TL;DR: Phishing-resistant MFA reduces one attack path, but attackers are increasingly bypassing authentication through help desk recovery and hiring workflows, according to imper.ai and Gartner. The control problem is no longer proof of login alone, but whether workforce identity processes can resist impersonation across the employee lifecycle.
NHIMG editorial — what this means for IAM teams
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
Questions worth separating out
Q: How should security teams reduce help desk account takeover risk?
A: Treat account recovery as a privileged identity workflow, not a support convenience.
Q: Why do workforce identity attacks bypass strong MFA?
A: Because MFA protects the login event, while many workforce attacks target the processes that restore or issue access.
Q: How can organisations tell if identity proofing is too weak?
A: Look for repeated reliance on one-time checks, inconsistent approvals, and recovery actions that are accepted without strong context.
Practitioner guidance
- Harden account recovery as a privileged workflow: remove agent discretion where possible, require step-up verification for reset actions, and log every recovery decision with reviewer identity, channel, and reason code.
- Instrument hiring and onboarding for impersonation signals: tie recruiter and HR workflows to repeated environment checks across multiple interactions so candidate legitimacy is assessed over time, not at a single point of proof.
- Review outsourced support paths for trust gaps: map every vendor-run or BPO help desk process that can restore access, then validate whether its controls match internal standards for approvals, evidence, and auditability.
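What the first point looks like as a policy gate, as an added example that is not imper.ai's or NHIMG's code: a recovery request is evaluated against fixed rules (step-up required for high-risk actions, one-time knowledge checks alone are insufficient, weak context escalates) and every decision is emitted as an audit record carrying the reviewer identity, channel and reason code. The verification names, action names and sample request are assumptions for illustration.

```python
from dataclasses import dataclass, asdict
import json

# Assumed names: a real deployment maps these to its own IdP and ITSM values.
STRONG_STEP_UP = {"push_to_enrolled_device", "hardware_key", "manager_approval"}
ONE_TIME_CHECKS = {"knowledge_question", "employee_id", "caller_id"}
HIGH_RISK_ACTIONS = {"password_reset", "mfa_reset", "recovery_contact_change"}

@dataclass
class RecoveryRequest:
    user: str
    action: str
    channel: str            # phone, chat, walk_in, vendor_desk ...
    verifications: set      # checks the agent actually completed
    agent: str              # reviewer identity, always recorded
    reason_code: str        # why recovery was requested ("" if the agent skipped it)
    new_device: bool = False
    geo_mismatch: bool = False

def decide(req: RecoveryRequest) -> dict:
    """Policy decision the agent cannot override, plus the full audit record."""
    findings = []
    if req.action in HIGH_RISK_ACTIONS and not (req.verifications & STRONG_STEP_UP):
        findings.append("no_step_up_verification")
    if req.verifications <= ONE_TIME_CHECKS:        # also true when no checks were done
        findings.append("one_time_checks_only")
    if req.new_device and req.geo_mismatch:
        findings.append("weak_context_new_device_geo_mismatch")
    if not req.reason_code:
        findings.append("missing_reason_code")
    if "no_step_up_verification" in findings:
        decision = "deny"
    elif findings:
        decision = "escalate"                       # second reviewer, never the same agent
    else:
        decision = "allow"
    record = asdict(req)
    record["verifications"] = sorted(req.verifications)
    record.update(decision=decision, findings=findings)
    return record

def audit_line(req: RecoveryRequest) -> str:
    """One JSON line per recovery decision, ready to ship to the SIEM."""
    return json.dumps(decide(req), sort_keys=True)

if __name__ == "__main__":
    # Constructed sample: caller passed only a knowledge question before an MFA reset.
    sample = RecoveryRequest("jdoe", "mfa_reset", "phone", {"knowledge_question"},
                             "agent17", "lost_phone")
    print(audit_line(sample))
```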
What's in the full announcement
imper.ai's full research covers the operational detail this post intentionally leaves for the source:
- Real-world workflow patterns for help desk recovery abuse and impersonation.
- How the impersonation detection engine scores device integrity, virtualization, VPN, and geolocation signals.
- How contextual verification questions are generated from work history rather than personal trivia.
- Native integrations with ServiceNow, Microsoft Entra, Workday, Greenhouse, and other operational systems.
Read imper.ai's analysis of workforce identity impersonation and account takeover.
Workforce identity security: are help desk and hiring controls ready?