Identity Risk Intelligence – The Missing Piece in Continuous Threat Exposure Management (CTEM)


In today’s cybersecurity landscape, identity is no longer just a credentialing concern; it is the battleground. With attackers increasingly bypassing traditional defenses by compromising valid credentials, the phrase “identity is the new perimeter” has become a strategic reality. Modern cyber defenses must therefore be identity-centric, and organizations must pivot to identity-centric approaches, especially within Continuous Threat Exposure Management (CTEM) programs.

The Rise of Identity-Driven Risk

Modern breaches are no longer dominated by malware. Adversaries now favor tactics that “log in” rather than “break in.” Some reports show that up to 80% of cyber incidents involve compromised credentials. Even more alarming, 79% of observed attacks are malware-free, exploiting valid access paths through identity systems like Active Directory (AD) and Azure AD.

Real-world examples emphasize the consequences:

These events confirm that traditional defenses (e.g. firewalls, endpoint security, and patch management) are no longer sufficient on their own. Identity security must be elevated to a first-class discipline within any CTEM framework.

CTEM: A New Security Operating Model

CTEM, as outlined by Gartner, is a five-stage, iterative cycle designed to reduce exposure to evolving threats. Its stages (Scoping, Discovery, Prioritization, Validation, and Mobilization) enable proactive, continuous management of cyber risk. To succeed, each stage must explicitly include identity considerations:

  • Scoping: Define all identity-related assets, from human users to non-human identities (NHIs), across on-prem, SaaS, and multi-cloud.
  • Discovery: Identify weak configurations, excessive privileges, dormant accounts, and credential exposures.
  • Prioritization: Rank exposures based on business impact. For example, an unprotected domain admin account poses more risk than an unpatched system.
  • Validation: Simulate attacks to confirm whether exposures are exploitable, especially through identity-based red teaming.
  • Mobilization: Act on findings by tightening controls, applying least privilege, enforcing MFA, and improving identity hygiene.

Gartner projects that organizations that embrace CTEM will be three times less likely to experience a breach by 2026. But this depends on closing a critical gap: identity risk.

Identity Sprawl: The Expanding Attack Surface

Modern enterprises manage thousands of identities: human, machine, and service-based. Identity sprawl has exploded due to remote work, SaaS adoption, and hybrid cloud architectures. Non-human identities, such as API tokens and service accounts, now outnumber human users by as much as 50 to 1 in some organizations.

This sprawl introduces fragmentation and complexity:

  • Dormant or orphaned accounts persist after offboarding.
  • Over-permissioned roles violate least privilege principles.
  • Shadow identities and inconsistent IAM policies become blind spots.

These factors all widen the identity attack surface, which is exactly what attackers who rely on reconnaissance, credential theft, and privilege escalation look for.
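As an added illustration (not code from the article or from Constella Intelligence), the following Python script applies the Discovery and Prioritization stages described above to identity data and runs the sprawl checks just listed: it takes a constructed inventory export, flags privileged accounts without MFA, orphaned accounts (owner gone) and dormant accounts, and ranks them with a weighting that puts an unprotected admin above a hygiene issue on an ordinary account. The field names, the 90-day dormancy threshold and the weights are assumptions chosen for the example, not a standard.

```python
from datetime import date

# Constructed identity inventory export (no real accounts). `kind` separates
# human users from non-human identities (NHIs) such as service accounts and tokens.
# The field names are an assumption about what a directory/IAM export carries.
TODAY = date(2025, 6, 1)
DORMANT_DAYS = 90

INVENTORY = [
    {"name": "alice",           "kind": "human", "privileged": True,  "mfa": True,  "last_login": "2025-05-30", "owner_active": True},
    {"name": "bob",             "kind": "human", "privileged": False, "mfa": False, "last_login": "2025-01-15", "owner_active": False},
    {"name": "svc-backup",      "kind": "nhi",   "privileged": True,  "mfa": False, "last_login": "2025-05-29", "owner_active": True},
    {"name": "api-token-ci",    "kind": "nhi",   "privileged": False, "mfa": False, "last_login": "2024-11-02", "owner_active": True},
    {"name": "domadmin-legacy", "kind": "human", "privileged": True,  "mfa": False, "last_login": "2024-12-01", "owner_active": False},
]

# Weight of each finding (assumed values). Privileged accounts double the total so
# that an unprotected admin ranks above a hygiene issue on an ordinary account.
WEIGHTS = {"privileged_no_mfa": 8, "orphaned": 5, "dormant": 3}


def assess(identity, today=TODAY, dormant_days=DORMANT_DAYS):
    """Discovery step: return the exposure findings for one identity."""
    findings = []
    if identity["privileged"] and not identity["mfa"]:
        findings.append("privileged_no_mfa")
    if not identity["owner_active"]:
        findings.append("orphaned")          # persisted after offboarding
    idle_days = (today - date.fromisoformat(identity["last_login"])).days
    if idle_days > dormant_days:
        findings.append("dormant")
    return findings


def score(identity, findings):
    """Business-impact weighting: same findings count double on a privileged account."""
    base = sum(WEIGHTS[f] for f in findings)
    return base * 2 if identity["privileged"] else base


def prioritize(inventory, today=TODAY):
    """Prioritization step: rank identities by exposure score, highest first."""
    rows = []
    for ident in inventory:
        findings = assess(ident, today)
        rows.append({"name": ident["name"], "kind": ident["kind"],
                     "findings": findings, "score": score(ident, findings)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def sprawl_summary(inventory):
    """Scoping aid: identities per kind and the NHI-to-human ratio."""
    counts = {}
    for ident in inventory:
        counts[ident["kind"]] = counts.get(ident["kind"], 0) + 1
    humans = counts.get("human", 0)
    counts["nhi_per_human"] = round(counts.get("nhi", 0) / humans, 2) if humans else None
    return counts


if __name__ == "__main__":
    for row in prioritize(INVENTORY):
        print(f"{row['score']:3d}  {row['name']:<16} {row['kind']:<6} {', '.join(row['findings']) or '-'}")
    print(sprawl_summary(INVENTORY))
```

On the constructed data the dormant, orphaned domain admin without MFA lands at the top of the queue and the fully protected, active admin at the bottom, which is the ordering the Prioritization stage asks for.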

Beyond IAM: The Emergence of Identity Risk Intelligence

Traditional Identity and Access Management (IAM) focuses on authentication, authorization, and lifecycle management. While essential, IAM systems are largely preventive and policy-based. They do not monitor for identity misuse, detect behavioral anomalies, or identify exposed credentials across external threat ecosystems.

That’s where Identity Risk Intelligence comes in.

Identity Risk Intelligence, often aligned with Gartner’s emerging discipline of Identity Threat Detection and Response (ITDR), provides real-time, threat-driven visibility into identity behaviors, misconfigurations, and compromise indicators. Key capabilities include:

  • Credential exposure monitoring: Detecting leaked credentials across breach databases and dark web sources.
  • User behavior analytics: Identifying anomalies like sudden privilege escalation or abnormal login geographies.
  • Identity threat detection: Flagging brute-force, MFA fatigue, or session hijacking attempts.

By continuously evaluating how identities are used and misused, not just how they’re provisioned, security teams can prioritize threats that IAM alone would miss.
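The three capabilities listed above can be reduced to detection logic over authentication telemetry. The script below is an added example, not code from the article or from any ITDR product: it parses a constructed authentication log (key=value lines, an assumed format) and raises one alert per identity for a brute-force burst, an MFA-fatigue push storm, and an impossible-travel pair of logins whose implied speed exceeds what a traveller could achieve. Thresholds (5 failures or 3 pushes within 5 minutes, 900 km/h) are assumptions for the example.

```python
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (not from any real system). Coordinates
# are the approximate locations of the source IP as a geo-IP lookup would add.
SAMPLE_LOG = """\
2025-06-01T08:00:00Z user=alice src=203.0.113.5 lat=40.71 lon=-74.01 event=login_success
2025-06-01T08:20:00Z user=alice src=198.51.100.7 lat=51.51 lon=-0.13 event=login_success
2025-06-01T09:00:00Z user=bob src=192.0.2.10 lat=48.85 lon=2.35 event=login_failure
2025-06-01T09:00:10Z user=bob src=192.0.2.10 lat=48.85 lon=2.35 event=login_failure
2025-06-01T09:00:20Z user=bob src=192.0.2.10 lat=48.85 lon=2.35 event=login_failure
2025-06-01T09:00:30Z user=bob src=192.0.2.10 lat=48.85 lon=2.35 event=login_failure
2025-06-01T09:00:40Z user=bob src=192.0.2.10 lat=48.85 lon=2.35 event=login_failure
2025-06-01T09:00:50Z user=bob src=192.0.2.10 lat=48.85 lon=2.35 event=login_failure
2025-06-01T10:00:00Z user=carol src=192.0.2.20 lat=37.77 lon=-122.42 event=mfa_push_sent
2025-06-01T10:00:30Z user=carol src=192.0.2.20 lat=37.77 lon=-122.42 event=mfa_push_denied
2025-06-01T10:01:00Z user=carol src=192.0.2.20 lat=37.77 lon=-122.42 event=mfa_push_sent
2025-06-01T10:01:30Z user=carol src=192.0.2.20 lat=37.77 lon=-122.42 event=mfa_push_denied
2025-06-01T10:02:00Z user=carol src=192.0.2.20 lat=37.77 lon=-122.42 event=mfa_push_sent
2025-06-01T10:02:30Z user=carol src=192.0.2.20 lat=37.77 lon=-122.42 event=mfa_push_denied
2025-06-01T10:03:00Z user=carol src=192.0.2.20 lat=37.77 lon=-122.42 event=mfa_push_sent
2025-06-01T10:03:10Z user=carol src=192.0.2.20 lat=37.77 lon=-122.42 event=mfa_push_approved
2025-06-01T11:00:00Z user=dave src=192.0.2.30 lat=52.52 lon=13.40 event=login_success
"""

WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, rest = line.split(" ", 1)
        fields = dict(re.findall(r"(\w+)=(\S+)", rest))
        fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def _burst(times, threshold, window):
    """True if `threshold` or more sorted timestamps fall inside any `window`."""
    j = 0
    for i in range(len(times)):
        while times[i] - times[j] > window:
            j += 1
        if i - j + 1 >= threshold:
            return True
    return False


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 6371.0 * 2 * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def detect(events, fail_threshold=5, push_threshold=3, window=WINDOW, max_speed_kmh=900):
    """Run the three identity-threat rules; return one alert per (rule, user)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        fails = [e["ts"] for e in evs if e["event"] == "login_failure"]
        if _burst(fails, fail_threshold, window):
            alerts.append({"rule": "brute_force", "user": user, "count": len(fails)})
        pushes = [e["ts"] for e in evs if e["event"] == "mfa_push_sent"]
        if _burst(pushes, push_threshold, window):          # push storm = MFA fatigue
            alerts.append({"rule": "mfa_fatigue", "user": user, "count": len(pushes)})
        logins = [e for e in evs if e["event"] == "login_success"]
        for prev, cur in zip(logins, logins[1:]):          # consecutive successes
            km = haversine_km(float(prev["lat"]), float(prev["lon"]), float(cur["lat"]), float(cur["lon"]))
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({"rule": "impossible_travel", "user": user, "km": round(km), "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The MFA-fatigue sample ends with an approved push after three denials, which is the pattern these rules exist to catch: the login that finally succeeds is exactly the one the SOC needs to look at, so the alert is keyed on the push burst, not on the outcome.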

Case Studies: When Identity Risk Intelligence Works

  1. Texas Mutual Insurance deployed a threat intelligence platform to monitor dark web forums for exposed user credentials. Alerts enabled immediate remediation, actively preventing compromise of board members and policyholders.
  2. Borden Ladner Gervais (BLG) implemented real-time, risk-based conditional access. An AI engine scored identity risks dynamically and blocked high-risk login attempts, ensuring client data remained protected.

Both organizations illustrate that proactive identity visibility transforms potential threats into manageable risks.

Operationalizing Identity Risk Intelligence in CTEM

To integrate identity risk into CTEM programs effectively, consider these recommendations:

  • Adopt an identity-first security posture: Prioritize identity protection alongside data, endpoints, and networks.
  • Enforce MFA universally: Cover service accounts and administrative roles in particular. Favor phishing-resistant methods like FIDO2 or app-based One-Time Password (OTP).
  • Inventory all identities and privileges: Use automated tools to discover, map, and continuously assess identity assets.
  • Monitor identity activity in real time: Correlate authentication logs, breach data, privilege escalations, and IAM changes within your Security Operations Center (SOC) workflows.
  • Deploy ITDR capabilities: Detect identity-based threats that bypass traditional IAM controls.
  • Practice least privilege and Just-in-Time (JIT) access: Reduce static permissions, limiting blast radius from compromise.
  • Integrate identity data into exposure scoring and incident response: Update playbooks to include credential theft, identity misuse, and cloud entitlement abuse.
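To show what the "correlate authentication logs, breach data, privilege escalations, and IAM changes" and "integrate identity data into incident response" recommendations look like in practice, here is an added Python example (not code from the article or from Constella Intelligence). It joins three constructed feeds, a credential-exposure list with the date each credential was seen, identity-provider login events, and IAM change audit records, and turns them into a severity-ranked incident queue with playbook actions: an exposed credential alone is a forced reset; a post-exposure login without MFA is high; a privilege change shortly after such a login is critical. The feed formats, the 24-hour escalation window and the severity labels are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone


def ts(s):
    """Build a UTC timestamp from the constructed ISO-8601 strings below."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed credential-exposure feed: account -> when the credential was seen exposed.
EXPOSED = {
    "bob@example.com":        ts("2025-05-28T00:00:00Z"),
    "svc-backup@example.com": ts("2025-05-20T00:00:00Z"),
    "erin@example.com":       ts("2025-05-01T00:00:00Z"),
}

# Constructed successful-login events from the identity provider.
LOGINS = [
    {"ts": ts("2025-05-29T07:15:00Z"), "user": "bob@example.com",        "mfa": False, "src": "198.51.100.23"},
    {"ts": ts("2025-05-29T09:00:00Z"), "user": "alice@example.com",      "mfa": True,  "src": "203.0.113.8"},
    {"ts": ts("2025-05-21T02:10:00Z"), "user": "svc-backup@example.com", "mfa": False, "src": "192.0.2.44"},
    {"ts": ts("2025-04-20T10:00:00Z"), "user": "erin@example.com",       "mfa": False, "src": "203.0.113.9"},
]

# Constructed IAM change audit records (group membership changes).
IAM_CHANGES = [
    {"ts": ts("2025-05-29T07:40:00Z"), "user": "bob@example.com",   "change": "group_add", "detail": "Domain Admins"},
    {"ts": ts("2025-05-15T12:00:00Z"), "user": "alice@example.com", "change": "group_add", "detail": "Helpdesk"},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def correlate(exposed, logins, changes, escalation_window=timedelta(hours=24)):
    """Join exposure, login and IAM-change data into a ranked incident queue."""
    incidents = []
    for user, seen_at in exposed.items():
        post = [l for l in logins if l["user"] == user and l["ts"] >= seen_at]
        actions = ["force credential reset"]          # always, once a credential is exposed
        if not post:
            incidents.append({"user": user, "severity": "low",
                              "post_exposure_logins": 0, "actions": actions})
            continue
        # Someone used the account after the exposure: assume the session may be hostile.
        severity = "high" if any(not l["mfa"] for l in post) else "medium"
        actions.append("revoke active sessions and tokens")
        escalations = [
            c for c in changes
            if c["user"] == user
            and any(timedelta(0) <= c["ts"] - l["ts"] <= escalation_window for l in post)
        ]
        if escalations:                                # credential theft followed by privilege gain
            severity = "critical"
            actions.append("review and roll back privilege change: " + escalations[0]["detail"])
        incidents.append({"user": user, "severity": severity,
                          "post_exposure_logins": len(post), "actions": actions})
    return sorted(incidents, key=lambda i: SEVERITY_ORDER[i["severity"]])


if __name__ == "__main__":
    for inc in correlate(EXPOSED, LOGINS, IAM_CHANGES):
        print(inc["severity"].upper(), inc["user"], "->", "; ".join(inc["actions"]))
```

The ordering matters for the SOC: an account that was added to a privileged group twenty-five minutes after a no-MFA login on an exposed credential is the first ticket worked, while an exposure with no subsequent login still gets a reset but does not interrupt the analyst.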

A Strategic Imperative

The identity attack surface is now as critical as endpoints or infrastructure, perhaps even more so. With identities granting access to everything from cloud data to internal systems, attackers are exploiting every available weakness.

By embedding Identity Risk Intelligence into CTEM, organizations close a crucial gap. They shift from passive control enforcement to active, intelligence-driven defense. This convergence of IAM, ITDR, and CTEM practices signals a new era: identity-first security.

Security leaders who recognize this will not only reduce breaches but also build adaptive, resilient cybersecurity programs that evolve alongside modern threats.

About the Author

Andres Andreu serves as both the Chief Operating Officer (COO) and Chief Information Security Officer (CISO) at Constella Intelligence. He is a 4X CISO and distinguished cybersecurity leader with credentials including CISSP, ISSAP, and Boardroom Certified Qualified Technology Expert (QTE). His diverse career spans federal law enforcement, where he earned three U.S. Department of Justice awards for contributions to lawful intercept technology, corporate leadership at Hearst, Ogilvy & Mather and 2U, Inc./edX, and entrepreneurial success as a founding executive at Bayshore Networks (acquired by Opswat in 2021). Recognized as a Top 100 CISO (C100) and a Top 50 Information Security Professional, he balances offensive and defensive cybersecurity strategies with a leadership philosophy that aligns executive and employee objectives. An acclaimed author of The CISO Playbook and Professional Pen Testing Web Applications, he also holds patents in cybersecurity innovations and advises at Forgepoint Capital’s Cybersecurity Advisory Council.

Andres can be reached online at LinkedIn and at our company website https://constella.ai/
