TL;DR: Identity-related breaches accelerated in 2022, with IDSA reporting that 84% of respondents experienced one and 96% said identity-focused solutions could have reduced the impact, according to SentinelOne and IDSA research. The practical lesson is that IAM, PAM, and IGA now need detection, telemetry, and response layered around them, not treated as standalone protection.
NHIMG editorial — based on content published by SentinelOne: identity threat detection and response for modern identity attacks
By the numbers:
- 84% of respondents experienced an identity-related breach in the past year
- 96% reported that said breaches could have been minimized or even prevented by identity-focused solutions
- 78% reported direct business impacts such as reputational damage and the cost of recovery post-breach
Questions worth separating out
Q: How should security teams detect identity compromise before lateral movement starts?
A: Start by linking authentication, privilege use, and sensitive workflow activity in one detection model.
Q: Why do traditional IAM and PAM controls miss identity attack surface risk?
A: Because they are usually implemented as separate control points rather than one integrated view of the identity estate.
Q: What do security teams get wrong about identity threat detection and response?
A: They often treat ITDR as a substitute for IAM, when it is actually complementary.
Practitioner guidance
- Correlate authentication with privilege use Link directory events, privileged workflow access, and endpoint telemetry so suspicious identity behaviour can be detected after login, not only at the login screen.
- Instrument support and admin paths Monitor password reset, account recovery, and support console actions as high-risk identity workflows because they often become the shortest route from compromise to escalation.
- Extend detection to cloud entitlements Include SaaS permissions, cloud console activity, and third-party access in the same monitoring model so abnormal entitlement use is visible across the full estate.
What's in the full article
SentinelOne's full article covers the operational detail this post intentionally leaves for the source:
- Detailed examples of identity threat detection and response use cases across endpoint, cloud, and directory environments.
- Vendor-specific walkthroughs of how deception and isolation features are applied during identity attack containment.
- Expanded discussion of how the product links identity telemetry to broader XDR workflows.
- Examples of identity indicators of compromise used to drive alerting and investigation.
👉 Read SentinelOne's analysis of identity threat detection and response for modern identity attacks →
Identity threat detection and response: what IAM teams need to know?
Explore further
Identity protection without detection is a partial control model. IAM, PAM, and IGA are governance mechanisms, but they do not see credential misuse, privilege escalation, or attacker movement once access is live. That is why identity threat detection and response is now a necessary companion layer for any mature identity programme. Practitioners should stop treating access assignment as the end state and start treating behavioural visibility as part of identity control.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: Who should own identity findings that span federal cloud and directory environments?
A: One accountable owner should coordinate remediation across IAM, infrastructure, and compliance teams, because hybrid identity issues rarely fit into a single operational silo. Shared responsibility without a single owner usually leaves findings open while teams debate scope. Clear ownership shortens time to remediation and reduces drift between environments.
👉 Read our full editorial: Identity threat detection and response is filling IAM blind spots