More than 97% of identity attacks are password attacks. Microsoft blocked roughly 7,000 password attacks every second in 2025. Where MFA is actually enforced, it stops more than 99.9% of those automated attacks in their tracks. The gap between knowing this and enforcing it across an entire environment is where the vast majority of enterprise security risk now lives.
The network perimeter — the idea that an organisation's security could be defined by a boundary between inside and outside, with trusted users inside and threats outside — was already a fiction before the pandemic accelerated remote work, cloud adoption, and the proliferation of devices that sit permanently outside any defined corporate boundary. In 2025, most security professionals understand this intellectually. The problem is that their controls, their tooling, and their investment allocation still reflect the architecture they understand to be obsolete. The most consequential shift in enterprise security right now is not about adopting new technology. It is about genuinely accepting that the user's identity has replaced the network boundary as the primary line of defence — and building security programmes that treat it accordingly.
The data makes the stakes concrete in ways that are difficult to dismiss. Microsoft's 2025 Digital Defense Report documented more than 600 million identity attacks per day — an average of nearly 7,000 every second. Identity-based attacks, overwhelmingly driven by password compromise rather than sophisticated technical exploitation, accounted for the initial access vector in the majority of security incidents across the organisations in Microsoft's telemetry. IBM's X-Force data showed a 32 percent surge in identity attacks year over year. The Verizon Data Breach Investigations Report consistently finds that stolen credentials are involved in the majority of breaches, a pattern that has held for years and shows no sign of changing.
The uncomfortable truth underneath all of this data is that most of these attacks succeed not because the attackers are particularly sophisticated but because the targets have not implemented controls that have been available and proven effective for years. This is not a technology gap. It is an implementation gap — and closing it is both more achievable and more urgent than most security conversations acknowledge.
Identity has replaced the network perimeter as the primary security boundary in modern enterprise environments — but most organisations' security controls still reflect the old perimeter-centric model they have conceptually abandoned.
Why Identity Became the Primary Attack Surface
The shift from network-perimeter attacks to identity attacks is not primarily a story about attacker sophistication. It is a story about attacker rationality. Breaking through a well-configured firewall, exploiting a patched vulnerability, or navigating endpoint detection systems requires real technical capability and carries meaningful risk of detection. Buying a valid set of credentials from an infostealer malware campaign, trying a list of common passwords against a cloud email portal, or social engineering a help desk employee into resetting a password requires far less. And the results are equivalent — valid credentials that grant legitimate-looking access to the systems the attacker wants to reach.
The economics of identity attacks have improved dramatically for attackers over the past five years. Infostealer malware — software that silently harvests saved passwords and session tokens from infected devices and transmits them to criminal infrastructure — is widely available as a service for negligible cost. IBM X-Force observed the exposure of more than 300,000 AI platform credentials through infostealer campaigns in 2025 alone. Dark web marketplaces where harvested credentials are sold operate at scale, with prices for corporate email credentials from specific industries or geographies available on what amounts to a commodity market. A determined attacker no longer needs to break in — they can buy the keys.
The proliferation of cloud applications and remote work has expanded the credential attack surface in ways that most organisations have not fully mapped. Every SaaS application an employee uses is a potential credential target. Every personal device used for work is a potential infostealer host. Every third-party partner with access to corporate systems is a potential entry point for credential compromise that bypasses internal controls entirely. The attack surface that identity attacks can exploit is significantly larger than the one that network attacks could reach — and it grows every time a new application is added to the environment without a commensurate review of the authentication controls protecting it.
The Service Account Blind Spot
One of the most consistently exploited gaps in enterprise identity security is the management of non-human identities — service accounts, API keys, automation credentials, and the machine-to-machine authentication tokens that modern application architectures generate at scale. These identities typically outnumber human user accounts by a significant margin in complex enterprise environments, and they are frequently managed with significantly less rigour than human accounts.
Service accounts are often created for a specific purpose, granted permissions that are broader than strictly necessary, and then forgotten as the system or integration they support evolves. Their credentials are rarely rotated. They frequently do not appear in identity governance processes designed for human users. And when they are compromised — through an exposed configuration file, a leaked API key in a code repository, or a misconfigured cloud storage bucket — they can provide persistent, broadly privileged access that attackers can leverage without triggering the behaviour-based detection systems tuned to human user patterns. CrowdStrike's 2025 threat intelligence data highlighted service account compromise as one of the most significant and underaddressed identity risks in enterprise environments.
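As an added example (not code from the page, from CrowdStrike, or from any product), here is a minimal scanner for the "leaked API key in a code repository" case. It runs over a constructed set of repository files: credential formats with a fixed shape are matched by pattern (the AWS access key ID and GitHub personal access token prefixes are real formats; the values are the AWS documentation placeholders and a made-up token), and quoted values assigned to secret-looking names are judged by Shannon entropy, so that "changeme" is ignored while a random 40-character string is reported. File names, the placeholder list and the entropy threshold are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample repository contents. The AWS values are the placeholder
# examples from AWS documentation; the GitHub token is a made-up string that
# only has the right shape. None of these are live credentials.
REPO_FILES = {
    "config/settings.py": (
        'DB_HOST = "db.internal"\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'LOG_LEVEL = "INFO"\n'
    ),
    ".github/workflows/deploy.yml": (
        "env:\n"
        "  GITHUB_TOKEN: ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"
    ),
    "src/app.py": (
        'api_key = "changeme"\n'
        'password = os.environ["APP_PASSWORD"]\n'
    ),
}

# Credential formats with a fixed, recognisable structure (real prefixes).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# A quoted value assigned to a secret-looking name; the value is then judged by entropy.
GENERIC_ASSIGN = re.compile(
    r"(?i)\b(?P<name>[a-z0-9_]*(?:secret|password|passwd|token|api_?key)[a-z0-9_]*)"
    r"\s*[:=]\s*['\"](?P<value>[^'\"]{8,})['\"]"
)

# Values that look like assignments but are obviously not live secrets (assumed list).
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "replace_me"}


def shannon_entropy(value: str) -> float:
    """Bits per character, estimated from the string's own symbol frequencies."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    """Never copy the full candidate secret into a finding, a log line or a ticket."""
    return value[:4] + "..."


def scan_file(path: str, text: str, entropy_threshold: float = 3.5) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        structured = []
        for kind, pattern in KNOWN_PATTERNS.items():
            structured += [
                {"path": path, "line": lineno, "kind": kind, "preview": redact(m.group(0))}
                for m in pattern.finditer(line)
            ]
        if structured:
            findings.extend(structured)
            continue  # a structured hit already covers this line
        m = GENERIC_ASSIGN.search(line)
        if not m or m.group("value").lower() in PLACEHOLDERS:
            continue
        entropy = shannon_entropy(m.group("value"))
        if entropy >= entropy_threshold:
            findings.append({"path": path, "line": lineno, "kind": "high_entropy_secret",
                             "name": m.group("name"), "entropy": round(entropy, 2),
                             "preview": redact(m.group("value"))})
    return findings


def scan_repo(files: dict) -> list:
    """Scan every file in a {path: contents} mapping and return all findings in file order."""
    return [f for path, text in files.items() for f in scan_file(path, text)]


if __name__ == "__main__":
    for finding in scan_repo(REPO_FILES):
        print(finding)
```

On the constructed input the scanner reports the access key ID and the high-entropy secret in `config/settings.py` and the token in the workflow file, and nothing in `src/app.py`, because the placeholder is denylisted and the environment-variable lookup carries no literal value. A real deployment would run this as a pre-commit hook and in CI, with the pattern list extended for every provider the organisation uses.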
Identity and Access Management programmes that cover human users but leave non-human identities — service accounts, API keys, automation credentials — unmanaged are securing one part of the attack surface while leaving another systematically exposed.
The MFA Gap: Why Implementation Coverage Matters More Than MFA Adoption
Multi-factor authentication is the single most effective control available for reducing identity attack success rates. Microsoft's data shows that MFA blocks more than 99.9 percent of automated credential attacks — the brute force, credential stuffing, and password spray attacks that account for the vast majority of identity compromise attempts. The figure is widely cited and accurate for what it measures. In isolation it is also misleading, because it describes the protection MFA provides where it is enforced, and it counts automated attacks rather than phishing that relays a code in real time. The protection an organisation actually receives depends entirely on the coverage of its deployment and on the strength of the factors it has chosen.
Partial MFA deployment is one of the most common and most dangerous security postures in enterprise environments. An organisation that has deployed MFA for its primary enterprise applications but left it absent on VPN access, legacy systems, partner portals, or specific user populations — contractors, part-time staff, senior executives who were exempted from the rollout — has created precisely the gaps that attackers will find and use. The attacker's approach to an MFA-protected environment is not to defeat MFA where it exists. It is to find the accounts and entry points where it does not. Incomplete coverage is not partial protection — it is a map of the unprotected paths into the environment.
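The inventory exercise this gap implies can be expressed as a small audit. The following is an added example, not from the page or from any identity provider's tooling: it models users, entry points and MFA policies with the population targeting and named exclusions that conditional-access style policies allow, then enumerates every (user, entry point) pair that no policy enforces and says why. The users, applications and policy names are constructed. The behaviours worth noting are that a report-only policy counts as nothing, that a protocol which cannot carry MFA is a gap regardless of policy, and that internet-reachable gaps are listed first.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    population: str            # employee | contractor | executive
    entry_points: frozenset    # systems this identity can sign in to


@dataclass(frozen=True)
class EntryPoint:
    name: str
    external: bool             # reachable from the internet
    can_enforce_mfa: bool      # legacy / basic-auth protocols often cannot


@dataclass(frozen=True)
class MfaPolicy:
    name: str
    populations: frozenset     # who the policy targets
    entry_points: frozenset    # where it applies; "*" means every entry point
    excluded_users: frozenset = frozenset()
    enforced: bool = True      # report-only or disabled policies protect nobody


# Constructed inventory (assumed names, not a real tenant).
ENTRY_POINTS = {ep.name: ep for ep in [
    EntryPoint("m365", external=True, can_enforce_mfa=True),
    EntryPoint("vpn", external=True, can_enforce_mfa=True),
    EntryPoint("partner-portal", external=True, can_enforce_mfa=True),
    EntryPoint("legacy-imap", external=True, can_enforce_mfa=False),
    EntryPoint("hr-system", external=False, can_enforce_mfa=True),
]}

USERS = [
    User("alice", "employee", frozenset({"m365", "vpn", "hr-system"})),
    User("bob", "contractor", frozenset({"m365", "partner-portal"})),
    User("carol", "executive", frozenset({"m365", "vpn", "legacy-imap"})),
]

POLICIES = [
    MfaPolicy("Employees: MFA everywhere", frozenset({"employee"}), frozenset({"*"})),
    # The executive exemption that every rollout seems to acquire
    MfaPolicy("Executives: MFA for M365", frozenset({"executive"}), frozenset({"m365"}),
              excluded_users=frozenset({"carol"})),
]


def gap_reason(user: User, ep: EntryPoint, policies: list) -> Optional[str]:
    """Why this (user, entry point) pair is unprotected, or None if MFA is enforced."""
    if not ep.can_enforce_mfa:
        return "entry point cannot enforce MFA (legacy protocol)"
    targeting = [p for p in policies if p.enforced and user.population in p.populations]
    if not targeting:
        return "no enforced policy targets this user population"
    applicable = [p for p in targeting if ep.name in p.entry_points or "*" in p.entry_points]
    if not applicable:
        return "no policy for this population covers this entry point"
    if all(user.name in p.excluded_users for p in applicable):
        return "user excluded from every applicable policy"
    return None


def coverage_gaps(users: list, entry_points: dict, policies: list) -> list:
    gaps = []
    for user in users:
        for name in sorted(user.entry_points):
            ep = entry_points[name]
            reason = gap_reason(user, ep, policies)
            if reason:
                gaps.append({"user": user.name, "population": user.population,
                             "entry_point": ep.name, "external": ep.external, "reason": reason})
    # Internet-reachable gaps first: those are the paths an attacker tries before any other
    gaps.sort(key=lambda g: (not g["external"], g["user"], g["entry_point"]))
    return gaps


def coverage_ratio(users: list, entry_points: dict, policies: list) -> float:
    """Share of sign-in paths (user x entry point) on which MFA is actually enforced."""
    pairs = sum(len(u.entry_points) for u in users)
    return (pairs - len(coverage_gaps(users, entry_points, policies))) / pairs


if __name__ == "__main__":
    print(f"MFA coverage: {coverage_ratio(USERS, ENTRY_POINTS, POLICIES):.0%} of sign-in paths")
    for gap in coverage_gaps(USERS, ENTRY_POINTS, POLICIES):
        print(gap)
```

On this constructed tenant the headline "we have MFA on M365" is true, yet only 3 of 8 sign-in paths are protected: the contractor population is not targeted at all, the executive is excluded by name, and the legacy IMAP endpoint cannot enforce MFA whatever the policy says. The same join against a real directory export and policy dump is the inventory step the text calls for.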
Phishing-resistant MFA — specifically FIDO2 hardware security keys and passkeys — represents a meaningful advance beyond the push-notification and SMS-based MFA that most organisations have deployed. Traditional MFA can be defeated in three well-documented ways: real-time (adversary-in-the-middle) phishing, where a proxy site captures both the password and the one-time code and replays them to the legitimate site within the code's validity window; push fatigue, where an attacker who already holds the password sends approval prompts until the user taps accept; and SIM swapping against SMS codes. Phishing-resistant methods are designed to be immune to these techniques because the authenticator signs a fresh per-login challenge together with the origin the browser is actually connected to, so a signature produced on a look-alike domain is rejected by the real site, and there is no code for a user to read out or for a proxy to relay. CISA has formally recommended phishing-resistant MFA as the baseline for high-value targets, and the organisations that have implemented it for privileged accounts and remote access are measurably better protected against the social engineering attacks that have successfully defeated push-notification MFA in high-profile incidents.
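To make the origin-binding argument concrete, here is an added example (not from the page, from CISA or from the FIDO specifications) that runs a relayed password-plus-TOTP login and a passkey-style login through a look-alike proxy. The TOTP routine is the real RFC 6238 algorithm. The passkey side is simplified: an HMAC with a per-credential secret stands in for the authenticator's private-key signature so the whole thing runs on the Python standard library, and the site names, the fixed clock and the JSON client-data layout are assumptions. What it shows is that the relying party accepts the relayed TOTP but rejects the relayed assertion, because the origin the victim's browser was on is inside the signed data.

```python
import hashlib
import hmac
import json
import os
import struct

RP_ORIGIN = "https://login.contoso.example"      # assumed legitimate site
PHISH_ORIGIN = "https://login-contoso.example"   # assumed look-alike proxy
NOW = 1_700_000_000                              # fixed clock for a reproducible run


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def client_data_hash(client_data: dict) -> bytes:
    return hashlib.sha256(json.dumps(client_data, sort_keys=True).encode()).digest()


class Authenticator:
    """The user's security key / passkey. Real FIDO2 signs with a per-site private key;
    an HMAC over a per-credential secret stands in here (assumption, not the real scheme).
    What matters is what is signed: the challenge plus the origin the browser reports,
    which neither the user nor the phishing page can alter."""

    def __init__(self, credential_key: bytes):
        self.credential_key = credential_key

    def assert_login(self, challenge: str, browser_origin: str):
        client_data = {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin}
        signature = hmac.new(self.credential_key, client_data_hash(client_data), hashlib.sha256).digest()
        return client_data, signature


class RelyingParty:
    def __init__(self):
        self.users, self.pending = {}, {}

    def register(self, username, password, totp_secret, credential_key):
        self.users[username] = {"password": password, "totp_secret": totp_secret,
                                "credential_key": credential_key}

    def login_password_totp(self, username, password, code, unix_time) -> bool:
        u = self.users[username]
        return (hmac.compare_digest(u["password"], password)
                and hmac.compare_digest(totp(u["totp_secret"], unix_time), code))

    def begin_webauthn(self, username) -> str:
        challenge = os.urandom(16).hex()
        self.pending[username] = challenge
        return challenge

    def finish_webauthn(self, username, client_data, signature) -> bool:
        challenge = self.pending.pop(username, None)        # single use, per session
        if challenge is None or client_data.get("challenge") != challenge:
            return False
        if client_data.get("origin") != RP_ORIGIN:          # the phishing-resistance check
            return False
        expected = hmac.new(self.users[username]["credential_key"],
                            client_data_hash(client_data), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


class PhishingProxy:
    """Adversary-in-the-middle hosted on PHISH_ORIGIN: forwards whatever the victim submits."""

    def __init__(self, rp: RelyingParty):
        self.rp, self.captured = rp, []

    def submit_password_totp(self, username, password, code, unix_time) -> bool:
        self.captured.append((username, password, code))   # harvested as well as relayed
        return self.rp.login_password_totp(username, password, code, unix_time)

    def submit_webauthn(self, username, key: Authenticator) -> bool:
        challenge = self.rp.begin_webauthn(username)        # a genuine challenge from the real site
        client_data, sig = key.assert_login(challenge, PHISH_ORIGIN)  # but the browser is on the proxy
        return self.rp.finish_webauthn(username, client_data, sig)


def run_scenarios() -> dict:
    rp = RelyingParty()
    totp_secret, cred_key = b"12345678901234567890", os.urandom(32)
    rp.register("victim", "Winter2025!", totp_secret, cred_key)
    key, proxy = Authenticator(cred_key), PhishingProxy(rp)

    direct_totp = rp.login_password_totp("victim", "Winter2025!", totp(totp_secret, NOW), NOW)
    relayed_totp = proxy.submit_password_totp("victim", "Winter2025!", totp(totp_secret, NOW), NOW)
    client_data, sig = key.assert_login(rp.begin_webauthn("victim"), RP_ORIGIN)
    direct_fido = rp.finish_webauthn("victim", client_data, sig)
    relayed_fido = proxy.submit_webauthn("victim", key)
    return {"totp_direct": direct_totp, "totp_via_proxy": relayed_totp,
            "fido_direct": direct_fido, "fido_via_proxy": relayed_fido}


if __name__ == "__main__":
    for scenario, ok in run_scenarios().items():
        print(f"{scenario:>15}: {'login accepted' if ok else 'rejected'}")
```

Real WebAuthn adds a second barrier the example omits: credentials are scoped to the relying-party ID, so a browser on the look-alike domain would not even offer the passkey. The origin comparison in `finish_webauthn` is the part the relying party itself is responsible for, and it is the check to look for when reviewing a vendor's "phishing-resistant" claim.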
The Privileged Access Problem
Within the broader identity security challenge, privileged access — the accounts and credentials that carry elevated permissions to modify systems, access sensitive data, or administer security controls — represents the category where compromise is most consequential and where controls need to be most rigorous. A compromised standard user account gives an attacker a foothold. A compromised privileged account can give them control of the environment.
Privileged Access Management — the discipline of inventorying, securing, and monitoring privileged credentials — has been a recognised security priority for years. The gap between its recognised importance and its actual implementation in most organisations reflects the operational complexity of retrofitting PAM controls onto environments with large numbers of privileged accounts, many of which were created without the oversight that PAM programmes require. The organisations that have implemented PAM comprehensively — including for service accounts and cloud infrastructure credentials, not just human administrator accounts — have materially reduced their exposure to the lateral movement and privilege escalation techniques that turn an initial compromise into a full breach.
AI Is Making Identity Attacks Smarter — and Defence Harder
The intersection of AI and identity security is one of the most consequential developments in the threat landscape of 2025. Attackers are using AI to make credential attacks more effective at every stage of the attack chain — from the initial reconnaissance that identifies high-value targets, through the social engineering that bypasses human judgement, to the lateral movement that maximises the value extracted from a compromised credential.
AI-generated phishing content — personalised, grammatically correct, and contextually relevant in ways that generic phishing templates never achieved — has materially increased the success rate of social engineering campaigns against even security-aware users. The FBI issued specific alerts in 2025 about AI-generated voice and video content being used to impersonate executives in business email compromise and vishing campaigns. Deepfake video calls purporting to be from senior leadership, convincing enough to deceive financial controllers and IT administrators, have resulted in documented significant financial losses and credential compromises. The social engineering attacks that were previously detectable through poor grammar, generic content, or slight visual inconsistencies are becoming increasingly difficult to distinguish from legitimate communications.
On the defensive side, AI is equally important and increasingly deployed. Behavioural analytics systems that learn the normal patterns of individual user activity — login times, locations, application usage, data access patterns — and flag deviations in real time are significantly more effective at detecting credential misuse than threshold-based rules that generate false positives at volumes that overwhelm security operations teams. An attacker using valid credentials but exhibiting behaviour patterns inconsistent with the account owner — accessing systems at unusual hours, querying data outside normal usage patterns, moving laterally to systems the account does not typically touch — can be flagged and investigated before the compromise escalates. The effectiveness of these systems depends on the quality of the baseline they have learned, which takes time to establish and requires ongoing maintenance as normal user behaviour evolves.
Identity Governance: The Foundation Most Security Programmes Skip
Identity security conversations tend to focus on authentication — the controls that verify who someone is when they try to access a system. Less attention goes to identity governance — the processes that determine what access each identity should have, ensure that access is appropriate, and revoke it promptly when it is no longer needed. This is a significant oversight, because excessive and stale access permissions are one of the most exploitable conditions that a compromised credential creates.
Access creep — the accumulation of permissions over time as users change roles, join projects, and request additional access — is endemic in most enterprise environments. A user who has been with an organisation for several years may have accumulated access to dozens of systems beyond those required for their current role, through permissions granted for past projects, temporary assignments, or requests never formally revoked. If that user's credentials are compromised, the attacker inherits access to all of those systems — a blast radius significantly larger than the attacker could have anticipated from targeting the individual based on their current role.
Identity governance programmes that enforce least-privilege access — ensuring every identity has only the access genuinely required for its current function — and that conduct regular access reviews that remove stale permissions reduce this blast radius systematically. They are not glamorous controls. They require sustained operational attention, process discipline, and the kind of cross-functional cooperation between IT, HR, and business units that does not happen without deliberate programme management. They are also among the highest-impact controls available for reducing the consequences of the identity compromises that, despite every preventive control, will still occasionally occur.
Identity governance — ensuring every account has only the access it genuinely needs, and removing stale permissions systematically — reduces the blast radius of credential compromise and is among the highest-impact security investments available to most organisations.
Building an Identity Security Programme That Actually Moves the Needle
For security leaders assessing where identity security investment will deliver the most risk reduction in their specific environment, the sequencing of controls matters considerably. The organisations that have made the most progress on identity security have generally followed a pragmatic sequence that prioritises the controls with the broadest impact first, rather than pursuing comprehensive coverage of a long capability list simultaneously.
Comprehensive MFA deployment is the first and most impactful priority. Not MFA for the primary enterprise applications — most organisations have that. MFA for every externally accessible system, every remote access method, every privileged account, and every user population including contractors and part-time staff who are frequently omitted from initial deployments. Getting to genuinely complete coverage requires an inventory of all authentication points in the environment — an exercise that consistently reveals gaps organisations were not aware of — and a programme to remediate them in priority order based on risk exposure.
Privileged access management for human administrator accounts comes next, followed by service account inventory and credential rotation programmes. Both of these require sustained operational effort rather than one-time implementation — which is why they are frequently deferred despite being well understood. Building the operational processes to maintain them requires investment in tooling, in process, and in the organisational accountability structures that ensure the work actually happens continuously rather than once and then gradually decays.
Identity threat detection — the behavioural analytics and anomaly detection capabilities that identify credential misuse in real time — closes the loop by addressing the inevitable instances of compromise that preventive controls do not stop. No identity security programme eliminates breach risk entirely. The ones that limit breach impact most effectively are those that detect unusual credential behaviour quickly, investigate promptly, and contain the affected identity before the attacker can escalate from initial access to the broader damage they are seeking to cause.
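The behavioural baselining described in the AI section above and the detection step here are the same capability, so one added example serves both; it is constructed for this page, not taken from any vendor's product. It learns a per-user baseline from a constructed sign-in log, scores later events for a new country, an unusual hour, a new application and a simplified impossible-travel check, and, in line with the caveat about baseline quality, declines to score users with too little history rather than guessing. Log format, weights and thresholds are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in logs (assumed CSV shape; not exported from any real identity provider).
BASELINE_LOG = """timestamp,user,country,app,result
2025-03-03T08:55:00+00:00,alice,GB,m365,success
2025-03-03T12:10:00+00:00,alice,GB,vpn,success
2025-03-04T09:02:00+00:00,alice,GB,m365,success
2025-03-04T14:30:00+00:00,alice,GB,hr-system,success
2025-03-05T08:47:00+00:00,alice,GB,m365,success
2025-03-05T23:15:00+00:00,alice,GB,m365,failure
2025-03-06T16:05:00+00:00,alice,GB,vpn,success
2025-03-07T09:20:00+00:00,alice,GB,m365,success
2025-03-07T17:40:00+00:00,alice,GB,m365,success
2025-03-04T10:00:00+00:00,bob,US,m365,success
2025-03-06T11:00:00+00:00,bob,US,m365,success
"""

WINDOW_LOG = """timestamp,user,country,app,result
2025-03-10T09:15:00+00:00,alice,GB,m365,success
2025-03-10T10:00:00+00:00,bob,US,m365,success
2025-03-10T17:30:00+00:00,alice,GB,m365,success
2025-03-10T18:10:00+00:00,alice,RU,admin-console,success
"""

# Weights and thresholds are illustrative; tune them against your own false-positive tolerance.
WEIGHTS = {"new_country": 3, "unusual_hour": 1, "new_app": 2, "impossible_travel": 4}
ALERT_THRESHOLD = 4
MIN_BASELINE_EVENTS = 5
TRAVEL_WINDOW = timedelta(hours=2)   # a country change faster than this is treated as impossible


def parse_log(text: str) -> list:
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["timestamp"])
    return sorted(rows, key=lambda r: r["ts"])


def build_baselines(events: list) -> dict:
    """Per-user normal: hour band, countries, apps and last successful sign-in.
    Failed sign-ins are excluded so attacker noise cannot teach the model."""
    per_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            per_user[e["user"]].append(e)
    baselines = {}
    for user, evs in per_user.items():
        if len(evs) < MIN_BASELINE_EVENTS:
            continue  # too little history to call anything anomalous
        hours = [e["ts"].hour for e in evs]
        baselines[user] = {"hour_band": (min(hours), max(hours)),
                           "countries": {e["country"] for e in evs},
                           "apps": {e["app"] for e in evs},
                           "last": evs[-1]}
    return baselines


def score_event(event: dict, baseline: dict, previous: dict):
    reasons = []
    if event["country"] not in baseline["countries"]:
        reasons.append("new_country")
    lo, hi = baseline["hour_band"]
    if not lo <= event["ts"].hour <= hi:
        reasons.append("unusual_hour")
    if event["app"] not in baseline["apps"]:
        reasons.append("new_app")
    if (previous and previous["country"] != event["country"]
            and event["ts"] - previous["ts"] < TRAVEL_WINDOW):
        reasons.append("impossible_travel")
    return sum(WEIGHTS[r] for r in reasons), reasons


def detect(baseline_text: str, window_text: str) -> list:
    baselines = build_baselines(parse_log(baseline_text))
    last_seen = {user: b["last"] for user, b in baselines.items()}
    findings = []
    for event in parse_log(window_text):
        baseline = baselines.get(event["user"])
        if baseline is None:
            findings.append({"user": event["user"], "timestamp": event["timestamp"],
                             "status": "insufficient_baseline", "score": None, "reasons": []})
            continue
        score, reasons = score_event(event, baseline, last_seen.get(event["user"]))
        last_seen[event["user"]] = event   # each event becomes context for the next one
        if score >= ALERT_THRESHOLD:
            findings.append({"user": event["user"], "timestamp": event["timestamp"],
                             "status": "alert", "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect(BASELINE_LOG, WINDOW_LOG):
        print(finding)
```

On the constructed data alice's daytime sign-ins from her usual country score zero, the 18:10 sign-in from a new country to an application she has never used, forty minutes after a sign-in from her home country, scores well above the threshold, and bob is reported as having no usable baseline rather than being silently scored against two events. The separation of a learning window from a detection window, and the exclusion of failed sign-ins from learning, are the two design choices that most affect whether a system like this produces alerts an analyst can act on.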
The identity security investment that most organisations need to make is not primarily about technology. The tools exist. The evidence for their effectiveness is overwhelming. The gap is in the implementation discipline, the organisational accountability, and the leadership commitment to see the programme through the sustained effort required to achieve genuine coverage rather than the partial deployment that creates the illusion of protection while leaving the attack paths that matter most unaddressed. Closing that gap is the most concrete risk reduction available to most enterprise security programmes in 2025 — and it starts with an honest assessment of what is actually deployed versus what is assumed to be in place.