Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Identity-based threats and AI in the SOC: are your controls keeping up?


(@lalit)
Member Admin
Joined: 1 year ago
Posts: 235
Topic starter  

TL;DR: Security leaders rank social engineering and phishing at 78% and identity-based threats at 73%, while 67% say they still lack sufficient visibility into access behavior and lateral movement, according to Gurucul’s 2025 Pulse of the AI SOC report. The operational gap is not more alerts but better identity context, because credentialed attacks now blend into normal access patterns.

NHIMG editorial — based on content published by Gurucul: SOC 2025 Pulse of the AI SOC, Chapter 1, The Evolving Threat Landscape

By the numbers:

Questions worth separating out

Q: What breaks when identity attacks are not visible across cloud and SaaS systems?

A: When access behaviour is fragmented across tools, attackers can keep using legitimate credentials without standing out.

Q: Why do identity-based threats remain hard to detect even with mature SOC tooling?

A: Because mature tooling still often expects obvious malicious signatures, while identity attacks look like normal logins and normal application use.

Q: How can security teams tell whether identity threat detection is actually working?

A: They should measure whether the organisation can reconstruct who accessed what, when privilege changed, and how movement spread across systems.

Practitioner guidance

  • Instrument access behaviour end to end Correlate authentication, privilege changes, application access, and lateral movement signals so investigators can reconstruct identity misuse across cloud and SaaS systems.
  • Prioritise detections that model sequence Build alerts around chains of behaviour such as login, privilege escalation, and unusual resource access rather than isolated events that can look harmless on their own.
  • Test AI-resistant phishing controls Run simulations that use varied wording, timing, and volume to see whether your MFA, behavioural analytics, and user reporting still catch AI-generated lures.

What's in the full article

Gurucul's full blog covers the operational detail this post intentionally leaves for the source:

  • The chapter-level findings behind the 78% phishing concern and 73% identity-threat priority figures.
  • The report's explanation of why 67% visibility gaps persist in hybrid and cloud environments.
  • Examples of how AI is being used to scale phishing, reconnaissance, and low-noise credential abuse.
  • The broader SOC maturity themes discussed in the 2025 AI-powered SOC report.

👉 Read Gurucul's analysis of identity-driven threats in the AI-powered SOC →

Identity-based threats and AI in the SOC: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9713
 

Identity visibility gaps are now a governance failure, not just a monitoring problem. When 67% of organisations still cannot see access behaviour and lateral movement clearly, the issue is broader than tooling quality. IAM, SOC, and identity governance programs are all relying on the same incomplete picture, which means compromised access can remain trusted long after the initial login. The practitioner conclusion is that visibility must be treated as an identity control objective, not only a SOC output.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the same report.

A question worth separating out:

Q: Who is accountable when stolen credentials are used to move laterally?

A: Accountability sits with both the identity owners and the security functions that govern detection and response. IAM sets the access conditions, while SOC teams must identify abnormal use before it expands. When those responsibilities are split, organisations often discover compromise only after the attacker has already blended into ordinary activity.

👉 Read our full editorial: Identity-based threats are outpacing SOC visibility and response



   
ReplyQuote
Share: