Rising identity complexity: How CISOs can prevent it from becoming an attacker’s roadmap

Identity has always been the thread that stitches enterprise IT together, but the nature of that identity has changed dramatically. Twenty years ago, identity meant a username and password sitting in a corporate directory. Access was tied to a desktop on a corporate LAN. Identities were relatively static, human, and predictable.

Fast forward to today, and everything has changed. Identities aren’t just employees; they are contractors, partners, machines, bots, APIs, cloud workloads, and SaaS connectors. They aren’t static either; permissions change dynamically based on role, project, or integration. Also, identities are no longer confined to one environment. An identity now spans on-premises Active Directory, Azure AD, AWS Identity and Access Management roles, Okta tenants, and hundreds of SaaS apps. At the same time, machine-to-machine identities and SaaS integrations multiply, widening exposure.

In other words, the identity surface has exploded, and with it, so has the attack surface.

IAM shifts from administration to defense

This expansion forced IAM to change. Hybrid cloud, SaaS adoption, and remote work triggered identity sprawl, sprawling accounts, overlapping entitlements, and inconsistent controls. Misconfigurations and privilege creep became routine. Attackers noticed, and credential misuse rapidly became the easiest path for lateral movement inside an enterprise.

Security teams now face a deluge. Analysts bounce between EDR, SIEM, IAM, PAM, and MFA consoles, trying to stitch together incomplete pictures while attackers slip through with:

• Credential dumping on compromised endpoints.
• MFA fatigue leads users to approve fraudulent logins.
• Lateral movement across hybrid AD and cloud connectors.
• Living-off-the-land tactics (LotL) that abuse legitimate admin tools rather than dropping malware.

The most devastating breaches of the last five years were caused by identity failures, misconfigurations, excessive privileges, and overlooked accounts that were chained into attack paths.

The Snowflake data breach of 2024 proves the point. Attackers from the UNC5537 group compromised over 160 customer environments by using credentials stolen via infostealer malware. Numerous customer environments lacked MFA, letting attackers authenticate directly with just a username and password. Victims included AT&T, Santander, and Ticketmaster. The data exposed ranged from PII to 50 billion call records.

“The most devastating breaches of the last five years were caused by identity failures, misconfigurations, excessive privileges, and overlooked accounts that were chained into attack paths.”

As a result, IAM shifted from an operational enabler into an existential defense layer. Ten years ago, IAM success was measured in onboarding time or password reset volumes. Today, how fast you can disable a compromised account, cut off privilege escalation, and stop a breach from cascading into systemic outage determines success.

The evolution of IAM: From admin utility to defense system

IAM’s trajectory reflects the changing shape of enterprise risk:

• The operational era: IAM functioned as an administrative utility, focused on provisioning accounts, enforcing password policies, and mapping users to roles.
• The proactive era: Compliance pressures led to the introduction of SSO, MFA, and conditional access. IAM helped reduce friction, demonstrate control, and anticipate some risks. However, IAM was still rooted in prevention.
• The reactive era: Hybrid IT accelerated identity sprawl. IAM data began feeding into SIEMs to highlight suspicious logins or privilege misuse. But alerts piled up, investigations lagged, and attackers thrived in the delay.
• The continuous era: As attackers pivoted fully to identity abuse, IAM had to directly integrate with security operations. Continuous posture assessment, real-time mapping of attack paths, and automated responses, disabling suspicious accounts, revoking tokens, or triggering step-up authentication, became essential. This convergence of identity management and security operations is now recognized as identity threat detection and response (ITDR), the inevitable next phase of IAM maturity.

The old boundaries between IAM teams and SOC defenders have dissolved. If a service account is exploited to escalate privileges, is it an IAM issue or a SOC issue? The answer is both. Treating them separately only guarantees blind spots for attackers to exploit.

What CIOs and CISOs should prioritize in a threat-aware IAM strategy

The priority is not to add more point tools but to reshape IAM into a discipline that actively defends the enterprise.

That requires building on three pillars — continuous posture assessment, attack path analysis, and automated mitigation — and embedding them into everyday operations.

