Why is identity security suddenly so important?

By Expel team

Last updated: May 22, 2026

Identity security is the practice of protecting user accounts, credentials, access privileges, and authentication systems against compromise, abuse, and unauthorized access. It encompasses IAM governance, privileged access management, and—critically—runtime detection and response for active identity attacks.

For several years, identity has been the most attacked surface. In 2025, 68.6% of all incidents Expel’s SOC saw involved identity. (Source: Expel 2026 Annual Threat Report)

Key takeaways

  • The security perimeter didn’t disappear—it became identity, as cloud adoption moved access control from network edges to credentials, tokens, and OAuth grants
  • Credential breach datasets now number in the billions, MFA has been systematically bypassed, and SaaS sprawl has created unmonitored identity systems across most enterprise environments
  • Identity sprawl—the uncontrolled proliferation of service accounts, machine identities, and OAuth grants—creates an attack surface most organizations can’t fully see or baseline
  • Zero trust and ITDR are complementary: zero trust verifies identity before granting access; ITDR detects when that verification has been circumvented
  • The IAM-ITDR gap is where most identity breaches happen: valid credentials pass every governance check, so the abuse is only visible to behavioral detection


A decade ago, the security perimeter was a network boundary. You defended the edge, and everything inside was relatively trusted. That model is gone. Today, users authenticate from personal devices on home networks, access cloud-hosted applications from many countries, and operate across dozens of SaaS platforms that each manage their own identity system. The perimeter didn’t disappear; it became identity. Identity threat detection and response (ITDR) emerged from this shift as the detection layer that identity governance tools were never designed to provide. This page explains why identity security became enterprise security’s most urgent discipline, and what a credible defense actually requires.


What changed? Why identity is now the primary attack surface 

The shift wasn’t sudden—it accumulated over roughly a decade of structural changes in how organizations operate.

Cloud adoption moved workloads outside the network perimeter. When applications lived on-premises, protecting the network edge protected the application. When applications moved to AWS, Azure, and SaaS platforms, access to them became controlled entirely by identity—credentials, tokens, and OAuth grants. There’s no network edge to defend.

Credential breach datasets became massive. The volume of credentials available to attackers from prior data breaches is now measured in billions. Services like HaveIBeenPwned have catalogued over 14 billion breached accounts. Credential stuffing—trying known username and password combinations against enterprise applications—works at scale because password reuse is endemic.

MFA adoption exposed its own gaps. Multi-factor authentication is essential, but it also created a false sense of completeness, and attackers adapted. Push bombing floods a user with approval prompts until fatigue or confusion produces an approval. Adversary-in-the-middle (AiTM) phishing proxies the real login page, relays the MFA challenge to the victim, and captures the session cookie the identity provider issues after authentication, so the attacker never has to defeat the second factor at all. SIM swapping takes over the phone number that SMS and voice-based factors depend on. MFA reduces risk; it doesn’t eliminate the credential attack surface.

SaaS sprawl created unmonitored identity systems. The average enterprise runs over 130 SaaS applications. Each has its own user directory, its own authentication events, and its own audit log—most of which never reach the central SIEM. Attackers target the least-monitored entry points.
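The three credential-side techniques above (credential stuffing, push bombing, and AiTM session replay) each leave a distinct pattern in identity-provider audit logs. The following Python example, added here and not code from Expel or from the original page, runs a simple detection for each over a small set of constructed sign-in events. The JSON field names, the event types, the thresholds, and the events themselves are all assumptions chosen for illustration, not any particular IdP’s schema.

```python
"""Three identity-attack detections over constructed IdP audit events.

Added example. Field names (time, event, user, src_ip, outcome, mfa_result,
session_id) and thresholds are assumptions, not a real IdP schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample events (not real telemetry). 198.51.100.7 sprays six
# accounts, lands dave's password, then push-bombs him; erin is phished
# through an AiTM proxy (192.0.2.44) and her session cookie is replayed.
SAMPLE_EVENTS = """\
{"time":"2025-03-01T09:00:01Z","event":"login","user":"alice","src_ip":"203.0.113.10","outcome":"failure"}
{"time":"2025-03-01T09:00:20Z","event":"login","user":"alice","src_ip":"203.0.113.10","outcome":"success"}
{"time":"2025-03-01T09:00:21Z","event":"session_issued","user":"alice","src_ip":"203.0.113.10","session_id":"s-a1"}
{"time":"2025-03-01T09:30:00Z","event":"session_use","user":"alice","src_ip":"203.0.113.10","session_id":"s-a1"}
{"time":"2025-03-01T09:00:05Z","event":"login","user":"bob","src_ip":"198.51.100.7","outcome":"failure"}
{"time":"2025-03-01T09:00:09Z","event":"login","user":"carol","src_ip":"198.51.100.7","outcome":"failure"}
{"time":"2025-03-01T09:00:14Z","event":"login","user":"dave","src_ip":"198.51.100.7","outcome":"failure"}
{"time":"2025-03-01T09:00:19Z","event":"login","user":"erin","src_ip":"198.51.100.7","outcome":"failure"}
{"time":"2025-03-01T09:00:23Z","event":"login","user":"frank","src_ip":"198.51.100.7","outcome":"failure"}
{"time":"2025-03-01T09:00:28Z","event":"login","user":"grace","src_ip":"198.51.100.7","outcome":"failure"}
{"time":"2025-03-01T09:01:40Z","event":"login","user":"dave","src_ip":"198.51.100.7","outcome":"success"}
{"time":"2025-03-01T09:02:00Z","event":"mfa","user":"dave","src_ip":"198.51.100.7","mfa_result":"denied"}
{"time":"2025-03-01T09:02:30Z","event":"mfa","user":"dave","src_ip":"198.51.100.7","mfa_result":"denied"}
{"time":"2025-03-01T09:03:00Z","event":"mfa","user":"dave","src_ip":"198.51.100.7","mfa_result":"timeout"}
{"time":"2025-03-01T09:03:30Z","event":"mfa","user":"dave","src_ip":"198.51.100.7","mfa_result":"denied"}
{"time":"2025-03-01T09:05:00Z","event":"mfa","user":"dave","src_ip":"198.51.100.7","mfa_result":"approved"}
{"time":"2025-03-01T10:15:00Z","event":"login","user":"erin","src_ip":"192.0.2.44","outcome":"success"}
{"time":"2025-03-01T10:15:02Z","event":"mfa","user":"erin","src_ip":"192.0.2.44","mfa_result":"approved"}
{"time":"2025-03-01T10:15:05Z","event":"session_issued","user":"erin","src_ip":"192.0.2.44","session_id":"s-e9"}
{"time":"2025-03-01T10:20:00Z","event":"session_use","user":"erin","src_ip":"198.51.100.7","session_id":"s-e9"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'time', sorted chronologically."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["time"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["time"])


def credential_stuffing(events, min_users=5, window=timedelta(minutes=10)):
    """Source IPs that fail logins against >= min_users distinct accounts in one window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["outcome"] == "failure":
            by_ip[e["src_ip"]].append(e)
    flagged = {}
    for ip, fails in by_ip.items():           # fails is already time-ordered
        for i, start in enumerate(fails):
            users = {f["user"] for f in fails[i:] if f["time"] - start["time"] <= window}
            if len(users) >= min_users:
                flagged[ip] = len(users)
                break
    return flagged


def push_bombing(events, min_prompts=3, window=timedelta(minutes=10)):
    """Users with >= min_prompts unapproved pushes in a window; 'succeeded' if an
    approval follows the burst inside the same window (the high-value signal)."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa":
            by_user[e["user"]].append(e)
    verdicts = {}
    for user, prompts in by_user.items():
        for i, start in enumerate(prompts):
            burst = [p for p in prompts[i:] if p["time"] - start["time"] <= window]
            unapproved = [p for p in burst if p["mfa_result"] != "approved"]
            if len(unapproved) >= min_prompts:
                approved_after = any(p["mfa_result"] == "approved"
                                     and p["time"] > unapproved[-1]["time"] for p in burst)
                verdicts[user] = "succeeded" if approved_after else "attempted"
                break
    return verdicts


def session_reuse(events):
    """Sessions used from a source other than the one they were issued to (AiTM replay).
    Raw IP comparison is the crudest form; production logic compares ASN/geo
    so NAT and mobile-carrier address changes do not page the SOC."""
    issued_from, alerts = {}, {}
    for e in events:
        if e["event"] == "session_issued":
            issued_from[e["session_id"]] = e["src_ip"]
        elif e["event"] == "session_use":
            origin = issued_from.get(e["session_id"])
            if origin is not None and e["src_ip"] != origin:
                alerts[e["session_id"]] = (e["user"], origin, e["src_ip"])
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("credential stuffing:", credential_stuffing(evs))
    print("push bombing:", push_bombing(evs))
    print("session reuse:", session_reuse(evs))
```

Note what each detector keys on: stuffing is a property of the source, not of any one account (single-account lockout thresholds never fire); push bombing is a burst of unapproved prompts followed by an approval; AiTM replay is a session artifact that moves between networks after issuance, which is why the MFA event itself looks perfectly normal.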

Figure: Timeline showing the evolution of enterprise security from network perimeter defense to identity-centered security in cloud and SaaS environments.


What is identity sprawl, and why does it matter? 

Identity sprawl refers to the uncontrolled proliferation of user accounts, service accounts, OAuth grants, API keys, and access privileges across cloud and SaaS environments. It’s a natural byproduct of cloud adoption—and it’s now one of the most exploited conditions in enterprise security.

In a mature cloud environment, identities include not just human users but service accounts, automated pipelines, third-party integrations, machine identities, and temporary credentials issued by cloud IAM systems. Most of these identities are under-monitored and over-privileged. Service accounts in particular tend to accumulate permissions over time and are rarely audited with the same rigor as human accounts.

For attackers, identity sprawl is an opportunity: there are more accounts to target, more credentials to steal, and more overlooked service accounts to pivot through. For defenders, it creates a detection problem—you can’t establish behavioral baselines for accounts you don’t know exist.

Effective identity security starts with an inventory of every identity type in the environment (human users, service accounts, machine identities, API keys, OAuth grants), a behavioral baseline for each, and a revocation process that first disables and then removes credentials and accounts that are no longer used.

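The inventory-and-revocation step above is mechanical enough to script. The following Python example, added here and not Expel’s tooling, triages a constructed credential inventory: it labels each identity as human or machine, flags unused passwords, missing MFA, and stale or unrotated access keys, and lists revocation candidates. The CSV keeps a subset of the column names that an AWS IAM credential report uses (the report is produced by `aws iam generate-credential-report`), but every row, the evaluation date, and the 90/365-day thresholds are assumptions.

```python
"""Identity-sprawl triage over a constructed credential inventory.

Added example, not Expel's code. Column names follow a subset of the AWS IAM
credential report; the rows, REPORT_TIME and the thresholds are made up.
"""
import csv
from datetime import datetime, timedelta, timezone
from io import StringIO

# Constructed inventory: one human with MFA, one healthy CI service account,
# one forgotten backup account, one departed contractor.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T08:00:00+00:00,true,2025-02-27T14:02:11+00:00,true,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-06-01T00:00:00+00:00,false,not_supported,false,true,2022-06-01T00:00:00+00:00,2025-02-28T03:10:00+00:00
legacy-backup,arn:aws:iam::123456789012:user/legacy-backup,2021-03-15T00:00:00+00:00,false,not_supported,false,true,2021-03-15T00:00:00+00:00,2023-11-02T09:00:00+00:00
contractor-jo,arn:aws:iam::123456789012:user/contractor-jo,2024-05-20T00:00:00+00:00,true,2024-06-30T10:00:00+00:00,false,true,2024-05-20T00:00:00+00:00,N/A
"""

# Fixed evaluation time so the results are reproducible (assumption).
REPORT_TIME = datetime(2025, 3, 1, tzinfo=timezone.utc)


def _date(value):
    """The report uses several placeholders for 'no date'; treat them all as None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def classify(row, now, stale_days=90, rotate_days=365):
    """Return (identity_type, findings) for one inventory row."""
    stale = timedelta(days=stale_days)
    findings = []
    has_password = row["password_enabled"] == "true"
    key_active = row["access_key_1_active"] == "true"
    created = _date(row["user_creation_time"])

    if has_password:
        # A never-used password counts from account creation.
        last = _date(row["password_last_used"]) or created
        if now - last > stale:
            findings.append("unused-password")
        if row["mfa_active"] != "true":
            findings.append("no-mfa")

    if key_active:
        rotated = _date(row["access_key_1_last_rotated"]) or created
        # A never-used key counts from its last rotation (i.e. its creation).
        last = _date(row["access_key_1_last_used_date"]) or rotated
        if now - last > stale:
            findings.append("stale-access-key")
        if now - rotated > timedelta(days=rotate_days):
            findings.append("unrotated-access-key")

    # Heuristic: key-only identities with no console password are machine identities.
    identity_type = "machine" if key_active and not has_password else "human"
    return identity_type, findings


def triage(report_text, now):
    """Map every user in the report to its (identity_type, findings)."""
    rows = csv.DictReader(StringIO(report_text))
    return {r["user"]: classify(r, now) for r in rows}


def revocation_candidates(results):
    """Identities with no recent legitimate use: disable first, delete after a quiet period."""
    return sorted(user for user, (_, findings) in results.items()
                  if "unused-password" in findings or "stale-access-key" in findings)


if __name__ == "__main__":
    results = triage(CREDENTIAL_REPORT, REPORT_TIME)
    for user, (kind, findings) in results.items():
        print(f"{user:15} {kind:8} {', '.join(findings) or 'ok'}")
    print("revoke:", revocation_candidates(results))
```

The machine/human split matters for the next step: a stale human password is a deprovisioning failure, while a stale machine key is usually an integration nobody owns any more, and the unrotated-but-active CI key is the case that passes every governance check and still needs a behavioral baseline.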

How does remote and hybrid work expand the identity attack surface?

Remote and hybrid work permanently altered the identity attack surface in three ways.

First, it destroyed the “trusted network” heuristic. When users worked on-site, authentication from a corporate IP address was a meaningful signal. Remote work means authentication from home networks, coffee shops, hotel Wi-Fi, and VPN exit nodes in dozens of countries. Location-based trust signals became noise.

Second, it increased phishing exposure. Remote workers rely more heavily on email, Slack, and collaboration tools—all common phishing vectors. Without the informal friction of an office environment (“did you send me this link?”), social engineering attacks succeed at higher rates.

Third, it accelerated SaaS adoption. Teams standing up their own productivity and collaboration tools without IT oversight created shadow IT: SaaS accounts outside central IAM management, producing identity telemetry no one is monitoring.

Identity security in remote and hybrid environments requires behavioral baselines that account for legitimate location variance, device fingerprinting, and visibility into SaaS platforms that exist outside central directory control. For a detailed breakdown, see ITDR for remote and hybrid workforces.

 

What’s the connection between zero trust and identity security?

Zero trust is an architectural principle: never trust, always verify. Every access request—regardless of source, network location, or prior authentication—should be verified before access is granted.

Identity is the verification mechanism zero trust depends on. Zero trust architecture says “always verify identity before granting access.” ITDR asks a harder question: what if the identity being presented has been compromised? Zero trust verifies; ITDR detects when verification has been circumvented.

In practice, zero trust and ITDR are complementary layers of an identity-centered security program:

  • Zero trust enforces strong authentication, conditional access policies, and least-privilege access controls—reducing the attack surface
  • ITDR detects when those controls have been bypassed—compromised credentials, stolen tokens, MFA bypass—and triggers a response

Organizations implementing zero trust without ITDR have robust access controls but no detection layer for when those controls fail. Identity attacks succeed precisely at that moment of bypass: a stolen session that has already passed every policy check looks like a legitimate session to the enforcement layer.


Where does IAM end and identity security begin? 

IAM (identity and access management) governs who has access to what. It handles provisioning, deprovisioning, role assignments, MFA enforcement, and policy compliance. IAM is governance-layer security—it controls the rules.

Identity security—specifically ITDR—operates at the runtime detection layer. It assumes that IAM controls will sometimes fail (credentials will be stolen, MFA will be bypassed, sessions will be hijacked) and provides the behavioral monitoring to detect when they do.

The IAM-ITDR gap is the space where most identity breaches happen: an attacker with valid credentials passes every IAM policy check, produces legitimate-looking authentication events, and operates undetected until they’ve caused significant damage—or until a behavioral anomaly triggers a detection.
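This is the gap a behavioral baseline closes, and it is also the baseline the remote-work section above asks for: one that tolerates a user’s legitimate location variance while still catching the sign-in that no policy rejected. The following Python example, added here and not Expel’s detection logic, learns per-user baselines (countries, devices, last sign-in location) from a constructed history and then scores new sign-ins for a new country, a new device, and impossible travel. The users, the sign-ins, the city coordinate table, and the 900 km/h threshold are all assumptions; a real pipeline would geolocate IPs and read sign-ins from the IdP.

```python
"""Per-identity behavioral baselining over constructed sign-in history.

Added example, not Expel's code. Sign-ins, the GEO table and thresholds are
assumptions for illustration. Every event here is a successful, policy-
compliant sign-in; only behavior separates the attacker from the user.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed coordinates and country for the sample cities (a real pipeline
# would use an IP geolocation database).
GEO = {"London": (51.51, -0.13, "GB"), "Lisbon": (38.72, -9.14, "PT"),
       "Toronto": (43.65, -79.38, "CA"), "Lagos": (6.52, 3.38, "NG")}

# Constructed training sign-ins: (user, time, city, device). Alice
# legitimately splits her time between the UK and Portugal; Bob has only
# ever signed in from Toronto on one Windows laptop.
HISTORY = [
    ("alice", datetime(2025, 3, 1, 9, 0), "London", "d-alice-mac"),
    ("bob", datetime(2025, 3, 1, 8, 50), "Toronto", "d-bob-win"),
    ("alice", datetime(2025, 3, 2, 9, 30), "Lisbon", "d-alice-mac"),
    ("alice", datetime(2025, 3, 3, 17, 0), "London", "d-alice-mac"),
    ("bob", datetime(2025, 3, 4, 9, 0), "Toronto", "d-bob-win"),
]
# Constructed new sign-ins to score against the baseline.
NEW_EVENTS = [
    ("alice", datetime(2025, 3, 4, 8, 0), "Lisbon", "d-alice-mac"),   # normal for her
    ("alice", datetime(2025, 3, 4, 12, 0), "Lisbon", "d-unknown"),    # new device only
    ("bob", datetime(2025, 3, 4, 9, 45), "Lagos", "d-unknown"),       # stolen credentials
]
MAX_SPEED_KMH = 900  # faster than an airliner between two sign-ins = impossible travel


def km(city_a, city_b):
    """Great-circle distance between two cities in the GEO table (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (GEO[city_a][0], GEO[city_a][1],
                                           GEO[city_b][0], GEO[city_b][1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def build_baseline(history):
    """Per-user set of seen countries and devices, plus the most recent sign-in."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "last": None})
    for user, t, city, device in sorted(history, key=lambda r: r[1]):
        b = base[user]
        b["countries"].add(GEO[city][2])
        b["devices"].add(device)
        b["last"] = (t, city)
    return base


def score(event, baseline):
    """Findings for one sign-in. Only 'last' is updated here: countries and
    devices join the baseline after an analyst confirms the activity, otherwise
    the attacker's first sign-in would train the model for the second."""
    user, t, city, device = event
    b = baseline[user]
    findings = []
    if GEO[city][2] not in b["countries"]:
        findings.append("new_country")
    if device not in b["devices"]:
        findings.append("new_device")
    if b["last"] is not None:
        last_t, last_city = b["last"]
        hours = (t - last_t).total_seconds() / 3600
        if last_city != city and hours > 0 and km(last_city, city) / hours > MAX_SPEED_KMH:
            findings.append("impossible_travel")
    b["last"] = (t, city)
    return findings


def severity(findings):
    if "impossible_travel" in findings and "new_country" in findings:
        return "high"
    if len(findings) >= 2:
        return "medium"
    return "low" if findings else "none"


def evaluate(history, events):
    """Score events in time order against a baseline built from history."""
    baseline = build_baseline(history)
    out = []
    for ev in sorted(events, key=lambda r: r[1]):
        f = score(ev, baseline)
        out.append({"user": ev[0], "time": ev[1].isoformat(), "findings": f,
                    "severity": severity(f)})
    return out


if __name__ == "__main__":
    for r in evaluate(HISTORY, NEW_EVENTS):
        print(r)
```

Alice’s Lisbon sign-in produces nothing because Portugal is in her baseline, which is the location variance a static geo-fence would have flagged; Bob’s Lagos sign-in is the IAM-ITDR gap in miniature: valid credentials, a successful authentication, and three behavioral findings at once.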

                    IAM                                       ITDR
Layer               Governance                                Detection and response
When it operates    At provisioning and policy enforcement    At runtime, during and after authentication
Primary question    Does the account have the right access?   Is this account behaving the way it normally does?
Threat response     Not designed for active threats           Purpose-built for real-time detection and response


Expel’s take

In 2025, 68.6% of all incidents Expel’s SOC investigated involved identity, a figure that reflects a structural shift in how attacks work, not just a bad year. It’s the product of converging conditions: credential breach datasets now number in the billions, MFA bypass techniques have matured to the point where push-based MFA is no longer a reliable control on its own, and the average enterprise runs identity across dozens of SaaS platforms most security teams aren’t monitoring. Cloud adoption didn’t just expand the identity attack surface; it moved it somewhere most defenses weren’t positioned to watch.


Frequently asked questions 

Why is identity security suddenly so important? 

Cloud adoption moved access control from network edges to identity systems. Credential breach datasets now number in the billions, enabling widespread credential stuffing. MFA has been systematically bypassed through push bombing and AiTM phishing. And SaaS sprawl has created unmonitored identity systems across most enterprise environments—giving attackers more entry points and defenders less visibility.

What is identity sprawl? 

Identity sprawl is the uncontrolled proliferation of user accounts, service accounts, API keys, OAuth grants, and machine identities across cloud and SaaS environments. It creates an expanded, under-monitored attack surface—attackers target over-privileged service accounts and rarely audited credentials that organizations may not even know exist.

What is the connection between zero trust and identity security? 

Zero trust verifies identity before granting access. ITDR detects when that verification has been circumvented—when an attacker is operating with stolen credentials, a bypassed MFA token, or a hijacked session. Zero trust reduces the attack surface; ITDR detects breaches in the control. Both are required for a complete identity security program.

Where does IAM end and identity security begin? 

IAM governs access—provisioning, policy enforcement, role assignments. ITDR operates at runtime, detecting when valid, policy-compliant credentials are being abused by an attacker. The gap between them is where most identity breaches occur: an attacker with stolen credentials passes every IAM check and operates undetected until behavioral detection surfaces the anomaly.