Identity threat detection across human, NHI, and AI agent activity

TL;DR: Identity threat detection and response is shifting from login control to post-authentication behaviour across human users, service accounts, and AI agents, according to Permiso Security’s award write-up. The core governance problem is that access tools stop at the front door, while attacks increasingly hide inside valid sessions and identity activity.

NHIMG editorial — based on content published by Permiso Security: Permiso wins Best Identity Threat Detection and Response Platform at the 2026 Cybersecurity Stars Awards

By the numbers:

• The platform ships with more than 1,500 detection signals, each tied to real attacker behavior rather than a static rule.

Questions worth separating out

Q: How should security teams detect identity compromise after authentication?

A: They should monitor what each identity actually does after login, including privilege use, command patterns, unusual data access, and cross-system movement.

Q: Why do service accounts and AI agents create more identity risk?

A: They expand the attack surface because they often hold credentials, operate continuously, and perform actions without the human review loops that catch misuse quickly.

Q: What do security teams get wrong about identity threat detection?

A: They often treat it as a substitute for IAM or PAM rather than a layer that complements them.

Practitioner guidance

• Instrument post-authentication telemetry for all identities Capture actions after sign-in, including privilege use, command sequences, data access, and cross-environment movement.
• Attribute every machine action to a specific executor Tie service accounts, API keys, workload identities, and AI agents back to a named identity record so investigations can distinguish expected behaviour from shadow activity, stolen credentials, or over-permissioned automation.
• Use identity graphs to shorten investigations Correlate human, NHI, and AI agent activity across cloud and hybrid systems so analysts can trace lateral movement, reuse of credentials, and related identities in a single investigative path.

What's in the full article

Permiso Security's full post covers the operational detail this post intentionally leaves for the source:

• How Permiso describes its detection coverage across human users, service accounts, and AI agents in cloud and on-premises environments.
• How the Universal Identity Graph is used to connect identities, actions, and investigations across environments.
• How P0 Labs informs detection content with real-world identity attack research.
• What the award judges specifically highlighted about identity behaviour after authentication.

👉 Read Permiso Security's post on its Cybersecurity Stars award for ITDR →

Identity threat detection across human, NHI, and AI agent activity?

Explore further

View Full Forum →  |  NHI Foundation Course →