TL;DR: Cheap AI is collapsing attacker economics by compressing recon, exploit development, phishing, and command-and-control work to model speed and cent-per-million-token cost, according to Netwrix and cited industry research. The result is not the end of defense, but a shift toward predicting intent from behaviour before an identity or token is abused.
NHIMG editorial — based on content published by Netwrix: Mythos and the cost of attacking
Questions worth separating out
Q: How should security teams reduce the value of stolen credentials in fast-moving attacks?
A: Reduce the value of stolen credentials by narrowing scope, shortening session lifetime, and forcing re-validation when access patterns change.
Q: Why do cheap AI-driven attacks change IAM and PAM priorities?
A: They change priorities because attackers can test more paths in less time than defenders can manually review.
Q: What do security teams get wrong about access reviews in machine-speed attack scenarios?
A: They often assume review cadence alone will catch abuse.
Practitioner guidance
- Instrument identity-change to data-access correlation: Join entitlement changes, privileged session activity, and first-time access to sensitive data in one detection path so suspicious combinations can trigger before exfiltration.
- Shorten token and session blast radius: Reduce the operational value of a stolen token by narrowing scope, limiting session lifetime, and forcing re-validation for sensitive object access.
- Treat unusual access combinations as intent signals: Escalate review when an identity touches a data class it has never accessed before, especially after a recent permission increase or role change.
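The first and third points can share one detection path. The sketch below is an added example, not code from Netwrix or from this editorial: it joins entitlement changes, privileged sessions, and first-time data-class access per identity and grades the combination. The event schema, the 24-hour window, the severity names, and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events; the field names and event types are assumptions.
EVENTS = [
    {"ts": "2024-05-02T10:00:00", "identity": "svc-build", "type": "entitlement_change"},
    {"ts": "2024-05-02T10:20:00", "identity": "svc-build", "type": "privileged_session"},
    {"ts": "2024-05-02T10:25:00", "identity": "svc-build", "type": "data_access", "data_class": "payroll"},
    {"ts": "2024-05-02T10:30:00", "identity": "svc-build", "type": "data_access", "data_class": "source-code"},
    {"ts": "2024-05-02T11:00:00", "identity": "alice", "type": "data_access", "data_class": "payroll"},
    {"ts": "2024-05-20T08:00:00", "identity": "svc-build", "type": "data_access", "data_class": "hr-records"},
]
# Data classes each identity was already known to access before the sample window.
BASELINE = {"svc-build": {"source-code"}, "alice": {"payroll"}}


def correlate(events, baseline, window=timedelta(hours=24)):
    """Return (identity, data_class, ts, severity) for each first-time data-class access."""
    seen = {who: set(classes) for who, classes in baseline.items()}
    last_change, last_priv = {}, {}
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts, who = datetime.fromisoformat(ev["ts"]), ev["identity"]
        if ev["type"] == "entitlement_change":
            last_change[who] = ts
        elif ev["type"] == "privileged_session":
            last_priv[who] = ts
        elif ev["type"] == "data_access":
            known = seen.setdefault(who, set())
            if ev["data_class"] in known:
                continue  # access the identity has made before: not a signal here
            known.add(ev["data_class"])
            after_change = who in last_change and ts - last_change[who] <= window
            after_priv = who in last_priv and ts - last_priv[who] <= window
            if after_change and after_priv:
                severity = "high"    # new entitlement + privileged session + new data class
            elif after_change:
                severity = "medium"  # new data class shortly after a permission change
            else:
                severity = "low"     # first-time access with no recent change
            alerts.append((who, ev["data_class"], ev["ts"], severity))
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS, BASELINE):
        print(alert)
```

Without a seeded baseline every identity's first observed access counts as new, so the history window matters as much as the correlation window.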
What's in the full article
Netwrix's full article covers the operational detail this post intentionally leaves for the source:
- The historical framing behind cost-based defence and how the doctrine evolved over two decades.
- The specific examples cited from Anthropic, Mandiant, and Aisle that support the argument about AI-speed attacker iteration.
- The product and telemetry changes Netwrix describes across identity governance, privileged access, directory security, and DSPM.
- The detailed pattern Netwrix uses to distinguish permitted access from access that signals intent.