.jpg)
Most security teams assume they’ll know when an identity is compromised. We got the tools. An alert will fire. A control will fail. Something will clearly signal that an attacker has gained access. In fact, 80% of defenders believe their tools provide adequate protection across hybrid, multi-cloud environments.
In practice, it rarely works that way.
One customer recently found valid corporate credentials for sale on the dark web for $6. This was not a part of a targeted intrusion. It was just one entry in a long list of harvested accounts. With attackers now using AI agents to automate credential harvesting and validation, access is continuously generated, tested, and resold at scale.
Attackers understand this dynamic. And increasingly, they exploit it.
In most environments, an identity compromise doesn’t announce itself. The biggest challenge today isn’t stopping identity-based attacks but recognizing that they’ve already happened — and recognizing them may be harder than we think.
- Fact: All hybrid attacks eventually become identity attacks. Despite millions spent on security, 90% of organizations have experienced one.
- Fact: 31% of users are service accounts with high access privileges and low visibility, and a single AD misconfiguration can introduce, on average, 109 shadow admins.
- Fact: 90% of enterprises that experience identity attacks had MFA in place.
The challenge is only getting worse.
We’re no longer just defending human identities. Non-human identities (service accounts, APIs, workloads, and increasingly AI agents) are rapidly proliferating, often outnumbering humans. They operate continuously, authenticate programmatically, and interact across systems at machine speed. At the same time, attackers are using AI to scale their attacks and blend into normal identity behavior faster than ever.
The result: more identities, less visibility, and attacks that move faster than traditional detection.
Silence is the signal of identity compromise
Limited visibility into identity activity increases the chance of missing compromise.
Modern enterprises span cloud, SaaS, network, and remote access. Identities move fluidly across all of them. Most security stacks don’t. Visibility remains fragmented, creating gaps where attackers operate undetected.
When nothing looks wrong, it doesn’t mean we’re not secure. It can mean we just can’t see what’s happening. This gap widens in AI-driven environments. As AI agents and automation pipelines continuously access systems, identity activity increases exponentially, making it harder to distinguish normal from malicious behavior. At machine speed, blind spots scale.
Identity compromise shows up after login
Security has long focused on access like passwords, MFA, and authentication flows. But attackers have adapted. Once inside, they behave like legitimate users.
The real signal isn’t the login, but what happens next.
In many incidents, the first visible signal isn’t authentication at all. It’s a user querying unfamiliar systems, accessing admin APIs, or requesting Kerberos tickets across multiple hosts. Each action is valid on its own. Together, they reveal lateral movement.
Unusual access patterns, unexpected system interactions, and sudden data access. These are indicators that matter but often fall outside traditional controls.
Malicious activity looks legitimate
Attackers don’t hack in. They log in.
In recent SaaS breaches, attackers didn’t steal passwords. They stole authentication tokens from a third-party integration and replayed them. No login prompt. No MFA. Just valid sessions.. From the system’s perspective, everything looked legitimate.
By using valid credentials, attackers blend into normal operations, leveraging existing permissions, moving through trusted pathways, and avoiding alert triggers. This is especially true for non-human identities, which often have high privileges but little behavioral monitoring. They don’t use MFA, operate continuously, and are harder to validate, which makes them easier to abuse. As AI adoption grows, so does this attack surface.
In one common pattern, attackers obtain a long-lived API key or service account tied to a data pipeline. The identity behaves as expected by pulling data, accessing storage, and calling APIs, but with subtle differences like slightly different datasets, timing, or destinations. There is no login anomaly, only behavioral changes.
“Normal” becomes the perfect disguise.
Prevention doesn’t equal detection
We rely heavily on controls like MFA and EDR. While essential, they weren’t designed to detect identity compromise, especially in AI-driven attacks.
Attackers can bypass MFA through phishing, social engineering, or compromised devices, then operate outside endpoint visibility using legitimate access.
Adversary-in-the-middle phishing kits now proxy authentication in real time. The user completes MFA, the attacker captures the session token, and immediately reuses it. From that point forward, the attacker operates as a fully authenticated user. No failed logins. No brute force. Just a valid session
The assumption that controls will make compromise obvious is flawed. In reality, they fail quietly. As attackers leverage AI to automate identity abuse, the gap between prevention and detection continues to grow.
The signals are there...but disconnected
The clues of identity compromise do exist. But they are scattered.
An authentication anomaly in one tool. Suspicious network activity in another. Cloud access patterns in a third. Without correlation, these signals remain isolated and inconclusive, creating noise instead of clarity.
This fragmentation worsens in AI-driven environments where identity spans more systems, moves faster, and generates more data than analysts can realistically correlate.
For example, a user logs in from a new location. Minutes later, that identity initiates unusual SMB traffic. Shortly after, it accesses unfamiliar cloud storage. Each event appears low-risk on its own and in separate tools. Only when connected across identity, network, and cloud does the attack become clear.
Rethinking how we detect identity compromise
The question isn’t whether identity compromise is happening. It’s whether we can see it.
In the AI enterprise, identity compromise is more common, harder to detect, and faster to execute. More identities. More automation. More speed. More opportunity for attackers to hide in plain sight.
To close this gap, we need to evolve how we approach identity detection:
- Assume compromise is inevitable and focus on finding attackers already inside
- Treat identities as behavioral entities, not just credentials
- Look for abnormal patterns and movement, not just authentication anomalies
- Connect activity across identity, network, and cloud activity into a unified view
- Prioritize high-confidence signals of attacker intent
Because the most dangerous attacker isn’t the one trying to get in. It’s the one who already has, and looks like they belong.
Learn more about Vectra AI’s approach to identity-based attacks: https://youtu.be/ytWOynLTAco