
Identity compromise and hidden accounts: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7325

TL;DR: Identity compromise now drives more than 80% of breaches, and attackers are increasingly exploiting dormant accounts, machine identities, MFA abuse, and hidden privilege paths to stay below the radar, according to Hydden. The governing assumption that periodic reviews can keep pace with continuously changing identity behavior is no longer reliable.

NHIMG editorial — based on content published by Hydden: identity compromise, machine identities, and early breach signals

By the numbers:

Questions worth separating out

Q: How should security teams detect identity compromise before an attacker spreads?

A: Use continuous identity telemetry rather than periodic access review alone.

Q: Why do machine identities increase breach risk so quickly?

A: Machine identities multiply the number of credentials defenders must govern and often lack the ownership, lifecycle discipline, and monitoring applied to human users.

Q: What do security teams get wrong about quarterly access reviews?

A: They treat periodic certification as proof that access is under control, even though attacker activity can appear and disappear between review cycles.

Practitioner guidance

  • Build continuous identity discovery into your control stack: replace point-in-time scans with continuous discovery for human, machine, and privileged identities, including cloud admin accounts, API tokens, local accounts, and certificates.
  • Correlate identity events with vulnerability signals: when a CVE is exploited on a system, immediately inspect whether the incident created new accounts, dumped credentials, or altered privileged access paths.
  • Baseline identity behaviour, not just entitlements: track time of access, frequency, device, and resource patterns for the accounts that matter most, then alert on anomalies such as dormant accounts waking up, unusual MFA prompts, or privileged sessions lacking a clear workflow trigger.
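The behaviour baseline in the last bullet, as an added example that is not part of this post or of Hydden's article: a small detector run over constructed sign-in telemetry that flags a dormant account logging in again and a burst of MFA prompts for one user. The log format, field names, and thresholds are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity telemetry (not from the Hydden article), one event per
# line as "timestamp,account,event,result"; real sources would be IdP or PAM logs.
SAMPLE_EVENTS = """\
2024-03-01T09:00:00,svc-backup,login,success
2024-03-02T09:00:00,svc-backup,login,success
2024-06-20T02:13:00,svc-backup,login,success
2024-06-20T02:14:00,alice,mfa_prompt,denied
2024-06-20T02:14:30,alice,mfa_prompt,denied
2024-06-20T02:15:00,alice,mfa_prompt,denied
2024-06-20T02:15:20,alice,mfa_prompt,approved
2024-06-20T08:00:00,bob,login,success
"""

DORMANT_DAYS = 90                  # silence this long marks an account as dormant
MFA_BURST_COUNT = 3                # prompts within MFA_BURST_WINDOW that raise an alert
MFA_BURST_WINDOW = timedelta(minutes=5)

def parse_events(text):
    """Parse the CSV-style telemetry into (timestamp, account, event, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, account, event, result = line.split(",")
        events.append((datetime.fromisoformat(ts), account, event, result))
    return sorted(events)

def detect_anomalies(text):
    """Return a list of (account, reason) alerts derived from the telemetry."""
    alerts = []
    last_seen = {}                   # account -> timestamp of its previous activity
    mfa_prompts = defaultdict(list)  # account -> timestamps of prompts in the window
    for ts, account, event, result in parse_events(text):
        # Dormant account waking up: a successful login after a long period of silence.
        prev = last_seen.get(account)
        if (event == "login" and result == "success" and prev is not None
                and ts - prev >= timedelta(days=DORMANT_DAYS)):
            alerts.append((account, f"dormant {(ts - prev).days}d, now active"))
        # Unusual MFA prompts: repeated prompts for one account in a short window.
        if event == "mfa_prompt":
            window = [t for t in mfa_prompts[account] if ts - t <= MFA_BURST_WINDOW]
            window.append(ts)
            mfa_prompts[account] = window
            if len(window) == MFA_BURST_COUNT:
                alerts.append((account, f"{MFA_BURST_COUNT} MFA prompts within {MFA_BURST_WINDOW}"))
        last_seen[account] = ts
    return alerts

if __name__ == "__main__":
    for account, reason in detect_anomalies(SAMPLE_EVENTS):
        print(f"ALERT {account}: {reason}")
```

In production the `last_seen` map would be seeded from historical data rather than from the same batch, so that the very first event for an account is judged against its real history.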

What's in the full article

Hydden's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance for spotting early compromise signals across human and machine identities.
  • Specific examples of identity telemetry patterns that indicate account abuse or privilege drift.
  • Practical recommendations for building continuous discovery and behaviour-based monitoring into IAM and PAM.
  • How Hydden frames the relationship between vulnerability exploitation and identity compromise.

👉 Read Hydden's analysis of identity compromise and early breach signals →