1. Consolidate identities into one source of truth

Fragmented directories create fragmented defense. Today, identities span employees, contractors, service accounts, bots, workloads, and SaaS connectors. If they aren’t unified, oversight is impossible.

There should be a single authoritative view of every identity, across on-premises and cloud, human and machine:

• Eliminating duplicates so each person or service maps to one record.
• Assigning clear ownership and accountability for every account and entitlement.
• Establishing baseline indicators, such as privilege level, sensitivity, and exposure, to guide prioritization.

Without this foundation, posture assurance and risk analysis will always be incomplete.

2. Continuous posture assessment: Managing exposure as it happens

Quarterly reviews and annual audits no longer reflect reality. Identities shift daily; roles change, SaaS connectors are added, contractors leave, but their accounts persist. Every change introduces an invisible risk.

A modern program must move from static audits to continuous assurance:

• Detect privilege drift and surface out-of-policy access in real time.
• Flag dormant or orphaned accounts before they become footholds for attackers.
• Apply the same scrutiny to service and machine accounts as to administrators.
• Use adaptive, context-aware controls that adjust access decisions based on device health, location, session history, and role criticality.
• Incorporate behavior analytics to spot anomalies such as impossible logins, mass data pulls, or unusual privilege use.
• Run recurring access reviews tied to business owners, ensuring entitlements remain appropriate and defensible.

This transforms posture from a backward-looking compliance exercise into a living risk picture.

3. Attack path analysis: Exposing how compromises spread

Attackers rarely exploit a single flaw. They chain together small missteps, a misconfigured role, an overprivileged account, and a forgotten SaaS connector into privilege-escalation routes that span the enterprise.

There should be visibility into how the compromise would actually unfold:

• Map relationships across users, groups, roles, apps, and domains.
• Identify privilege-escalation pathways that could elevate a low-level account to domain or cloud admin.
• Assess the blast radius of a single compromised identity and quantify the business impact.
• Run simulations to test how quickly attackers could move through the environment.
• Maintain a rolling view of the riskiest accounts and entitlements, prioritized by exposure and sensitivity.

This shifts IAM from a static entitlement directory into a dynamic attack graph. Never guess where attackers might go; see it mapped in advance and address choke points before they are exploited.

4. Pull identity into the SOC nerve center

Historically, IAM was treated as “administration”, and the SOC as defense. Attackers exploit that divide. A service account abused for lateral movement is both an IAM failure and a SOC failure, and if those teams operate in silos, attackers win.

Ensure IAM becomes part of the SOC’s muscle memory:

• Stream identity signals — privilege changes, anomalous behavior, attack-path alerts — into SIEM and SOAR pipelines.
• Give SOC analysts the authority to disable accounts, revoke tokens, or force step-up authentication directly through IAM controls.
• Run joint exercises so that detection and containment are practiced motions, not organizational debates.

By integrating IAM into operations, leaders ensure that identity compromises are treated as security events, not administrative problems.

The identity imperative

Enterprises have layered on countless security controls, yet attackers still find their way in because identity is the connective tissue binding every system, cloud, and workflow. That makes IAM more than a security tool; it is the foundation of resilience.

For CIOs and CISOs, the question is no longer whether to invest in IAM, but how to approach it with the urgency of a defense program instead of the cadence of IT administration.

“The question is no longer whether to invest in IAM, but how to approach it with the urgency of a defense program instead of the cadence of IT administration.”

This is the heart of a threat-aware IAM strategy: Continuous posture assessment, attack-path visibility, and automated containment that elevate identity from a neglected weakness into the control plane of enterprise defense.

In a world without perimeters, where every workload, bot, and partner account can be an attacker’s opening move, defending identity with the same rigor once reserved for networks and endpoints is what separates enterprises that withstand modern attacks from those that become the next headline.

As the enterprise IT management division of Zoho Corp., ManageEngine empowers you to take control of your IT, from your security, networks, and servers to your applications, service desk, Active Directory, desktops, and mobile devices.

Learn More

The latest from ManageEngine