Identity threat detection and response: is IAM now the control plane?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8527
Topic starter  

TL;DR: As 80% of breaches involve compromised credentials and 47% of organisations have seen a third-party-related incident in the past year, identity threat detection and response is becoming the practical control plane for modern defence, according to Imprivata. Static IAM logs are no longer enough; continuous identity telemetry is now the difference between detection and delay.

NHIMG editorial — based on content published by Imprivata: identity threat detection and response as a foundation for modern cybersecurity

By the numbers:

Questions worth separating out

Q: How should security teams use identity telemetry for detection?

A: Security teams should treat identity telemetry as operational security data, not just audit evidence.

Q: Why do compromised credentials remain such a persistent enterprise risk?

A: Compromised credentials remain dangerous because they often look legitimate to control systems.

Q: How do teams know whether identity threat detection is actually working?

A: The clearest signal is whether identity events lead to faster, better decisions.

Practitioner guidance

What's in the full article

Imprivata's full article covers the operational detail this post intentionally leaves for the source:

  • How identity threat detection and response is positioned for mission-critical environments such as healthcare and manufacturing
  • The role of behavioural analytics in building live profiles of normal identity activity
  • The article's practical guidance on passwordless authentication, badges, biometrics, and device-bound passkeys
  • How ITDR is framed as a complement to Zero Trust network access and workflow usability

👉 Read Imprivata's analysis of identity threat detection and response →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7853
 

Identity telemetry is now a security control, not an audit by-product. The article reflects a broader shift that many programmes still resist: identity data only matters when it drives a decision in motion. Log collection alone cannot stop credential abuse, lateral movement, or suspicious privilege changes. The practical conclusion is that IAM teams have to own detection relevance, not just compliance completeness.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who should be accountable when third-party access is abused?

A: Accountability should sit with the teams that own the access path, the detection logic, and the response workflow. Third-party access is not a special exception to identity governance; it is a high-risk access category that needs explicit ownership, monitoring, and containment rules. Without that clarity, the organisation can see the event but fail to respond decisively.

👉 Read our full editorial: Identity threat detection and response is becoming the new control plane



   