TL;DR: Credential compromise drives most breaches, according to Imprivata, which cites Verizon, IBM, and FBI data to argue that identity threat detection and response is now essential for continuous risk assessment across the access lifecycle. The real issue is that login friction and endpoint-originated attacks expose the limits of perimeter-first controls and static IAM models.
NHIMG editorial — based on content published by Imprivata: As Credential-Based Attacks Soar, Identity Threat Detection and Response Becomes Critical to Secure Access
By the numbers:
- 80% of breaches stem from compromised credentials.
- 90% of successful cyberattacks and 70% of data breaches originate at endpoint devices.
- The FBI reports a 9% increase in ransomware attacks against critical infrastructure in 2024.
Questions worth separating out
Q: How should security teams implement identity threat detection in IAM programmes?
A: Start by connecting authentication, session, device, and privilege telemetry so access decisions can be evaluated continuously rather than only at sign-in.
Q: Why do compromised credentials still cause so many breaches?
A: Compromised credentials are powerful because they often look legitimate to traditional controls.
Q: What do organisations get wrong about access friction and identity security?
A: They often treat friction as a user experience issue instead of a control failure.
Practitioner guidance
- Instrument identity telemetry beyond authentication: Collect session, privilege, device, and behavioural signals so anomalous access can be evaluated after sign-in rather than only at login.
- Reduce friction that drives credential workarounds: Map where users share credentials, bypass MFA, or seek repeated exceptions, then redesign those flows with simpler authentication, fewer manual resets, and clearer access paths.
- Connect identity risk to endpoint context: Treat endpoint posture and device trust as part of access governance so compromised endpoints do not receive the same confidence as healthy ones.
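A sketch of the continuous evaluation described in the guidance above, added here as an illustration and not taken from Imprivata or any product. The event fields, signal weights and thresholds are all assumptions, and the telemetry is constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample telemetry for one session, in time order (hypothetical schema).
EVENTS = [
    {"session": "s1", "type": "auth", "user": "alice", "mfa": True},
    {"session": "s1", "type": "device", "healthy": True},
    {"session": "s1", "type": "session", "ip_country": "GB"},
    {"session": "s1", "type": "device", "healthy": False},   # posture degrades mid-session
    {"session": "s1", "type": "session", "ip_country": "BR"},
    {"session": "s1", "type": "privilege", "role": "domain-admin"},  # role granted mid-session
]

# Assumed weights and thresholds; tune against your own baseline.
WEIGHTS = {"no_mfa": 30, "unhealthy_device": 40, "country_change": 30, "priv_grant": 30}
STEP_UP, REVOKE = 40, 70

@dataclass
class SessionState:
    signals: set = field(default_factory=set)
    country: str = ""

def decide(score):
    return "revoke" if score >= REVOKE else "step_up" if score >= STEP_UP else "allow"

def evaluate(events):
    """Re-score the session on every event, not only at sign-in."""
    sessions, decisions = {}, []
    for ev in events:
        st = sessions.setdefault(ev["session"], SessionState())
        if ev["type"] == "auth" and not ev["mfa"]:
            st.signals.add("no_mfa")
        elif ev["type"] == "device":
            # Posture is current state: the signal clears if the device recovers.
            if ev["healthy"]:
                st.signals.discard("unhealthy_device")
            else:
                st.signals.add("unhealthy_device")
        elif ev["type"] == "session":
            if st.country and ev["ip_country"] != st.country:
                st.signals.add("country_change")
            st.country = ev["ip_country"]
        elif ev["type"] == "privilege":
            st.signals.add("priv_grant")
        score = sum(WEIGHTS[s] for s in st.signals)
        decisions.append((ev["type"], score, decide(score)))
    return decisions

if __name__ == "__main__":
    for step in evaluate(EVENTS):
        print(step)
```

The sign-in event on its own scores as clean; the session only crosses the step-up and revoke thresholds once device and session signals arrive after login.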
What's in the full article
Imprivata's full article covers the operational detail this post intentionally leaves for the source:
- The vendor's own framing of how ITDR fits into its broader access management roadmap and product direction.
- The specific acquisition context and integration claims around Verosint's risk engine.
- The full set of cited breach and threat statistics used to justify the move toward identity-centric security.
- The press-release level description of passwordless access ecosystem integration and platform scope.