By NHI Mgmt Group Editorial TeamPublished 2026-04-21Domain: Governance & RiskSource: Enzoic

TL;DR: SANS data shows 35% of organisations cite credential phishing or stolen credentials in identity attacks, 24% report brute force or credential stuffing, and 47% still rely on on-premises Active Directory or legacy applications for critical identities, according to Enzoic. The login workflow is now a control surface, not just a checkpoint, because compromised credentials can satisfy authentication while already being unsafe.


At a glance

What this is: This analysis argues that identity attacks are increasingly succeeding before authentication, when exposed credentials are ready to be used.

Why it matters: It matters because IAM, PAM, and NHI programmes still built around post-login detection will miss the point where credential compromise has already determined the outcome.

By the numbers:

👉 Read Enzoic's analysis of pre-authentication risk in the login workflow


Context

Pre-authentication risk means the credential has already been exposed before the login attempt begins. The core failure is that many identity programmes still treat authentication as the primary security event, when in practice it is often only the point at which prior compromise becomes visible.

That distinction matters for IAM and NHI governance because a valid credential is not the same as a safe credential. For teams managing service accounts, API keys, workforce identities, and hybrid Active Directory estates, the trust problem now starts before session creation and continues through the login workflow.

The article’s starting position is typical: most enterprises have invested more in detecting suspicious activity after access is granted than in determining whether the credential should have been trusted at all.


Key questions

Q: How should security teams reduce pre-authentication risk in login workflows?

A: Start by checking whether the credential is already exposed before the session is accepted. Combine exposure intelligence, password reset controls, and login-risk scoring so the authentication layer can reject unsafe credentials rather than only detecting suspicious behaviour after access is granted.

Q: Why do exposed credentials make MFA less effective on its own?

A: MFA still matters, but it does not remove the fact that the first factor may already belong to an attacker. If the primary credential has been harvested or reused, MFA becomes a second line of defence rather than a prevention control, especially when token theft or session compromise is in play.

Q: What do organisations get wrong about credential stuffing?

A: They often treat it as a brute-force problem instead of a credential provenance problem. The real issue is that attackers are using valid login data already exposed elsewhere, which means rate limiting alone cannot solve the underlying trust failure.

Q: Who is accountable when compromised credentials are accepted as legitimate logins?

A: Accountability sits with the identity and security owners who control authentication policy, exposure monitoring, and account recovery. If those processes do not screen for known compromised credentials, the organisation is effectively accepting pre-authentication compromise as normal login behaviour.


Technical breakdown

Why exposed credentials turn authentication into a control surface

Authentication systems answer whether a credential matches what is on record, not whether the credential has already been compromised elsewhere. That is why phishing, infostealer malware, breach dumps, and password reuse are so effective: the attacker is not breaking the login process, they are arriving with material that the login process is designed to accept. In identity terms, the security decision has already been lost before the user submits the password. This is a control-surface problem, not a pure detection problem. The practical reality is that credential provenance now matters as much as credential correctness.

Practical implication: shift from treating login as a binary gate to checking credential safety at the point of use.

How credential stuffing exploits normal login behavior

Credential stuffing succeeds because it stays inside expected authentication behavior. Attackers reuse known username and password pairs at scale, and the system sees repeated valid login attempts rather than obvious exploitation. Password reuse is what converts exposure in one service into access in another. In a mature identity environment, this means the defensive question is not simply whether MFA exists, but whether exposed credentials are being identified fast enough to block reuse before login succeeds. The mechanism is repetitive, inexpensive, and highly scalable.

Practical implication: pair login-rate monitoring with exposure checking so reused credentials are blocked before successful authentication.

Why legacy Active Directory keeps pre-authentication risk high

Active Directory remains the backbone for many enterprise identity workflows, especially in hybrid estates with long-lived credentials, service accounts, and legacy integrations. That creates a large pre-authentication attack surface because valid credentials can still be accepted by systems that support lateral movement and privilege escalation after login. The issue is not that AD is uniquely broken. It is that it often contains the most consequential identities and the weakest visibility into whether those identities have already been exposed. That makes compromise easier to operationalise.

Practical implication: inventory the identities that still depend on AD and treat their exposure risk as a front-end authentication control problem.


Threat narrative

Attacker objective: The attacker’s objective is to turn previously exposed credentials into successful authentication and then use that access to move deeper into enterprise systems.

  1. Entry begins when attackers obtain already-exposed credentials through phishing, infostealer malware, breach data, or password reuse. Credential stuffing then converts that exposure into repeated login attempts across enterprise and customer authentication surfaces.
  2. Escalation occurs when valid credentials satisfy the login check and grant access into Active Directory or other legacy systems that still carry broad entitlements. From there, attackers can pursue lateral movement, persistence, or privilege expansion without needing to break the authentication layer itself.
  3. Impact follows when the attacker uses legitimate access to reach systems, data, or administrative paths that the organisation assumed were protected by post-login monitoring. The security boundary fails because the compromise happened before the session was created.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Pre-authentication risk is an identity governance problem, not just a login problem. The article correctly shows that the security decision is increasingly made before the authentication event is visible to session monitoring or ITDR. That means governance must account for credential provenance, not just successful authentication. Teams that measure identity risk only after login are already behind the failure point.

Credential correctness and credential safety are different governance states. A password can be technically valid and still operationally untrustworthy because it has already appeared in phishing kits, infostealer logs, or breach datasets. That distinction matters for IAM and NHI programmes alike, because service accounts, API keys, and workforce credentials can all be valid while being unsafe. Practitioners should treat compromise visibility as part of identity assurance, not as a separate security silo.

