TL;DR: Identity-based attacks account for 30% of total intrusions and the average data breach cost reached $4.88 million in 2024, according to IBM Threat Intelligence Index and Verizon DBIR data cited in the source. Proactive identity attack surface management matters because traditional IAM and PAM tools still miss shadow identities, overprivileged accounts, and exposed credentials.
NHIMG editorial — based on content published by Hydden: identity attack surface management and the ROI of invisible identity risk
By the numbers:
- Identity-based attacks make up 30% of total intrusions.
- The average cost of a data breach reached $4.88 million in 2024.
- Exposure of secrets on public repositories had a median remediation time of 94 days for leaked credentials.
Questions worth separating out
Q: How should security teams find the identities that traditional IAM tools miss?
A: Use continuous discovery across cloud, SaaS, on-premises, and directory sources, then correlate each identity with ownership, entitlements, and last activity.
Q: Why do exposed secrets create such a large identity risk?
A: Because a secret is an active credential, not just a leaked artifact.
Q: What do organisations get wrong about identity security metrics?
A: They often count audit completion, certification volume, or tool coverage and assume those numbers equal control.
Practitioner guidance
- Inventory identities continuously across all environments Replace periodic account reviews with always-on discovery that spans cloud, SaaS, on-premises, federated accounts, and service identities.
- Prioritise exposed secrets as access events When a JWT, API key, or cloud credential is found in a public repo or log, trigger ownership lookup, revocation, and rotation in the same workflow.
- Measure attack path reduction, not tool coverage Track how many high-risk identities, toxic entitlement chains, and privileged paths are removed each month.
What's in the full article
Hydden's full article covers the operational detail this post intentionally leaves for the source:
- The ROI model inputs used to estimate breach avoidance, labour savings, and license reclamation.
- The sample calculations behind the 15-30% identity discovery gap and the 30-50% access review time reduction.
- The specific KPI set the vendor recommends for measuring identity attack surface reduction over time.
- The way the article maps IASM outputs into existing IAM, PAM, SIEM, and SOAR workflows.
👉 Read Hydden's analysis of identity attack surface management ROI →
Identity attack surface management: what IAM teams need to measure?
Explore further
Identity attack surface management is becoming the missing control plane between visibility and governance. IAM, PAM, and IGA were built to enforce policy over known identities, but the real risk sits in the identities that were never fully discovered, connected, or retired. That gap spans human, NHI, and workload access, which is why identity governance now needs continuous discovery as a first-class control. Practitioners should treat unowned identity inventory as a programme defect, not an edge case.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Another finding from the same research shows that lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, with inadequate monitoring and logging and over-privileged accounts both at 37%.
A question worth separating out:
Q: How can teams tell whether identity attack surface management is working?
A: It is working when the number of high-risk identities falls, exposed credentials are retired faster, and reachable privileged paths shrink over time. A good programme changes what attackers can reach, not just what administrators can report. That is the practical test for measurable identity risk reduction.
👉 Read our full editorial: Identity attack surface management and the cost of invisible risk