By NHI Mgmt Group Editorial Team | Published 2026-06-15 | Domain: Governance & Risk | Source: Unosecur

TL;DR: Post-authentication attacks now bypass MFA by stealing session tokens, cookies, and other possession artifacts, according to Unosecur, which argues that detection must shift from login events to runtime behavior and access drift. Static authentication controls are no longer enough once the login box is crossed.


At a glance

What this is: This article argues that the real IAM battle now happens after login, where tokens, cookies, and session behavior can be abused without breaking authentication.

Why it matters: It matters because IAM, PAM, and identity security teams need to watch runtime access patterns, not just authentication, across human users, service identities, and emerging agentic workflows.

👉 Read Unosecur's analysis of runtime identity risk after login


Context

Identity security does not end at authentication. Once a user or workload receives a token, cookie, or assertion, the real risk shifts to how that possession artifact is used, whether it is replayed, and whether the surrounding behavior still matches the original trust context.

That gap matters across IAM, PAM, and NHI programmes because post-login compromise can bypass strong MFA entirely. Runtime analysis has become the missing control plane for detecting valid identities behaving badly, whether the subject is a person, a service account, or a delegated access path.


Key questions

Q: How should security teams detect post-authentication identity compromise?

A: They should monitor what happens after login, not just whether login succeeded. The strongest signals are token reuse, abnormal session location changes, access scope drift, unusual account recovery activity, and long-lived token spikes. A post-login control model works best when these signals are correlated into one runtime risk view rather than reviewed as isolated alerts.

Q: Why do strong MFA controls still leave organisations exposed to session hijacking?

A: Because MFA validates the login event, but downstream systems trust the session artifact that follows it. If an attacker steals a token, cookie, or assertion, they can reuse that artifact without redoing authentication. The risk is therefore not only credential theft, but the abuse of trusted possession after the fact.

Q: What do security teams get wrong about identity protection after login?

A: They often assume authentication is the main control boundary and treat post-login activity as secondary. In practice, many of the most damaging attacks happen after the gate is crossed, where valid accounts, manipulated tokens, and changed access patterns can operate under normal trust assumptions. That is where detection and response must focus.

Q: Who should own controls for runtime identity risk and session abuse?

A: Ownership should sit across IAM, PAM, and detection teams because runtime identity risk crosses all three. IAM defines the trust context, PAM constrains sensitive access, and detection teams spot deviation after issuance. If those functions are isolated, the session layer becomes the blind spot where compromise is most likely to persist.


Technical breakdown

Session tokens and possession artifacts after authentication

After login, systems commonly issue possession-factor artifacts such as OAuth2 access tokens, SAML assertions, OIDC ID tokens, or browser session cookies. These artifacts become the practical proof of identity for downstream systems, which means whoever holds them can often act as the authenticated subject without re-entering the login flow. That is why browser malware, adversary-in-the-middle (AiTM) phishing, XSS, and theft of tokens from browser local storage remain effective: the authentication event may be sound, but the session becomes the new trust boundary.

Practical implication: monitor token issuance, token reuse, and session binding instead of treating MFA as the end of the control path.
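One concrete form of session binding, as an added example and not code from Unosecur or NHIMG: the server issues an HMAC-signed token that carries a hash of the client context it was issued to, and a token presented from a different context fails validation even though its signature is intact. The failure is surfaced as a replay alert rather than a bare 401, because a valid signature with the wrong context is the signal the text is asking teams to watch for. The context fields (`tls_fp`, `ua`, `device_id`), the signing key, the TTL and the scenario data are all assumptions for this example; a production design would bind to a device-held key (for instance DPoP, RFC 9449) rather than to mutable client attributes.

```python
"""Context-bound session tokens: an added example, not code from Unosecur or NHIMG.

A token carries a hash of the client context it was issued to, so the same
cookie presented from a different context fails validation even though its
signature is intact. Context fields, signing key and TTL are assumptions.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # assumption: one signing key per deployment
SESSION_TTL = 900                     # seconds; a short lifetime shrinks the replay window


def context_hash(ctx: dict) -> str:
    """Fingerprint of the issuing context (assumed fields: TLS fingerprint, UA, device id)."""
    return hashlib.sha256(json.dumps(ctx, sort_keys=True).encode()).hexdigest()


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(subject: str, ctx: dict, now: int) -> str:
    """Issue a signed token bound to ctx. Wire format: hex(payload).hmac"""
    body = {"sub": subject, "sid": secrets.token_hex(8), "iat": now,
            "exp": now + SESSION_TTL, "ctx": context_hash(ctx)}
    payload = json.dumps(body, sort_keys=True).encode()
    return payload.hex() + "." + _sign(payload)


@dataclass
class Verdict:
    ok: bool
    reason: str
    alert: Optional[dict] = None  # populated when the failure looks like replay


def validate_token(token: str, ctx: dict, now: int) -> Verdict:
    """Check signature, lifetime and context binding, in that order."""
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return Verdict(False, "malformed")
    if not hmac.compare_digest(_sign(payload), sig):
        return Verdict(False, "bad_signature")
    body = json.loads(payload)
    if now >= body["exp"]:
        return Verdict(False, "expired")
    presented = context_hash(ctx)
    if not hmac.compare_digest(presented, body["ctx"]):
        # Valid signature, wrong context: a replayed artifact, not a forged one.
        # This is the event worth routing to detection, not just a 401.
        return Verdict(False, "context_mismatch", alert={
            "type": "session_replay_suspected", "sub": body["sub"], "sid": body["sid"],
            "issued_ctx": body["ctx"][:12], "presented_ctx": presented[:12]})
    return Verdict(True, "ok")


def replay_scenario() -> list:
    """Constructed scenario: legitimate use, the same token replayed elsewhere, then expiry."""
    victim = {"tls_fp": "fp-7f3a", "ua": "Mozilla/5.0 (X11; Linux x86_64)", "device_id": "dev-1"}
    attacker = {"tls_fp": "fp-c0de", "ua": "curl/8.4.0", "device_id": "dev-9"}
    t0 = 1_700_000_000
    tok = issue_token("alice", victim, t0)
    return [validate_token(tok, victim, t0 + 60).reason,
            validate_token(tok, attacker, t0 + 120).reason,
            validate_token(tok, victim, t0 + SESSION_TTL).reason]


if __name__ == "__main__":
    print(replay_scenario())  # ['ok', 'context_mismatch', 'expired']
```

The ordering inside `validate_token` matters: signature first, so a forged token never reaches the context check; lifetime second, so an expired replay is logged as expiry rather than as replay; binding last, so the alert fires only for artifacts that were genuinely issued and are now being presented from somewhere new.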

Why post-authentication behavior matters more than login signals

Login telemetry shows who passed the gate, not whether the identity is still behaving normally once inside. Post-authentication analysis compares current access context with historical patterns, device state, account activity, and authorization scope. This is where identity threat detection and response adds value, because valid credentials can be used for lateral movement, account manipulation, or token replay without triggering classic authentication alarms. The relevant question becomes whether the session still fits the expected behavior model.

Practical implication: build detection around scope drift, unusual consent patterns, and access changes rather than failed login events alone.
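The comparison described above, run over constructed log lines as an added example (not Unosecur's or NHIMG's code): for one authenticated session it reports token reuse from a second client, an abrupt location change, a consent burst, and scope drift measured against both the original grant and the subject's historical baseline. The event schema, the baseline profile, the thresholds and the sample log are assumptions chosen for this example, not any vendor's format.

```python
"""Post-authentication session analysis over constructed log lines: an added
example, not code from Unosecur or NHIMG. Event schema, baseline and
thresholds are assumptions for illustration."""
import json

# Constructed historical profile, as a baselining job would supply it.
BASELINE = {"alice": {"scopes": {"mail.read", "files.read"}}}

# Constructed log: a legitimate start, then the session is used from elsewhere at t=900.
SAMPLE_LOG = """\
{"ts": 0,    "sid": "s1", "sub": "alice", "event": "token_issued",    "scopes": ["mail.read", "files.read"], "client": "c-a1", "country": "DE"}
{"ts": 60,   "sid": "s1", "sub": "alice", "event": "api_call",        "scope": "mail.read",                  "client": "c-a1", "country": "DE"}
{"ts": 900,  "sid": "s1", "sub": "alice", "event": "api_call",        "scope": "mail.read",                  "client": "c-z9", "country": "NG"}
{"ts": 930,  "sid": "s1", "sub": "alice", "event": "consent_grant",   "app": "app-1",                        "client": "c-z9", "country": "NG"}
{"ts": 940,  "sid": "s1", "sub": "alice", "event": "consent_grant",   "app": "app-2",                        "client": "c-z9", "country": "NG"}
{"ts": 950,  "sid": "s1", "sub": "alice", "event": "consent_grant",   "app": "app-3",                        "client": "c-z9", "country": "NG"}
{"ts": 980,  "sid": "s1", "sub": "alice", "event": "token_refreshed", "scopes": ["mail.read", "files.read", "directory.write"], "client": "c-z9", "country": "NG"}
{"ts": 1000, "sid": "s1", "sub": "alice", "event": "api_call",        "scope": "directory.write",            "client": "c-z9", "country": "NG"}
"""

LOCATION_WINDOW = 3600  # a country change faster than this is "abrupt" (assumption)
CONSENT_BURST = 3       # consent grants per session that count as a burst (assumption)


def analyse_session(log_text: str, baseline: dict = BASELINE) -> dict:
    """Return the runtime indicators observed in one session's event stream."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    issued = next(e for e in events if e["event"] == "token_issued")
    sub, granted = issued["sub"], set(issued["scopes"])
    profile = baseline.get(sub, {"scopes": set()})
    findings = []
    seen_clients = {issued["client"]}
    last_country, last_ts = issued["country"], issued["ts"]
    consents = 0
    for e in events[1:]:
        # Artifact: the same sid presented by a client it was not issued to.
        if e["client"] not in seen_clients:
            seen_clients.add(e["client"])
            findings.append(("token_reuse_new_client", f"{e['client']} at t={e['ts']}"))
        # Context: country changes faster than plausible travel within the session.
        if e["country"] != last_country and e["ts"] - last_ts < LOCATION_WINDOW:
            findings.append(("abrupt_location_change",
                             f"{last_country}->{e['country']} after {e['ts'] - last_ts}s"))
        last_country, last_ts = e["country"], e["ts"]
        # Privilege: scope gained on refresh, or a used scope outside the historical norm.
        if e["event"] == "token_refreshed":
            for s in sorted(set(e["scopes"]) - granted):
                findings.append(("scope_expanded_on_refresh", s))
            granted |= set(e["scopes"])
        elif e["event"] == "api_call":
            s = e["scope"]
            if s not in granted:
                findings.append(("scope_beyond_grant", s))  # resource server should have refused
            elif s not in profile["scopes"]:
                findings.append(("scope_drift_from_baseline", s))
        elif e["event"] == "consent_grant":
            consents += 1
            if consents == CONSENT_BURST:
                findings.append(("consent_burst", f"{consents} grants in one session"))
    return {"sub": sub, "sid": issued["sid"], "findings": findings}


if __name__ == "__main__":
    for kind, detail in analyse_session(SAMPLE_LOG)["findings"]:
        print(f"{kind:28} {detail}")
```

None of the events in the sample would fail a login check: every call carries a valid session, and the consent grants and the refresh are ordinary IdP operations. The indicators only appear when the stream is compared with the issuance context and the baseline, which is the point the paragraph makes.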

Composite identity risk scoring for runtime access

Rule-based indicators alone are brittle because attackers can change user agents, IPs, and malware tooling while keeping the same stolen session. A composite approach weighs multiple identity and behavior signals together, including device enrollment changes, new admin account creation attempts, long-lived token spikes, dormant account reactivation, and unusual OAuth consent volume. This makes the detection model more resilient and closer to how real compromise unfolds across the identity lifecycle. Runtime risk should be treated as a pattern, not a single event.

Practical implication: use layered behavioral thresholds so one weak signal does not determine the response.
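A composite scorer that applies the layered-threshold idea, as an added example and not Unosecur's or NHIMG's model: each indicator carries a weight and belongs to a signal family, and the score can reach the containment tier only when at least two families corroborate, so a single brittle indicator such as a changed user agent cannot drive a lockout on its own. The indicator names mirror the signals listed above; the weights, families, tier floors and the three scenarios are assumptions for illustration.

```python
"""Composite runtime identity risk score: an added example, not Unosecur's or
NHIMG's model. Indicator names, weights, families and thresholds are
assumptions chosen to mirror the signals the text lists."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Indicator:
    family: str   # artifact | context | privilege | lifecycle
    weight: int


CATALOG: Dict[str, Indicator] = {
    "token_reuse_new_client":   Indicator("artifact", 40),
    "long_lived_token_spike":   Indicator("artifact", 25),
    "abrupt_location_change":   Indicator("context", 20),
    "user_agent_change":        Indicator("context", 5),
    "device_enrollment_change": Indicator("context", 30),
    "scope_drift":              Indicator("privilege", 25),
    "consent_burst":            Indicator("privilege", 20),
    "admin_account_created":    Indicator("privilege", 45),
    "dormant_reactivation":     Indicator("lifecycle", 30),
    "recovery_flow_used":       Indicator("lifecycle", 25),
}

# Response tiers by score floor, highest first.
TIERS = [(80, "contain"), (50, "step_up"), (25, "watch"), (0, "normal")]
SINGLE_FAMILY_CAP = 79  # uncorroborated evidence can trigger step-up, never containment


def score_identity(observed: List[str]) -> dict:
    """Score the indicator names observed for one identity or session (duplicates ignored)."""
    inds = [CATALOG[n] for n in dict.fromkeys(observed) if n in CATALOG]
    raw = sum(i.weight for i in inds)
    families = sorted({i.family for i in inds})
    # Corroboration rule: a real hijack shows artifact + context + privilege signals
    # together; one family alone is more often a new laptop, a VPN, or a role change.
    capped = raw if len(families) >= 2 else min(raw, SINGLE_FAMILY_CAP)
    tier = next(label for floor, label in TIERS if capped >= floor)
    return {"raw": raw, "score": capped, "families": families, "tier": tier}


def scenarios() -> Dict[str, str]:
    """Constructed cases showing how corroboration changes the outcome."""
    return {
        "new_laptop":     score_identity(["user_agent_change", "device_enrollment_change"])["tier"],
        "role_change":    score_identity(["admin_account_created", "scope_drift", "consent_burst"])["tier"],
        "stolen_session": score_identity(["token_reuse_new_client", "abrupt_location_change",
                                          "scope_drift", "consent_burst"])["tier"],
    }


if __name__ == "__main__":
    for name, tier in scenarios().items():
        print(f"{name:15} {tier}")
```

The "role_change" case is deliberately heavy (a raw score of 90) yet stops at step-up: three privilege signals with no artifact or context anomaly are what an administrator onboarding looks like, and the right response is re-verification, not containment. The "stolen_session" case is lighter on any single indicator but spans three families, which is the shape of the attack this article describes.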


Threat narrative

Attacker objective: The attacker wants to act as a trusted identity inside downstream systems without having to defeat authentication again.

  1. Entry occurs after a legitimate authentication event when an attacker steals or reuses a session token, cookie, or assertion rather than breaking the login flow.
  2. Escalation follows when the attacker reuses the possession artifact to manipulate accounts, request more access, or move laterally under a valid identity.
  3. Impact lands through session hijacking, valid-account abuse, and downstream data access that bypasses MFA and other login-bound controls.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Login-centric IAM is the wrong mental model for modern compromise: authentication is only the entry condition, not the security boundary that matters most. Once a possession artifact exists, the attacker can operate inside the trusted session without returning to the login flow. The implication is that identity programmes must treat runtime behavior as the real control surface.

Post-authentication is where valid identity turns into valid abuse: the article correctly frames token replay, session hijacking, and access token manipulation as core adversarial paths. This is the same failure pattern NHIMG sees across human identity and NHI governance: downstream privilege becomes exploitable once the trust event is detached from ongoing verification. Practitioners should stop assuming that successful authentication equals controlled access.

Runtime identity risk is a governance gap, not just a detection gap: static authentication controls were designed for a world where access could be assumed stable after login. That assumption breaks when identities can be hijacked, replayed, or manipulated after issuance. The practical conclusion is that IAM, PAM, and NHI oversight must cover session behavior, not merely login outcomes.

Unified identity fabric is the right conceptual frame for this problem: the article’s pre-authentication, authentication, post-authentication, authorization, and authorized stages map to a more realistic operating model than a simple login gate. That model matters because the same downstream abuse pattern affects humans, workloads, and delegated access paths. Teams that only instrument the front door will continue missing the real compromise path.

Identity blast radius now depends on session quality as much as privilege level: a stolen token with narrow scope can still become a foothold if the session persists, is reused across contexts, or is trusted by downstream services. That is why the important question is not just who authenticated, but how far that authenticated state can travel before it is revalidated. Practitioners should govern the blast radius of possession artifacts as tightly as standing privilege.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • Another finding from the same research shows that 97% of NHIs carry excessive privileges, which makes post-authentication abuse far easier to sustain once access is granted.
  • For a deeper lifecycle lens, see NHI Lifecycle Management Guide, which covers provisioning, rotation, and offboarding controls that reduce downstream identity exposure.

What this signals

Runtime control will become the differentiator in identity programmes. Organisations that only measure login success will miss the session-layer abuse that now drives much of identity compromise. The programme implication is clear: security teams need telemetry that spans token issuance, session reuse, and authorization drift, not just authentication logs.

Session binding is becoming a practical governance concept, not just a technical detail. When a possession artifact can travel too far across devices, browsers, and applications, the identity programme has lost containment. Teams should watch for places where downstream systems still trust a session long after the original context has changed, because that is where policy becomes fiction.

80% of identity breaches involved compromised non-human identities such as service accounts and API keys. That pattern reinforces the article's core lesson: the post-authentication problem is broader than human login, and runtime monitoring needs to cover workload and delegated identities as well as users. For deeper lifecycle context, the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs are the right reference points.


For practitioners

  • Instrument runtime session monitoring: track token reuse, session hijacking indicators, and access scope drift after authentication completes. Feed these signals into identity threat detection and response so downstream abuse is visible before the session is exhausted.
  • Bind possession artifacts to environment context: compare the original authentication context with device state, location, browser, and historical access patterns. Treat sudden changes in those signals as a verification failure, not a harmless anomaly.
  • Harden high-value sessions against replay: reduce the lifetime and reuse value of long-lived tokens, and isolate privileged sessions so one stolen artifact cannot be reused across unrelated systems or administrative actions.
  • Review downstream authorization paths: map where valid identities can still create accounts, manipulate privileges, or trigger sensitive workflows after login. Those paths need separate detection and control points because MFA does not protect them.

Key takeaways

  • Authentication is only the entry point. The harder problem begins after login, when tokens, cookies, and assertions can be stolen, replayed, or reused under a trusted session.
  • Runtime compromise often bypasses MFA entirely. If the session artifact is abused, classic login controls may never see the attack, which is why post-authentication telemetry matters.
  • Identity teams should govern behavior, not just access grants. Session binding, scope drift detection, and downstream authorization monitoring are now core controls, not advanced extras.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI7:2025 Long-Lived Secrets; NHI9:2025 NHI Reuse | Long-lived tokens and tokens reused across contexts are what make the session replay this article describes sustainable.
NIST CSF 2.0 | PR.AA-04; PR.AA-05 | Identity assertions are protected, conveyed, and verified after issuance (PR.AA-04); access permissions are enforced and reviewed, which is where scope drift surfaces (PR.AA-05).
NIST Zero Trust (SP 800-207) | Section 2.1, tenets 3 and 6 | Access granted per session, with authentication and authorization dynamic and continually re-evaluated, which is the downstream access checking the article argues for.

Treat possession artifacts as governed credentials and monitor for reuse outside expected context.


Key terms

  • Possession-factor artifact: A credential issued after authentication that proves a trust event occurred, such as a token, assertion, or session cookie. These artifacts are treated as proof of identity by downstream systems, which means theft or replay can bypass the login flow even when MFA was correctly completed.
  • Post-authentication risk: The security exposure that begins after a user or workload has already passed the login boundary. It includes session hijacking, token replay, access drift, and account manipulation, all of which can occur without re-triggering authentication controls.
  • Runtime identity detection: Monitoring identity behavior during active sessions rather than only at sign-in. It focuses on how tokens are used, whether access patterns shift, and whether downstream activity matches the original trust context.
  • Session binding: The practice of tying a possession artifact to the device, browser, or environmental context in which it was issued. When binding weakens, stolen tokens become easier to replay across contexts and the session boundary stops providing meaningful containment.

What's in the full article

Unosecur's full blog covers the operational detail this post intentionally leaves for the source:

  • MITRE ATT&CK mapping for post-authentication techniques, including valid accounts and session hijacking
  • A fuller breakdown of the ten runtime indicators used to spot suspicious identity behavior
  • Examples of how browser malware, AiTM, and XSS target session artifacts in practice
  • The article's identity lifecycle framing from pre-authentication through authorized activity

👉 Unosecur's full post covers session hijacking patterns, token abuse, and runtime detection signals

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org