TL;DR: Attackers often use legitimate credentials, orphaned accounts, shared service access, and SaaS integrations to move laterally across environments, according to Zluri. The breach path is usually created by governance decisions that were never revisited, which makes access scope and review cadence the real security variables.
NHIMG editorial — based on content published by Zluri: Security & Compliance Lateral Movement in Identity Security
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: What breaks when identity governance leaves too many lateral movement paths open?
A: When identity governance leaves too many lateral movement paths open, a single compromised account can reach far more systems than its role should allow.
Q: Why do service accounts and shared credentials increase lateral movement risk?
A: Service accounts and shared credentials increase lateral movement risk because they often connect systems that users were never meant to bridge directly.
Q: How do security teams know if access accumulation is becoming a breach path?
A: Access accumulation is becoming a breach path when users or service accounts hold permissions that exceed current job need, especially across multiple domains.
Practitioner guidance
- Reduce cross-domain reach in long-lived identities Identify users and service accounts that accumulate access across engineering, cloud, SaaS, and data domains, then remove permissions that no longer match current role or function.
- Inventory shadow SaaS and connected integrations Discover applications, OAuth grants, and service-to-service links that sit outside the governed SSO catalog.
- Shorten the life of stale access paths Replace annual review cycles with control points that trigger when roles change, projects end, vendors leave, or integrations are modified.
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanation of how attackers traverse legitimate identity paths after the first foothold.
- Specific examples of how role changes, SaaS sprawl, and shared credentials build movement pathways.
- Detailed reasoning on why behavioural detection misses identity-based traversal in shadow environments.
- Practical prevention ideas for reducing the access graph before an attacker can map it.
👉 Read Zluri's analysis of identity-based lateral movement and governance gaps →
Identity-based lateral movement: what IAM teams need to know?
Explore further
Identity-based lateral movement is a governance failure before it is an attack technique. The article makes the right point that the attacker often does not need to break controls, only to reuse the access paths governance already left open. That shifts the problem from detection to entitlement design, because every extra path broadens the blast radius available to a low-value foothold. The practical conclusion is that identity governance must be judged by how much unintended reach it allows.
A few things that frame the scale:
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
A question worth separating out:
Q: Who is accountable when lateral movement succeeds through approved access paths?
A: Accountability sits with the teams that own identity governance, access reviews, application ownership, and offboarding, because approved access paths are the control surface that enabled the traversal. Security tooling may detect the attack, but governance determines whether the path existed in the first place. That makes entitlement owners part of the breach-control chain.
👉 Read our full editorial: Identity-based lateral movement is the real breach accelerator