Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Identity threat detection and response: are access controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Credential compromise drives most breaches, according to Imprivata, which cites Verizon, IBM, and FBI data to argue that identity threat detection and response is now essential for continuous risk assessment across the access lifecycle. The real issue is that login friction and endpoint-originated attacks expose the limits of perimeter-first controls and static IAM models.

NHIMG editorial — based on content published by Imprivata: As Credential-Based Attacks Soar, Identity Threat Detection and Response Becomes Critical to Secure Access

By the numbers:

Questions worth separating out

Q: How should security teams implement identity threat detection in IAM programmes?

A: Start by connecting authentication, session, device, and privilege telemetry so access decisions can be evaluated continuously rather than only at sign-in.

Q: Why do compromised credentials still cause so many breaches?

A: Compromised credentials are powerful because they often look legitimate to traditional controls.

Q: What do organisations get wrong about access friction and identity security?

A: They often treat friction as a user experience issue instead of a control failure.

Practitioner guidance

  • Instrument identity telemetry beyond authentication Collect session, privilege, device, and behavioural signals so anomalous access can be evaluated after sign-in rather than only at login.
  • Reduce friction that drives credential workarounds Map where users share credentials, bypass MFA, or seek repeated exceptions, then redesign those flows with simpler authentication, fewer manual resets, and clearer access paths.
  • Connect identity risk to endpoint context Treat endpoint posture and device trust as part of access governance so compromised endpoints do not receive the same confidence as healthy ones.

What's in the full article

Imprivata's full article covers the operational detail this post intentionally leaves for the source:

  • The vendor's own framing of how ITDR fits into its broader access management roadmap and product direction.
  • The specific acquisition context and integration claims around Verosint's risk engine.
  • The full set of cited breach and threat statistics used to justify the move toward identity-centric security.
  • The press-release level description of passwordless access ecosystem integration and platform scope.

👉 Read Imprivata's analysis of identity threat detection and response for secure access →

Identity threat detection and response: are access controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Identity risk is now a control plane problem, not an authentication problem. The article is right to shift attention from the login event to the full access lifecycle because most compromise now begins with valid credentials and then moves through misuse, not brute-force failure. That means identity telemetry, entitlement context, and response logic belong in the security control plane alongside authentication. Practitioners should stop treating access as a binary state and start treating it as a live risk condition.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the same report.

A question worth separating out:

Q: Who is accountable when identity threat detection fails to stop abuse?

A: Accountability sits with both IAM owners and security operations because the problem spans entitlement design, detection coverage, and incident response. If access risk is not visible during the session, then the programme has not only an authentication gap but also an operational response gap that must be owned end to end.

👉 Read our full editorial: Identity threat detection is becoming central to secure access



   
ReplyQuote
Share: