By NHI Mgmt Group Editorial Team
Published 2026-06-26
Domain: Events
Source: Abnormal AI

TL;DR: Attackers are evolving tactics faster than many traditional defenses can absorb, while social engineering remains both a dominant entry method and one of the richest sources of lessons for defenders, according to Abnormal AI’s Innovate 2025 webinar with Sherrod DeGrippo. The practical takeaway is that security programmes must treat human decision paths, not just technical controls, as part of the attack surface.


At a glance

What this is: This on-demand webinar explores how attacker tactics are changing, why social engineering remains effective, and what defender strategy needs to account for next.

Why it matters: It matters to IAM and security teams because identity controls only reduce risk when they account for human judgment, trust manipulation, and the social paths attackers exploit across human and machine environments.

👉 Watch Abnormal AI's on-demand webinar on social engineering and attacker adaptation


Context

Social engineering is the exploitation of trust, urgency, and routine decision-making to get people to reveal information, approve actions, or bypass controls. In identity programmes, that means the attack surface is not only authentication and access policy, but also the human behaviours that determine whether controls are followed or overridden.

This webinar uses a threat-intelligence lens to examine how attackers keep adapting and why defenders need to understand adversary mindset, not just adversary tooling. For IAM, IGA, PAM, and security leaders, the key issue is that a control can be technically sound and still fail if users or operators are manipulated into creating the exception path.


Key questions

Q: How should security teams reduce social engineering risk in identity workflows?

A: Security teams should remove unnecessary human discretion from identity-critical processes such as recovery, approval, and escalation. Where people must still intervene, add stronger proofing, dual validation, and clear refusal paths so attackers cannot convert a single manipulated conversation into access.

Q: Why do social engineering attacks keep working against modern IAM controls?

A: They keep working because many IAM controls still depend on a person making the right decision under pressure. If the attacker can influence help-desk staff, approvers, or end users, the technical control may remain intact while the access path is bypassed.

Q: What do organisations get wrong about social engineering defence?

A: They often treat it as an awareness problem instead of a workflow problem. Training helps, but the stronger fix is to redesign the identity path so that one mistaken approval, reset, or exception cannot complete a high-risk action.

Q: How can teams tell whether identity processes are too easy to manipulate?

A: Look for repeatable manual steps, permissive recovery flows, and approvals that can be rushed without independent verification. If an attacker can predict the sequence from persuasion to access, the process is too dependent on trust and too lightly governed.


Background and context

How social engineering bypasses identity controls

Social engineering works by shifting the point of failure from cryptographic strength or policy design to human decision-making. Attackers do not need to break authentication if they can persuade an employee to approve a login, reveal a code, reset a credential, or authorize an unsafe workflow. In identity terms, the exploit lands in the gap between policy intent and user action. That is why identity controls that rely on a person making the correct choice under pressure are always weaker than controls that remove the decision altogether.

Practical implication: reduce the number of identity actions that depend on user judgment at the moment of attack.

Why attacker adaptation defeats static defence models

A static defence model assumes the threat stays broadly the same while controls are tuned around it. The webinar’s core message is that attackers continuously adapt their lures, timing, and delivery channels until they find where the control environment is predictable. That matters for identity because phishing-resistant authentication does not remove the human target; it moves the attacker to the approval workflows, help-desk processes, and recovery paths around the authenticator, which can all be targeted once the attacker understands where trust is easiest to manipulate. Security teams need to treat attacker adaptation as a design input, not an occasional exception.

Practical implication: review identity workflows for predictable human fallback paths that attackers can learn and reuse.

Hacker mindset as a defender planning tool

Studying hacker mindset is not about imitation, it is about anticipating which assumptions attackers will test first. In practice, that means asking where a defender expects compliance, where a user is likely to defer, and which operational process can be turned into a shortcut. This perspective is especially useful in IAM, where access governance often depends on timely reporting, accurate approval, and consistent enforcement. If an attacker can predict how a team responds, they can shape the next move around that response.

Practical implication: test identity processes from the attacker’s point of view, not just the policy owner’s point of view.


NHI Mgmt Group analysis

Social engineering is an identity governance failure, not just a user-awareness problem. When attackers can influence approval, reset, or delegation decisions, the control failure sits inside the identity process itself. That makes IAM, PAM, and service desk workflows part of the threat model, not merely adjacent support functions. Practitioners should treat social engineering as a governance issue that must be designed out where possible.

Hacker mindset analysis is valuable because it exposes the control path attackers will test first. Security teams often instrument the technical stack more deeply than they instrument the human decision chain. The result is that adversaries can keep using the same pressure points, from MFA fatigue to help-desk impersonation, until one request lands. Practitioners should use adversary thinking to find the fastest trust edge, then remove it.

Social engineering remains durable because identity programmes still rely on exception handling. Every manual approval, fallback reset, and delegated verification step creates a place where policy can be bent under pressure. That is why identity security is strongest when the number of human-mediated exceptions is minimal. Practitioners should measure how often access depends on someone choosing correctly in a live interaction.

Named concept: trust-path exposure. The real risk is not merely that users can be tricked, but that identity workflows expose a predictable path from persuasion to access. Once that path is known, attackers can repeat it across help desks, approvals, and account recovery. Practitioners should map and reduce the trust path as aggressively as they map technical attack paths.

From our research:

  • 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, which shows how often human behaviour still undermines technical controls.
  • For a broader identity lens, read Top 10 NHI Issues for the governance patterns that emerge when trust, access, and lifecycle controls break down.

What this signals

Trust-path exposure: security programmes need to inventory every place where a person can be persuaded into granting access, because those paths are now first-class attack surfaces. The operational question is not whether users are educated, but whether the workflow still allows a single manipulated request to succeed.

The identity team should expect more attacks that target the seam between policy and human exception handling. That makes help-desk controls, delegated approvals, and recovery procedures just as important as authentication strength, especially when they sit beside privileged access and lifecycle processes.

For practitioners building a broader programme, social engineering reinforces the case for tighter governance around exception paths and recovery authority. The more an access decision depends on one live human judgment, the more attractive it becomes as an attacker entry point.


For practitioners

  • Map human decision points in identity workflows: Identify every approval, reset, escalation, and exception path where a person can be persuaded to grant access or reveal a secret. Remove unnecessary manual steps and add secondary verification where human intervention cannot be eliminated.
  • Harden help-desk and reset procedures: Require stronger identity proofing before account recovery, password reset, or MFA re-enrolment. Treat these flows as privileged access paths, because attackers frequently target them when direct authentication fails.
  • Limit approval-based access by default: Use policy and workflow design to reduce real-time approval dependency for sensitive access. Where approvals are unavoidable, separate requester, approver, and verifier roles so a single manipulated interaction cannot complete the change.
  • Rehearse social engineering scenarios with IAM and service desk teams: Run simulations that include impersonation, urgency, and delegated authority abuse, then measure how quickly staff escalate suspicious requests. Use the results to refine identity controls, not just awareness messaging.
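The checks above (distinct requester, approver and verifier roles; independent verification before recovery; no single manipulated interaction completing a change) can be expressed as a review script and run over a description of each workflow. The following is an added example written for this page, not code from the webinar or from Abnormal AI. It models a workflow as a sequence of steps, each performed by a named person or by automation, and reports three exposures: one person holding two control roles, the absence of any verification a caller cannot pass by persuasion alone, and a "deception cost" below two (fewer than two distinct people must be talked into cooperating). The three MFA-reset workflows, step names and verification labels are constructed for illustration; the set of methods treated as independent verification is an assumption, and it deliberately excludes knowledge-based questions.

```python
"""Trust-path exposure check for human-mediated identity workflows.

Added example (not from the webinar or Abnormal AI).  It models each step
of a recovery / approval workflow and asks the question the article poses:
can ONE manipulated conversation carry an attacker from persuasion to
access?  Workflows, step names and verification labels below are
constructed for illustration.
"""
from dataclasses import dataclass

# Verification a caller cannot pass just by talking to the agent (assumed set).
# Knowledge-based questions (employee ID, manager's name, date of birth) are
# deliberately absent: that data is learnable from org charts, social media
# and old breaches, so it verifies nothing when an agent is under pressure.
INDEPENDENT_VERIFICATION = frozenset({
    "callback_to_number_on_record",
    "existing_phishing_resistant_authenticator",
    "in_person_or_video_id_check",
    "manager_approval_in_separate_system",
})

CONTROL_ROLES = {"requester", "verifier", "approver", "executor"}


@dataclass(frozen=True)
class Step:
    name: str
    role: str                       # one of CONTROL_ROLES
    actor: str                      # person performing it, or "automation"
    verification: frozenset = frozenset()   # methods applied at this step

    @property
    def human(self) -> bool:
        return self.actor != "automation"


@dataclass(frozen=True)
class Workflow:
    name: str
    steps: tuple


def deception_cost(wf: Workflow) -> int:
    """Distinct people, other than the requester (the attacker's own role),
    who must each be talked into cooperating for the workflow to finish."""
    return len({s.actor for s in wf.steps if s.human and s.role != "requester"})


def find_exposures(wf: Workflow) -> list:
    """Return human-readable findings; an empty list means no single
    person's judgment is enough to turn persuasion into access."""
    findings = []

    # 1. Separation of duties: the person who verifies and also executes can
    #    skip their own check, so no human may hold two control roles.
    roles_by_actor = {}
    for s in wf.steps:
        if s.human and s.role in CONTROL_ROLES:
            roles_by_actor.setdefault(s.actor, set()).add(s.role)
    for actor, roles in sorted(roles_by_actor.items()):
        if len(roles) > 1:
            findings.append(f"{actor} holds roles {sorted(roles)}; these must be different people")

    # 2. Some step other than the request itself must apply verification the
    #    caller cannot satisfy by persuasion alone.
    if not any(s.role != "requester" and s.verification & INDEPENDENT_VERIFICATION
               for s in wf.steps):
        findings.append("no independent verification: only knowledge-based or no checks")

    # 3. One manipulated conversation must not be enough.
    cost = deception_cost(wf)
    if cost < 2:
        findings.append(f"deception cost is {cost}: one manipulated conversation completes the workflow")

    return findings


# --- constructed workflows -------------------------------------------------
WEAK_MFA_RESET = Workflow("MFA reset, legacy help desk", (
    Step("caller asks for MFA re-enrolment", "requester", "caller"),
    Step("agent asks employee ID and manager's name", "verifier", "helpdesk_agent",
         frozenset({"knowledge_based_questions"})),
    Step("agent resets MFA in admin console", "executor", "helpdesk_agent"),
))

# A good verification method, but the same agent verifies and executes, so an
# urgent caller only has to persuade one person to skip the callback.
PARTIAL_MFA_RESET = Workflow("MFA reset, callback but single agent", (
    Step("caller asks for MFA re-enrolment", "requester", "caller"),
    Step("agent calls back the number on record", "verifier", "helpdesk_agent",
         frozenset({"callback_to_number_on_record"})),
    Step("agent resets MFA in admin console", "executor", "helpdesk_agent"),
))

HARDENED_MFA_RESET = Workflow("MFA reset, separated and automated", (
    Step("caller asks for MFA re-enrolment", "requester", "caller"),
    Step("agent calls back the number on record and records the result", "verifier",
         "helpdesk_agent", frozenset({"callback_to_number_on_record"})),
    Step("line manager approves in the IGA tool", "approver", "line_manager",
         frozenset({"manager_approval_in_separate_system"})),
    # Execution is automation that refuses to run without both records above,
    # so nobody can be talked into "just doing it this once".
    Step("enrolment token issued once verifier and approver records exist",
         "executor", "automation"),
))


if __name__ == "__main__":
    for wf in (WEAK_MFA_RESET, PARTIAL_MFA_RESET, HARDENED_MFA_RESET):
        print(f"\n{wf.name}: deception cost {deception_cost(wf)}")
        for finding in find_exposures(wf) or ["no exposures found"]:
            print("  -", finding)
```

The partially hardened workflow is the instructive case: the callback is a strong check, yet the script still flags it, because the agent who performs the callback also performs the reset and can be pressured into skipping it. Moving execution to automation that requires the verifier's and approver's records is what drives the deception cost to two and removes the single human decision the article warns about.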

Key takeaways

  • Social engineering remains effective because it attacks the human layer that identity controls still depend on.
  • Attacker adaptation matters because static controls can be learned, mapped, and bypassed through predictable trust paths.
  • The strongest response is to redesign recovery, approval, and exception workflows so that persuasion cannot easily become access.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) provide the governance and control reference points practitioners can map these risks to.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AT-01 (awareness and training) | Training matters, but only as part of a broader governance response to social engineering.
NIST CSF 2.0 | PR.AA-05 (access permissions managed with least privilege and separation of duties) | Separating requester, approver, and verifier roles is what stops one manipulated interaction from completing a change.
NIST SP 800-63B | AAL3 (phishing-resistant authenticators required; recommended at AAL2), plus the account recovery requirements | Phishing resistance reduces the value of stolen passwords and one-time codes, but recovery and re-enrolment flows around the authenticator must be governed just as strictly.
NIST Zero Trust (SP 800-207) | Section 2.1 tenets (per-session access, dynamic policy) | Access decisions should not rely on trust in a single human interaction.

Use phishing-resistant authenticators where identity workflows are exposed to impersonation and account takeover risk.


Key terms

  • Social Engineering: Social engineering is the use of deception, urgency, or authority to influence a person into taking an unsafe action. In identity programmes, it targets approvals, resets, and disclosures, making human decision paths part of the attack surface alongside technical controls.
  • Trust Path: A trust path is the sequence of people, systems, and approvals an attacker can exploit by persuading someone to open an access route. It matters because the shortest path from conversation to credential or authorization is often the weakest governed path in the identity workflow.
  • Identity Workflow: An identity workflow is the operational process that handles authentication, approval, recovery, escalation, and access change. It becomes a security control when it is designed to limit who can act, when they can act, and what exceptions are allowed.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: an Innovate 2025 on-demand webinar on attacker adaptation, hacker mindsets, and social engineering. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org