TL;DR: Service accounts are now a prime identity compromise path, with attackers using legitimate credentials to move laterally, escalate privileges and exfiltrate data while appearing authorized at every step, according to Aembit’s analysis of machine identity risk. Static secrets, privilege creep and poor lifecycle governance make the case for workload identity urgent, not optional.
NHIMG editorial — based on content published by Aembit: Service account identity risk and the limits of legacy IAM
By the numbers:
- 79 percent of cyberattacks now rely purely on identity compromise, using legitimate credentials to move laterally, escalate privileges and exfiltrate data while appearing authorized at every step.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.
Questions worth separating out
Q: How should security teams replace static service account credentials safely?
A: Start with the highest-risk workloads and move them to federated or runtime-issued credentials that expire automatically.
Q: Why do service accounts create so much lateral movement risk?
A: Because they often carry broader permissions than a single workload needs and those permissions persist over time.
Q: What breaks when machine identities are not inventoried?
A: Owners cannot revoke what they do not know exists, and unused credentials continue to authenticate long after the workload has changed.
Practitioner guidance
- Inventory every service account and secret first Build a complete list across cloud IAM, Active Directory, code repositories, container registries and CI/CD systems.
- Replace reusable secrets with workload identity where possible Move high-value workloads to short-lived tokens, federated identity or runtime credential exchange so that applications no longer depend on static API keys or hardcoded passwords.
- Reduce privilege scope before changing rotation cadence Review whether each service account truly needs the permissions it currently holds, then remove broad entitlements that were granted for troubleshooting or deployment convenience.
What's in the full article
Aembit's full analysis covers the operational detail this post intentionally leaves for the source:
- Specific implementation examples for AWS IAM Roles Anywhere, Azure Workload Identity Federation and GCP Workload Identity Federation
- A deeper walkthrough of how credential injection changes application and developer workflows
- The article's full breakdown of monitoring controls, including anomaly detection and audit trail expectations
- Additional breach examples that illustrate privilege creep, secret exposure and workload persistence
👉 Read Aembit’s analysis of service account identity risk and workload identity →
Service account identity risk: are your controls keeping up?
Explore further
Service account identity risk is not a narrow secrets problem. It is a governance problem created by treating machine identities as exceptions to IAM discipline. Service accounts now sit in cloud, database and CI/CD paths where they are both operationally essential and security-critical. The result is that ownership, entitlement review and revocation are often weaker than they are for human accounts. Practitioners should treat every service account as a governed identity with a lifecycle, not a technical dependency.
A few things that frame the scale:
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, according to The 2026 Infrastructure Identity Survey.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems.
A question worth separating out:
Q: Who is accountable when a service account is compromised?
A: Accountability should sit with the system owner and the identity governance function, not with the last engineer who happened to create the account. The right model requires named ownership, documented purpose, lifecycle retirement criteria and control mapping to IAM, PAM and audit functions so that compromise does not become an ownership dispute.
👉 Read our full editorial: Service account identity risk exposes the limits of legacy IAM