
AI-powered attacks and behaviour-based defence: what teams should do


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: AI is helping attackers automate phishing, vulnerability discovery, and targeted intrusions faster than public sector teams can adapt, while trust-based channels and personal devices are being used to steal credentials without legacy alerts, according to Abnormal AI. Signature-driven defence is losing ground, and behaviour-based detection plus faster response are now the practical baseline.

NHIMG editorial — here’s why we think this discussion matters

By the numbers:

Questions worth separating out

Q: How should security teams defend against AI-assisted phishing and credential theft?

A: Teams should move beyond signature matching and focus on identity behaviour, device context, and abnormal access sequences.

Q: Why do trusted channels and personal devices increase identity risk?

A: They increase risk because they often sit outside the telemetry and policy enforcement of managed systems.

Practitioner guidance

  • Move detection from signatures to identity behaviour: Tune alerting for unusual access sequences, anomalous device context, and new trust relationships rather than relying mainly on known phishing indicators or malicious hashes.
  • Extend controls to personal-device and trusted-channel workflows: Review how credentials are requested, shared, and approved outside managed systems, especially on mobile devices, messaging apps, and remote collaboration channels.
  • Automate identity containment steps: Pre-stage response actions for credential reset, session revocation, and access suspension so they can execute as soon as identity anomalies cross a threshold.

What to expect at the briefing

Abnormal AI's full session covers the operational detail this post intentionally leaves for the source:

  • How the session frames AI-enabled phishing, vulnerability discovery, and targeted intrusion patterns in practical attacker terms.
  • The specific behaviour-based detection examples discussed for government and public sector environments.
  • The reasoning behind prioritising faster, more automated response for identity-related anomalies.
  • The session's discussion of how controlled AI use cases can be introduced without widening exposure.

👉 Watch Abnormal AI's on-demand session on AI-driven attacks and behaviour-based defence →




   
Quote
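The first and third guidance points in the post above, as an added example that is not part of the original post or of Abnormal AI's material: identities are scored on device context, new trust relationships and access sequences, and the score is mapped to pre-staged containment steps. The event fields, action names, baseline, weights and thresholds are all assumptions, and the events are constructed.

```python
# Constructed sample events, not real telemetry:
# (identity, device, device_is_managed, action, target)
EVENTS = [
    ("alice", "laptop-01", True, "login", "portal"),
    ("alice", "laptop-01", True, "read", "hr-docs"),
    ("svc-backup", "host-07", True, "login", "vault"),
    ("alice", "phone-x9", False, "login", "portal"),
    ("alice", "phone-x9", False, "mfa_reset", "portal"),
    ("alice", "phone-x9", False, "grant_oauth", "unknown-app"),
    ("alice", "phone-x9", False, "export", "hr-docs"),
]
# Assumed baseline, weights and thresholds; tune them against your own data.
KNOWN_DEVICES = {"alice": {"laptop-01"}, "svc-backup": {"host-07"}}
KNOWN_TRUSTS = {"alice": {"calendar-app"}}
WEIGHTS = {"new_device": 2, "unmanaged_device": 2, "new_trust": 3, "risky_sequence": 3}
RISKY_SEQUENCES = {("mfa_reset", "grant_oauth"), ("grant_oauth", "export")}
# Pre-staged containment steps, most severe first: (minimum score, action).
PLAYBOOK = [(8, "suspend_access"), (5, "reset_credentials"), (3, "revoke_sessions")]


def score_events(events, known_devices, known_trusts):
    """Score each identity on behaviour, returning {identity: (score, reasons)}."""
    devices = {k: set(v) for k, v in known_devices.items()}  # copy, keep baseline intact
    results, last_action = {}, {}
    for ident, device, managed, action, target in events:
        score, reasons = results.get(ident, (0, []))
        signals = []
        if device not in devices.setdefault(ident, set()):
            devices[ident].add(device)  # count each new device once
            signals.append("new_device")
            if not managed:
                signals.append("unmanaged_device")
        if action == "grant_oauth" and target not in known_trusts.get(ident, set()):
            signals.append("new_trust")
        if (last_action.get(ident), action) in RISKY_SEQUENCES:
            signals.append("risky_sequence")
        last_action[ident] = action
        score += sum(WEIGHTS[s] for s in signals)
        results[ident] = (score, reasons + [f"{s}:{action}@{device}" for s in signals])
    return results


def containment_plan(score):
    """Return every pre-staged action whose threshold the score has crossed."""
    return [action for threshold, action in PLAYBOOK if score >= threshold]


if __name__ == "__main__":
    for ident, (score, reasons) in score_events(EVENTS, KNOWN_DEVICES, KNOWN_TRUSTS).items():
        print(ident, score, containment_plan(score), reasons)
```

No phishing indicator or hash appears anywhere in the scoring; the only inputs are who acted, from which device, and in what order.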
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Behaviour-based defence is becoming an identity control problem, not just a detection problem. When adversaries can vary phishing lures, discovery steps, and intrusion sequences at machine speed, pattern-based security loses reliability. That shifts practical authority toward identity-linked behavioural analytics, because the control plane has to reason over who or what is acting, not only what artifact is present. Practitioners should treat this as a governance change in detection design.

A few things that frame the scale:

  • Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to The 2024 Non-Human Identity Security Report.
  • 23.5% of security professionals are unsure about the biggest threat to their non-human identities, indicating a significant awareness gap.

A question worth separating out:

Q: Who is accountable when AI-driven attacks exploit identity gaps in public sector environments?

A: Accountability sits with the teams that govern identity, detection, and response together. If access is stolen through a trust channel, the failure is rarely isolated to one control. It usually reflects a programme gap across user behaviour, monitoring coverage, and response automation, so ownership should be shared across IAM, security operations, and incident response.

👉 Read our full editorial: AI-powered attacks are outpacing government defensive controls



   