Identity-first threat detection across human, NHI and AI identities

TL;DR: Identity-based attacks increasingly begin with stolen credentials, compromised service accounts, or hijacked sessions, and Permiso Security’s SC Award recognition reflects growing demand for detection that follows identity across cloud, SaaS, CI/CD, and on-premises environments. The governance issue is no longer point detection, but whether identity programmes can see behaviour across human, non-human, and AI actors before attackers pivot.

NHIMG editorial — based on content published by Permiso Security: Permiso Security Wins 2026 SC Award for Best Threat Detection Technology

Questions worth separating out

Q: How should security teams detect attacks that move across human, NHI, and AI identities?

A: They should use a single identity model that links entitlements, relationships, and runtime behaviour across all actor types.

Q: Why do service accounts and tokens create blind spots for threat detection?

A: Service accounts and tokens often carry valid access without a human interaction point, so network or endpoint tools may not explain whether the activity is expected.

Q: How do teams know whether identity-based detection is working?

A: Look for detections that correlate identity, behaviour, and privilege changes across environments, not just isolated alerts.

Practitioner guidance

• Unify identity inventories across actor types Build a single inventory for human users, service accounts, API keys, OAuth tokens, IAM roles, and AI agents so pivot paths can be traced across systems, not guessed after the fact.
• Instrument runtime identity behaviour Track what each identity does at runtime, not just what it was granted at provisioning, and flag pivots from one identity type to another as detection-worthy events.
• Tie detections to known identity attack paths Prioritise detections that match common credential theft, session hijack, and service-account pivot patterns rather than relying only on generic anomaly thresholds.

What's in the full analysis

Permiso Security's full article covers the operational detail this post intentionally leaves for the source:

• The SC Award context and judging criteria that explain why identity-first detection was recognised this year.
• The Universal Identity Graph model and how it connects human, machine, and AI identities across environments.
• The role of P0 Labs in producing detection signals from breach response and adversary research.
• The platform positioning around identity-first visibility that is omitted here in favour of independent analysis.

👉 Read Permiso Security's SC Award profile on identity-first threat detection →

Identity-first threat detection across human, NHI and AI identities?

Explore further

View Full Forum →  |  NHI Foundation Course →