Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Insider threat convergence is the governance gap teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9773
Topic starter  

TL;DR: Insider and external attacks are converging in 2025 as adversaries recruit insiders for privileged access, credential tampering, and stealthy exfiltration, while cloud fragmentation and behavioral blind spots weaken traditional controls, according to Gurucul. The decisive shift is that trust is now an attack surface, not a boundary.

NHIMG editorial — based on content published by Gurucul: Insider Threat Bridging the Gap Between Insider and External Threats, A Unified Security Strategy for 2025

By the numbers:

Questions worth separating out

Q: What breaks when insider threat and external attack are treated as separate problems?

A: Organizations miss the blended attack path where legitimate access becomes the delivery mechanism for compromise.

Q: Why do cloud environments make insider-assisted attacks harder to stop?

A: Cloud environments fragment policy, logging, and access governance across multiple systems, so one user can create keys, move data, or use unsanctioned apps without a single control plane seeing the whole picture.

Q: How do security teams know when trusted access has become attack enablement?

A: They look for behavioral deviation, not just access success.

Practitioner guidance

  • Correlate identity, cloud, and endpoint telemetry Build detection logic that joins authentication, API activity, data movement, and device context so one trusted action cannot be evaluated in isolation.
  • Flag unusual privileged actions as governance events Escalate new key creation, atypical access timing, and cross-service data movement for manual review when they depart from user baseline behavior.
  • Map and restrict Shadow IT data paths Inventory unsanctioned apps and cross-cloud integrations, then remove any route that cannot be monitored, audited, and attributed end to end.

What's in the full article

Gurucul's full blog covers the operational detail this post intentionally leaves for the source:

  • How the REVEAL platform correlates identity, device, cloud, and asset context into a single behavioral risk view
  • Examples of anomaly patterns such as off-hours access, unusual downloads, and privilege escalation across cloud estates
  • The specific way agentic AI is used to prioritize events and trigger containment workflows without manual triage
  • A real-world case of coordinated cloud application misuse that led to source code and customer data exfiltration

👉 Read Gurucul's analysis of insider and external threat convergence in 2025 →

Insider threat convergence is the governance gap teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

Trust is now the attack surface, not the boundary. Insider and external threat models are collapsing because attackers no longer need to choose between them. They can buy, coerce, or compromise legitimate access and then operate inside the control plane that IAM and PAM were built to protect. The implication is that identity programmes must judge behavior, not just entitlement.

A few things that frame the scale:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to SailPoint.

A question worth separating out:

Q: Who is accountable when an insider collaborates with an external attacker?

A: Accountability usually spans identity governance, security operations, and the business owner of the access, because the failure is often shared across provisioning, monitoring, and response. Frameworks such as NIST CSF and IAM governance models expect clear ownership of access, logging, and corrective action when trusted identities are abused.

👉 Read our full editorial: Insider and external threat convergence is changing 2025 security



   
ReplyQuote
Share: