
Modern cyber defenses increasingly need to be identity-centric. Many industry thought leaders have homed in on this, giving rise to the often heard “identity is the new perimeter”. Consequently, attackers now find it easier to log in rather than break in (https://www.tenable.com/webinars/embracing-identity-security-as-part-of-continuous-threat-exposure-management-ctem). In fact, some research shows that up to 80% of breaches involve compromised or stolen identities, typically due to poor identity hygiene (https://www.crowdstrike.com/en-us/resources/infographics/identity-security-risk-review/). This article looks at how identity risk intelligence strengthens threat protection within CTEM.
Recognizing this shift in reality, security leaders are embracing Continuous Threat Exposure Management (CTEM) as a proactive program. The goal here is to continuously uncover and mitigate all forms of risk exposure, including identity-related risks (https://www.oneidentity.com/learn/what-is-ctem.aspx). CTEM aims to move security from the reactive to a continuous, iterative cycle focused on what most threatens a given business.
Identity as the New Perimeter in CTEM
At this point it is clear that traditional security perimeters have dissolved with the rise of cloud services, mobile workforces, and remote access. As the new de-facto perimeter, verifying who is accessing assets is now foundational for trust. Attackers capitalize on identity systems like Active Directory (AD) and Azure AD to gain illicit access, monetize stolen data, and maintain persistence. A recent industry threat report found that 79% of detected attacks were “malware-free”, indicating adversaries are using valid credentials and living off the land instead of deploying malware (https://www.crowdstrike.com/en-us/blog/how-three-industry-leaders-are-stopping-identity-based-attacks-with-crowdstrike/).
In cloud ecosystem breaches, valid account abuse has become the top initial access method in over a third of incidents. These trends underscore that protecting identity systems (authentication, credentials, and privileges) is now mission-critical. Compounding matters, identity-driven attacks now readily bypass traditional network defenses. For example, in the Microsoft Midnight Blizzard breach, a nation-state actor gained access by password-spraying a test account that lacked multi-factor authentication (MFA). In another case, attackers used stolen Okta credentials to impersonate user sessions (bypassing MFA) and compromise multiple Okta customers’ data (https://www.savvy.security/blog/top-10-identity-security-breaches-of-2024-so-far/). Each of these illustrates how inadequate identity controls (e.g. weak passwords, absent MFA, or misconfigurations) can undermine an organization’s defenses. A CTEM program must treat identity as a primary attack surface and continuously scope, monitor, and harden it.
Attack Surface Expansion via Identity Sprawl
The challenge for defenders is magnified by identity sprawl: the proliferation of user and service accounts across external, on-premises, and multi-cloud environments. Enterprises today use hundreds of SaaS applications, with the average large organization using over 200 (https://www.idsalliance.org/blog/best-practices-to-ensure-successful-real-time-iga-2). This sprawl results in thousands of identity accounts and credentials that security teams must try to keep track of. Employees are only one part of the picture; there are also contractors, partners, customers, and a booming number of Non-Human Identities (NHI) (https://entro.security/blog/use-case-secure-non-human-identities/). Some research suggests that NHIs now outnumber human users by as much as 50 to 1 in many organizations. Each of these identities is a potential path of ingress to an organization. If these accounts and their access rights aren’t centrally visible and controlled, they become part of an expanding, fragmented attack surface.
Properly managing this sprawl is very difficult. Users often accumulate multiple accounts (e.g. separate logins for different cloud platforms or dev/test systems). Dormant or orphaned accounts frequently persist after employees leave or vendors finish contracts. Over time, over-permissioning creeps in – users and service principals gain far more access than necessary, violating least privilege principles. Hybrid and multi-cloud architectures contribute to this complexity leading to inconsistent security controls. As the Identity Defined Security Alliance warns, “identity sprawl and over-permissioning… is accelerating,” (https://www.idsalliance.org/blog/best-practices-to-ensure-successful-real-time-iga-2). Each unmanaged identity or excessive privilege expands an attack surface and needs to be accounted for in a CTEM strategy.
The CTEM Framework and the Identity Component
CTEM, as introduced by Gartner, is structured as an iterative five-stage cycle aimed at continuously reducing an organization’s exposure to threats (https://www.gartner.com/en/articles/how-to-manage-cybersecurity-threats-not-episodes). Rather than a one-time effort, CTEM is an ongoing program that repeats these stages to adapt to evolving threats. The five CTEM stages are:
- Scoping: define the full attack surface of the organization, all systems, applications, data, and identities that could be targeted. This includes not only servers and devices but also things like corporate social media accounts, code repositories, and third-party services. Crucially, scoping must cover identity stores (e.g. AD/Azure AD, IAM systems) and the credentials in play. Note that some of those credentials may already be in adversary hands; that possibility is part of a given scope.
- Discovery: perform in-depth discovery of assets and exposures. This goes beyond traditional Operating System (OS) vulnerability scanning and penetration testing. It must factor in software vulnerabilities and resource misconfigurations. It must also include IAM issues such as weak configurations, excessive privileges, or unknown accounts. As One Identity notes, discovery “must also include IAM assets like identities and access rights” to build a complete matrix of assets, vulnerabilities, threats, and business impact (https://www.oneidentity.com/learn/what-is-ctem.aspx). In practice, this means identifying all user and service accounts and evaluating their overall risk profiles (e.g. whether infostealer infections are associated with them).
- Prioritization: analyze and rank identified exposures based on urgency and impact. For example, take a critical vulnerability on a low-value system. It might rank below an “identity exposure” like an admin account with no MFA or an exposed credential. The CTEM framework calls for a risk-based list, considering threat likelihood, business impact, and the effectiveness of controls in place. Identity context is essential here. Security teams should prioritize exposures involving highly privileged or widely used identities (e.g., domain admins or SSO accounts) due to their potential impact if compromised.
- Validation: rigorously test and validate the true exploitability of the prioritized exposures. Moreover, validate the relevant protective mechanisms that are in place. This may involve penetration testing or red-team exercises that simulate identity-based attacks (for instance, attempting lateral movement with a captured credential to see if detection tools trigger). Validation ensures that assumed risks are real, and that proposed mitigations (like stricter access controls) actually add protective value.
- Mobilization: mobilize the organization to remediate and reduce exposure. This stage is about taking action. Action could take the form of patching vulnerabilities, addressing identity and access misconfigurations, closing policy gaps, or improving processes. It requires engaging stakeholders (IT, DevOps, business units) and implementing changes. Mobilization transitions CTEM findings into real risk reduction, after which the cycle repeats.
Gartner predicts that organizations that proactively adopt continuous exposure management will be 3× less likely to suffer a breach by 2026 (https://www.oneidentity.com/learn/what-is-ctem.aspx). Achieving that requires treating identity exposures on par with software vulnerabilities. CTEM provides the framework to do so, but it demands directed strategies, new practices, and intelligence focused on identities. This is where identity risk intelligence comes into play.
From Identity and Access Management to Identity Risk Intelligence: Big Difference
It’s important to distinguish Identity and Access Management (IAM) tools from identity risk intelligence capabilities. IAM (including identity governance and privileged access management) is primarily about enabling and restricting access:
- Authentication: ensuring users are who they claim
- Authorization: granting the right level of access to resources
- Provisioning and Deprovisioning: managing the lifecycle of identity accounts and permissions
IAM solutions strengthen account hygiene and enforce policies upfront. For example, this means requiring MFA, rotating passwords, or limiting who can access a sensitive database. These are critical preventive controls, but by themselves they don’t provide full visibility into active threats targeting identities.
Identity risk intelligence, by contrast, focuses on the threats and risk indicators associated with identities on an ongoing basis. Gartner has coined the term Identity Threat Detection and Response (ITDR) for the emerging security discipline that fills this gap. Identity risk intelligence is a key component of ITDR. Unlike traditional IAM, which might flag a policy violation or require periodic access reviews, identity risk intelligence is more proactive and context-driven. For example, IAM might ensure a user has a strong password; identity risk intelligence will alert if that password later appears in a public breach database or if the user suddenly logs in from an unusual location at some odd hour. In essence, IAM asks “Who should have access, and are they authenticated?” whereas identity risk intelligence asks “What is this identity doing, and does that behavior or configuration pose a risk?”.
Several areas may fall under identity risk intelligence:
- Exposure of Credentials and Secrets: tracking if user passwords, API keys, or session objects have been leaked or are weak. For instance, monitoring dark web and breach data for any of an organization’s accounts can reveal stolen credentials before attackers use them. This goes beyond standard IAM by ingesting external threat intelligence relevant to identity compromise.
- User Behavior Analytics (UBA): establishing baselines of normal user and service account behavior and detecting anomalies. Sudden privilege escalations, a typically dormant admin account becoming active, or active sessions from new geolocations could indicate account takeover. Identity-focused UBA aims to provide this continuous risk scoring of identities’ behavior.
- Identity Threat Detection: real-time detection of attacks targeting identity infrastructure, such as brute-force/MFA fatigue attacks.
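The baseline-and-anomaly logic described under User Behavior Analytics and Identity Threat Detection above, as an added example (not code from the article or any product it mentions): it builds a per-identity profile from a baseline period, then flags new geolocations, unusual hours, a dormant privileged account becoming active, an identity never seen in the baseline, and a run of denied MFA pushes followed by an approval. The login events are constructed sample data, and the field names and thresholds (60-day dormancy, three denials within ten minutes) are assumptions.

```python
"""Added example (not from the article): a minimal identity-behaviour baseline
with the anomaly flags described above (new geolocation, unusual hour, dormant
privileged account reactivated, possible MFA fatigue). All events are constructed
sample data; the field names and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    country: str
    privileged: bool
    mfa: str  # constructed values: "approved", "denied" or "none" (no MFA prompt)


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed events: everything before BASELINE_END is the baseline period,
# everything after it is evaluated against that baseline.
EVENTS = [
    LoginEvent(_t("2024-03-15T11:00:00"), "admin-legacy", "US", True, "approved"),
    LoginEvent(_t("2024-05-01T09:05:00"), "alice", "US", False, "approved"),
    LoginEvent(_t("2024-05-02T09:12:00"), "alice", "US", False, "approved"),
    LoginEvent(_t("2024-05-03T08:58:00"), "alice", "US", False, "approved"),
    LoginEvent(_t("2024-05-01T10:00:00"), "svc-backup", "US", True, "none"),
    LoginEvent(_t("2024-05-02T10:00:00"), "svc-backup", "US", True, "none"),
    LoginEvent(_t("2024-05-10T09:00:00"), "bob", "US", True, "approved"),
    # evaluation window
    LoginEvent(_t("2024-06-03T03:40:00"), "alice", "RO", False, "approved"),
    LoginEvent(_t("2024-06-03T10:00:00"), "svc-backup", "US", True, "none"),
    LoginEvent(_t("2024-06-04T11:00:00"), "admin-legacy", "US", True, "approved"),
    LoginEvent(_t("2024-06-05T09:00:00"), "bob", "US", True, "denied"),
    LoginEvent(_t("2024-06-05T09:01:00"), "bob", "US", True, "denied"),
    LoginEvent(_t("2024-06-05T09:02:00"), "bob", "US", True, "denied"),
    LoginEvent(_t("2024-06-05T09:03:00"), "bob", "US", True, "approved"),
    LoginEvent(_t("2024-06-06T14:00:00"), "contractor-x", "US", False, "approved"),
]

BASELINE_END = _t("2024-06-01T00:00:00")
DORMANT_AFTER = timedelta(days=60)      # assumption: 60 days of silence = dormant
FATIGUE_WINDOW = timedelta(minutes=10)  # assumption: denials within 10 minutes
FATIGUE_DENIALS = 3                     # assumption: 3+ denials then an approval


def build_baseline(events, cutoff):
    """Per-identity profile from events before cutoff: countries, hours, last login."""
    profile = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.ts >= cutoff:
            continue
        p = profile.setdefault(e.user, {"countries": set(), "hours": set(), "last_seen": None})
        p["countries"].add(e.country)
        p["hours"].add(e.ts.hour)
        p["last_seen"] = e.ts
    return profile


def detect_anomalies(events, cutoff=BASELINE_END):
    """Return (user, finding, timestamp) tuples for events at or after cutoff."""
    profile = build_baseline(events, cutoff)
    findings = []
    denials = defaultdict(list)  # user -> timestamps of recent MFA denials
    for e in sorted(events, key=lambda e: e.ts):
        if e.ts < cutoff:
            continue
        p = profile.get(e.user)
        if p is None:
            # never seen during the baseline: inventory gap or new/rogue account
            findings.append((e.user, "unknown_identity", e.ts))
        else:
            if e.country not in p["countries"]:
                findings.append((e.user, "new_geolocation", e.ts))
            if e.ts.hour not in p["hours"]:
                findings.append((e.user, "unusual_hour", e.ts))
            if e.privileged and e.ts - p["last_seen"] > DORMANT_AFTER:
                findings.append((e.user, "dormant_privileged_reactivated", e.ts))
            p["last_seen"] = e.ts  # update so one reactivation yields one finding
        if e.mfa == "denied":
            denials[e.user].append(e.ts)
        elif e.mfa == "approved":
            recent = [t for t in denials[e.user] if e.ts - t <= FATIGUE_WINDOW]
            if len(recent) >= FATIGUE_DENIALS:
                findings.append((e.user, "possible_mfa_fatigue", e.ts))
            denials[e.user].clear()
    return findings


if __name__ == "__main__":
    for user, finding, ts in detect_anomalies(EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M} {user:14} {finding}")
```

On the sample data this yields one finding each for alice's new country and hour, admin-legacy's reactivation after 81 days, bob's three denials followed by an approval, and the contractor account absent from the baseline. A real deployment would feed the same logic from IdP and VPN logs and keep the profile in a store rather than rebuilding it per run.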
In summary, identity risk intelligence is about having unified visibility and analytics across all types of identities (software, human, and machine) and feeding that into some risk management program. It complements IAM by focusing on continuous monitoring, threat detection, and risk-based decision-making around identities. This unified approach lowers the risk of dangerous identity conditions slipping through gaps between siloed IAM, PAM, and governance tools. In a CTEM context, identity risk intelligence supplies the data needed to uncover and prioritize identity exposures. It also helps validate that identity-focused attacks are being detected, and ideally, stopped.
Real-World Breaches Underscoring Identity Risk
CTEM program designers should study real-world breaches to understand how identity weaknesses translate into business risk. Here are a few illustrative cases:
- Lack of MFA: the Change Healthcare breach (2023) saw ALPHV/BlackCat ransomware actors exfiltrate 4 terabytes of health data after finding a VPN account that had no MFA (https://www.savvy.security/blog/top-10-identity-security-breaches-of-2024-so-far/). Absence of MFA made it trivial to exploit a stolen password. The incident disrupted healthcare operations nationwide and cost over $1B in recovery, all traced back to a single identity exposure. Similarly, the Midnight Blizzard attack on Microsoft’s environment (2023) exploited a non-production account without MFA. This showed that even test or service accounts can cause catastrophic breaches if not secured. These cases underscore the need to enforce MFA universally. Security teams must also audit for accounts left outside strong SSO or MFA coverage. This step is non-negotiable for reducing the attack surface.
- Supply Chain Effect: in the 2024 Okta support system breach, attackers obtained an Okta support engineer’s credentials. With that access, attackers grabbed session cookies from the support portal. These cookies enabled them to impersonate Okta customers. The attackers bypassed MFA and escalated into those customers’ systems. This case highlights the risk that arises when attackers compromise an identity platform—such breaches can cascade across many organizations. A CTEM strategy must account for third-party identity risk and include vendors like Okta and Microsoft in regular risk assessments.
- Privileged Account Compromise: an analysis (2024) by BeyondTrust noted that compromised privileged identities accounted for 33% of security incidents, up from 28% the year before (https://www.beyondtrust.com/blog/entry/the-state-of-identity-security-identity-based-threats-breaches-security-best-practices). One breach example is the Uber 2022 incident, where an attacker obtained an IT admin’s VPN password (likely via social engineering) and then spammed the user with MFA push requests (MFA fatigue) until the user approved one. This granted the attacker VPN access, leading to a major internal compromise. Such breaches show why defenders must secure administrative identities with extra safeguards. These include phishing-resistant MFA, risk-based authentication, and admin action monitoring. Just-in-time privilege adds another layer of protection. It limits risk by ensuring attackers can’t misuse stolen admin credentials outside a narrow time window.
- Cloud Identity Misconfigurations: many cloud breaches stem from identity and access misconfigurations in multi-cloud environments. For instance, a leaky AWS access key or an overly permissive cloud IAM role can open the door to an attacker. CTEM must treat cloud entitlements (managed by Cloud Infrastructure Entitlement Management (CIEM) tools) as part of identity risk intelligence. A well-known example is the Capital One breach in 2019: a misconfigured AWS identity (EC2 role) allowed an attacker to perform actions and access data they shouldn’t have. While on the older side, this case set a precedent for cloud IAM review being vital. Modern CTEM programs use CIEM tools to continuously check for things like unused high-privilege roles, tokens without rotation, or cross-account trusts that could be abused.
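The continuous CIEM-style checks named in the cloud misconfiguration case above (unused high-privilege roles, keys without rotation, abusable cross-account trusts), as an added example that is not code from the article or from any CIEM product: it audits a constructed, simplified inventory and reports access keys past their rotation age or never used, high-privilege roles that have gone unused, wildcard trust principals, and cross-account trusts that carry no condition. The inventory shape is an assumption and is not real AWS API output; the thresholds, account ids and key ids are constructed.

```python
"""Added example (not from the article): CIEM-style hygiene checks over a cloud
IAM inventory: access keys past their rotation age or never used, high-privilege
roles that have gone unused, wildcard trust principals, and cross-account trusts
with no condition. The inventory is a constructed, simplified shape and is not
real AWS API output; thresholds, account ids and key ids are assumptions."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
OWN_ACCOUNT = "999988887777"               # constructed account id
KEY_MAX_AGE = timedelta(days=90)           # assumption: rotate keys every 90 days
KEY_NEVER_USED_AFTER = timedelta(days=30)  # assumption: unused after 30 days = remove
ROLE_UNUSED_AFTER = timedelta(days=90)     # assumption
HIGH_PRIV_POLICIES = {"AdministratorAccess", "IAMFullAccess"}

# Constructed inventory (simplified shape, not the real API output)
INVENTORY = {
    "access_keys": [
        {"user": "deploy-bot", "key_id": "AKIA-EXAMPLE-1",
         "created": "2023-11-01T00:00:00Z", "last_used": "2024-06-29T12:00:00Z"},
        {"user": "alice", "key_id": "AKIA-EXAMPLE-2",
         "created": "2024-05-15T00:00:00Z", "last_used": None},
    ],
    "roles": [
        {"name": "AdminRole-old", "policies": ["AdministratorAccess"],
         "last_used": "2024-01-02T00:00:00Z",
         "trust": {"Principal": {"AWS": "*"}}},
        {"name": "AppRole", "policies": ["ReadOnlyAccess"],
         "last_used": "2024-06-28T00:00:00Z",
         "trust": {"Principal": {"Service": "ec2.amazonaws.com"}}},
        {"name": "PartnerRole", "policies": ["AdministratorAccess"],
         "last_used": "2024-06-20T00:00:00Z",
         "trust": {"Principal": {"AWS": "arn:aws:iam::111122223333:root"}}},
    ],
}


def _parse(ts):
    """ISO-8601 with a trailing Z -> aware datetime (None stays None)."""
    return None if ts is None else datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _account_of(arn):
    # arn:aws:iam::<account-id>:... -> the account id field
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else None


def check_access_keys(keys, now=NOW):
    """Keys older than the rotation window, or created but never used."""
    findings = []
    for k in keys:
        age = now - _parse(k["created"])
        subject = f'{k["user"]}/{k["key_id"]}'
        if age > KEY_MAX_AGE:
            findings.append(("stale_access_key", subject))
        if k["last_used"] is None and age > KEY_NEVER_USED_AFTER:
            findings.append(("never_used_access_key", subject))
    return findings


def check_roles(roles, now=NOW, own_account=OWN_ACCOUNT):
    """Unused high-privilege roles and over-broad or unconditioned trust policies."""
    findings = []
    for r in roles:
        high_priv = bool(HIGH_PRIV_POLICIES & set(r["policies"]))
        last_used = _parse(r["last_used"])
        if high_priv and (last_used is None or now - last_used > ROLE_UNUSED_AFTER):
            findings.append(("unused_privileged_role", r["name"]))
        principal = r["trust"].get("Principal", {})
        aws = principal.get("AWS")
        if aws == "*":
            findings.append(("wildcard_trust_principal", r["name"]))
        elif isinstance(aws, str) and _account_of(aws) not in (None, own_account):
            # another account may assume this role; without a Condition there is
            # nothing (e.g. an external id) limiting who in that account can do so
            if not r["trust"].get("Condition"):
                findings.append(("cross_account_trust_without_condition", r["name"]))
    return findings


def audit(inventory, now=NOW):
    return check_access_keys(inventory["access_keys"], now) + check_roles(inventory["roles"], now)


if __name__ == "__main__":
    for kind, subject in audit(INVENTORY):
        print(f"{kind:38} {subject}")
```

Run against the sample inventory, the audit flags the deploy-bot key (242 days old), alice's never-used key, AdminRole-old on two counts (180 days unused and a wildcard principal) and PartnerRole's unconditioned cross-account trust; each finding maps to a Mobilization action such as rotating, removing, or tightening a trust policy.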
In each of these scenarios, a failure in identity controls either enabled the breach or worsened its impact. They illustrate why identity exposures need to be surfaced and prioritized within an exposure management strategy. Either way, the message is clear: if you’re not actively looking for identity-related risks, your adversaries certainly are.
Identity-Centric CTEM Success Stories
Not all is gloom and doom; some organizations have embraced an identity-focused approach to CTEM and are reaping the benefits. By integrating identity risk intelligence into their security operations, they are catching attacks earlier and addressing gaps proactively. Here are two examples of companies that leveraged identity risk intelligence to strengthen their security posture:
- Dark web credential monitoring – Texas Mutual, a large insurance provider, recognized that many of their user accounts (including those of infrequent users like board members or policyholders) could be targeted by attackers if their credentials were exposed. As part of their CTEM efforts, they deployed a commercial identity threat protection platform. One component continuously monitors dark web and criminal forums for any mention of Texas Mutual user credentials. When a leaked username/password is found, the security team is alerted immediately. They can then take action before any nefarious activity takes place. This approach transforms credential theft from a hidden danger into a manageable risk.
- Risk-Based identity protection – Borden Ladner Gervais (BLG), Canada’s largest law firm, adopted an identity-centric security strategy to protect sensitive client data. Partnering with a managed service provider, they implemented 24/7 identity threat monitoring and real-time, risk-based conditional access. Each login attempt is evaluated using signals like device hygiene, user role, and location. High-risk events, such as privileged logins from unusual geographies, are blocked or escalated. An AI-driven engine continuously scores identity risk, flags exposed credentials, and enforces immediate password changes. It also detects dormant accounts and triggers their removal. BLG’s operationalized identity risk intelligence enables rapid detection and response to identity anomalies, directly supporting CTEM’s goal of continuous exposure reduction.
These case studies illustrate tangible benefits:
- Early detection of credential compromise
- Automated blocking of suspicious logins
- Elimination of unnecessary privileges
They also show that technology and managed services are available to help achieve these outcomes. The key is integrating these tools and practices into a broader CTEM strategy – treating identity risks as first-class citizens alongside software vulnerabilities, OS, and network threats.
Recommendations for Leveraging Identity Risk Intelligence in CTEM
To build a CTEM program with strong identity-centric coverage, organizations should consider the following strategic and tactical recommendations:
- Adopt an “Identity-First” security strategy – make identity security a leadership and board-level priority alongside application, data, API, endpoint and network security.
- Embrace Zero Trust (ZT) principles – assume any identity could be compromised and require continuous verification of users and devices. Treat your identity providers (AD, Azure AD, IAM systems) as critical infrastructure and resource them accordingly. This strategic shift ensures that investments in identity risk intelligence are supported from the top down.
- Enforce strong authentication everywhere – the “everywhere” part is essential: enable MFA for all users and critical accounts, including service accounts where possible. Doing so eliminates easy credential stuffing attacks. Many known breaches, including Change Healthcare and Microsoft, could have been prevented with stricter authentication requirements. Wherever possible, push towards phishing-resistant methods (FIDO2 tokens, certificate-based auth, or app-based OTP) for high-privilege accounts to thwart phishing and MFA fatigue techniques.
- Gain visibility into all identities and privilege levels – continuously inventory every identity in your environment. This includes human, software, service, and application identities, across on-prem and multi-cloud. This type of inventory (https://www.plerion.com/cloud-knowledge-base/identity-inventory) is now becoming more important than the traditional notion of asset inventory. Map out what systems a given identity can access and what privileges it has. This intelligence is foundational for CTEM. Leverage tools to enumerate accounts in AD, Azure AD, SaaS apps, AWS IAM, etc., and centralize this data. Pay special attention to dormant accounts, shared accounts, default accounts, and third-party identities. Eliminate or disable what is not actually needed (especially legacy accounts) and tighten privileges for what remains. Reducing identity clutter will shrink the attack surface significantly.
- Continuously monitor identity activity and risk – this cannot be overstated. The days of point-in-time snapshots are behind us; things in this industry move too fast and change too frequently. This requires integrating identity telemetry into your security operations center (SOC) monitoring. Data signals must include breach data, cybercrime forum data, infostealer data, login logs, privilege use logs, IAM changes, and alerts from identity protection tools. Establish baselines and let automated systems flag outliers or anomalies (e.g. an admin logging in from an unusual IP, or a service account suddenly accessing new resources).
- Implement an ITDR solution – aim to get real-time detection of identity-based threats that IAM alone won’t catch. The goal is real-time response (e.g., if user credentials are detected on the dark web, immediately disable or step up stronger authentication for that account).
- Integrate identity risk intelligence into risk assessments and incident response – when prioritizing risks (the CTEM Prioritization stage), include identity signals. Develop scoring or a posture rating that raises risk for identity assets that have been part of data leaks and/or have high-privilege access. Additionally, update incident response plans to account for identity compromise scenarios (have playbooks for rapid credential resets, terminating all sessions for a user, or evicting attackers from cloud accounts). Practicing these in drills (e.g. simulate a leaked password scenario) will improve resilience.
- Apply the principle of least privilege – make it a continuous effort to adjust privileges. Privileges should no longer be a set and forget mechanism. Also, use identity analytics or governance tools to detect over-privileged accounts and roles, and then remediate them (via access reviews or automated role mining). When done properly, least privilege drastically limits what an identity compromise can achieve.
- Apply Just-in-Time (JIT) access – consider JIT access as a replacement for static access rules. This way privileges are activated only when needed and expire automatically. In this model, even if an attacker compromises an account with elevated privileges, they cannot do damage unless they also compromise the privilege elevation process.
- Address identity misconfigurations and hygiene issues proactively – treat misconfigurations in identity systems as seriously as OS or software vulnerabilities. Regularly audit configurations in identity stores and cloud IAM settings. Known attack paths often rely on poor configurations; security teams must find and fix them before attackers do. For example, avoid setting service account passwords to never expire. Also, remove any redundant admin accounts to reduce unnecessary risk. These hygiene improvements reduce the number of “easy wins” an attacker might find if they penetrate your ecosystem.
- Leverage automation for identity risk analysis – the scale of identity data (thousands of accounts, millions of logins) demands automation. Invest in solutions that use machine learning to assess risk continuously, focusing on patterns humans might miss or that sheer volume makes impractical to review manually. As an example, risk-based authentication systems automatically adjust requirements when they detect elevated risk. Add intelligence to some of these solutions and a model can surface a user whose behavior subtly changes following a phishing campaign, or flag a rarely used service account that suddenly starts querying a database.
- Unify identity risk intelligence with CTEM programs – ensure that all the identity risk insights feed into your overall CTEM data sets. When you communicate exposure levels to executives, include identity metrics (number of known exposed accounts, high-risk accounts, SSO coverage gaps, etc.) alongside vulnerabilities and patch status. As part of your program metrics, develop KPIs like:
  - Number of detected data breaches showing identities from this organization
  - Average time to reset compromised credentials
  - Number of identities from this organization with known infostealer infections
  - Number of attempts to log in to our systems via exposed session objects
  - MFA coverage percentage
  - Number of stale identities from this organization removed this quarter
This reinforces that identity risk management is an integral part of exposure management.
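The identity-aware risk scoring recommended for the CTEM Prioritization stage, together with several of the KPIs listed just above, as an added example (not code from the article): each identity in a constructed inventory gets a 0-100 exposure score from likelihood signals (no MFA, presence in a breach dump, an infostealer hit, staleness, being outside SSO) with privilege applied as an impact multiplier, identities are ranked by that score, and the program metrics (MFA coverage, breach-exposed and infostealer-affected identities, stale identities, SSO gaps, high-risk count) are computed from the same data. The weights, thresholds and inventory are assumptions.

```python
"""Added example (not from the article): a simple identity exposure score that
combines likelihood signals (no MFA, breach dump, infostealer, staleness, outside
SSO) with privilege as an impact multiplier, plus the KPIs listed above. The
inventory is constructed sample data; weights and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Identity:
    name: str
    kind: str                   # "human" or "non-human"
    privileged: bool
    mfa_enabled: bool
    last_login: Optional[date]  # None = never seen logging in
    in_breach_dump: bool = False
    infostealer_hit: bool = False
    sso_enrolled: bool = True


TODAY = date(2024, 6, 30)
STALE_AFTER = timedelta(days=90)   # assumption
HIGH_RISK_THRESHOLD = 60           # assumption

# Likelihood points per signal (assumed weights) and the impact multiplier for privilege.
LIKELIHOOD = {"no_mfa": 25, "in_breach_dump": 20, "infostealer_hit": 30, "stale": 10, "outside_sso": 15}
PRIVILEGE_MULTIPLIER = 2.0

# Constructed inventory
INVENTORY = [
    Identity("dom-admin-jsmith", "human", True, True, date(2024, 6, 28), in_breach_dump=True),
    Identity("vpn-svc-legacy", "non-human", True, False, date(2024, 1, 10), sso_enrolled=False),
    Identity("alice", "human", False, True, date(2024, 6, 29)),
    Identity("bob", "human", False, False, date(2024, 6, 20), infostealer_hit=True),
    Identity("contractor-x", "human", False, True, None, sso_enrolled=False),
    Identity("ci-deploy", "non-human", True, False, date(2024, 6, 30)),
]


def is_stale(i, today=TODAY):
    return i.last_login is None or today - i.last_login > STALE_AFTER


def exposure_factors(i, today=TODAY):
    """Names of the likelihood signals present on an identity."""
    factors = []
    if not i.mfa_enabled:
        factors.append("no_mfa")
    if i.in_breach_dump:
        factors.append("in_breach_dump")
    if i.infostealer_hit:
        factors.append("infostealer_hit")
    if is_stale(i, today):
        factors.append("stale")
    if not i.sso_enrolled:
        factors.append("outside_sso")
    return factors


def exposure_score(i, today=TODAY):
    """0-100: summed likelihood points, doubled for privileged identities, capped."""
    points = sum(LIKELIHOOD[f] for f in exposure_factors(i, today))
    if i.privileged:
        points *= PRIVILEGE_MULTIPLIER
    return int(min(100, points))


def prioritize(identities, today=TODAY):
    """Identities ordered for the CTEM Prioritization stage, highest exposure first."""
    return sorted(identities, key=lambda i: exposure_score(i, today), reverse=True)


def kpis(identities, today=TODAY):
    """Program metrics of the kind recommended for executive reporting."""
    total = len(identities)
    return {
        "mfa_coverage_pct": round(100 * sum(i.mfa_enabled for i in identities) / total, 1),
        "breach_exposed_identities": sum(i.in_breach_dump for i in identities),
        "infostealer_identities": sum(i.infostealer_hit for i in identities),
        "stale_identities": sum(is_stale(i, today) for i in identities),
        "sso_coverage_gaps": sum(not i.sso_enrolled for i in identities),
        "high_risk_identities": sum(exposure_score(i, today) >= HIGH_RISK_THRESHOLD for i in identities),
    }


if __name__ == "__main__":
    for i in prioritize(INVENTORY):
        print(f"{exposure_score(i):3d} {i.name:18} {', '.join(exposure_factors(i)) or '-'}")
    print(kpis(INVENTORY))
```

With these weights the stale, MFA-less, non-SSO privileged service account ranks first at 100, ahead of a non-privileged user with an infostealer hit (55) and a domain admin whose password appeared in a breach dump (40); the point is that privilege amplifies the same signal rather than replacing it. Swapping the weights for ones tuned to your environment, or feeding real inventory data, changes only the constants.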
CTEM should break down silos. For example, use CTEM’s Mobilization phase to bring together the IAM team (to implement policy changes) and the SOC team (to tune detections) when an identity risk needs mitigation. Over time, organizations build a culture of continuous improvement by addressing identity-related findings as routinely as OS and software patches.
By following these recommendations, organizations can significantly strengthen their security posture against identity-centric threats. The goal is to be proactive; don’t wait for an identity breach to force action. Instead, continuously hunt for identity weaknesses and address them on your own terms. This will reduce your overall attack surface and threat exposure while complementing all the other security efforts under your CTEM program.
In today’s threat landscape, protecting identities is as vital as patching servers or monitoring networks. Identities are the keys to the kingdom, the pathway into your ecosystems, and attackers know it. Their tactics prove this. CTEM provides a powerful framework to systematically reduce risk, but it only achieves its full promise when identity risk intelligence is brought into the fold. Identity risk intelligence is the missing piece that turns CTEM into a truly comprehensive defense strategy. Organizations can close the gaps attackers most eagerly exploit by continuously analyzing who has access to what, how they use that access, and where identity-driven weaknesses exist.
The convergence of IAM, ITDR, and CTEM practices represents a shift toward identity-first security. For security leaders and professionals, the message is clear: make identity a cornerstone of your continuous risk management. Those who do so will greatly enhance their resilience and stay ahead of adversaries who are relentlessly probing for that one weak login or forgotten account to open the door. By leveraging identity risk intelligence within CTEM, organizations can dramatically lower their odds of identity-related breaches. Moreover, they can build a modern cyber defense that truly leaves attackers with no easy way in. Identity risk intelligence is the missing piece in continuous threat exposure management.