TL;DR: Identity-based intrusions rose 156% between 2024 and Q1 2025 and now account for 59% of confirmed incidents, according to eSentire and Cybersecurity Intelligence, while phishing kits and infostealer malware make valid credential theft faster and cheaper. Identity hygiene is no longer cleanup work; it is the control plane for reducing blast radius and proving least privilege.
NHIMG editorial — based on content published by SPHERE Technology Solutions: Identity hygiene and identity-driven cyber threats
By the numbers:
- Identity-based intrusions soared 156% between 2024 and Q1 2025.
- Identity-based intrusions now account for 59% of all confirmed incidents.
Questions worth separating out
Q: How should security teams reduce the impact of stolen credentials in cloud and SaaS environments?
A: They should focus on shrinking standing access before compromise happens.
Q: Why do orphaned and dormant accounts create more risk than active accounts?
A: Orphaned and dormant accounts are often forgotten, poorly monitored, and more likely to keep outdated permissions.
Q: What do security teams get wrong about identity hygiene?
A: They often treat identity hygiene as a cleanup exercise instead of an operating model.
Practitioner guidance
- Inventory every identity class and owner: Build a complete inventory of human, privileged, service, and dormant accounts, then assign a named business owner for each one so access reviews have a decision-maker.
- Remove standing privilege from dormant access paths: Identify accounts with no recent use or no current business purpose, then disable or deprovision them before they become quiet attacker footholds.
- Shift from annual certification to continuous review: Use automated monitoring and risk scoring to detect permission drift, excessive access, and suspicious identity behaviour between formal review cycles.
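The three steps above, as an added example that is not from SPHERE Technology Solutions or this editorial: a Python pass over a constructed identity inventory that flags orphaned (no owner) and dormant identities and ranks them for review. The column names, the 90-day dormancy threshold and the ranking rule are assumptions, not the source's risk scoring logic.

```python
import csv
import io
from datetime import date

# Constructed sample inventory; column names are assumptions, not a real export format.
INVENTORY_CSV = """\
identity,kind,owner,last_used,privileged
alice,human,finance-ops,2025-03-28,no
svc-backup,service,,2024-06-02,yes
bob-admin,privileged,platform-team,2024-11-15,yes
svc-report,service,bi-team,2025-03-30,no
jdoe-old,human,,2023-12-01,no
"""

DORMANT_AFTER_DAYS = 90  # assumed threshold; set this from your own access policy


def review_queue(csv_text, today, dormant_after=DORMANT_AFTER_DAYS):
    """Return (identity, findings) pairs that need action, highest priority first."""
    queue = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        idle_days = (today - date.fromisoformat(row["last_used"])).days
        findings = []
        if not row["owner"].strip():
            findings.append("orphaned")            # no named business owner
        if idle_days > dormant_after:
            findings.append("dormant")             # no recent use
        if findings and row["privileged"] == "yes":
            findings.append("standing-privilege")  # privilege on an unused or unowned path
        if findings:
            queue.append((len(findings), idle_days, row["identity"], findings))
    # Assumed ranking: more findings first, then longest idle time.
    queue.sort(key=lambda item: (-item[0], -item[1]))
    return [(name, findings) for _, _, name, findings in queue]


if __name__ == "__main__":
    for name, findings in review_queue(INVENTORY_CSV, date(2025, 4, 1)):
        print(f"{name}: {', '.join(findings)}")
```

Running the same function on each inventory refresh and comparing queue length over time gives a simple between-review signal of whether dormant and unowned access is shrinking.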
What's in the full article
SPHERE Technology Solutions' full article covers the operational detail this post intentionally leaves for the source:
- Risk scoring logic for prioritising identity remediation across large estates
- Platform workflow detail for one-click cleanup of orphaned accounts and excess permissions
- Reporting mechanics that turn identity evidence into auditor-friendly outputs
- Implementation examples for unified discovery across directories, privileged systems, and unstructured data
Identity hygiene and credential intrusions: what IAM teams need now?
Explore further
Identity hygiene has become the practical control layer for modern access risk. The article is right to frame identity as the primary battleground because attackers increasingly win through valid accounts, not novel exploits. In that environment, hygiene means discovery, ownership, privilege reduction, and continuous monitoring across human, privileged, and machine identities. The practitioner conclusion is simple: if identity cannot be continuously seen, it cannot be continuously governed.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, a pattern that shows identity issues rarely stay isolated.
A question worth separating out:
Q: How do you know if least privilege is actually working?
A: You should see fewer accounts with broad access, fewer dormant permissions, and faster removal of access that no longer has a business purpose. If reviews keep finding the same excessive entitlements, least privilege is not operating as a control. The best signal is that privileged access is both limited and actively maintained.