Login workflows now carry the burden of pre-authentication trust decisions. When controls move earlier into the workflow, authentication becomes a place where exposure intelligence, password safety checks, and account-level risk signals converge. This is not a cosmetic shift. It changes where teams must invest if they want to stop treating access grants as the start of the problem. The practical conclusion is that login has become a policy enforcement point.

Standing access assumptions fail when exposure is external to the enterprise. The control model was built around the idea that credentials remain safe unless the organisation itself changes them. That assumption fails when credentials are harvested outside the perimeter and reused before the defender knows they exist. The implication is that identity governance must stop assuming that possession equals trust.

Identity blast radius is now determined before the first successful session. Once exposed credentials are available, the attacker’s cost falls and the defender’s response window narrows dramatically. That is why pre-authentication controls matter across human IAM, privileged workflows, and NHI estates that rely on long-lived secrets. Practitioners should re-evaluate which identities can be safely left to post-login detection alone.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.
  • That visibility gap is one reason pre-authentication controls must extend beyond workforce login to workload, app, and third-party identity paths, as explored in Top 10 NHI Issues.

What this signals

Credential-safety checks will become a baseline control for both human IAM and NHI programmes. The more identities depend on externally exposed credentials, the less useful it is to wait for anomalous sessions to appear. Teams should expect login workflow controls to absorb more trust decisions that used to sit in detection layers.

Pre-authentication risk also changes how organisations should think about NHI governance. Service accounts and workload secrets that are valid but exposed behave like compromised human passwords: they are technically authentic and operationally unsafe. That makes exposure intelligence and secret lifecycle discipline inseparable from identity assurance.

As identity teams rework their control stack, the practical question is not whether authentication still matters. It is whether the programme can prove that a credential was safe before it was accepted, not merely that the login succeeded.


For practitioners

  • Screen credentials before authentication succeeds Integrate exposure checking into sign-in, password reset, and account recovery workflows so compromised credentials are flagged before a session is created. Prioritise high-value users, privileged operators, and identities tied to legacy authentication paths.
  • Map the accounts most exposed to credential stuffing Identify internet-facing login paths, high-reuse customer accounts, and any workforce identities protected only by password plus MFA. Use that map to target rate-limiting, anomaly thresholds, and exposure intelligence where they reduce risk fastest.
  • Treat Active Directory as a pre-authentication risk domain Review which critical identities still rely on on-premises Active Directory or legacy apps, then determine whether those paths can accept exposed credentials without a separate safety check. The goal is to move exposure detection ahead of directory acceptance, not after authentication succeeds.
  • Reduce password reuse as an attack multiplier Focus on the identities where reuse is most likely to turn one breach into many login attempts. Pair user education with technical controls that block known compromised secrets and surface repeated reuse patterns across environments.
  • Shift success metrics from login detection to credential safety Track how often exposed credentials are identified before use, how quickly risky accounts are remediated, and how many high-value identities still bypass pre-authentication checks. Those measures show whether the programme is addressing the actual failure point.

Key takeaways

  • Pre-authentication risk shifts identity security from post-login detection to credential trust before access is granted.
  • The evidence points to a familiar failure pattern: exposed credentials, reused passwords, and legacy identity paths still drive successful account takeover.
  • Practitioners should move exposure checks into the login workflow and treat credential safety as a first-class identity control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Pre-authentication trust and credential validation map to identity proofing and access control.
NIST SP 800-53 Rev 5IA-5Authenticator management is central to preventing reused or exposed credentials from being accepted.
NIST Zero Trust (SP 800-207)Zero Trust requires continuous verification instead of assuming login success equals trust.
OWASP Non-Human Identity Top 10NHI-03Credential rotation and secret hygiene are relevant where non-human identities rely on exposed secrets.
MITRE ATT&CKTA0006 , Credential Access; TA0001 , Initial AccessThe article focuses on stolen credentials and stuffing as the path to entry.

Review NHI secret exposure and rotation against NHI-03 for accounts that still use long-lived credentials.


Key terms

  • Pre-authentication risk: The exposure condition that exists before a login attempt is made, when a credential has already been compromised outside the enterprise. In practice, the risk is that a valid credential is also a dangerous one, because authentication can still accept it even after it has been harvested or reused elsewhere.
  • Credential stuffing: A login abuse technique where attackers use previously exposed username and password combinations against many sites or applications. The technique works because password reuse is common and the login process often cannot distinguish a legitimate user from an attacker using stolen, technically valid credentials.
  • Credential provenance: The history of where a credential came from and whether it has been exposed, reused, or leaked before being used for access. Provenance matters because authentication systems usually verify correctness, while governance teams need to know whether the credential should be trusted at all.
  • Login workflow: The sequence of identity checks that begins before a session is created and continues through password entry, MFA, reset, and recovery. For identity teams, the workflow is now a control surface where exposure signals, risk scoring, and access decisions can be applied earlier than traditional post-login monitoring.

What's in the full article

Enzoic's full post covers the operational detail this analysis intentionally leaves at the strategy level:

  • Workflow-level options for checking whether a password or credential has already been exposed before authentication succeeds
  • Operational trade-offs between manual breach-data investigation and real-time exposure screening across login paths
  • How organisations can layer password safety checks into reset, recovery, and sign-in journeys without adding blanket friction
  • Why legacy Active Directory and hybrid identity estates make pre-authentication controls harder to enforce consistently

👉 The full Enzoic post covers identity attack patterns, login workflow control points, and the operational response in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org