TL;DR: Authentication-only programmes leave the identity attack surface materially under-governed. WideField Security raised $11.3 million in Series A funding to expand its platform for securing human, machine, and AI identities across the full identity lifecycle, with an emphasis on post-authentication threats such as session hijacking and token theft, according to WideField Security.
NHIMG editorial — based on content published by WideField Security: WideField Security Raises $11.3M Series A to Secure the Full Identity Lifecycle
By the numbers:
- WideField Security raised $11.3 million in Series A funding led by Crosspoint Capital Partners.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
Questions worth separating out
Q: How should security teams reduce risk when authentication is no longer the main attack boundary?
A: Security teams should move from sign-in-centric controls to lifecycle-centric controls.
Q: Why do machine identities create different governance problems from human accounts?
A: Machine identities often have broad, persistent permissions and no natural user to receive prompts or alerts.
Q: When should organisations prioritise token and session governance over more MFA rollout?
A: Organisations should prioritise token and session governance when they already have MFA coverage but still lack visibility into what happens after authentication.
Practitioner guidance
- Map post-authentication control points: Identify where your current stack can observe and revoke access after login, including active sessions, delegated permissions, and long-lived tokens.
- Separate machine identities from human IAM reviews: Build a distinct inventory for service accounts, API keys, certificates, and workload credentials, then review ownership, expiry, and revocation independently from human accounts.
- Add third-party token offboarding to lifecycle workflows: Require explicit offboarding for vendor-issued tokens and integrations when contracts, permissions, or business need change, so trust does not outlive the relationship.
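One way to run the machine-identity review from the last two points, as an added example that is not code from WideField Security or NHIMG. The record fields, finding names, and inventory entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Credential:
    """One non-human credential in the inventory (hypothetical schema)."""
    name: str
    kind: str                  # service_account | api_key | certificate | vendor_token
    owner: Optional[str]       # accountable team, None if nobody claims it
    expires: Optional[date]    # None means the credential never expires
    revoked: bool = False
    vendor_active: Optional[bool] = None  # vendor tokens only: is the relationship still live?

def review(cred: Credential, today: date) -> list[str]:
    """Return lifecycle findings for one credential; revoked ones are out of scope."""
    if cred.revoked:
        return []
    findings = []
    if not cred.owner:
        findings.append("no-owner")
    if cred.expires is None:
        findings.append("no-expiry")
    elif cred.expires < today:
        findings.append("expired-not-revoked")
    # Trust must not outlive the vendor relationship.
    if cred.kind == "vendor_token" and cred.vendor_active is False:
        findings.append("vendor-offboarded-token-live")
    return findings

def audit(inventory: list[Credential], today: date) -> dict[str, list[str]]:
    """Map credential name to findings, omitting credentials with none."""
    return {c.name: f for c in inventory if (f := review(c, today))}

# Constructed sample inventory, not real data.
INVENTORY = [
    Credential("ci-deploy", "service_account", "platform-team", date(2025, 6, 30)),
    Credential("billing-export-key", "api_key", None, None),
    Credential("edge-tls-cert", "certificate", "netops", date(2024, 12, 1)),
    Credential("crm-sync-token", "vendor_token", "sales-ops", date(2025, 9, 1),
               vendor_active=False),
    Credential("old-etl-key", "api_key", None, None, revoked=True),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, date(2025, 1, 15)).items():
        print(f"{name}: {', '.join(findings)}")
```
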
What's in the full analysis
WideField Security's full article covers the operational detail this post intentionally leaves for the source:
- The vendor's explanation of how its platform maps identity attributes, privileges, and relationships across cloud, SaaS, and on-premises environments.
- The specific post-authentication threat signals it uses to detect session hijacking and third-party token theft.
- The customer example that shows how visibility into machine identities changed day-one triage.
- The company background and funding context that frame its go-to-market expansion plans.
Full identity lifecycle security: what changes for IAM teams?
Explore further
Authentication-only security is now a broken operating model. The funding points to a structural gap: many programmes still treat login as the security boundary, even though the highest-risk abuse happens after the session is established. That leaves token theft, session hijacking, and delegated access outside the primary control loop. The implication is that identity governance must be measured by what remains controllable after authentication, not by sign-in success rates.
A few things that frame the scale:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: What is the difference between authentication control and identity lifecycle control?
A: Authentication control decides whether an identity can get in. Identity lifecycle control decides how that identity is created, used, monitored, delegated, and eventually removed. In practice, lifecycle control is what limits the damage after access exists, especially for machine identities, integrations, and vendor tokens that persist across systems.