Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Cheap intelligence and the identity controls attackers now test


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Cheap AI is collapsing attacker economics by compressing recon, exploit development, phishing, and command-and-control work to model speed and cent-per-million-token cost, according to Netwrix and cited industry research. The result is not the end of defense, but a shift toward predicting intent from behaviour before an identity or token is abused.

NHIMG editorial — based on content published by Netwrix: Mythos and the cost of attacking

Questions worth separating out

Q: How should security teams reduce the value of stolen credentials in fast-moving attacks?

A: Reduce the value of stolen credentials by narrowing scope, shortening session lifetime, and forcing re-validation when access patterns change.

Q: Why do cheap AI-driven attacks change IAM and PAM priorities?

A: They change priorities because attackers can test more paths in less time than defenders can manually review.

Q: What do security teams get wrong about access reviews in machine-speed attack scenarios?

A: They often assume review cadence alone will catch abuse.

Practitioner guidance

What's in the full article

Netwrix's full article covers the operational detail this post intentionally leaves for the source:

  • The historical framing behind cost-based defence and how the doctrine evolved over two decades.
  • The specific examples cited from Anthropic, Mandiant, and Aisle that support the argument about AI-speed attacker iteration.
  • The product and telemetry changes Netwrix describes across identity governance, privileged access, directory security, and DSPM.
  • The detailed pattern Netwrix uses to distinguish permitted access from access that signals intent.

👉 Read Netwrix's analysis of how cheap AI is changing cyber defence economics →

Cheap intelligence and the identity controls attackers now test?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Cheap intelligence exposes an identity governance timing problem, not just a detection problem. When attackers can probe, adapt, and retry at model speed, the defender’s access review cycle becomes too slow to influence the attack path. That means the limiting factor is no longer how many alerts you can see, but whether identity telemetry can trigger action before the attacker completes a second iteration. Practitioners need to treat time-to-decision as an identity control metric.

A few things that frame the scale:

  • 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
  • 24,008 unique secrets were exposed in MCP configuration files in 2025 alone, the protocol's first year of widespread adoption, according to The State of Secrets Sprawl 2026.

A question worth separating out:

Q: Who should own response when identity behaviour suggests attacker intent?

A: Ownership should sit with the identity, SOC, and platform teams together, because the signal spans entitlements, telemetry, and containment. In practice, the fastest response is the one that can revoke access, isolate the session, and preserve evidence before the attacker completes the next iteration.

👉 Read our full editorial: Cheap intelligence is reshaping cyber defense economics



   
ReplyQuote
Share: