the operational detail this post intentionally leaves for the source:

  • How the vendor translates ATT&CK coverage into attack-path language for security teams that need decision-ready reporting.
  • Examples of the specific identity campaigns the vendor believes matter most for enterprise defenders.
  • The practical distinctions between visibility, detection coverage, and real-world attack resilience.
  • The vendor's own framing for which users and accounts attackers would target first.

👉 The full Abnormal AI post expands on the attack-path framing, coverage limitations, and defender questions.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-07-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org